Chapter 7: System Hacking

System hacking refers to the activities hackers use to gain access to, and compromise, digital devices such as computers, smartphones, tablets, and even entire networks. This course explains the main methods of system hacking—password cracking, privilege escalation, spyware installation, keylogging, and other tactics. We'll also learn the countermeasures information technology (IT) security professionals can use to fight different attacks.

Learning about system hacking will help you implement the strongest possible security practices and help you assess your current security protection and which possible vulnerabilities may be on your systems and networks. You'll learn which security features work the best for your environment, how to discover and fix security vulnerabilities, and how to anticipate them.

In this chapter, we will cover the following topics:

• Understanding our objectives
• Phase 1 – Gaining access and cracking passwords
• Phase 2 – Escalating privileges
• Phase 3 – Maintaining access and executing applications
• Phase 4 – Maintaining access and hiding your tools
• Phase 5 – Covering your tracks – Clearing logs and evidence

Understanding our objectives

We have three goals for this chapter, as follows:

• Gain access to the target: Identify the target, understanding the services available and which ports are open. Also, understand the user accounts that may be on the machine and, possibly, some vulnerabilities.
• Maintain access: Nothing's worse than getting into a machine only to be kicked out later because someone has made it more difficult for us to get in a second time.
• Covering your tracks: If you love watching animal or nature documentaries, as I do, you know dogs are genetically related to wolves, which explains why they have a lot in common. They particularly share one disgusting habit—eating their feces to cover their tracks, because their feces would announce their presence to other predators or prey in the area. As with wolves and dogs, we need to cover our tracks. If we don't, people will see that we're in the system. They will reimage the system or take it offline, fix all the problems we've created, and restrict our access. Covering your tracks is part of maintaining that access.

To accomplish these three goals, there are five phases we must pass through during the system hacking stage.

The five phases

Here is a brief overview of the five phases we will cover in this chapter:

• Phase 1: Gaining access to the system. Again, we've identified the system, we understand which services are running, and—possibly—know user account information. We need two pieces of information to gain access to the machine: username and password. There are several methods we can use for cracking passwords.
• Phase 2: Escalating privileges. We can either escalate the privilege of an account we create or take an account that already exists—such as Billy Bob in the mailroom—and give the account user administrative rights. Guess who will be in trouble if I get discovered. Poor Billy Bob. Now, we don't have to pick on a particular user account; we can use service accounts that are already active.
• Phase 3: Maintaining access. How do we do that? By launching applications or our tools. We have a toolset of things we like to work with, and there are specific tools I enjoy. I will launch those applications to continue my attack from the inside. If I have hit the initial target, or this is my intended or final target, I need to launch my application so that I can get back in more easily.
• Phase 4: Hiding your tools. Because we don't want people to see us on the system. You don't want somebody browsing around seeing a particular application installed on your machine. You need to hide that information. There are several ways to hide tools, including rootkits and steganography.
• Phase 5: Covering your tracks. How do we do that? Well, what's on a machine that typically tracks everything we do on a system? The log files. I sometimes refer to it as the big brother. This is where we separate the good hackers from the great hackers. To achieve our goal here, we will delete log files or modify them.

Let's discuss each of the five phases in more working detail.

Phase 1 – Gaining access and cracking passwords

If you know me, you know I have a big issue with passwords. I always jump on my soapbox whenever talking about passwords, because let's face it, we create online entities, and use accounts online all the time within our network or outside—on the internet. Everything about us is contained in these entities and we are to protect these with passwords. Now, here comes my soapbox…people are so stinking lazy when it comes to creating passwords—it drives me absolutely bonkers. As we move along, you'll understand why I'm so passionate about this subject.

Matt Mullenweg, who created WordPress, had this great quote: Love is great…but not as a password. Did you know that love is one of the top 20 passwords that people use, with a variation at the end of it? So, again, our whole goal here in this phase of gaining access is attempting to crack a password. We don't necessarily go after the big bad administrative password right away, because the second phase of gaining access is escalating privileges. So, we first need to see if we can find a password to gain access.

What's cracking?

Cracking is going through and looking for or discovering passwords that are stored on a machine locally or trying to do this during transmission. A great example of this is File Transfer Protocol (FTP). When you log your username and password, the default is to transmit both the username and password in clear text. Obviously, that's something I could pick up.

People ask me: "Is there a really good reason for cracking?" Yes, there is. Often, people forget their passwords, especially when it comes to standalone machines. I would never recommend trying to crack someone's password if you're in a domain environment because that's the purpose of the feature—being able to reset a password—but oftentimes, neighbors come over to me and say: "I forgot the password on my machine and I can't get in." Of course, I usually have a lot of red flags going up in my brain when they say: "All of a sudden, I can't get in." But we can reset local account passwords. Sometimes, a disgruntled person does something malicious in the domain environment, such as locking out everyone's password. This shows there are some good purposes for cracking.

When it comes to cracking, we have two different ways we can do it—we can automate or do it manually by using some interesting tools.

The problem we have when it comes to cracking passwords is that most users pick something they know because they must remember it, and that's what makes it easy to crack people's passwords. Most people will use a name of a family member, their pet's name, their favorite sports team, comic book heroes, swear words, favorite city, religious names, or a school they went to—college, elementary, or high school. These things might be easy to remember because they mean something to you as the user, but that's the reason why passwords are easily hacked.

Most people start off with these types of words and then add numbers at the end or the beginning of that password. Usually, those numbers also mean something to them. Most people use their birth year, graduation year, wedding anniversary, and so on.

However, while we require people to create difficult passwords, they still need to be easy to remember. Otherwise, we get help tickets being opened all day long: "Hey, I locked myself out. I don't remember my password." So, in my book, as far as a proper password policy is concerned, we typically rely on four different options: biometrics, thumbprint, two-factor authentication (2FA), and retinal scans, which is one of the exciting things about Windows 10: Microsoft is building biometrics into it, and it can't be tricked easily. If your laptop or tablet has a camera on it, it can use your face to log you in. And don't worry—they've done it with a three-dimensional (3D) aspect, something they learned from Xbox. Remember the Kinect? It does 3D recognition of your face and—sometimes—your body, which I find scary.

The geniuses behind this technology created it in such a way that if you hold up a picture of your face in front of the camera, it sees it as a flat structure. It realizes there's no depth. The demo they show you is of a gentleman holding a picture of himself up in front of his face and the laptop doesn't log him in. Once he removes the picture, exposing his face, the laptop immediately logs him in. With this, nobody can steal your biometrics, unless, of course, they cut your finger off.

We also have the option of using the Common Access Cards (CACs) you swipe. Unfortunately, somebody can steal them, which is why utilizing a password would provide additional security. I'm a big fan of multi-factor authentication (MFA), whereby you type in a password, then receive a text message with a code on your cell phone or to your email confirming you've registered. You verify with a code that the company has sent to you.

With the number of passwords that are getting cracked, I think we're going to see a huge change, and we're probably leaning toward biometrics.

Complexity

Complexity means as we create these passwords, we need to make them more difficult for attackers to guess. Typically, at least in Microsoft, we handle this by using three of the following four options—and they're good options as far as a rule of thumb is concerned:

• The first option is using uppercase characters in your password. Now, I wouldn't necessarily make all my characters uppercase—my computer might think I'm yelling at it.
• We can also use lowercase characters, and you can use these two in any order—you don't have to start off with an uppercase character then end with lowercase or vice versa.
• We can also inject numbers. So, at this point, we have what they refer to as an alphanumeric-based password.
• We can also use salting techniques (we'll talk about this later) to help randomize the password hashes.

However, if these four are the only ones you're using for your complexity, someone will eventually pwn you and, therefore, this is why we like special characters.

However, we need to be careful with special characters because there are some assumptions that both users and attackers make.

Any special characters will help you create complexity, but one of my favorite special characters—which drives attackers crazy—is the spacebar, but just because it's complex doesn't mean you're safe. You still must be careful.

First, you have to be careful about what we'll refer to as the Fab Five. This includes the @, $, 3, 0, and ! characters, which a lot of people think will trick attackers, assuming they'll never guess that the dollar sign represents S, the zero an O, and the 3 an E. Well, attackers have dictionaries and mechanisms to help them figure these out. Don't try 0penm3up, assuming attackers will not guess your 3 is E or L3tm3in is Letmein. My other favorite is op3ns3same. You don't think that's in a dictionary? I know this is a cool password, but it's not going to fool an attacker.

The reason why I always use Pa$$w0rd is that it's the default password for all Microsoft labs in the training environment. Microsoft requires that three of the four complexity requirements are fulfilled, and this one fulfills it. But complexity is not everything.

The strength of a password lies in its length. Never use real words because they're what we refer to as dictionaries out there. A dictionary contains a bunch of words, and there are tons of dictionaries for different subjects.

For example, assuming you know I like Batman, we'll put batmanrules in the password file shown here:

Figure 7.1 – Password security checker at https://security.org

If I try to brute-force attack this, it will take about 1 day to crack the password because it's made up of real words. In fact, if it wasn't as long as that (for example, batman), it would happen instantaneously because it will be in a dictionary somewhere.

I do a lot of community-based talks and seminars, and one thing I try to teach users (because this is such a pet peeve for me) is how to create complex passwords but still make them easy to remember for the end user.

One of the most effective ways to do this is by using a syntax we use daily. For example, I'm using a Domain Name Service (DNS) naming syntax, but because of the length and special characters of the periods, my password takes a little bit longer to brute-force attack. And hopefully, if my policy has me change my password before many years go by, it doesn't necessarily have to follow an actual DNS syntax. In fact, I'll do M because it's an upside-down W, or maybe I'll throw in a capital in there—MMM.ilovecrafstmantools.whatever. Yes, it doesn't have to be a real website—it can be anything you want.

Let's try to crack ilovecraftsman.tools. It's extremely long; we might have to go through the time-space continuum (or at least get our DeLorean up to 88 miles an hour to go forward in time before it gets cracked through brute force), as it would take almost 900 trillion years to brute-force this password. I just typed in one of my passwords: 9 sextillion years to crack. Game over—I win!

