Chapter 7. Enumeration and Computer System Hacking

WITH THE INFORMATION collected up to this point, an attacker has a better picture of what the targeted environment looks like. What the attacker doesn't know, however, is what the system is actually offering. Determining what a system is offering is the goal of the process of enumeration. Enumeration takes the information that has already been carefully gathered and attempts to extract information about the exact nature of the system itself.

Enumeration is the most aggressive of the information gathering processes seen up to this point. Until now, information has been gathered without interacting with the target to any great degree. In contrast, with enumeration, the target is being interacted with and is returning information to the attacker. Information extracted from a target at this point includes usernames, group info, share names, and other details.

Once enumeration has been completed, the process of system hacking can begin. In the system hacking phase, the attack has reached its advanced stages in which the attacker starts to use the information gathered from the previous phases to break into or penetrate the system.

After the enumeration stage, the attack has begun, and the attacker runs code on the remote system. The attacker is now placing software or other items on a system in an effort to maintain access over the long term. An attacker places backdoors to leave a system open for repeated usage in attacks or other activities as needed.

Finally, attackers cover up their tracks to avoid detection and possible countermeasures later. In this last phase, attackers make an effort to eliminate the traces of their attack as completely as possible, leaving few, if any, traces behind.

Windows Basics

The Windows operating system can be used as both a standalone and a networked operating system, but for the purposes of this chapter you will consider mostly the networked aspects of the operating system (OS). It is important to consider what needs to be secured and how to secure the operating system in the networked environment. One of the big issues of securing Windows in the networked environment is the sheer number of features that must be considered and locked down to prevent exploitation. However, before we can determine what to secure, we need to know how Windows works.

Controlling Access

One of the first things that must be understood prior to securing Windows is how access to resources such as file shares and other items is managed. Windows uses a model that can be best summed up as defining who gets access to what resources. For example, a user gets access to a file share or printer.

Note

Always consider what a user account will be used for, because that will dictate what privileges it needs and which ones it doesn't. For example, if a user will never be performing administrative tasks, don't give the user administrative access.

Users

In the Windows OS, the fundamental object that is used to determine access is the user account. User accounts are used in Windows to access everything from file shares to running the services that keep the system functioning. In fact, most of the services and processes that run on the Windows operating system run with the help of a user account, but the question is which one. Processes in Windows are run under one of four user contexts:

  • Local Service—A user account with greater access to the local system, but limited access to the network

  • Network Service—A user account with greater access to the network, but limited access to the local system

  • SYSTEM—A super-user style account that gets nearly unlimited access to the local system and can perform actions on the local system with little or no restriction

  • Current User—The currently logged-in user who can run applications and tasks, but still is subject to restrictions that other users are not subject to. The restrictions on this account hold true even if the user account being used is an Administrator account.

Each of these user accounts is used for different specific reasons, and in a typical Windows session each is running different processes behind the scenes to keep the system performing.

Table 7-1. SAM changes in Windows.

NAME                    EARLIEST WINDOWS VERSION SUPPORTED   DESCRIPTION
LAN Manager (LM)        Windows for Workgroups               Considered weak due to the way hashes are created and stored
NT LAN Manager (NTLM)   Windows NT                           Stronger than LM, but somewhat similar
Kerberos                Windows 2000                         Available with Active Directory

User account information can be physically stored in two locations on a Windows system: in the SAM or in Active Directory. The Security Account Manager (SAM) is a database on the local system that is used to store user account information. By default, the SAM resides within the Windows folder at %WINNT%\system32\config\sam. This is true of all versions of Windows clients and servers. The other method of storing user information is in Active Directory, which is used in larger network environments such as those present in mid- to enterprise-level businesses. For simplicity, this chapter will not discuss Active Directory. A few details of how the SAM stores its contents should be covered before moving on to other features. The SAM stores hashed versions of users' passwords, which are used to authenticate user accounts; these hashes are stored in a number of different ways depending on the version of Windows. The hash details are listed in Table 7-1.

Note

Remember that the SAM is a file that physically resides on the hard drive and is actively accessed while Windows is running.

Groups

Groups are used by Windows to grant access to resources and to simplify management. Groups are effective administration tools that enable management of multiple users because a group can contain a large number of users that can then be managed as a unit. By using groups, you can assign access to a resource such as a shared folder to a group instead of each user individually, saving substantial time and effort. You can configure your own groups as you see fit on your network and systems, but most vendors such as Microsoft include a number of predefined groups that you can use as well or modify as needed. There are several default groups in Windows, discussed in the following list:

  • Anonymous logon—Designed to allow anonymous access to resources; typically used when accessing the Web server or Web applications

  • Batch—Used to allow batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files

  • Creator Group—Windows 2000 uses this group to automatically grant access permissions to users who are members of the same group(s) as the creator of a file or a directory.

  • Creator Owner—The person who created the file or the directory is a member of this group. Windows 2000 uses this group to automatically grant access permissions to the creator of a file or directory.

  • Everyone—All interactive, network, dial-up, and authenticated users are members of this group. This group is used to give wide access to a system resource.

  • Interactive—Any user logged on to the local system has the Interactive identity, which allows only local users to access a resource.

  • Network—Any user accessing the system through a network has the Network identity, which allows only remote users to access a resource.

  • Restricted—Users and computers with restricted capabilities have the Restricted identity. On a member server or workstation, a local user who is a member of the Users group (rather than the Power Users group) has this identity.

  • Self—Refers to the object itself and allows the object to modify itself

  • Service—Any service accessing the system has the Service identity, which grants access to processes being run by Windows 2000 services.

  • System—The Windows 2000 operating system has the System identity, which is used when the operating system needs to perform a system-level function.

  • Terminal Server User—Allows terminal server users to access terminal server applications and to perform other necessary tasks with terminal services

Source: http://technet.microsoft.com/en-us/library/bb726982.aspx

Security Identifiers

Each user account in Windows has a unique ID assigned to it commonly known as a security identifier (SID) that is used to identify the account or group. The SID is a combination of characters that looks like the following:

S-1-5-32-1045337234-12924708993-5683276719-19000

Even though you may use a username to access the system, Windows identifies each user, group, or object by the SID. For example, Windows uses the SID to look up a user account and see whether a password matches. SIDs are also used in every situation in which permissions need to be checked; for example, when a user attempts to access a folder or shared resource, the SID is used to determine whether that user is allowed to access it.

Commonly Attacked and Exploited Services

The Windows OS exposes a tremendous number of services, each of which can be exploited in some way by an attacker. Each service that runs on a system is designed to offer extra features and capabilities to a system and, as such, Windows has a lot of basic services running by default, which are supplemented by the ones applications themselves install.

Although there are a number of services running in Windows, one of the most commonly targeted ones is the NetBIOS service, which uses User Datagram Protocol (UDP) ports 137 and 138 and Transmission Control Protocol (TCP) port 139.

NetBIOS has long been a target for attackers due to its ease of exploitation and the fact that it is commonly enabled on Windows systems even when it is not needed. NetBIOS was designed to facilitate communications between applications in local area networks, but is now considered to be a legacy service and usually can be disabled.

Note

In reality, any service can be a potential target; it all depends on the knowledge and skill of the attacker. However, some services are much more likely to be attacked than others, and NetBIOS fits the profile of a service that is commonly selected for attack.

In the Windows OS, the NetBIOS service can be used by an attacker to discover information about a system. Information that can be obtained via the service is very diverse and includes usernames, share names, service information, among other things. In the enumeration phase, we will see how to obtain this information using something known as a NULL session.

Enumeration

Once port scanning has been performed, it is time to dig deeper into the target system itself to determine what specifically is available. Enumeration represents a more aggressive step in the hacking and penetration testing process because the attacker has now started to access the system to see specifically what is available. All the steps leading up to this point have been aimed at gaining information about the target to discover the vulnerabilities that exist and how the network is configured. When enumeration is performed, the process is now attempting to discover what is offered by these services for later usage in actual system hacking.

When performing enumeration, the attacker has the goal of uncovering specific information about the system itself. During a typical enumeration process an attacker will make active connections to the target system to discover items such as user accounts, share names, groups, and other information that may be available via the services discovered previously. It is not uncommon during this phase of the attack to confirm information that was discovered earlier, information that the intended target may have even made publicly available such as Domain Name System (DNS) settings. During this process, however, new details will emerge that the victim did not make available. Details that tend to appear at this point include the following:

  • User accounts

  • Group settings

  • Group membership

  • Application settings

  • Service banners

  • Audit settings

  • Other service settings

In addition to determining what services and settings are present, the enumeration phase also can employ techniques used to determine the placement and capabilities of countermeasures. An attacker can use enumeration methods to get a picture of whether or how a target can respond to system hacking activities. Uncovering information on whether or how a defender can respond allows the attacker to modify the attack accordingly and make the activity more productive.

Note

The more information an attacker can gather, the more accurate the attack can be. With enough information about a target, an attacker can move from a "shotgun"-style attack to an attack similar to what a sniper would carry out.

NULL Session

The NULL session is a feature in the Windows operating system that is used to give access to certain types of information across the network. NULL sessions are a feature that has been a part of Windows for some time—one that is used to gain access to parts of the system in ways which are both useful and insecure.

A NULL session occurs when a user attempts a connection to a Windows system without the standard username and password being provided. This connection type cannot be made to any Windows share, but it can be made to a feature known as the Interprocess Communication (IPC) administrative share. In normal practice, NULL sessions are designed to facilitate connections between systems on a network to allow one system to enumerate the processes and shares on another. Using a NULL session it is possible to obtain information such as the following:

  • List of users and groups

  • List of machines

  • List of shares

  • Users and host SIDs

The NULL session allows access to a system using a special account known as a NULL user that can be used to reveal information about system shares or user accounts while not requiring a username or password to do so.

Exploiting a NULL session is a simple task that requires only a short list of commands. For example, assume that a computer has the host name "ninja". The system could then be attached to using the following command, where ninja stands for the name or Internet Protocol (IP) address of the system being targeted:

net use \\ninja\ipc$ "" /user:""

Note

NULL sessions may sound like a bad idea, but they are very handy when used properly. In practice, the Windows operating system has given broad powers to this account that are not needed to use the account for its intended function. As a security professional, being vigilant about how the sessions are used will help in securing them.

To view the shared folders on the system the following command can be used:

net view \\ninja

If shared resources are available, they will be displayed as a list, at which point the attacker can attach to a shared resource as follows:

net use s: \\ninja\(shared folder name)

At this point, the attacker can browse the contents of the shared folder and see what data is present.

Table 7-2. Partial list of nbtstat switches.

SWITCH   NAME             FUNCTION
-a       Adapter Status   Returns the NetBIOS name table and media access control (MAC) address of the network card for the computer name specified
-A       Adapter Status   Lists the same information as -a when given the target's IP address
-c       Cache            Lists the contents of the NetBIOS name cache
-n       Names            Displays the names registered locally by NetBIOS applications such as the server and redirector
-r       Resolved         Displays a count of all names resolved by broadcast or Windows Internet Name Service (WINS) server
-s       Sessions         Lists the NetBIOS sessions table, converting destination IP addresses to computer NetBIOS names
-S       Sessions         Lists the current NetBIOS sessions and their status, with the IP address

Working with Nbtstat

An additional tool that can be used in the enumeration process is a tool known as nbtstat. Included with every version of the Windows operating system, nbtstat is a utility intended to assist in network troubleshooting and maintenance. The utility is specifically designed to troubleshoot name resolution issues that are a result of the NetBIOS service. During normal operation, a service in Windows known as NetBIOS over TCP/IP will resolve names known as NetBIOS names to IP addresses. Nbtstat is a command line utility designed to locate problems with this service.

Nbtstat has a number of switches that can be used to perform different functions; some of the more useful functions for the ethical hacker are listed in Table 7-2.

The -A switch can be used to return a list of addresses and NetBIOS names the system has resolved. The command line that uses this option would look like the following if the targeted system had an IP address of 192.168.1.1:

nbtstat -A 192.168.1.1

SuperScan

SuperScan is a tool that was used back in Chapter 6 to perform port scanning, but can also perform enumeration. On top of SuperScan's previously mentioned abilities to scan TCP and UDP ports, perform ping scans, run whois and tracert, it also has a formidable suite of features designed to query a system and return useful information.


Figure 7-1. SuperScan.

SuperScan offers a number of useful enumeration utilities designed for extracting information from a Windows-based host:

  • NetBIOS Name Table

  • NULL session

  • MAC addresses

  • Workstation type

  • Users

  • Groups

  • Remote procedure call (RPC) endpoint dump

  • Account policies

  • Shares

  • Domains

  • Logon sessions

  • Trusted domains

  • Services

Each of these features can extract information from a system that can be useful in later stages of the hacking process.

SNScan

SNScan is a utility designed to detect Simple Network Management Protocol (SNMP)-enabled devices on a network. The utility is designed to locate and identify devices that are vulnerable to SNMP attacks. SNScan scans specific ports (for example, UDP 161, 193, 391, and 1993) and looks for the use of standard (public and private) and user-defined SNMP community names. User-defined community names may be used to more effectively evaluate the presence of SNMP-enabled devices in more complex networks.

Enumeration is designed to gather useful information about a system; specifically what can be accessed through a discovered service. By using the process of enumeration, an attacker can obtain information that may not otherwise be available such as usernames, share names, and other details. Enumeration represents the point at which the attack crosses the legal line to being an illegal activity in some areas.

System Hacking

After an attacker has performed enumeration, he or she can begin attacking the system. Enumeration has provided details that are actionable for the next phase of system hacking, including details of user accounts and groups. The information on usernames and groups provides points on the target system on which to concentrate the system hacking activities. Up to this point, progressively more detailed information has been gathered and what those services are offering has been determined; now the process of exploiting what has been uncovered can begin.

During the enumeration phase, among the detailed information that was acquired were usernames. The information on user accounts gives the system hacking process a point to focus on using a technique known as password cracking. Password cracking is used to obtain the credentials of an account with the intent of using the information to gain access to the system as an authorized user.

To understand why password cracking is successful, think of how and why passwords are used. Passwords are designed to be something that an individual can easily remember and at the same time not be something easily guessed. Herein lies the problem. In practice, individuals will tend to use passwords that are easy to guess or susceptible to cracking methods such as those introduced in this section. Some examples of passwords that lend themselves to cracking include the following:

  • Passwords that use only numbers

  • Passwords that use only letters

  • Passwords that are only upper- or lowercase

  • Passwords that use proper names

  • Passwords that use dictionary words

  • Short passwords (fewer than eight characters)

Passwords that adhere closely to any of the points on this list lend themselves to quick and easy password cracking methods. Passwords that avoid any of these points tend to be less easy to crack, but not impossible, as the techniques discussed in this section will demonstrate.
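The following Python policy checker is an added example, not code from the chapter: it flags each weak-password category in the list above, and also catches the reversed-word form that the dictionary and hybrid attacks described later in this section would catch. The DICTIONARY and PROPER_NAMES sets are constructed stand-ins for the real wordlists a checker would load.

```python
# Added example: a password-policy check for the weak categories listed in the
# chapter. DICTIONARY and PROPER_NAMES are constructed stand-ins for real
# wordlists (assumption: a production checker loads these from files).
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}
PROPER_NAMES = {"michael", "jennifer", "london", "ninja"}


def _contains_word(password: str, words: set, min_len: int = 4) -> bool:
    """True if a listed word, or its reversal, appears inside the password
    ignoring case, so 'Summer2024' and 'remmus!' are both caught."""
    lowered = password.lower()
    return any(
        len(w) >= min_len and (w in lowered or w[::-1] in lowered)
        for w in words
    )


def weak_password_reasons(password: str) -> list:
    """Return every reason from the chapter's list that applies, in a fixed
    order, or an empty list if none does."""
    reasons = []
    if len(password) < 8:
        reasons.append("short (fewer than eight characters)")
    if password.isdigit():
        reasons.append("only numbers")
    if password.isalpha():
        reasons.append("only letters")
    letters = [c for c in password if c.isalpha()]
    # "only upper- or lowercase": letters are present but never mix case
    if letters and (all(c.islower() for c in letters)
                    or all(c.isupper() for c in letters)):
        reasons.append("only upper- or lowercase")
    if _contains_word(password, PROPER_NAMES):
        reasons.append("proper name")
    if _contains_word(password, DICTIONARY):
        reasons.append("dictionary word")
    return reasons


def is_acceptable(password: str) -> bool:
    """A password passes the policy only if no weakness is flagged."""
    return not weak_password_reasons(password)


if __name__ == "__main__":
    for candidate in ["1234567", "dragon", "Password1", "JENNIFER99",
                      "Remmus2024", "Tr0ub4dor&3x"]:
        print(f"{candidate!r:16} -> {weak_password_reasons(candidate) or 'OK'}")
```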

Types of Password Cracking

Despite what is seen in movies, TV shows, and other media, password cracking isn't as simple as a hacker sitting in front of a computer running some software and breaking the password. It is much more involved. Password cracking can take one of four forms, all designed to obtain a password that the attacker is not authorized to possess. The following are the four password cracking methods that can be utilized by an attacker:

  • Passive online attacks

  • Active online attacks

  • Offline attacks

  • Nontechnical attacks

Each one of these attacks offers a way of obtaining a password from an unsuspecting party in a different but effective way.

Passive Online Attacks

In passive online attacks, an attacker obtains a password simply by listening for it. This attack can be carried out using two methods: packet sniffing, or man-in-the-middle and replay attacks. These types of attacks are successful if the attacker is willing to be patient and employ the right technique in the correct environment.

Using a packet sniffer is effective, but it can be thwarted by technology that prevents the observation of network traffic. Specifically, packet sniffing will work only if the hosts are on the same collision domain. This is a condition that exists if a hub is used to join the network hosts together; if a switch, bridge, or other type of device is used, the attack will fail.

Other types of passive online attacks utilize a man-in-the-middle or replay attack to capture the password of the target. If a man-in-the-middle attack is used, the attacker must capture traffic from both ends of the communication between two hosts with the intention of capturing and altering the traffic in transit. In a replay attack, the process consists of an attacker capturing traffic using a sniffer, using some process to extract the desired information (in this case, the password), and then using or replaying it later to gain access to a resource.

Active Online Attacks

The next form of attack is known as an active online attack, which consists of more aggressive methods such as brute-force and dictionary attacks. Active online attacks are effective in situations in which the target system has weak or poorly chosen passwords in use. In such cases, active online attacks can crack passwords very quickly.

Note

Brute-force attacks, although effective, are thwarted by preventive techniques such as policies that lock user accounts when a password is entered incorrectly a preset number of times. When policies are in effect that limit unsuccessful logon attempts before locking an account, the effectiveness of a brute-force attack is diminished.

The first type of active online attack is the brute-force attack, which is unsophisticated but can be very effective in the right situation. In this type of attack, all possible combinations of characters are tried until the correct combination is discovered. Given enough time, this type of attack will be successful 100 percent of the time; however, that is also part of the problem—having enough time.

A dictionary attack shares some traits with the brute-force attack. Whereas a brute-force attack attempts all combinations of characters, the dictionary attack tries passwords that are pulled from a predefined list of words. Dictionary attacks are particularly successful in situations in which the passwords in use on a system have been chosen or can be chosen from common words. This type of attack is successful even if the password is a reversed form of a dictionary word, changes certain characters, or even uses tactics such as appending digits to the end of the word. These types of attacks are easy to carry out by an attacker largely due to the availability of the components to perform them, such as password crackers and predefined word lists that can be downloaded and used immediately.

Offline Attacks

Offline attacks are a form of password attack that relies on weaknesses in how passwords are stored on a system. The previous attack types attempted to gain access to a password by capturing it or trying to break it directly; offline attacks go after passwords where they happen to be stored on a system. On most systems, a list of usernames and passwords is stored in some location; if these lists are stored in a plaintext or unencrypted format, an attacker can read the file and gain the credentials. If the list is encrypted or protected, the question becomes "How is it protected?" If the list is using weak encryption methods, it can still be vulnerable.

Four types of offline attacks are available to the attacker, each offering a method that can be used to obtain passwords from a target system. The types of offline attacks available include the two mentioned previously (dictionary and brute-force attacks), and also hybrid and precomputed attacks.

Examples of password crackers in this category include:

  • Cain and Abel—Has the ability to crack password hashes offline. Works with Windows, Cisco, VNC, and other similar passwords.

  • John the Ripper—Cracks UNIX and Windows passwords

  • Pandora—Designed to crack Novell passwords

  • Pwdump3—Extracts password hashes from the SAM database

Dictionary Attacks

Dictionary attacks are similar to active online attacks in that all possible combinations are tried until the correct combination is discovered. The difference between this type of attack and the active online version is how the correct combination is uncovered. In this method, an attacker reads the list of passwords looking for hashes that match the hashed values of words in the dictionary. If the attacker finds a match between the hashed values on the system and the hashed values from a dictionary or wordlist, he or she has found the correct password.

Hybrid Attacks

Hybrid attacks are another form of offline attack that functions much like dictionary attacks, but with an extra level of sophistication. Hybrid attacks start out like a dictionary attack, in which different combinations of words from the dictionary are attempted; if this is unsuccessful at uncovering the password, the process changes. In the next phase of the attack, characters and symbols are added to the combinations of characters to attempt to reveal the password. The attack is designed to be fast and thwart the incorrect or improper use of salting.

Brute-Force Attacks

Brute-force attacks function like online attacks because they attempt all possible combinations or a suspected subset of possible passwords. Brute force has the benefit of always working, but the downside is that it takes a long time. Typically, this method starts using simple combinations of characters and then increases complexity until the password is revealed.

Examples of brute-force password crackers include:

  • Ophcrack

  • Proactive Password Auditor

Precomputed Hashes

Precomputed hashes are used in an attack type known as a rainbow table. Rainbow tables compute every possible combination of characters prior to capturing a password. Once all the passwords have been generated, the attacker can then capture the password hash from the network and compare it with the hashes that have already been generated. With all the hashes generated ahead of time, it becomes a simple matter to compare the captured hash to the ones generated, typically revealing the password within a few moments.

Of course, there's no getting something for nothing, and the case of rainbow tables is no exception. The downside of rainbow tables is that they take time. It takes a substantial period of time, sometimes days, to compute all the hash combinations ahead of time. Another downside of rainbow tables is the lack of ability to crack passwords of unlimited length because generating passwords of increasing length takes increasing amounts of time.

Note

Rainbow tables are an effective method of revealing passwords, but the effectiveness of the method can be diminished through salting. Salting is used in Linux, UNIX, and BSD, but is not used in some of the older Windows authentication mechanisms such as LM and NTLM.

Examples of password crackers that use rainbow tables include:

  • Ophcrack

  • RainbowCrack
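As an added example (not from the chapter), the following Python script puts the dictionary, hybrid, and precomputed-hash attacks described above side by side and shows what the note on salting means in practice: a table built once before any hash is captured matches the unsalted store with a single lookup, matches nothing in the salted store, and recovering the same weak password there costs a fresh round of hashing for every account. SHA-256 stands in for the unsalted LM/NTLM hashes, and the wordlist, accounts, and salts are all constructed.

```python
import hashlib

# Added example: SHA-256 stands in for the chapter's unsalted LM/NTLM hashes;
# WORDLIST, the sample accounts and the salts are constructed for the demo.
WORDLIST = ["password", "summer", "dragon", "welcome", "ninja"]


def unsalted_hash(password: str) -> str:
    """No salt: identical passwords always produce identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-account salt prepended to the password before hashing."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def hybrid_candidates(word: str):
    """A dictionary word plus the mangled forms the chapter mentions:
    capitalised, reversed, and with digits (0-99) appended."""
    yield word
    yield word.capitalize()
    yield word[::-1]
    for n in range(100):
        yield f"{word}{n}"
        yield f"{word.capitalize()}{n}"


def build_lookup_table(wordlist: list) -> dict:
    """Precompute hash -> plaintext once. A real rainbow table stores chains
    rather than every pair, but the point is the same: the work is done
    before any hash is captured and is reusable against any unsalted store."""
    return {unsalted_hash(c): c for w in wordlist for c in hybrid_candidates(w)}


def audit_unsalted(store: dict, table: dict) -> dict:
    """One dictionary lookup per account; no hashing at audit time."""
    return {user: table.get(h) for user, h in store.items()}


def precomputed_hits(store: dict, table: dict) -> int:
    """How many salted hashes the precomputed (unsalted) table still matches."""
    return sum(1 for _salt, h in store.values() if h in table)


def audit_salted(store: dict, wordlist: list):
    """With salts, each account forces the candidate set to be re-hashed.
    Returns (results, number_of_hashes_computed)."""
    results, computed = {}, 0
    for user, (salt, h) in store.items():
        results[user] = None
        for word in wordlist:
            for cand in hybrid_candidates(word):
                computed += 1
                if salted_hash(cand, salt) == h:
                    results[user] = cand
                    break
            if results[user] is not None:
                break
    return results, computed


# Constructed sample stores: alice and bob share a weak password, carol does not.
SAMPLE_UNSALTED = {
    "alice": unsalted_hash("Summer7"),
    "bob": unsalted_hash("Summer7"),
    "carol": unsalted_hash("Tr0ub4dor&3x"),
}
SAMPLE_SALTS = {"alice": b"\x11" * 8, "bob": b"\x22" * 8, "carol": b"\x33" * 8}
SAMPLE_SALTED = {
    "alice": (SAMPLE_SALTS["alice"], salted_hash("Summer7", SAMPLE_SALTS["alice"])),
    "bob": (SAMPLE_SALTS["bob"], salted_hash("Summer7", SAMPLE_SALTS["bob"])),
    "carol": (SAMPLE_SALTS["carol"], salted_hash("Tr0ub4dor&3x", SAMPLE_SALTS["carol"])),
}


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted store:", audit_unsalted(SAMPLE_UNSALTED, table))
    print("alice and bob share a hash:", SAMPLE_UNSALTED["alice"] == SAMPLE_UNSALTED["bob"])
    print("table hits against salted store:", precomputed_hits(SAMPLE_SALTED, table))
    results, computed = audit_salted(SAMPLE_SALTED, WORDLIST)
    print("salted store:", results, "after", computed, "fresh hashes")
```

The salted audit still finds "Summer7" for both accounts, which is the other half of the lesson: salting defeats precomputation and hash reuse across accounts, not a weak password.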

Nontechnical Attacks

The last of the password cracking methods is a family of techniques that obtain passwords using nontechnical methods. In some cases, an attacker may choose to use nontechnical methods due to the conditions in the environment or just because it is easier. The nontechnical methods represent a change over previous attacks; where previous attacks relied on attacking the technology, nontechnical methods go after the human who uses the system. In the right hands, nontechnical methods can be as effective as technical methods at obtaining passwords.

Shoulder Surfing

Shoulder surfing is a method of obtaining a password by observing people entering their password. In this attack, the individual wanting to gain access to the password takes a position to see what a user is typing or what is appearing onscreen. Additionally, the attacker may also look for clues in the user's movements that suggest they are looking up a password, such as on a Post-It note or in some other location. To deter this attack, use a privacy screen on the display and always pay attention to your surroundings to see whether anyone is watching.

Keyboard Sniffing

Keyboard sniffing intercepts the password as a user is entering it. This attack can be carried out when users are the victims of keylogging software or if they regularly log onto systems remotely without using any protection.

Social Engineering

Social engineering methods can be used to obtain a password based on trust or ignorance on the user's end. For example, a password may be obtained by an attacker calling an individual, pretending to be the system administrator, and asking for the password. Social engineering is effective because users tend to be trusting; if an individual sounds or acts legitimate, the feeling is that he or she probably is.

Using Password Cracking

Using any of the methods discussed here with any type of password cracking software may sound easy, but there is one item to consider: whose password to crack? Going back to the enumeration phase, it was discussed that usernames could be extracted from the system using any one of a number of software packages or methods. Using these software tools, usernames were uncovered, and at this point the attacker can target a specific account with the password cracking tool of choice.

So which password to crack? Accounts such as the administrator account are targets of opportunity, but so are lower-level accounts such as guest that may not be as heavily defended nor even considered in security planning.

Privilege Escalation

If a password is cracked, the probability of the account being one that has high level access is somewhat low because these types of accounts tend to be well defended. If a lower-level account is cracked, the next step is privilege escalation: to escalate the privileges to a level at which increased access and fewer restrictions are in place such as with the administrator account.

One way to escalate privileges is to identify an account that has the access desired and then change the password. There are several tools that offer this ability, including the following:

  • Active@ Password Changer

  • Trinity Rescue Kit

  • ERD Commander

  • Recovery Console

These utilities function by altering the SAM with the goal of resetting passwords and accounts to settings desired by the attacker.

Active@ Password Changer

The Active@ Password Changer is a utility that performs multiple functions on user accounts, including password resets. The utility can be used to change the password of a targeted user account to a password that the attacker chooses. Using this utility requires the attacker to gain physical access to a system, at which point the system can be rebooted from a universal serial bus (USB) device, floppy, or CD.

Note

The designers of Active@ built it to avoid the lengthy process of reinstalling an operating system when a password reset would do instead. However, as is the case with any tool, it can be used for good or bad. It all depends on the user's intent.

Active@ has the advantage of being able not only to reset passwords, but also to:

  • Re-enable accounts

  • Unlock an account

  • Reset expiration on an account

  • Display all local users on a system

  • Reset administrator account credentials

To change a password using Active@, select a specific user account to view the account information, as seen in Figure 7-2.

To view and change permitted logon days and hours, press the [PgDn] key, as seen in Figure 7-3.

Figure 7-2. Viewing account information.

Select the days and hours on which logons are allowed. Account logon hours are displayed in GMT (Greenwich Mean Time). The time will have to be adjusted for the local time zone where the system resides or for the time zone set on the system.

Press [Y] to save changes, or press [Esc] to leave the previous account information unchanged and return to the previous window (List of accounts). See Figure 7-4.

Resetting a user's password results in the following:

  • The user's password is set to blank.

  • The account is enabled.

  • The password will be set never to expire.

Figure 7-3. Changing logon days and times.

Figure 7-4. List of accounts.

Trinity Rescue Kit

Trinity Rescue Kit (TRK) is a Linux distribution that is specifically designed to be run from a CD or flash drive. TRK was designed to recover and repair both Windows and Linux systems that were otherwise unbootable or unrecoverable. While TRK was designed for benevolent purposes, it can easily be used to escalate privileges by resetting passwords of accounts that you would not otherwise have access to.

Note

The TRK can be used as a follow-on tool to the enumeration techniques discussed earlier. It works best when you know the name of the account to be changed. The enumeration techniques shown previously allow you to browse the accounts on a system and select a target account.

TRK can be used to change a password by booting the target system from a CD or flash drive and entering the TRK environment. Once in the environment, a simple sequence of commands can be executed to reset the password of an account.

The following steps change the password of the Administrator account on a Windows system using the TRK:

  1. At the command line enter the following command:

    winpass -u Administrator
  2. The winpass command will then display a message similar to the following:

    Searching and mounting all file system on local machine
    Windows NT/2K/XP installation(s) found in:
       1: /hda1/Windows
    Make your choice or 'q' to quit [1]:
  3. Type 1 or the number of the location of the Windows folder if more than one install exists.

  4. Press Enter.

  5. Enter the new password or accept TRK's suggestion to set the password to a blank.

  6. You will see this message: "Do you really wish to change it?" Enter Y and press Enter.

  7. Type init 0 to shut down the TRK Linux system.

  8. Reboot.

As you can see, it is possible to change the password of a specific account using TRK in a few steps.

Escalating privileges gives the attacker the ability to perform actions on the system with fewer restrictions and perform tasks that are potentially more damaging. If an attacker gains higher privileges than he or she would have otherwise, it is possible to run applications, perform certain operations, and engage in other actions that have a bigger impact on the system.
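As an added defender-side check (not from the book or from either tool's documentation), the following PowerShell lists local accounts in the state these offline reset tools leave behind: no password required, account enabled, password never expires, plus recently reset passwords and the built-in Administrator and Guest accounts the chapter names as targets. It assumes Windows 10 or Server 2016 or later, where Get-LocalUser is available, and an elevated session; the seven-day window is an assumed value.

```powershell
# Added example: flag local accounts that look like the result of an offline SAM reset
# (blank password, account enabled, password never expires), recently changed passwords,
# and the built-in Administrator/Guest accounts. Assumes Windows 10 / Server 2016+ and an
# elevated session.

function Get-SuspiciousLocalAccounts {
    param(
        # Window for "recently changed" passwords; 7 days is an assumed value, tune to taste.
        [int]$RecentDays = 7
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    foreach ($u in Get-LocalUser) {
        $reasons = @()
        if ($u.Enabled -and -not $u.PasswordRequired) {
            $reasons += 'enabled with no password required'
        }
        # PasswordExpires is empty when "never expires" is set; it is also empty when the
        # local policy defines no maximum password age, so confirm with "net accounts".
        if ($u.Enabled -and $null -eq $u.PasswordExpires) {
            $reasons += 'password never expires'
        }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -gt $cutoff) {
            $reasons += "password set on $($u.PasswordLastSet)"
        }
        # RID 500 is the built-in Administrator, RID 501 the built-in Guest.
        if ($u.SID.Value -match '-50[01]$') {
            $reasons += 'built-in account'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Account = $u.Name
                Enabled = $u.Enabled
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Review the list; anything beyond the expected built-in accounts deserves a closer look.
Get-SuspiciousLocalAccounts | Sort-Object Enabled -Descending | Format-Table -AutoSize
```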

Planting Backdoors

The next step after escalating privileges is to place backdoors on the system so you can come back later and take control of the system repeatedly. An attacker who places a backdoor on a system can use it for all sorts of reasons, depending on specific goals. Some of the reasons for planting backdoors include the following:

  • Placing a rootkit

  • Executing a Trojan

Of course, the question is how to get a backdoor on a system. With the escalated privileges obtained earlier, you have the power to run an application on a system and do so more freely than you would without such privileges. If the privileges obtained previously were administrator (or equivalent), you now have few if any limitations, which means that you can install a backdoor quite easily.

To start the process, you must first run an application remotely. Several tools are available, but for this discussion you will use some of the components of a suite of tools known as PsTools.

Using PsTools

The PsTools suite includes a mixed bag of utilities designed to ease system administration. Among these tools is PsExec, which is designed to run commands interactively or noninteractively on a remote system. Initially, the tool may seem similar to Telnet or remote desktop, but it does not require installation on the local or remote system in order to work. PsExec need only be copied to a folder on the local system and run with the appropriate switches.

Let's take a look at some of the commands that can be used with PsExec:

  • The following command launches an interactive command prompt on a system named \\zelda:

    psexec \\zelda cmd
  • This command executes ipconfig on the remote system with the /all switch, and displays the resulting output locally:

    psexec \\zelda ipconfig /all
  • This command copies the program rootkit.exe to the remote system and executes it interactively:

    psexec \\zelda -c rootkit.exe
  • This command copies the program rootkit.exe to the remote system and executes it interactively using the administrator account on the remote system:

    psexec \\zelda -u administrator -c rootkit.exe

As these commands illustrate, it is possible for an attacker to run an application on a remote system quite easily. The next step is for the attacker to decide just what to do or what to run on the remote system. Some of the common choices are Trojans, rootkits, or backdoors.

Rootkits

A rootkit is a piece of software designed to perform some very powerful and unique tasks on a target system. This software is designed to alter system files and utilities on a victim's system with the intention of changing the way the system behaves. Additionally, a rootkit quite commonly has the capability to hide itself from detection, which makes it quite dangerous.

A rootkit is beneficial to an attacker for a number of reasons, but the biggest benefit is the scope of access the attacker can gain. With a rootkit installed on a system, attackers gain root access to a system, which means that they now have the highest level of access possible on the target system. Once attackers have a rootkit installed, they effectively own the system and can get it to do whatever they want. In fact, a rootkit can be embedded into a system so deeply and with such high levels of access that even the system administrator will be unable to detect its presence. Having root access to a system allows an attacker to do any of the following:

  • Installing a virus at any point—If the virus requires root level access to modify system files, or alter and corrupt data or files, a rootkit can provide the means to do so.

  • Placing a Trojan on a system—Much like viruses, a Trojan may require root level access, so a rootkit will provide the level of access needed to run these types of malware.

  • Installing spyware to track activity—Spyware typically needs to be well placed and well hidden. A rootkit can provide a way to hide spyware such as a keylogger so it is undetectable even to those looking for it.

  • Hiding the attack—A rootkit possesses the ability to alter the behavior of a system any way an attacker wants, so it can be used to hide evidence of an attack. A rootkit can be used to hide files and processes from view by altering system commands to prevent the display or detection of the attack.

  • Maintaining access over the long term—If a rootkit can stay undetected, it is easy for an attacker to maintain access to the system. For an attacker, the challenge is to construct a rootkit to prevent detection by the owner of the system.

  • Monitoring network traffic—A rootkit can install a network sniffer on a system to gain inside information about the activities on a network.

    Note

    Rootkits are dangerous because once a system has become the victim of a rootkit, it can no longer be trusted. A rootkit alters the behavior of a system to such a degree that the information being returned by the system itself has to be considered bogus.

  • Blocking the logging of selected events—To prevent detection, a rootkit can alter the system to prevent the logging of activities related to a rootkit.

  • Redirecting output—A rootkit can be configured to redirect output of commands and other activities to another system.

Above all, a rootkit is an application, and as such it can be run remotely on a target system with a tool such as PsExec. Of course, running a rootkit is one thing; obtaining one is quite another. Currently there exist many ways to get a rootkit, whether it is from a Web site or through a development tool designed to help nonprogrammers create basic rootkits.

Note

Rootkits are a form of what is known as malware, which includes software such as viruses, worms, spyware, and other related miscreants.

Covering Tracks

An attack that can be detected is an attack that can be stopped, which is not a good result for an attacker. To stop an attack from being detected, attackers need to cover their tracks as completely and effectively as possible. Covering tracks needs to be a systematic process in which any evidence of the attack is erased, including logons, log files, error messages, files, and any other evidence that may tip off the owner of the system that something has occurred.

Disabling Auditing

One of the best ways to cover your tracks is to not leave any in the first place. In this case, disabling auditing is a way to do just that. Auditing is designed to allow the detection and tracking of events that are occurring on a system. If auditing is disabled, an attacker can prevent the system owner from detecting the activities that have been carried out. When auditing is enabled, all events that the system owner chooses to track will be placed in the Windows Security Log and can be viewed as needed. An attacker can disable it with the auditpol command included with Windows.

Note

A prepared defender of a system will regularly check event logs to note any unusual activity, such as a change in audit policy. Additionally, a host-based intrusion detection system (IDS) will detect changes in audit policy and in some cases re-enable it.

Using the NULL session technique seen earlier, you can attach to a system remotely and run the command as follows:

auditpol \\<ip address of target> /clear

It is also possible for an attacker to perform what amounts to the surgical removal of entries in the Windows Security Log using tools such as the following:

  • Dumpel

  • Elsave

  • Winzapper

Of course, clearing audit logs isn't the only way to clear tracks because attackers can use rootkits. Using techniques that will be discussed later, you can thwart rootkits to a certain degree, but once rootkits make their way onto a system, sometimes the only reliable way to ensure that a system is free of them is to rebuild that system.
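As an added defender-side example (not from the book, PsTools, or the Windows documentation), the following PowerShell looks for the host-side traces of the PsExec usage shown earlier and of the audit tampering described here, then checks that the audit subcategories a defender relies on are still enabled. It assumes an elevated session on the host under review; the 24-hour window and the list of expected subcategories are assumed values.

```powershell
# Added example: sweep the event logs for host-side traces of PsExec remote execution
# and of auditing tampering, then check the audit policy itself. Assumes an elevated
# PowerShell 5.1+ session on the host under review.
#   System   7045  a service was installed (PsExec installs a PSEXESVC service on the target)
#   Security 4719  system audit policy was changed (auditpol and similar tools)
#   Security 1102  the Security log was cleared (recorded as the first entry of the new log)

function Get-HostTamperingTraces {
    param([int]$Hours = 24)   # assumed window; widen it for a cold review
    $since = (Get-Date).AddHours(-$Hours)

    # Get-WinEvent throws when nothing matches; SilentlyContinue turns that into an empty set.
    $installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
                             -ErrorAction SilentlyContinue
    foreach ($e in $installs) {
        $svc = if ($e.Message -match 'Service Name:\s*(.+)') { $Matches[1].Trim() } else { '?' }
        # PsExec can be run with a custom service name, so an empty result here is not
        # proof of absence; review every unexpected 7045 on a sensitive host.
        if ($e.Message -match 'PSEXESVC') {
            [pscustomobject]@{
                Time = $e.TimeCreated; Log = 'System'; Id = 7045
                Trace = 'PsExec service install'; Detail = $svc
            }
        }
    }

    $audit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719, 1102; StartTime = $since } `
                          -ErrorAction SilentlyContinue
    foreach ($e in $audit) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Log    = 'Security'
            Id     = $e.Id
            Trace  = if ($e.Id -eq 1102) { 'Security log cleared' } else { 'Audit policy changed' }
            Detail = ($e.Message -split "`r?`n")[0].Trim()
        }
    }
}

# auditpol's /r switch emits CSV; ConvertFrom-Csv exposes the 'Subcategory' and
# 'Inclusion Setting' columns. The expected list is an assumption; align it to local policy.
function Test-AuditPolicyBaseline {
    $expected = 'Logon', 'Logoff', 'Audit Policy Change', 'Security State Change'
    $policy = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($name in $expected) {
        $row = $policy | Where-Object { $_.Subcategory -eq $name }
        if (-not $row -or $row.'Inclusion Setting' -eq 'No Auditing') {
            [pscustomobject]@{
                Subcategory = $name
                Setting     = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }
            }
        }
    }
}

Get-HostTamperingTraces | Sort-Object Time | Format-Table -AutoSize
Test-AuditPolicyBaseline | Format-Table -AutoSize   # empty output means the baseline holds
```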

Data Hiding

There are other ways to hide evidence of an attack, such as hiding the files placed on the system. Operating systems provide many methods that can be used to hide files, including file attributes and alternate data streams.

File attributes are a feature of operating systems that allow files to be marked as having certain properties, including read-only and hidden. Files can be flagged as hidden, making for a convenient way of hiding data and preventing detection through simple means such as directory listings or browsing in Windows Explorer. Hiding files in this way does not provide complete protection, however, because more advanced detective techniques can uncover files hidden in this manner.

Another lesser known way of hiding files in Windows is Alternate Data Streams (ADS), which is a feature of the New Technology File System (NTFS). Originally, this feature was designed to ensure interoperability with the Macintosh Hierarchical File System (HFS), but has since been used by hackers. ADS provides the ability to fork or hide file data within existing files without altering the appearance or behavior of a file in any way. In fact, when ADS is used, a file can be hidden from all traditional detection techniques as well as dir and Windows Explorer.

Note

ADS is available only on NTFS volumes, although the version of NTFS does not matter. This feature does not work on other file systems.

In practice, the use of ADS is a major security issue because it is nearly a perfect mechanism for hiding data. Once a piece of data is embedded using ADS and is hidden, it can lie in wait until the attacker decides to run it later on.

The process of creating an ADS is simple:

type ninja.exe > smoke.doc:ninja.exe

Executing this command will take the file ninja.exe and hide it behind the file smoke.doc. At this point, the file is streamed. The next step would be to delete the original file that you just hid, specifically ninja.exe.

As an attacker, to retrieve the file the process is as simple as the following:

start smoke.doc:ninja.exe

This command has the effect of opening the hidden file and executing it.

As a defender, this sounds like bad news because files hidden in this way are impossible to detect using most means. But with the use of some advanced methods they can be detected. Some of the tools that can be used to do this include:

  • Sfind—A forensic tool for finding streamed files

  • LNS—Used for finding ADS streamed files

  • Tripwire—Used to detect changes in files, this tool by nature can detect ADS
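Beyond the dedicated tools listed, PowerShell's built-in NTFS stream support is enough to find and strip an ADS. The following added example (not from the book) scans a directory tree for non-default streams, then reproduces the chapter's hiding step with a constructed file and stream name and shows the scan catching it; it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: enumerate and remove alternate data streams with PowerShell's
# -Stream parameters. Assumes PowerShell 3.0+ on an NTFS volume. The directory,
# file and stream names below are constructed for the demonstration.

function Find-AlternateDataStreams {
    param([string]$Path = '.')
    # -Force also walks files flagged hidden, the other hiding trick described above.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $_.FileName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        # Zone.Identifier is written by browsers on download and is usually benign.
                        Benign = ($_.Stream -eq 'Zone.Identifier')
                    }
                }
        }
}

# Demonstration in a scratch directory: hide text the way the chapter hides ninja.exe,
# show that a plain listing does not reveal it, then find and remove it.
$work = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$doc = Join-Path $work 'smoke.doc'
Set-Content -LiteralPath $doc -Value 'visible document text'
# Equivalent of: type ninja.txt > smoke.doc:ninja.txt
Set-Content -LiteralPath $doc -Stream 'ninja.txt' -Value 'hidden stream content'

Get-ChildItem -LiteralPath $work | Select-Object Name, Length    # lists only smoke.doc
Find-AlternateDataStreams -Path $work | Format-Table -AutoSize  # smoke.doc : ninja.txt

# Inspect the hidden content, then strip the stream. (cmd.exe's "dir /R" also lists streams.)
Get-Content -LiteralPath $doc -Stream 'ninja.txt'
Remove-Item -LiteralPath $doc -Stream 'ninja.txt'
Find-AlternateDataStreams -Path $work                            # returns nothing
```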

Depending on the version of Windows and the system settings in place, an attacker can clear events completely from an event log or remove individual events.

CHAPTER SUMMARY

Enumeration is the process of gathering more detailed information from a target system. Whereas previous information has been gathered without disturbing the target, with enumeration the target is being interacted with, and more detailed information is being returned. Information extracted from a target at this point includes usernames, group information, share names, and other details.

Once the attacker has completed enumeration, he or she begins system hacking. In the system hacking phase, the attacker starts to use the information gathered from the enumeration stage by hacking the services. This stage represents the point at which the attacker is compromising the system.

An attacker who wants to perform more aggressive actions or needs greater access can perform a process known as privilege escalation. In this stage, the attacker gains access to a user account or system and attempts to grant it more access than it would otherwise have by resetting passwords of accounts that have more access or installing software that grants this level of access.

Finally, the attackers cover up their tracks to avoid detection and action by possible countermeasures. They can stop auditing, clear event logs, or surgically remove events from the logs to make things look less suspicious. In this last phase, attackers eliminate the traces of their attack as completely as possible leaving few (if any) behind.

KEY CONCEPTS AND TERMS

  • Backdoor

  • Enumeration

  • Keylogger

  • NULL session

  • Password cracking

  • Privilege escalation

  • Rainbow table

  • Rootkit

  • Security Account Manager (SAM)

  • Simple Network Management Protocol (SNMP)

  • Spyware

  • Virus

CHAPTER 7 ASSESSMENT

  1. Enumeration discovers which ports are open.

    1. True

    2. False

  2. What can enumeration discover?

    1. Services

    2. User accounts

    3. Ports

    4. Shares

  3. _______ involves increasing access on a system.

    1. System hacking

    2. Privilege escalation

    3. Enumeration

    4. Backdoor

  4. _______ is the process of exploiting services on a system.

    1. System hacking

    2. Privilege escalation

    3. Enumeration

    4. Backdoor

  5. How are brute-force attacks performed?

    1. By trying all possible combinations of characters

    2. By trying dictionary words

    3. By capturing hashes

    4. By comparing hashes

  6. A _______ is an offline attack.

    1. Cracking attack

    2. Rainbow attack

    3. Birthday attack

    4. Hashing attack

  7. An attacker can use a(n) _______ to return to a system.

  8. A _______ replaces and alters system files, changing the way a system behaves at a fundamental level.

    1. Rootkit

    2. Virus

    3. Worm

    4. Trojan

  9. A NULL session is used to attach to Windows remotely.

    1. True

    2. False

  10. A(n) _______ is used to reveal passwords.

  11. A _______ is used to store a password.

    1. NULL session

    2. Hash

    3. Rainbow table

    4. Rootkit

  12. A _______ is a file used to store passwords.

    1. Network

    2. SAM

    3. Database

    4. NetBIOS
