Password Cracking: Wire Sniffing: Ethical Hacking Associate Information Security Threats Attacks
Module 04 Page 149 Ethical Hacking Associate Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking Associate
Information Security Threats and Attacks
• Sniff credentials off the wire while logging in to a server and then replay them to gain access
In a MITM attack, the attacker acquires access to the communication channel between the
victim and the server to extract the information.
In a replay attack, packets and authentication tokens are captured using a sniffer. After the
relevant information is extracted, the tokens are placed back on the network to gain access.
Considerations:
1. Relatively hard to perpetrate
2. Must be trusted by one or both sides
3. Can sometimes be broken by invalidating traffic
Type the following commands to access the text file from a directory:
C:\> FOR /F ... in (credentials.txt)
More? ...
More? echo ... outfile.txt
(The FOR /F options and the body of the loop are not legible in the source.)
The outfile.txt contains the correct user name and password if the user name and password
in credentials.txt are correct. An attacker can then establish an open session with the victim
server from his/her own system.
Trojan/Spyware/Keylogger runs in the background and sends back all user credentials to the attacker
system. With a Trojan, attackers can gain remote access and perform various operations
limited by user privileges on the target computer.
Spyware is a type of malware that attackers install on a computer to secretly gather
information about its users without their knowledge. Spyware hides itself from the user and
can be difficult to detect.
A keylogger is a program that records all user keystrokes without the user's knowledge.
Keyloggers ship the log of user keystrokes to an attacker machine or hide it in the victim's
machine for later retrieval. The attacker then scrutinizes the log carefully to find passwords
or other useful information that could compromise the system.
An attacker installs Trojan/Spyware/Keylogger on a victim's machine to collect the victim's
user names and passwords. These programs run in the background and send back all user
credentials to the attacker.
For example, a keylogger on a victim's computer is capable of revealing the contents of all
user emails. The picture given in the slide depicts a scenario describing how an attacker gains
password access using a Trojan/Spyware/Keylogger.
Non-Electronic Attacks
Non-electronic, or non-technical, attacks do not require technical knowledge of methods of
system intrusion. There are four types of non-electronic attacks: social engineering, shoulder
surfing, keyboard sniffing, and dumpster diving.
Dumpster Diving
Default Passwords
Default passwords are those supplied by manufacturers with new equipment (e.g. switches,
hubs, routers). Usually, default passwords provided by the manufacturers of
password-protected devices allow the user to access the device during initial setup and then
change the password. But often, an administrator will either forget to set the new password
or ignore the password-change recommendation and continue using the original password.
Attackers can exploit this lapse and find the default password for the target device from
manufacturer websites or from online tools that list default passwords, and use it to
access the target device. Attackers also include default passwords in the word list or
dictionary that they use to perform password guessing attacks.
The following are some of the online tools to search default passwords:
http://open-sez.me
https://www.fortypoundhead.com
https://cirt.net
http://www.defaultpassword.us
http://defaultpasswords.in
http://www.routerpasswords.com
http://www.defaultpassword.com
https://default-password.info
• Displays real-time reports in a separate, tabbed interface and displays auditing results
based on the auditing method, risk severity, and password character sets
• Displays password risk status in four different categories: Empty, High Risk, Medium
Risk, and Low Risk
• Reports the completion of the various password character sets being audited, including
Alpha, Alphanumeric, Alphanumeric/Symbol, and Alphanumeric/Symbol/International
• Reports the overall length of the discovered password by account
• Delivers a summary report of password statistics such as Locked, Disabled, Expired, or if
the password is older than 180 days
• Delivers an audit summary for the number of accounts cracked and the number of
domains audited
• Cracks foreign passwords using foreign character sets for brute-force attacks, as well
as foreign dictionary files
• Dumps and loads hashes from an encrypted SAM recovered from a Windows partition
• Provides full time-memory tradeoff tool suites including rainbow table generation,
sort, conversion, and lookup
• Offers a unified rainbow table file format on all supported operating systems
• Includes a command-line user interface and a graphical user interface
• Supports computation on multi-core processors
• Supports rainbow tables for the LM, NTLM, MD5 and SHA1 hash algorithms, in raw file
format (.rt) and compact file format (.rtc) of any charset
How to Defend against Password Cracking?
• Use a random string (salt) as a password prefix or suffix before encrypting. It nullifies
pre-computation and memorization. Because the salt is usually different for each
individual, it is impractical for attackers to construct tables with a single encrypted
version of each candidate password. UNIX systems usually use a 12-bit salt.
• Enable SYSKEY with a strong password to encrypt and protect the SAM database.
Usually, the password information of user accounts is stored in the SAM database, and it
is very easy for password-cracking software to target the SAM database to access
passwords. SYSKEY protects password information stored in the SAM database against
password-cracking software through strong encryption techniques. It is more difficult
to crack encrypted passwords than unencrypted ones.
• Never use personal information (e.g., birth date, or a spouse's, child's, or pet's name)
to create passwords. Otherwise, it becomes quite easy for those close to you to crack
those passwords.
• Monitor the server's logs for brute-force attacks on user accounts. Though brute-force
attacks are difficult to stop, they are easily detectable by monitoring the web server
log. For each unsuccessful login attempt, an HTTP 401 status code is recorded in the web
server logs.
• Lock out an account that has been subjected to too many incorrect password guesses.
This provides protection against brute-force and guessing attacks.
• Many password sniffers can be successful if LAN Manager and NTLM authentication
are used. Disable the LAN Manager and NTLM authentication protocols only after making
sure that doing so does not affect the network.
• Perform a periodic audit of passwords in the organization.
• Check any suspicious application that stores passwords in memory or writes them to
disk.
• Unpatched systems can reset passwords during buffer overflow or Denial of Service
attacks. Make sure to update the system.
• Examine whether the account is in use, deleted or disabled. Disable the user account
if multiple failed login attempts are detected.
• Enable account lockout with a certain number of attempts, counter time, and lockout
duration.
• One of the most effective ways to manage passwords in organizations is to set an
automated password reset.
• Make the system BIOS password-protected, particularly on devices that are
susceptible to physical threats, such as servers and laptops.
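Why a per-user salt defeats the pre-computation described in the first defence above, shown as an added example rather than material from the course page. It uses SHA-256, a constructed five-word dictionary and constructed user passwords; only the 12-bit salt figure comes from the page.

```python
import hashlib
import os

# Constructed candidate list standing in for an attacker's dictionary (not from the page).
CANDIDATES = ["password", "letmein", "admin123", "qwerty", "welcome1"]
# Constructed stored passwords: two weak ones plus one outside the dictionary.
USER_PASSWORDS = ["letmein", "qwerty", "N0t-in-list!"]

def unsalted_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

def salted_hash(pw: str, salt: bytes) -> str:
    # Salt used as a prefix, as the defence above describes.
    return hashlib.sha256(salt + pw.encode()).hexdigest()

def build_table(candidates):
    """Precompute hash -> candidate once; reusable against every unsalted hash."""
    return {unsalted_hash(pw): pw for pw in candidates}

def crack_unsalted(table, stored_hashes):
    """Pure lookups: the precomputed table recovers matches with no new hashing."""
    return {h: table[h] for h in stored_hashes if h in table}

def crack_salted(candidates, records):
    """records: (salt, hash) pairs. The table is useless here, so each record
    costs up to len(candidates) fresh hashes. Returns (recovered, hashes computed)."""
    recovered, work = {}, 0
    for salt, h in records:
        for pw in candidates:
            work += 1
            if salted_hash(pw, salt) == h:
                recovered[h] = pw
                break
    return recovered, work

def tables_needed(salt_bits: int) -> int:
    """Precomputed tables an attacker would need to cover every possible salt value."""
    return 2 ** salt_bits

def demo():
    table = build_table(CANDIDATES)
    hits = crack_unsalted(table, [unsalted_hash(p) for p in USER_PASSWORDS])
    # Same users, each hashed under a fresh random salt.
    salted = [(s, salted_hash(p, s)) for p in USER_PASSWORDS for s in [os.urandom(2)]]
    misses = crack_unsalted(table, [h for _, h in salted])   # table never matches
    recovered, work = crack_salted(CANDIDATES, salted)      # 2 + 4 + 5 = 11 hashes
    return len(hits), len(misses), len(recovered), work     # (2, 0, 2, 11)
```

With a 12-bit salt, `tables_needed(12)` is 4096: an attacker must build and store that many tables, or abandon pre-computation and hash the dictionary again for every user.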
Scanning
Scanning is an attack performed to locate and identify communication channels that are
vulnerable. The main idea of scanning is to discover exploitable communication channels, to
probe as many listeners as possible, and to keep track of the ones that are responsive or
useful to the attacker's needs. While scanning, the attacker tries to find various ways to
intrude into the target system. The attacker may also try to discover more about the target
system by finding out which operating system is used, which services are running, and whether
any configuration lapses are present. Based on the facts gathered, the attacker launches the
attack with an appropriate strategy.
The various types of scanning are as follows:
Port Scanning
A port scan is a series of messages sent by someone attempting to break into a
computer to learn which computer network services the computer provides (each
service is associated with a "well-known" port number). Port scanning involves
connecting to TCP and UDP ports on the target system to determine the services
running. The listening state gives an idea of the operating system and the application
in use.
Network Scanning
Network scanning is a procedure for identifying the active hosts on a network, either
to attack them or as a network security assessment.
• Vulnerability Scanning
Vulnerability scanning is an automated process that proactively identifies
vulnerabilities of computing systems in a network in order to determine where a
system can be exploited and/or threatened. A vulnerability scanner consists of a scanning
engine and a catalog. The catalog consists of a list of common files with known
vulnerabilities and common exploits for a range of servers. For example, the
vulnerability scanner could look for backup files or directory traversal exploits.
The scanning engine handles the logic for reading the catalog of exploits, sending the
requests to the web server, and interpreting the responses to determine if the server is
vulnerable. These tools generally target vulnerabilities that can be fixed by secure host
configurations, updated security patches, and a clean web document.
Scanning Countermeasures
The network firewall should be good enough to detect the probes that an attacker sends to
scan the network, so the firewall should carry out stateful inspection with a specific rule
set. Some firewalls do a better job than others in detecting stealth scans; e.g., many
firewalls have specific options to detect SYN scans while others completely ignore FIN scans.
Network intrusion detection systems should be used to find the OS detection methods used
by tools such as Nmap. Snort (http://www.snort.org) is an IDS that can be helpful, because
signatures are often available from public authors and it is free. Only the ports needed
should be kept open and the rest should be filtered, as the intruder may try to enter through
any open port. Sensitive information that does not need to be disclosed to the public on the
Internet should not be displayed, as it gives the attacker a good database from which to plan
an attack on that network/system.
Up-to-date vulnerability databases are available which give information about the latest
security loopholes, so tools having such databases should be used so that the information
can be obtained and acted on. These tools update their databases automatically.
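As an added example (not the course's own material) of the probe detection that the firewall and IDS paragraphs above call for, the following checks constructed connection records for two signatures: one source touching many distinct ports on a host, and the FIN-only, NULL and XMAS flag combinations that SYN-oriented rules miss.

```python
from collections import defaultdict

# Constructed firewall connection records (src, dst, dport, tcp_flags); not from the page.
# tcp_flags lists the set flag letters: "S" = SYN only, "F" = FIN only, "" = none set.
EVENTS = [
    ("203.0.113.7", "192.0.2.10", 21, "S"),
    ("203.0.113.7", "192.0.2.10", 22, "S"),
    ("203.0.113.7", "192.0.2.10", 23, "S"),
    ("203.0.113.7", "192.0.2.10", 25, "S"),
    ("203.0.113.7", "192.0.2.10", 80, "S"),
    ("203.0.113.7", "192.0.2.10", 443, "S"),
    ("198.51.100.9", "192.0.2.10", 80, "F"),      # FIN-only probe
    ("198.51.100.9", "192.0.2.10", 443, ""),      # NULL probe
    ("192.0.2.33", "192.0.2.10", 443, "S"),       # ordinary client connection
    ("192.0.2.33", "192.0.2.10", 443, "A"),
]

# Flag combinations that never occur in a legitimate TCP handshake; a stateful
# firewall or IDS can flag these even when a plain SYN-count rule would not.
STEALTH = {frozenset("F"): "FIN scan", frozenset(): "NULL scan", frozenset("FPU"): "XMAS scan"}

def stealth_flag_hits(events):
    """Return (src, dst, port, label) for every packet whose flags match a stealth-scan pattern."""
    return [(s, d, p, STEALTH[frozenset(f)]) for s, d, p, f in events if frozenset(f) in STEALTH]

def port_scan_sources(events, min_ports=5):
    """Return {(src, dst): distinct_ports} for sources probing >= min_ports ports on one host.
    Counting distinct ports (not packets) keeps a busy but legitimate client below threshold."""
    seen = defaultdict(set)
    for src, dst, port, _ in events:
        seen[(src, dst)].add(port)
    return {pair: len(ports) for pair, ports in seen.items() if len(ports) >= min_ports}

def report(events):
    """Combine both checks into one findings list an analyst could review."""
    findings = [f"{src} -> {dst}: {n} distinct ports probed"
                for (src, dst), n in port_scan_sources(events).items()]
    findings += [f"{src} -> {dst}:{port}: {label}"
                 for src, dst, port, label in stealth_flag_hits(events)]
    return findings
```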
Denial-of-Service (DoS)
DoS is an attack on a computer or network that reduces, restricts, or prevents accessibility of
system resources to its legitimate users. In a DoS attack, attackers flood a victim's system
with non-legitimate service requests or traffic to overload its resources, bringing the system
down, leading to unavailability of the victim's website or at least significantly slowing the
victim's system or network performance. The goal of a DoS attack is not to gain
unauthorized access to a system or to corrupt data; it is to keep the legitimate users from
using the system.
The following are examples of types of DoS attacks:
• Flooding the victim's system with more traffic than can be handled
• Flooding a service (e.g., internet relay chat (IRC)) with more events than it can handle
• Crashing a transmission control protocol (TCP)/internet protocol (IP) stack by sending
corrupt packets
• Crashing a service by interacting with it in an unexpected way
• Hanging a system by causing it to go into an infinite loop
DoS attacks come in a variety of forms and target a variety of services. The attacks may
cause the following:
• Consumption of scarce and nonrenewable resources
• Consumption of bandwidth, disk space, CPU time, or data structures