Password architecture

We can try to hack a password either while it's in storage or while it's in transmission, or what's referred to as in motion. So, where are passwords stored? Well, that depends on your operating system and the environment you're in. For example, when it comes to Windows, if this is just a machine that is not part of a domain, maybe a home PC or grandma's PC, or your laptop, there's a database on the hard drive referred to as the Security Account Manager (SAM) database.

The SAM database is located wherever you've installed Windows. The default is C:windows/system32/config/sam. In fact, let's look at it here. In the following screenshot, I've opened my File Explorer and I've gone to my C: drive where I installed Windows under System32. There's a directory called config—if you expand it, you'll notice there's this nifty little file called a SAM file inside. The passwords are stored in a hash, and this location or database is mounted up as a registry entry:

Figure 7.2 – Location of the SAM database

If you're in a domain environment, user accounts are not stored on the local drive of the client machine but in a file known as ntds.dit, which is located on every single domain controller in your environment. On your domain controllers, it's stored inside of a directory known as C:windows tds.dit.

So, here I am on the C: drive of my domain controller and inside of my Windows directory. I have a subdirectory called NTDS, which is short for New Technology Directory Services:

Figure 7.3 – Location of the NTDS subdirectory

Therein is the famous ntds.dit file, the database file that has all my accounts for my infrastructure, as we can see here:

Figure 7.4 – Location of the ntds.dit Active Directory (AD) account database

Now, don't think Linux doesn't do the same thing, because guess what? It does! It stores its passwords inside of the etc directory in a file that's called shadow (etc/shadow).

For Apple, we store it in a file that's called a plist file, located in the var directory under /var/db/dslocal/nods/default/users.

With this file, the user is inside of the greater-than and less-than brackets (<user>.plist). plist has a shadow hash data property associated with it, and there are ways you can open this file up. Typically, you can't just grab these. If you're thinking you'll just go grab them, guess what? These files contain your authentication credentials, but they're stored as hash values. You can't just open it up. In fact, most of the files are going to be locked while the operating system is running. As far as it being hashed is concerned, you need to know that it's a one-way algorithm, which means I can't reverse the hash. "Okay, that's cool, then obviously I'm secure." Well—no, you're not, because as an attacker, I can steal it.

Methods for cracking/password hacking

There are several techniques used for cracking, as outlined here:

• Dictionary attacks (one of the most common ways we can go after passwords)
• Brute-force attacks
• Syllable attacks
• Hybrid attacks
• Rule-based attacks
• Good old reliable guessing

Let's look at them in detail.

Dictionary attacks

Dictionary attacks are exactly what they sound like. We have files that we can go and download off the internet (https://zip-password-cracker.com or https://apasscracker.com) and we can create our own because they are just text documents of words. When I say words in a dictionary attack, I mean I can find a dictionary based on different languages, whether that's English, French, German, Russian, or Klingon.

We also have dictionaries based on subjects. There's a dictionary out there that has medical terms in it, historical accounts, places, characters in books, their names, and even something specific to the book itself, such as a catchphrase.

Characters would also include movie characters—I have a dictionary that's filled with names from J.R.R. Tolkien's Lord of the Rings series. I also have a dictionary of famous people's names, movie stars, historical figures, locations, and events. Don't think you're getting tricky just because you're using a password that may not be a traditional password, because you're basing it on a real word. Please don't do that. And don't think for a second I'll just put it in backward because any password-cracking tool out there that's worth its weight in salt will do string manipulation. It'll take the word and try it in different combinations or reverse. So, no—you're not tricking me.

Brute-force attacks

Listen to me now, hear me later, understand me next week (using my Arnold Schwarzenegger voice). Brute-force attacks take longer to accomplish. What we mean by a brute-force attack is we try every combination of alphanumeric and specialized characters in a password. Now, obviously, if the password is only 6 characters long, brute-force attacks will go by relatively quickly, but when we get into passwords beyond 14 characters, it gets a lot more difficult. It requires more cycles to go through, and brute force has to try every variation. Tools such as John the Ripper, Cain & Abel, or Aircrack-ng are very useful.

There's an upshot to brute-force attacks, even though it does take longer and it tries every combination, which takes more cycles. Guess what? It takes time, but it's 100% effective. And who has time? The attackers do.

Syllable attacks

With a syllable attack, we take a password—in this case, we'll say the password is pass—and then do a combination of a dictionary and brute force and try every possible arrangement of every entry in the dictionary.

Hybrid attacks

A hybrid attack still uses a dictionary, but based on users being complacent, we're going to try different variations by including numbers and special characters at the beginning or end of the password. So, let's say I have Batman, and next month I must change my password, so I change it to Batman1, and next month I change it to Batman2. Well, a hybrid attack is going to eventually crack this one.

By the way, if you or your users just modify passwords each month by adding a character or two to at the very end of it, smack yourself on the forehead and promise you'll never do that again. But don't smack your users' foreheads—you might get called in by Human Resources (HR)!

Rule-based attacks

What do I mean by rule-based attacks? Remember enumeration? If you're not familiar with this, you can reference Chapter 5 of this book, Enumeration. With enumeration, we can use the rules we've discovered, such as requiring users to have at least an 8-character password. I'm going to use those against you. And, knowing you use complexity, I'm able to discover you require two digits. So, I use a combination of brute-force, dictionary, and syllable attacks. Again, if I know that you only have 8 characters, it's all you require for your passwords, I won't try 9 or 10 characters. Or, if you don't require a digit, then why run through those digits?

Good old reliable guessing

There's also good old reliable guessing, which entails some reconnaissance and footprinting. This is where we try to figure out as much as we can about the target, whether it's a user or a company. Often, users base passwords on things they know. So, if I go on social media, there's a chance I will figure out their favorite sports team, what their pet dog was growing up, and their spouse's birth date. We share way too much information.

Types of attacks

Now that we know the different techniques used to do some cracking, let's talk about types of attacks.

Attacks are typically summed up in four different categories, as follows:

• Passive online attacks
• Active online attacks
• Offline attacks
• Non-electronic attacks

Let's discuss each category and the attacks that relate to each category.

Passive online attacks

These types of attacks are passive, which means we're not necessarily going to have direct communication with the machine or the target.

Sniffing

Passive online attacks include things such as sniffing the network to see if we can discover passwords going back and forth. An example of this is FTP, which uses clear text by default, so, just sitting there sniffing, we might be able to pick up some passwords.

Man-in-the-Middle (MitM) attacks

This type of attack occurs when an attacker places their machine or their hacking device between the source and the destination. They just handle all the traffic going back and forth. Again, I'm not modifying anything—it's so passive that it's hard for anyone to tell I'm doing anything. I'll just be capturing the data, making sure it all passes through me before it goes to a switch.

Sidejacking

This attack was made famous by a Firefox plugin that was called firesheep. It allowed an attacker to go to any Wi-Fi access point, such as at a Starbucks, some coffee shop, or internet café, and if they were on the same Wi-Fi access point as other users, they could steal their cookies in the middle of their transaction. They could then do things such as log on to their Facebook account or take over their Facebook session. Again, these are relatively passive—I'm not attacking a specific target.

Active online attacks

An active online attack is exactly that—it's a lot more active. We know the more active we are, the more chances we have of getting caught.

Hash injection

This is where we inject a compromised hash into a current session and then use the hash to authenticate to the network resources.

A hash is basically an encrypted password, and passwords are basically stored in the systems in the form of hashes. Now, if I had a file that stored usernames and passwords and it was completely clear text, there would be no use in having security, right? The reason is anybody could find that file. Remember that SAM database? Well, it stores user accounts and passwords in a hashed format.

Back in the day, Microsoft used something called a LAN Manager (LM) hash, which was a nightmare and still is a nightmare sometimes. I get this all the time whenever I teach about ethical hacking: "Why talk about hash words and all this stuff with older operating systems? Why not be talking about the new stuff?" Well, I'll be honest with you—it's almost like being a hunter. If I'm going to go out and hunt my prey, I'm not going to go out after the latest, newest target out there—I want to go after the oldest, because it's slower, and no one's paying attention to it. Who knows if it's been updated? The new stuff has newer technologies and sometimes makes it harder for me. I taught a class that had two IT people from a huge state organization, and as we were talking, they told me they still have some XP machines and some Server 2000 and 2003 systems.

You may be shaking your head, wondering why you need to upgrade a machine that maybe does one task. In my two students' case, the machine handled their imaging system for documentation. In another manufacturing facility was a robotic arm being controlled by a Windows machine. It just went back and forth all day long. Do these machines need to have Windows 10 on them if they work just fine with XP? If you created a password that was 14 characters or fewer, the LM hash would take all the letters—it wouldn't matter if you had upper- and lowercase characters—and convert them to all uppercase. After converting them to all uppercase, it would then pad any leftover fields to fill out all 14 characters. So, in this case here, I'd have three padded spaces. Then, things got kind of crazy. The LM hash then went through and split up the password into two 7-character strings. The two 7-character strings were then encrypted and combined back together.

For example, BatmanR would be hashed out to this value, and the leftover ULES with its padded spaces would be encrypted to this hash. Then, they would be combined, and that would be your LM hash, as illustrated here:

Figure 7.5 – How LM hashes are created

Microsoft then added NTLM, which is the NT LAN Manager hash. So, the result we would see inside of the SAM account database would include the user's name (in this case, Bwayne), a number listed after their name, followed by the next 32 characters, which was the LM hash, and then an NTLM hash appended. Now, the big difference between these two was in the password hash algorithm. LM used what they referred to as diz, which was very easy to crack.

Then, they came out with NTLM version 1 (v1), which got us to using Message Digest 4 (MD4), which was a better algorithm, but NTLM version 2 (v2) used MD5, which is even better, and technically, you should use it whenever possible. So, then you might see another account listed in there as administrator, followed by 500 for that number. 500's the security identifier (SID)—all administrative accounts in the Microsoft world end with 500 at the end of the SID. Again, I would see a combination of the LM hash and the NTLM hash.

Note

Anytime you see a hash that ends with a double AAD3B435B51404EE, this should mean something to you. This is a very common ending hash, and it describes the last 7 characters—remember that we must pad it to make sure we equal 14 characters? It tells me the password is 7 or fewer characters in length. Something similar happens if somebody types in a password that's over 14 characters. Remember that this happens with 14 characters. If it's over 14 characters, then the LM hash value is dumped and not utilized. Operating systems today, since Vista and higher, have the LM hash turned off.

Keyloggers

When it comes to keyloggers, we monitor every single key stroke going on a particular system or target. All those keystrokes, depending on the keylogger itself, could be transmitted back to the attacker.

Keyloggers are software programs that monitor and record keystrokes, mouse strokes, screenshots, who logged in, and at what time. It's amazing what some of these software programs do, but most of them will log keystrokes. There's a lot of software out there, and some have a legitimate purpose to them—for example, some parents or guardians want to monitor what their kids are doing on the computer.

We also have hardware-based keyloggers, which are extremely hard to detect. They will monitor every keystroke, and it doesn't look like it's a big bad device, but some of them have small applications built into them so that they either keep a log file and I just recover the device or they will simply email me the logs.

As a security expert, you need to know what's installed on your machines, both software and hardware. If you were to look on the back of a machine and saw one of the following devices plugged into the back of your system and the mouse was plugged into it, what would you assume?

Figure 7.6 – Keyloggers

The question is: Is there a legitimate use for these devices? It may be the company's business to know what people are typing—what information they're sharing. And it doesn't stop at devices that look like these.

There are keyboards you can modify—you can do this yourself and install a keylogger piece of hardware inside of the keyboard. You can also buy these new and deploy them out to your end users. Or, how about if I just send you a free one and it's connected to your system so that we're able to capture screenshots and record which websites you've visited? I can even read your email because as you type it in, it's going to be recorded. I could also capture login names. "But hang on a second—when I type in my passwords, I get an asterisk." Well, guess what? Keyloggers don't log in asterisks—that's what you see visually.

If you are saying "Those are physically connected devices", I have bad news for you. There are Wi-Fi keyloggers out there. You are also in trouble if you have a Bluetooth keyboard (and most Microsoft keyboards are Bluetooth-based as far as connectivity from the keyboard to the system goes).

This looks like a Universal Serial Bus (USB) charger, but built inside of it is a Bluetooth keylogger:

Figure 7.7 – A keylogger hidden inside a USB charger

I don't have to be hooked up to your system. I can plug this in, and you'll just think: "As a matter of fact, I could use it as a charger for my phone." In the meantime, it'll be picking up Bluetooth signals and detecting what people are typing on their Bluetooth keyboards.

Here's where it gets scary… they have acoustic keyloggers now. What does that mean? There are apps that are being experimented with right now. It takes time because it has to learn the sound of the keystrokes, but after a while, it'll be able to predict via sound waves which keys are being typed.

If that doesn't scare you enough, how about a rootkit logger? Yes—there are two that have been found in the wild already. One of them is called Jellyfish, a keylogger that runs inside the graphics processing unit (GPU) of the video card instead of through the processor or the central processing unit (CPU) of the system, and I don't know very many antivirus products that are looking at what's running on GPUs!

To raise the hair on the back of your neck, we also have hypervisor keyloggers. These are keyloggers that will reside in a piece of malware that is hypervised. It runs underneath the operating system, so it remains untouched, just like a virtual machine (VM).

We also have form-grabbing-based keyloggers. These are basically a piece of software that's going to record web form data and then send it across the internet to show the attacker which form data you're filling out. And no—it's not specific to PCs.

Offline attacks

These are interesting because. with offline attacks, we have all the time in the world. What's meant by an offline attack? If I can somehow get access to whatever is storing your passwords and user accounts and I get to play with it offline, I'm not going to hit that machine. I grab a database such as the SAM account database, or maybe I grab your ntds.dit file, and I can start throwing things such as a rainbow attack (which we'll discuss in more detail later).

We could also use one of the following.

Distributed network attacks

A distributed network attack (DNA) extends decryption capabilities beyond a single computer by using the distributed power of multiple computers across a network to decrypt files, find passphrases, and recover passwords.

Precomputed hashes

Here, an attacker can decrypt each word in a dictionary using a hash function and then compare it to the encrypted password. The downside to this is that it does require a lot of space, but the payoff is that it's extremely fast.

Non-electronic attacks

Non-electronic attacks are possible ways to gain access to valuable information without the use of technology. While these methods may be less common, they can still be very effective in obtaining the data or access you need.

Dumpster diving

This is where we look through trash. Now, that may seem beneath you, but trust me, it happens. Oracle caught Microsoft in a fib because they had done some dumpster diving in Microsoft trash bins.

Dumpster diving is a means for attackers to find information they could use to create trust. You can find medical records, resumes, personal photos, emails, bank statements, account details, information about software, tech support logs, government records, medical bills, resumes, and the like simply by exploring the intended victim's garbage. Once garbage is collected, the information is used to piece together identity profiles, making social engineering more likely to succeed.

Shoulder surfing

In this type of attack, somebody is obviously watching over your shoulder or using some type of mechanism. The latest and greatest now is, I have an electronic cell phone in my hand that does video. How about if I hold it up to my ear as if I'm talking to somebody, but I point my camera to where you're typing in a password? As a matter of fact, I'm paranoid about such things. When I'm out shopping, if I'm going to run my credit card somewhere, I always stop and look around and see if somebody's pretending to be on their cell phone and it happens to be pointing my way.

Social engineering

There's something we can do with social engineering that is a non-electronic attack, but kind of borderline. It's a very famous attack and it entails using a USB switch blade. Here, as an attacker, I configure a USB drive, and when you plug it in, it goes through and does some interesting things such as installing a keylogger for me, maybe a piece of malware, and it does it all silently. Maybe even the emails knew your logging credentials that I detected, and what I do is take that USB drive and just arbitrarily leave it some place where I know somebody will find it—for example, at the parking lot of a company, in the main lobby, in a hallway, near a bathroom: some place near the target company. If somebody picks it up, what's the first thing they're going to try to do? Plug in this bad boy and bing—they just got pwned!

Authentication methods designed to help

Included next are additional cracking concepts to assist you in the cracking process.

When NTLM authentication doesn't work for you

This authentication mechanism is proprietary to Microsoft and it's the default authentication that is used if some specific situations exist. I know you are saying: "They're using Kerberos." I know that, except if the following situations apply to you. It's only used when there is no Kerberos trust between two different forests and you're trying to share resources.

Another time NTLM gets utilized instead of Kerberos is if authentication is being attempted by an IP instead of by a DNS name because Kerberos requires DNS or a domain name environment. Also, if one or both systems are not a part of the same domain, don't think that you're not using NTLM, because you very well could be.

Another situation is if you have a firewall that's blocking Kerberos. Now that we know when it's used, how is it used? Well, it's based on a challenge-response algorithm.

The cool thing about this is passwords are never transmitted because you're just going to respond to a request or a challenge. As I mentioned before, NTLM came in v1 back with Windows NT. v2 was released with Service Pack 4 (SP 4), so if by chance you come across an older NT system, odds are it will be running v2.

This is how it works: you have your client machine, and the user gets their login screen and types in their username and password. After this, Windows takes that password and runs it through a hash algorithm to generate a hash for the password that's been entered. The client then sends a login request to the domain controller, and since the computer has joined the domain, the domain controller is very much aware of that hash value associated with that login name. So, the domain controller then creates a random string and sends it and basically says: "If you are who you say you are, you should be able to answer this request." The client encrypts this request with the hash and sends it back to the domain controller. The domain controller then goes through, retrieves the password or the hash of the user's password, and compares it to see if it's the correct answer. If it's the same answer, then you're allowed to cross the bridge. If it's wrong, you don't get to pass. It reminds me of the famous Monty Python and the Holy Grail movie scene of the three questions and bridge of death.

Kerberos authentication

This is what we're using, pretty much up to date with the latest and greatest from Microsoft. Kerberos gets its name from the three-headed dog that guards the gates of Hell—or Fluffy, if you're a Harry Potter fan. It is ticket-based, so we issue tickets that are then used to represent the credentials. It's fast, because we don't have to keep re-authenticating the user over and over—or, possibly, the computer. Again, it avoids the transmission of passwords.

Now, there is one little kicker on this one and that is it's time-based. If you remember our chapter on enumeration, you should remember the primary domain controller (PDC). It's in charge of syncing everybody's clock to itself because when it comes to Kerberos, the default with Microsoft is you cannot have more than 5 minutes time difference between the PDC and your system clock. If you are, it won't authenticate you. So, let's look at how Fluffy is used.

First, we have a computer, a user, and a domain controller. The domain controllers have some special services running on them, and one of them is a key distribution center (KDC). If we have a file server that we're trying to gain access to, the user is going to make a request to the domain controller, saying: "I need to be authenticated, please." The domain controller responds back with: "Yes, what can I do for you? I can authenticate you.", to which the user's computer says: "I need to get a ticket-granting ticket (TGT)." Because the computer and the domain controller are members of the same domain, the domain controller can issue this TGT or ticket to the user or computer to be then utilized when they want to gain access to resources. When the user/computer wants to gain access to the file on the file server, they just simply present their TGT, the file server sees it's from a trusted source, and it will quickly check with the domain controller and say: "Is this account still valid?" The reason it does this is in case an administrator has locked the user out. Now, just because tickets are being utilized here doesn't mean that you're safe. We'll be looking at a tool later in another chapter called John the Ripper—a very famous tool, and probably one of the more powerful tools out there today. It's a Linux tool that can crack Unix, LM hash passwords, NTLM passwords, and Kerberos passwords.

Salting

Salting? Yes...my hash needs a little salt. So, what happens if you have two users with the exact same, identical, password? What is their hash going to look like? The solution? We can randomize the hashes by appending or prepending random strings—we call these salts—to the password before we hash. This helps us in having duplicate hashes and makes it hard for an attacker to find out what's going on.

Each salt needs to make sure it's unique for each password. Don't use the same string of characters for every password. If you do, all I must do as an attacker is figure out what your salting string is, and I'll then get everybody's password. For example, I have two accounts that are both using the same password, the hash values will be identical. If I use a salt, I can append some unique characters to the end of the password; therefore, two different accounts using the same password have different hash values. To check if the password is correct, we must be able to have access to the salt, so it's usually stored in a user account database along with the hash or as part of the hash string itself.

Now, I'll give you an unfortunate shout-out here because Microsoft won't use this. They kind of use it, in the aspect that the passwords in AD are hashed, but the ending hash is just the username itself. So, again, make sure that if you're going to salt your passwords, each salt is unique to each password. If you're a developer and you're creating your application and want to make it so that people have to log in, a common mistake is they'll hardcode in a salt into the program or generate a salt only once and then reuse it. If I'm using the same salt for every password, two users with the same password will have the same hash.

There's also the issue of your salts not being long enough—for example, 3 characters. 3 characters narrow down the limits of the number of possibilities the attacker needs to consider. Now, because I just told you the hash needs to be available, that creates a dilemma, right? If the key is kept on the system and the attacker gains full access to the system, they'll be able to steal the key no matter how long the salt is. The key needs to be stored in external systems such as a physically separated server dedicated to password validation. There is specialized hardware out there that also helps with storing salt keys.

Other cracking methods

Besides the methods we spoke about previously, there are a couple of other methods that deserve a mention.

Rainbow tables and other options

A rainbow table is a precomputed hash table, so I don't have to try every variation of the hash values—I precomputed them ahead of time. I just do comparisons. Unfortunately, these precomputed hashes take up a lot of storage space. There are, however, free rainbow tables you can download.

Note

You'd have to google them and be prepared for a HUGE file (terabytes (TB), in some cases). Go to https://freerainbowtables.com for examples.

You can also create your own rainbow tables if you have the storage space to handle these. What's interesting is, with new technology such as solid-state drives (SSDs) and cloud computing, attackers are utilizing these technologies to create rainbow tables at record speeds and utilizing the processing power of Amazon's cloud system or Azure. After they compile them, attackers will then go off and sell them.

Lookup tables

We can also utilize lookup tables (LUTs), which are just plain old tables. What this basically says is: "Does any hash out there equal this hash? Oh, look—I found one, and the password was password5," because that's what the hash equaled.

Here are some examples:

• Does any hash equal the following?

5f4dcc3b5aa765d61d8327deb882cf99: FOUND: password5

It then continues to go through those tables, saying: "Hey, what about this one?" Oh, not in the database, so nobody has that password or hash.

• What about the following?

6cbe615c106f422d23669b610b564800: not in database

Your cracking tool will then continue: "Hey, can I get a letMEin12? Any responses?"

• Can I get the following?

630bf032efe4507f2c57b280995925a9: FOUND: letMEin12

"Yes, here's another one—try this one." Here it is:

• 386f43fab5d096a7a66d67c8f213e5ec: FOUND: mcd0nalds

And it will continue, depending on the size of the table you download.

Reverse LUTs

Similar to a LUT is a reverse LUT. These operate by saying: "I have a hash for the password of apple123—who on this list uses that hash? Oh, a couple of accounts... There's alice3, 0bob0, and charles8."

I love technology but sometimes, I look at new things and ask myself: "What's this going to do me security-wise?"

Let me show you something. The following screenshot depicts a computer system with multiple video cards. It was done as a project:

Figure 7.8 – GPU cracking system

Many of today's video cards have a GPU on them, and GPUs love cracking passwords. We typically think of a CPU as having multiple cores—for example, i7 might have 8 cores, or maybe you got a dual-core. Well, GPUs have hundreds of cores in them. In this research project, they set up five of these systems. They had 25 Advanced Micro Devices (AMD) GPUs and, between the five systems, they were connected at 10 gigabits per second (Gbps). Guess what? We don't have to do rainbow tables anymore. With this system and brute force, this cluster went through 348 billion NTLM passwords per second. What this means is a 14-character password took only 6 minutes to hack.

What about MD5? Well, I'll do 180 billion per second with this rig and, even if you think you're being secure and you're using Secure Hash Algorithm 1 (SHA-1), you'll only slow me down to 63 billion passwords per second being brute-forced. Remember—a system such as this, I would use in an offline attack. I'll get your database and, probably, within a day or two, I'm going to have several login options for you.

Now that we have worked on gaining access and cracking passwords, let's discuss escalating privileges next.

Phase 2 – Escalating privileges

Wanting local administrative rights, even though you're not allowed them, is what escalating privileges is all about. So, the problem we have here is now we've gone through and hacked a password and figured out the user ID, we're stuck with the privilege of that user—or are we?

Kevin Mitnick, the world-famous hacker said the following:

It's true, I had hacked into a lot of companies and took copies of the source code to analyze it for security bugs. If I could locate security bugs, I could become better at hacking into their systems—it was all towards becoming a better hacker.

When you think about it, what he was doing was elevating his privileges by getting to know the source code and seeing which bugs or vulnerabilities he had to escalate out of.

We've made it in. What now?

What do we do now? Remember how we made it in this far? We found a user account and cracked their password. Our goal now is to give ourselves adequate rights and permissions to do what we wish. So, never assume that just because you're not an administrator or don't have administrative rights, you can't accomplish your goal.

Once we make it in, our next step is to look around. If we make it in as a local administrator, I'm going to look at any configuration mistakes that have been made. I might also check out any design errors from the network infrastructure level. Again, there are many times you might find a target through a Google hack, and you make your way in just using a default username and password. You get in and think to yourself: "Well, I haven't fully reconned this environment yet", so, we may want to take another look at these design errors. Maybe they've been misconfigured or didn't change default passwords or default settings.

I also want to get a layout. This target I've hit, what is its purpose on the network? I'll also be looking at any programming flaws. I know—programmers don't make mistakes, right? They just come out with patches to enhance the application. That's kind of like IT people—they don't make mistakes. They just improve the performance.

Now, as far as our overall goals are concerned, we have four basic methods for escalation, as follows:

• Pwning the admin/root account

One of the goals we're going to have is being able to pwn the admin or the root account.

• Taking advantage of vulnerabilities

The second method is to take advantage of a vulnerability that may be in the application or in the operating system that's going to allow you access as a privileged user. There are many applications that raise the privilege of the currently logged-in user on the backend you may not have considered.

Try using www.exploit-db.com. It gives insights about vulnerabilities you could take advantage of. Some of them we will go through. We can do a privilege escalation with this one.

• Using escalation tools

Another method of escalation is firing up a tool such as Metasploit, a complete framework and hacking suite designed to allow you to see if you have any exploits or any type of vulnerabilities in your network. But obviously, we know attackers are going to use these types of tools against us. The downside to Metasploit is it's extremely easy to use. You might find a YouTube video about it, which means that some 12-year-old is out there coming at your system.

There are more tools such as these out there, including Canvas and Core Impact, which is a complete pentesting tool, and Armitage, which is basically a GUI frontend for Metasploit.

• Social engineering

What if we just get somebody to do it for us? That's called social engineering. As an attacker, I can persuade people to run an application for me or maybe to look at a file for me. I must entice them somehow using one of the core emotions of social engineering. Typically, I'm going to do it either out of fear or greed, or I need some help—which is a very reliable social engineering aspect, because as humans, we like to help, right? All I can do is send you an email, attach a script or a program to it, and ask you to double-click on it because it's going to patch your system for you. I'll make it look as though the email came from IT staff. I could create a Portable Document Format (PDF) file that, when opened, executes a program for me.

Countermeasures

How do we stop this? Well, there are some countermeasures, but you need to remember your job is not to stop them – because you can't. You can only slow them down. And how do we do that? Here's how:

• The first way is using encryption, which helps you protect data that is considered sensitive. If I've encrypted data to a particular user, then regardless of what that user's permissions are or what my user permissions will be, I won't have access to that information.
• You could also consider giving least privilege when it comes to your users and applications. What we mean by this is don't overallocate your privileges. If somebody needs the ability to do something on a machine, take the time to figure out which rights and permissions they need and only give them those rights and permissions.
• You could also look at making sure your updates are done. It drives me bonkers because a lot of the privilege escalation issues can be avoided by making sure you are patching your systems.
• Another thing you can do is limit the interactive login. Interactive login is the right to throw a three-finger salute or the Ctrl + Delete keys on a box and log in. By default, regular users don't have the right to log in interactively on a server.
• You could also make sure that your service accounts are limited, using the same concept that applies to least privilege. I see this mistake done all the time where IT will go to install an application—a server application such as Structured Query Language (SQL) or SharePoint—and they need a service account that utilizes the machine. As far as the machine is concerned, a user is doing all the work, but it's being done by this account. Sometimes, IT will use the administrator account on the local box. Again, you need to evaluate what access these service accounts need because it could create a vulnerability or a hole for you.
• Another option is limiting the extent of the code if you're the developer and you are creating an application that runs at a high privilege level. Again, typically, it's when we take shortcuts that we create issues.
• You can also do privilege separation. With this type of approach, we limit the scope of programming errors and possible bugs.
• You can also test the operating system and your apps meticulously and review code if you're a developer. If you are an IT person and a developer says: "Here's a new app we're going to be using", there should be some type of documentation that says what was done where. You should question any type of code somebody wants you to place in your environment. And, if you are a developer, don't go off and download somebody's sample code and just copy and paste it. Make sure you understand what each line does.
• Using multi-factor is another countermeasure. This way, we place another safety-net layer for us.
• Do some stress tests. This is because many times when an application or an operating system gets overloaded, it creates vulnerabilities. You may even want to consider performing debugging using BoundsChecker. However, please realize none of these will stop everything from happening, but at least it'll make you feel as though you've got a handle on things.

Next, we'll discuss the types of escalation that will help us accomplish our purpose.

Types of escalations

Now that we know the different countermeasures used, let's talk about the different types of escalations.

Privilege escalation

This is any condition that allows an attacker to gain elevated access after the system has been compromised. So, we take a lower-end account and escalate its rights and permissions to a higher account, which allows us to pivot and have all kinds of fun. We also have what they refer to as information disclosure. This is basically any type of vulnerability that allows the attacker to gain access to data that is sensitive or protected. We also have what they refer to as security feature bypass. Now, this is typically caused by a software weakness that allows an attacker to bypass policies, validation, or even other safeguards such as bypassing User Account Control (UAC) or any type of filter. There are different types of escalation that you can perform. Determining which one you use will depend on what it is you're trying to accomplish. Privilege escalation can be accomplished by using dynamic link library (DLL) injection.

Horizontal escalation

In security terms, horizontal escalation is one of the most common methods used by attackers to achieve their objectives.

Attackers will often look for a way through the perimeter to get an initial foothold within a network. Often, they find a low-hanging fruit such as a user who has left their password blank or a web application that lacks proper security controls.

Once they have gained access to the network, the attackers will then look for ways to move laterally and spread their infection to as many systems as possible. By doing so, they can gather more valuable data or even take control of the entire network.

Offline access

Offline access is typically looking at machines that may not be always hooked up to the network. If a laptop gets stolen or if I'm able to compromise that laptop, I'm going to have all the time in the world because it's offline. And because of that, I can use some simple exploits to give myself total control of this machine, and then, hopefully, when you hook it back in, I'll be able to continue my total domination.

DLL and DYLIB hijacking

DLLs haunt us. It's something we must deal with. Most Windows applications don't use a fully qualified path when they load a DLL, so there's no structure. It basically says: Run this DLL. Instead, the default is that when an application launches, it first searches the directory from which it's been launched. Knowing most application developers and people take shortcuts—by not specifying a path—an attacker can load up a DLL inside of the application directory with malicious intent. An example of this is if an application needs the library.dll file (which is in the system directory) to install the application. If it can't find it, or if it finds it first in the path you're installing at, it'll never see the one in the system's directory of Windows. So, when the user goes through and loads up the application, it uses the DLL and the attacker will have full remote access to that box. Hmm—maybe this should make you wonder about downloading torrent files now, right?

Fortnite, a game that gets played by both children and adults, is extremely popular. Knowing this, attackers used to release patches to make players invincible or to give them extra guns. Well, sure it does, but it's mostly loaded with something else. In fact, security researchers discovered that flaw.

Don't think for a second Windows is alone in this. Apple is very much a target. But instead of using DLLs, Apple uses DYnamically linked LIBraries (DYLIBs), which is basically the same concept. This is a dynamic library, hence the name, that an application may call, but DYLIBs are typically specific to a user. So, depending on how we want to deploy this, an attacker can just simply place a malicious DYLIB into a specific location. In a ton of cases, the loader in OS X is going to search for dynamic libraries in multiple paths. This is going to help the attacker inject a malicious DYLIB into one of the primary directories and then simply load the malicious DYLIB at runtime. This allows attackers to bypass security software, as well as even bypass Gatekeeper—a security feature of the macOS system that enforces code signing and verifies downloaded applications before allowing them to run. But again, I can bypass that all by doing a DYLIB hijack. Okay—let's stop picking on software. Let's talk about hardware!

Using CPU flaws

Let's talk about Spectre and Meltdown, shall we? Both these vulnerabilities are CPU-based and, unfortunately, the vulnerability goes back through all different types of chips over a long period. Each one of them takes advantage of either the memory's cache and the execution order, and/or takes advantage of branch prediction. Now, these are geeky terms but know that the vulnerability is there.

The other issue we have, especially when focusing on things such as Spectre, is that it has some interesting issues here because it affects CPUs from Apple, AMD, Advanced RISC Machines (ARM) CPUs, Intel, Samsung, and even Qualcomm. These are basically all the mobile phones on the planet, right? This vulnerability tricks the processor into exploiting a speculative execution to read restricted data. What that means is that if the chip identifies a program that includes multiple conditional statements, it'll start to execute and then conclude all possible outputs before the program does, which makes the system faster. This vulnerability allows the attacker to force the processor to accomplish a speculative execution of a read before bounds checking is performed. The result? The attacker can access and read out-of-bounds (OOB) memory locations. Those locations could include things such as confidential information—such as credentials that are stored in a browser—or even reading kernel memory or performing a web-based attack using JavaScript.

When it comes to Meltdown, this one's not as prevalent in all the CPUs, but it does affect any of the processors, whether Intel- or ARM-based, that Apple deployed. This vulnerability tricks a process to access OOB memory by exploiting CPU optimization mechanisms through speculative execution. The attacker can use either one of these vulnerabilities to execute or escalate their privileges by forcing an unprivileged process to read other adjacent memory locations, such as the kernel memory or physical memory.

One of the biggest problems with both these vulnerabilities is they're built into the chip, and the only fixes that they've been able to come out with to support the CPUs that were released that had this vulnerability, which goes back years, was a software fix that ended up slowing down the performance of the CPUs.

Access token manipulation

An attacker can gain escalated privileges through things such as access token manipulation. Windows itself uses access tokens to determine the owner of a running process. A user or an attacker can manipulate access tokens to make a running process appear as though it belongs to someone else other than the user that started the process. We refer to those as spoofed tokens.

Application shimming

This comes into play when the Windows operating system uses the Windows Communication Framework (WCF). We call it a shim, and it's what allows Windows 10 to execute or run older programs. For example, for programs that were created under XP and you've upgraded to Windows 10, you still want the application to run. These shims provide a buffer between the program and the operating system.

If you have ever done a compatibility wizard for Windows when trying to run an application, it'll ask you questions such as: "Does it need elevated privileges or did it run in previous versions of Windows?" That's helping you to build that shim. Now, the buffer, which the shim creates, is referenced when a program is launched. It needs to verify whether the program has access to the shim database. Some shims can be used to bypass the UAC, inject malicious DLLs, capture memory addresses, or even give the attacker the ability to install backdoors or escalate their privileges.

Other Windows issues

There are also a ton of processes within the Windows operating system that execute binaries automatically as part of their functionality or whatever it is they're trying to accomplish with this application. If the filesystem permissions on these binaries aren't set appropriately, the attacker can replace these with malicious files. We refer to this as a filesystem permission weakness. If the process that executes the binary has a higher-level permission, then the binary also executes under the higher-level permission, which may include the system account. Attackers can take advantage of this technique and replace the original binaries with their malicious ones to escalate or elevate their privileges.

We also have something called path interception. This is a method attackers use of placing an executable in a particular path so that it'll be executed by the application in place of the legitimate target application. Path interception helps the attacker maintain persistence on the system as well as escalate their privileges.

Scheduled tasks

The Windows operating system has this thing called task scheduler, which allows a user to configure to defragment their system every 3 days or so. A user with administrative privileges could use these utilities in conjunction with a task scheduler to schedule a script or a program that can be executed at a particular time and date. If a user provides proper authentication, they can schedule a task from a remote system using a remote procedure call (RPC). The attacker can use this technique to execute malicious programs at the system startup, during any type of maintenance, as well as performing remote execution and, of course, escalating our privileges.

Apple issues

For non-Windows folks, for macOS or OS X, during the boot process, launchd is executed to complete the system initialization process. Parameters for each of the launch-on-demand and system-level daemons are loaded using launchd. These daemons have a property list file (plist) that's linked to the executables that run at the time of booting. The attackers can create and install a whole different launch daemon that can be configured to execute at bootup time. These weak configurations allow the attackers to alter the existing launch daemons executable to maintain persistence within the system or to escalate their privileges.

I know—you're saying: "Please tell me that's all." No—there's even more. Remember that plist file I just told you about? Well, these files exist for any application or service. It includes the necessary information that's needed to configure them. The plist files themselves are technically just Extensible Markup Language (XML) files, and how easy is it to modify an XML file? Attackers can access and alter these plist files to execute malicious code on behalf of a legitimate user. They can also use them to maintain persistence, as well as escalate their privileges on that box.

Linux issues

If you are a Linux person, you're probably saying: "Man, we're safe!" Well, both in Linux and in macOS, if an application uses a setuid or a setgid flag, then the application will execute with the privileges of the owning user or the group. Typically, applications run under the current user's privilege, but there are some circumstances where the program must be executed with elevated privileges, but the user running the program doesn't have those elevated privileges. In this case, someone, maybe the developer, could set the setuid or the setgid flag for their application. An attacker could exploit the application with the setuid or the setgid flags to execute malicious code with elevated privileges. Do you see what's going on here? We're elevating our privileges all over the place.

Web shells

The last one is a web shell, which is just a script that can be uploaded to a web server—or maybe it becomes part of the server—that enables remote administration to a machine. This works well for things such as remote administration using PowerShell. The problem is, an attacker can create their own web shells and inject malicious scripts into the web server to maintain or escalate their privileges. They can also use them as a backdoor to gain access and control the server remotely. Typically, a web shell runs under the current user's privileges, but if that box has any type of vulnerabilities built into it, they can escalate their privilege and then install malicious software, change user permissions, add users and groups, steal credentials, read emails—almost anything.

Buffer overflows

Let's first back up and understand what the ultimate purpose of any program is that runs on a computer—it's to process data of some type. Usually, that data is going to be provided by a user, so the program needs to store the data somewhere, and the best place to put it into is memory. This is where our troubles begin. Many developers assume that user input will be reasonable to a certain extent. It would seem kind of unreasonable for, as an example, a URL address to be more than, say, 500 characters. And usually, developers will pad this by multiplying in either by 2 or even by 10. So, based on this assumption, the developer could reserve memory for a web page address that could hold up to 5,000 characters. Now this memory space that's reserved is called a buffer, and it's a buffer in random-access memory (RAM). So, because the developer may never suspect that someone's going to use more than 5,000 characters, they usually don't apply any type of check. The data is just processed as it's applied. So, what happens if the user unintentionally—or possibly intentionally, with malicious motives—provides a web address that I don't know with 5,500 characters in it? Well, after writing that 5,000th character, anything else left over is bad, and it's placed in memory after the buffer, which results in a buffer overflow. Now, the purpose of these attacks is usually to allow the attacker to run their own code directly on this system. This is referred to as arbitrary code execution, or possibly they can execute their code and transmit it from one machine to another. This is sometimes referred to as remote code execution.

Denial of service

Then we have, obviously, our most famous one (probably): denial of service (DoS). This includes conditions that allow attackers to consume all the resources of the CPU—the drive, connections, RAM—so that the process can no longer service legitimate requests.

Another type of vulnerability is another famous one, cross-site scripting (XSS). This is a vulnerability whereby a malicious script is injected into a website, and then that script is downloaded and executed by the browser on an end user's system—or, should I say—a different user's system.

Another famous one is directory transversal. This is a vulnerability that allows the attacker to access restricted directories from where they've entered. For example, if I were to maybe go to my home directory on my production network that is assigned to a D. Meredith directory on a server somewhere, if I'm able to execute some malicious code and be able to move over to B. Wayne's directory to see their information, or C. Kent's, or even L. Lane's, we might have some fun there. We also have what they refer to as cross-site request forgery (CSRF). These types of vulnerabilities allow unauthorized commands to be transmitted from the user to a web app.

So far, we have cracked a password, figured out our user account, got into the system, elevated our privileges—so, we're done, right? Well, we may have pwned the machine so far, but a total pwn is when we can maintain access via executing applications.

Phase 3 – Maintaining access and executing applications

Overall, the whole process in this phase is being able to make sure that we can always get back in. Again, from the attacker's perspective, you don't go through all the steps that we've gone through just to say: "Haha, I did it!" and walk away, right? We're also here to see what's going on and to get a clear picture of the system or the target machine. We are also detecting what other information could be available to us that might have been blocked to us before.

Let's say I'm an attacker who's created a piece of software, and I put it out into the wild and it phones home, and one day I see three systems have installed my piece of software. I'll use that software to get back in and then use some additional software to make sure I have an extremely clear understanding of the environment. One of the things I'll be looking for is if they have any type of intrusion detection system (IDS).

How do we execute applications?

Well, this is typically applied in one of the following three ways:

• Spyware: The most common and easiest way is via spyware. I know that's a hot word out in the industry and there are different levels of spyware—for example, there are legitimate spyware products out there. If I were to go in and install an application on my Android device, many times I'm saying: "Yes—go ahead and look at my contacts, or use my network connection."

My father taught me something very valuable. He said: "There is no free lunch." If you are old enough to understand that phrase, you know he meant there's nothing for free out there. I know it says it's free—Gmail says: "Hey, it's free." But is it? We're paying a price for that. The price is Google going through and looking at your emails and looking for specific words so that they can sell marketing. That's how they make their money! Nobody's out there saying: "I'd like to be a Good Samaritan, spend countless hours creating an application, and just give it away for free." It doesn't work that way.

• Backdoors: We can execute applications via a backdoor, which allows a user or an attacker to come back in without being noticed. With a keylogger, I can say anytime a specific keystroke or combination of keystrokes are executed, please execute my program. Backdoors are great because they're stealthy and can also be used in command and control (C2) scenarios to bypass firewalls and IDS systems.

Spyware and backdoors

When we talk about spyware, we have this vision that comes up in our minds about uneducated users, such as grandmas (or, in my case, nieces and nephews), who install fake software or click on a link, and boom: "Bob's your uncle."

Spyware is normally installed by us when we download a file, app, or free product. Typically, the manufacturer wants to know how you're running that product, or maybe they are going to make money. In fact, I think it's funny that the last time I installed Java, if I hadn't hit the Advanced button during installation, I would have also installed some additional toolbars and software that I'm sure Oracle gets paid for.

Spyware is designed to capture our authentication credentials as we type them in. An attacker might even capture emails or fire up and record information when we type in something on a web form. Again, I'll use Google as an example since they're the big boy on the block and they give everything away for free. A lot of it is they're trying to capture habits. Well, think of that from the attacker's perspective. Could they not profile you a little better if they understood your habits? "What kind of habits?" That could be: "Hey, this target uses this password when it comes to banking sites", or "They use this password when it comes to their social networking sites", or "The target is just using a variation of a specific password." If I'm capturing both screenshots and keystrokes, I can start to capture habits. Even on your Android phone, if you download a free app from a torrent and sideload, it could be malicious, and these apps could start capturing your habits. Some legitimate apps track how long the user is using the app or even finger-swiping actions on your devices.

Also, when you go to install an application on your tablet, phone, computer, do you sit down and read the user license agreement (ULA)? No? I know—I sometimes don't either. But I understand the overall gist of it. That is—one: you don't own the software; and two: we are going to collect information about you, possibly access your contacts, see how long you use our app, and maybe see which app you open after using our app. If I deem the app to be that worthwhile, I'll accept that as a risk. However, I only accept it as a risk from legitimate software companies.

Types of spyware

Spyware is typically installed while installing an application. For example, if I download a copy of WinZip, and then during installation, I just hit Next, Next, Next, Next, Next, Next, Next, Next—which they're hoping I do—I might install a new toolbar, and that toolbar in Internet Explorer (IE) will track some of my activities.

Now, think of this from an attacker's perspective. Let's say a new version of Photoshop comes out, and as an attacker, I crack that product and put in my own piece of spyware so that when the user installs the app, my spyware gets installed. I'm going to make sure it's hidden so that they can't see it running. Yes, I can hide it from your Task Manager.

It's in videos

We also have spyware that comes across via video. I'm not talking about YouTube, although I'm pretty sure YouTube does monitor which videos you're watching on their channel. But that would be legitimate, right? Other video sources might tempt you with the latest blockbuster movie for free, but the truth is… it's not. I had a nephew who brought me his computer once and said: "Hey, it's running really slow and sluggish."

Important Note

Slow performance is one of the signs you have spyware installed.

As I'm going through and looking at it, I see all these programs that are firing up during startup, and as I'm talking to him, he tells me about finding this really cool website where he can stream movies that are still in the theater for free. Now, again, I'm sure Netflix spies on us; however, I'm more worried about someone coming to my house and making a mistake on my network or systems. My nephew tried to pull up the web page so that I could see it, and I jumped up: "Noooo", and quickly unplugged the network cable because I know what's out there.

Your printer is spying on you

There's also spyware for printing. How about if I load a piece of spyware and everything you print, I get a copy of it, please? Think about that for a second. What do you print? Are you sure you've never printed tax forms, medical records, or—better yet—let's say your doctor gets a piece of spyware on their machine because the doctor's receptionist thinks every time a popup comes up saying "You need to install this piece of software" Is this because they visit inappropriate or malicious websites? An attacker can install a piece of spyware and get a copy of every single document printed.

USB is guilty too

We also have USB-based spyware. Here, I have this piece of software that I show as kind of a proof of concept (POC). It's used quite often out there but I always have students come up to me and say: "Is there any way you can give me a copy of this whitepaper?" Or, they say: "Can you give me a copy of these VMs?" If I had malicious intentions, I could simply say: "Sure, just bring me a USB drive", and when they do, I would plug it in. I would have a little program whereby as I'm copying files to their USB drive, I'm also injecting spyware onto their USB drive so that when they plug it into their system, it injects everything silently, without their knowledge. It would also download everything on their USB drive to my machine as well.

Mic check – 1,2…1,2

We also have spyware that's injected into audio. There is no such thing as free MP3s! Again, let's think about both sides—legitimate reasons for spyware and the dark side of spyware.

Let's say you have an account with Spotify, Google, or Google Music. I guarantee those companies are monitoring and seeing what you're doing with their audio files: how many machines you've installed it on, how many times you've listened to it, and so on. Some of this is done with cookies, but if you're installing any type of application or plugin in your web browsers, I guarantee you're getting some type of tracking software.

If I want to get spyware on your machine, I'll go for a new album coming out by a popular musician or band, rip it, add my spyware, and post it on torrent sites. Whenever somebody downloads it and starts to play music, my spyware would kick in.

Email and phishing

We also have spyware that's distributed via email and the internet. We've talked about malicious websites, and I've seen them. People get emails saying: "Hey, this is the IRS. We're going to start filing charges against you because of your tax forms… click here." And you or the user clicks on the link, goes to a site, or executes a script that's malicious in nature.

Don't think for a second that attacks are limited to PCs/laptops. This is exploding on the mobile platform. One of the things I do before installing an application on my phone—because I know there could be something there to track what I'm doing—is look at the permissions to see what it is they need access to. If it's a game, I don't care how cool the game is. If it wants access to my contacts, there's no way it's going on my device. Likewise, review the permissions of applications. Most of the big vendors require you to do this, whether you're getting it from the iTunes Store, the App Store, Google, or Amazon—those I would consider somewhat trusted sources. History shows us that there have been many bad apps sneaking into their stores.

Be very careful about downloading software or applications from different repositories out there, even if it's the coolest thing ever. In fact, that's part of the social engineering aspect of hacking. I'm counting on the fact that you want this so stinking bad, you're willing to justify and jump through some hoops and maybe install a piece of software that's going to help me pwn you.

Next, we'll discuss the use of backdoors to further our ability to access our targets.

More about backdoors

When it comes to backdoors, we want to make sure we understand what they are.

Backdoors consist of two components—one of them is on the client side, while the other is on the server side.

The client is what I want to hopefully install on my targets, while the server is the box that all the clients will report into.

Many backdoors will also have automation built into them. Some of that automation could include things such as a connect-back technique. This is where I can get the client side installed on a target (maybe because they've downloaded my free evil copy of Photoshop), and, to bypass the security of most firewalls (most firewalls block all inbound connections unless they've been initiated by an outbound connection), I have the client connect back through the firewall to my server side.

We might also use what's referred to as the first-line backdoor, which is sending the initial malware. The primary backdoor acts as a downloader for other malware that we then get to install. Normally, when somebody is infected, there's going to be multiple backdoors created, not just one. So, if I get the first-line backdoor installed, then the second-line backdoor is what goes out and steals the information I'm looking for.

You may be thinking "I'll just delete it if I detect it" or "I have antivirus installed". Well, the issue here is that part of the automation of most of these backdoors and spyware programs includes the ability to make it impossible to update Windows. They disable your antivirus product, infect your host file, make sure you can't open it, and lock down the system to stop you from fixing it. Or, at least, it's going to take somebody with some computer knowledge, which typically isn't the standard user, to repair it.

Common backdoors

Some of the more common backdoors are the most popular ones out there. Back Orifice was a popular one. This was created by an organization that was called Cult of the Dead Cow. They got the name Back Orifice from the fact that Microsoft had a product line for all their server platform products. Not only Server 2000, but also SQL and Exchange, were all part of the BackOffice product line, so, making fun of it, they called it Back Orifice.

Sercomm manufactures most routers and parts that go on the router, and routers are sold by Netgear, Cisco, Linux and so on. Well, there was a backdoor in these devices, and it's funny that they came out with a patch that was supposed to fix the backdoor but didn't—all it did was hide the backdoor. Their backdoor worked across a particular port so that an attacker could open up a remote shell, reset the router, or even make modifications to the configuration.

When we talk about backdoors, I can't go very far without talking about some government agencies. Some of these backdoors were included in hardware being sold to other countries. The National Security Agency (NSA) has been working hard to come up with backdoors for encryption technologies. In fact, in early 2015, Microsoft issued a security advisory where they admitted they were aware of a security feature bypass vulnerability, which was known as FREAK. FREAK is short for Factoring Attack on RSA-EXPORT Keys and is a known MitM vulnerability caused by weak website encryption. It made it possible for attackers to backdoor in and spy on secured communications. You'll never guess who took advantage of that one!

There are also consumer products. Remote exec is probably one of the more popular ones out there. You can use this product to install applications silently, meaning that the user doesn't see an application being installed, executing scripts, copying, modifying, or deleting files. Maybe do a filter and say: send me all DOCs. I could even change the admin password or turn the machine off or on at any given time. Again, this product is designed for administrators to manage their environment, but if I install something such as this on your machine or get a client to install it, and have it report back to my server, I'll have total control of your box.

We've discussed how to maintain access and execute applications through several different tools and options, allowing us continued access to a system or network while remaining undetected. Next, we'll discuss hiding our tools.

Phase 4 – Maintaining access and hiding your tools

I know what you're thinking. There's no way he can come up with a joke for this one, right? So, when I'm talking about hiding your tools, what we're really getting into here is something I saw on one of those sarcastic t-shirts: Shhhh…I'm hiding from stupid people! That's what we're going to do here—hide our tools so that less intelligent people or those who are not security-minded will not be able to find them. Again, the last thing we want to do is go through all this effort to get our machine totally pwned and then lose it because we don't hide our software from users or IT experts.

Rootkits

When you find a rootkit in your environment, you're going to be terrified beyond the capacity for rational thought. You'll think, mother-puss-bucket!

Security Note

If you discover a system with a rootkit installed, you should never trust it. Don't clean it. Don't try to fix it. You need to reimage the system from scratch—operating system and apps, all new. Please don't make the mistake of trying to save the system.

Rootkits were first discovered by something that Sony tried to slip past everybody. This was back in 2005 when Sony started loading copy protection measures on about 22 million compact discs (CDs). When you inserted the CD into a computer, the CD installed a piece of software that modified the operating system so that it would interfere if you tried to copy the CD. What was bad is this: 1) The rootkit couldn't be uninstalled; 2) It created additional vulnerabilities. And one of the programs that they utilized actually installed even if the user denied or refused its end-user license agreement (EULA), and it phoned home and reported what the user's listening habits were. Now, this is back during the height of things such as Napster.

This was discovered by Mark Russinovich, the gentleman who created the Sysinternals software suite. He saw something going on with the CDs and he reported it. Nobody believed him, except for one small antivirus firm called F-Secure. F-Secure was one of the first companies that came out with one of the first rootkits and uninstallers.

So, why do we use rootkits? Well, they have two primary functions associated with them: remote control or a backdoor. As well as eavesdropping, rootkits allow an attacker to gain administrative control over a computer. This means that they can run any program, see what people are doing on the system, and even change the system's configuration.

There are different types of rootkits out there allowing for different functionality, but the biggest issue is these are extremely hard to remove. Rootkits are the mother of all infections if you want to think of it from a virus perspective. So, again, why are rootkits used? Well, we'll gain remote-control access and watch what's going on with the environment. If you're thinking "I just got my antivirus and it's doing just fine—it didn't detect it", you need to make sure your antivirus is always up to date, but there is something out there referred to as the polymorphism of rootkits. This technology makes rootkits extremely difficult to find because of what it allows a rootkit to do. It allows a rootkit to rewrite the core assembly code. So, now, suddenly, your antivirus, especially if it's signature-based, is useless.

The only way to find rootkits that use polymorphism would be to use technology that looks deep inside the operating system and compares it against a baseline of what a good operating system, or a healthy operating system, would be like.

There are several types of rootkits out there, as outlined here:

• User-mode rootkit: In user mode, the rootkit runs on the computer with administrative rights or privileges. This allows the rootkit to alter security, as well as hide processes, files, system drivers, and system services, and the rootkit stays installed by just simply copying the files to the computer's hard drive and automatically launching them every time the system boots. The downside, at least from the attacker's perspective, is that user mode is one of the only types that antivirus and anti-spyware applications can detect.
• Kernel-mode rootkit: What the attackers have done at this point is they know user-mode rootkits can be detected—so, how about if we just load the rootkit at the same level as the operating system? At this point, the operating system can't be trusted. One of the most famous kernel-mode rootkits was Da IOS Rootkit, which was focused on Cisco's iPhone OS (iOS) operating system. So, yes—you can get rootkits on network devices.
• Hybrid rootkit: This is the best of both worlds, where we can take some of the characteristics from a user-mode rootkit, being that it's easy to use and stable, along with the kernel-mode rootkit—meaning: I can hide this thing. This is one of the more popular rootkits out there today.
• Firmware: This type of rootkit is similar to a user-mode or a kernel-mode rootkit, but this rootkit actually hides in the firmware when the computer shuts down—so, when you restart the computer, the rootkit just reinstalls itself. When we say that it hides itself inside of firmware, it could be anything from a microprocessor code to a Peripheral Component Interconnect (PCI) expansion card firmware. And again, on every restart, the rootkit gets reinjected.
• Virtual rootkit: These are relatively new, and the most popular one I can think of is called Blue Pill, which is based on x86 virtualization. It was a POC that was presented in Black Hat back in 2006. The concept of Blue Pill was to trap a running instance of an operating system by simply starting a thin hypervisor and then virtualizing the rest of the machine underneath it. The previous operating system would remain, and any references to devices or files, or anything that dealt with hardware interrupts or requests for data, including system time, could be intercepted or faked by the new hypervisor.

The gentleman who came up with this made a statement at Black Hat that he felt it would be 100% undetectable because the rootkit itself was virtualized. You might say: "Yes, but I still have an antivirus, and I keep it up to date." Well, it doesn't matter. Your antivirus might pick up the fact that you have a rootkit on your machine, and you can try to clean it off, but I want you to repeat after me, this is SuperDale rule number 385: "Any system that's been detected with a rootkit is no longer trusted." What that means is you're going to take it offline, format the hard drive, and reinstall. Do not—this is my personal feeling—continue using an operating system that has already been compromised because you don't know if it's firmware-based; cleaning it may clean the one instance, but as soon as you restart the machine, you're back to square one.

Now that we're here, let's look at some interesting rootkits.

Horse Pill

This rootkit was presented at Black Hat back in 2016 by a security engineer and member of the Red Team for Intel. Horse Pill was a POC Linux rootkit. That was really kind of interesting because it infected the internal RAM disk. Once there, it was put into a mount and a persistent ID (PID) namespace that allowed it to run covertly, including its storage. This also allowed it to run some network systems without the user knowing, such as a DNS tunnel.

Don't worry—I'm not going to just pick on Linux! Yes—we've got Windows too. There's one out there known as the GrayFish rootkit, which runs inside the Windows operating system. It is one of the most modern and sophisticated malwares implanted from a group that was called the Equation Group and was designed to provide an almost invisible presence using hidden storage, as well as malicious commands executed inside the Windows operating system. This was developed around 2013, but variations of it have been popping up all over the place. The reason it's so malicious is when the computer starts, GrayFish hijacks the operating system loading mechanisms by injecting its own code into the boot record. This basically allows it to control the launching of Windows at each stage, bypassing the Windows Secure Boot controls. Rootkits use stealthy storage, but GrayFish implemented its own encrypted virtual filesystem inside of the Windows registry.

If that's not emough to scare you, check this out. Hold on to your socks here. You ready? The Equation Group has released a module named nls_933w.dll that was the first of its kind that was designed to reprogram or reflash a computer's hard drive and its firmware with the malicious code. It has been found in drives from Seagate to Toshiba, Samsung, Western Digital, Micron, Nextdoor, IBM, and Hitachi. You may be saying: "Wow, whoever created this really thought this through." Yes—its origins are from some of the tools that my big brother—as I like to call the NSA—uses.

Alternate Data Streams

First, I need to make sure I have your attention. Next to passwords, this is my next biggest pet peeve. When it comes to Alternate Data Streams (ADS), there's something you need to understand. First, this is not a well-known feature. I'm surprised how many times I teach a security class and I mention ADS to people that have been in IT for years whose jaws drop as they say: "I didn't know that was something that could be done."

ADS has been around since NT 3.1. That's a long time ago, but it's still being used today. The reason this feature was first created was—thanks, Steve Jobs—so that Microsoft could be compatible with the Macintosh Hierarchical File System (HFS). Now, the Macintosh filesystem stores its data in two parts. There's a data fork and resource fork. The data fork is where we store the data itself about that file. The resource fork is what gives us additional information about a file. Because of these two forks, we're able to hide files extremely efficiently. So, this is one of those necessary evils. We want to be able to store additional data about a document, as well as the document itself.

Detecting rootkits

As far as detecting rootkits is concerned, it depends on the type of rootkit that is installed. It could be one of the following methods:

• Integrity-based detection: This can be regarded as a substitute to both signatures in a heuristic-based detection. What happens is the user will run a tool such as Tripwire or Advanced Intrusion Detection Equipment (AIDE) on a clean system. The tool then creates a baseline of a clean system and stores it in a database, and then we can use that database to compare existing workstations to see if there are any issues.
• Signature-based detection: This is like a fingerprint. It compares the characteristics of all the system processes, as well as the executable files with a database that's been created of known rootkit fingerprints—very similar to how most of our virus programs work.
• Runtime execution path profiling: This technique compares the runtime execution path of all the processes and the executable files. Normally, the rootkit adds new code near to the routine's execution path, which destabilizes it, and this runtime execution path profile picks it up.
• Heuristic/behavior-based detection: This works by identifying the deviations of the normal operating system behaviors and their patterns. The cool thing about these types of detection is that they are normally capable of identifying new, as well as previously unidentified, rootkits. They're able to do this because they can see a difference in what would be considered normal as far as the system pattern or its behaviors is concerned.

There are tons of tools out in the world that will help you detect rootkits, and that's fine and dandy, but a lot of times, attackers are coming up with new ways of bypassing or being undetected by this type of protection. So, it's sometimes best to check manually, and there are two different steps to do that.

The first and most common step is doing it through the filesystem by typing in d-i-r, which is short for directory; /s is to include subdirectories, followed by /b, which uses a bare format, meaning: I don't need any header information or summary; I just need the information itself. We will then type /a, which basically says: I want to include the following attributes. The attribute we're specifying here is h, which is hidden files. We would save that result, and then run a very similar command, except that you'll notice it's a little different on ah. Instead of ah, we do a-h. h means not—so, don't give me the hidden attributes. You would save those results and boot off a clean CD—it could be a Windows CD, an installation CD—and you get to Command Prompt and run the same commands again and save that output.

The second step is where we determine what the differences are.

We'll download a program called WinDiff by Microsoft and run that on the two sets of results to detect file-hiding ghostware. What we mean by that is files that aren't recognized while the system is on, which is what we did in the first two steps, versus files that are exposed or visible because we booted off the CD. Now, it should be noted that sometimes, you'll get some false positives, and you'll just need to track those down. This method doesn't detect stealth software that's hiding, for example, in the basic input/output system (BIOS) or in a bad disk sector or an alternate data stream, or even video card e-prompts. But it's something, right?

Steganography

Steganography, or—as we sometimes refer to it, stega—is the ability to take a document and hide it in plain sight. We do that by placing the document in—more commonly—a photo so that we can hide it behind or inside of other data. Unlike ADS, the size of the picture file—in this case, a photo—will increase in size. If I have a picture that's 1 megabyte (MB) in a file and a document that's 4 MB, the picture file becomes 5 MB in size. It hides inside of the other file by replacing the unused data bits with bits from the file you're trying to hide. It's extremely difficult to detect. In fact, some will say it's almost impossible to detect.

Steganography is broken into two classifications, technical and linguistic.

Technical steganography hides the message using a scientific method, whereas linguistic steganography hides the message inside of what they refer to as a carrier or some type of media that's used to transfer files back and forth or communicate. As far as the type of steganography that's accessible to us is concerned, we can hide files in an image. We can also use steganography to hide files in another document, very similar to what we saw with ADS.

Steganography can also be used to hide files inside of a folder, or the object representing the folder, and audio. Yes—I can hide a hidden message or file inside of an audio file. In fact, this is one of the things that's going on right now in fighting terrorism. A lot of terrorist organizations communicate with each other by hiding their messages inside audio and video-based files. You always hear on the news that a new video's been released by some terrorist organization and that the government is currently reviewing it. What they're doing here is going through and checking to see if there's anything hidden inside the video, as well as looking at the video in depth to find out if they can find out where it's coming from by looking at backgrounds and listening to background noises.

We can also hide our files inside of web-based applications or websites so that you must know exactly where to go within the website, either to a hidden image, a hidden URL, or just a hidden location on the page that would reveal information that is normally not visible.

We can also use it to hide information that we refer to as white space. We do this with a program called Snow that conceals the message, which is normally in an American Standard Code for Information Interchange (ASCII) format by pinning white space to the end of each line. Now, because the space and tabs are generally not visible in text viewers, the message is effectively hidden, and if you use built-in encryption, the message can even be read even if it's detected.

Steganography can also be used to hide files in emails. In fact, it's very similar to the web-based steganography types because most emails will support HyperText Markup Language (HTML). So, again, we can hide files or messages inside of emails.

We can also use it to hide files inside digital versatile discs (DVDs). So, again, I ask you this: Where did you get your last copy of the latest movie release? I could be hiding my tools, and when you run the movie or go to watch it, my tools inject.

Natural text-based is another type of steganography. These types of programs will convert information you're trying to transmit into a flow of text like a play. So, if somebody's looking at your text document, they'll be wondering: "What is this guy talking about? He's just talking about one day he went for a walk with his dog."

One of the more popular programs out there, Sams Big G PlayMaker, goes through and you hide your text within the play itself.

Another type of steganography is hidden operating system-based. This is where I inject my tool inside of some of your hidden operating system files and my tools execute anytime your operating system needs to use those files.

Now that we have been able to maintain access and hide our tools, let's discuss how we get out without leaving a trail and being detected by clearing logs and evidence we've been there.

Phase 5 – Covering your tracks – Clearing logs and evidence

So, why do we clear our tracks?

First, we want to remain obscure. We don't want somebody knowing that we've gotten into the system. Otherwise, all our hard work has gone to waste.

Second, we want to avoid tracebacks. This is where the victim hires a forensic expert to figure out exactly what happened. Back in the day when I had my own internet service provider (ISP) service, I had a customer who was complaining he wasn't getting the speeds he was paying for. Together with one of my friends, a white hat from Microsoft and author of several security and integrated security system (ISS) books, we saw something going on with this customer's antenna. We discovered the customer had plugged the internet connection directly into his company laptop without going through a router, and he got totally pwned. We found out the reason he wasn't getting the speeds is because somebody had uploaded movies on his laptop and was using his laptop as a parted FTP server. My friend was able to use some of the log files we were looking at to see the IP addresses of the connections coming in, and we were able to trace it back to an IP address in Germany. There wasn't much we could do about it at that point, which I guess really does sum up one of our biggest problems with the internet today: there is no sheriff in town. But that's what we want to avoid. We want to avoid tracebacks.

Third, we want to convince the victim or victims there is nothing is going on. "This machine has not been compromised; continue to do what you're doing." In fact, it's when machines start acting funny that people start getting their suspicions up, right? Now, we could also talk about the big issue for attackers not wanting to be detected as they don't want to go to jail.

Next, we'll look at a basic method of clearing our tracks, which would be the action of a good attacker, and then we'll look at what a great attacker might accomplish.

Basic method – Five things to do

A basic method is what a good attacker would accomplish or do while covering their tracks. They're going to do some basic things, and most of this will be detected very easily. This is what they'll do:

• Clear browser history: A basic method would be to clear any browser history on that machine relating to looking up information about the target, the vulnerabilities that are on the target, or if they're trying to upload a file or download a file from a website. If they've done any type of research, they're going to want to clear out the browser history.
• Delete cookies: There's also the issue of internal users not wanting the IT department or security professionals to know that they are looking up things about how to crack a hash on a Windows 7 box. They might also delete cookies. In the case of a website, cookies are designed to contain information about your preferences for that website. I'm always amazed that I have a lot of people that will come to me and say: "Can you help me clean up my computer?" and I'll be looking around only to notice their history and browser have been cleared out, but they forgot about the cookies. Well, it's all about the cookie. Cookies contain information about the sites they've visited, so this would be another entry that an attacker would want to delete.
• Delete downloads: You will want to delete any downloads that may have been done on this machine. Maybe as an attacker, I've downloaded a payload file that I made available on a website somewhere or an FTP site, so I would want to delete those.
• Delete passwords: I'd also want to clean out any password managers that may be on this machine. This would be more toward the aspect of an internal user who wants to make sure that nobody sees what their passwords are, but this would also possibly apply to an attacker.
• Delete private data: They'll also want to delete any private data that may be on the machine.

As an instructor, I go to different training centers, and most of them provide an instructor machine for me which I use while I'm teaching. While I'm using that machine, I may check my email, load up my Dropbox or my OneDrive, and on the very last day, I have a script I carry around with me now on a thumb drive I execute off. It goes through and clears out all that private data for me. You could say these would be some good guidelines to follow if you were ever in fear of somebody utilizing the same machine you've been using.

Advanced methods

Advanced methods are what great hackers do. This is about clearing out the logs. There are certain files on the system tracking everything happening on a machine and recording it inside of a text file. Now, you must be careful how this is done if you're clearing out the logs—you don't want to raise a flag about your activity. It can raise an obvious flag something has been messed with and removed. In fact, you'll see an event ID 1102, which is a log was cleared error.

The overall concept here with advanced methods is a great attacker is not going to just clear out the logs. They are going to use tools to help them do the following:

• Disable and turn off auditing so that the system is no longer looking at what they are doing. Simply open Command Prompt and use a built-in utility called Auditpol for audit policy. I want to set a category called Logon/logoff, and I'd like to change the success rate, so that any successful logins are disabled, as well as any failures.After disabling auditing, they then do their damage, try to hack the password, make modifications to files—whatever they need to do.
• Then, after they are done, they simply turn the auditing back on.

We have now covered the necessary steps to leave a system that's been hacked and some of the best ways to leave while covering our tracks.

Summary

In this chapter, we discussed the five phases of system hacking. In Phase 1, we covered how to gain access to the system. Once we understand the system and which services are running, we need to find out what the username and password are. We also discussed the various ways to crack passwords. Phase 2 discussed escalating privileges. We can either escalate the privilege of an account we create or take an account that already exists. In Phase 3, we discussed how to maintain access by launching applications and tools that will allow you to continue your attack from inside the system and allow you to can get back in more easily. Phase 4 discussed the various ways of hiding our tools. This allows us to hide information or anything we may want to use in our attack. Phase 5 discussed covering our tracks and how we do that. It covered how to disable auditing, allowing you to accomplish the purposes of your hacking, and then how to enable auditing and get back out of the system undetected.

There are plenty of advantages to learning how to hack a system. You will be able to discover holes in your security, and if you know how to hack, you'll know how to better set up and protect yourself from other hackers, and you'll know the main issues involved in keeping your systems safe.

Next up, we get to hack humans, or what is called social engineering.

Questions

As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

1. Which filesystems are supported by Alternate Data Streams (ADSes)?
   1. VHD
   2. FAT32
   3. NTFS
   4. CDFS
2. What utility can be used to stop the auditing or logging of events?
   1. Auditpol
   2. ADS
   3. Regedit
   4. NTFS
3. An attacker adding higher privileges to their account (adding themselves to the administrators group) is called what?
   1. Trinity slide
   2. Vertical escalation
   3. Sideloading
   4. Pass the hash
4. Clark brings in a new keyboard to work and gives it to Lois; soon after, Lois's credentials are being used on other systems. What do you suspect is the cause?
   1. A keylogger
   2. Malware
   3. MFA attacks
   4. Ransomware