Gain and Maintain Access


DOI: 10.4018/978-1-5225-7628-0.ch007

Abstract

The gaining access phase in the ethical hacking process focuses on getting access to individual hosts on a network based on the information collected during the previous phases. The actual attacking starts in this phase, where an attacker carries out password cracking/password sniffing attacks along with privilege escalation attacks to gain administrative privileges on the target host, bypassing computer security. Once access is gained, maintaining that access on compromised hosts becomes important for an attacker in order to carry out future attacks. This chapter includes a study of tools and techniques like password cracking or social engineering attacks used to gain access to target machines based on the information collected during the previous phases. The chapter also introduces the tools and techniques used for escalating privileges by exploiting vulnerabilities and executing spyware/backdoor/keylogger/rootkit/trojan applications, etc. The chapter also explains the techniques used to maintain access on compromised hosts, to cover tracks/evidence, and methods to avoid detection. An attacker may use rootkits during this phase to hide his presence and maintain access to the compromised hosts. An attacker may hide files using rootkits/steganographic techniques, hide directories, hide attributes, use alternate data streams (ADS), place backdoors, and cover tracks by modifying/deleting log files. All these techniques are explained in this chapter.

Chapter Preview

Gain Access By Password Cracking Attacks

Password attacks like password cracking/guessing can be used to retrieve passwords from host systems. Weak or easily guessable passwords help attackers gain access to hosts easily (Li, Wang, & Sun, 2017). As discussed in Chapter 3, the Security Account Manager (SAM) database is part of the registry and stores users' passwords in Windows operating systems like Windows XP, Windows Vista, Windows 7, 8.1 and 10, etc. Open the registry editor by typing "regedit" in the Windows Start/Run box. Go to the HKEY_LOCAL_MACHINE\SECURITY\SAM subkey (which is also duplicated to the HKEY_LOCAL_MACHINE\SAM subkey) to see the SAM database location as shown in Figure 1. At the file-system level, the SAM registry files are stored together with the rest of the registry files under the %systemroot%\system32\config directory.

Figure 1.

Registry Editor: SAM Database

SAM database files are locked to all accounts while Windows is running; hence, to copy the database, an attacker either exports the registry hive or boots the target machine into another OS and copies the SAM files. The SAM database contains encrypted/hashed passwords. Windows-based computers use two password hashing methods: LAN Manager (LM) and NT LAN Manager (NTLM) (MICROSOFT_A, 2018). The LM hash is the older method, but newer operating systems still support it for backwards compatibility. This method is disabled by default in Windows Vista and Windows 7. In this method, the user's password is first converted to all uppercase letters and null characters are appended until it is 14 characters long. The padded password is then split into two 7-character halves, and each half is used to create a DES encryption key, with a parity bit added to each. This 64-bit key is vulnerable to brute-force cracking attempts. NTLM is the Microsoft authentication protocol that relies on MD4 hashing (stronger than DES) and allows longer passwords. It distinguishes between uppercase and lowercase letters and does not split the password into smaller, easier-to-crack chunks. Microsoft has upgraded its default LM/NTLM authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM. However, the Windows password authentication system does not use password salting. Hence, if a user uses the same password on two different machines, or two different users use the same password on the same machine, the corresponding hashes will be identical. Thus they are easy to crack, and once one is compromised, every such account is at risk. Password salting is a technique in which a random value is generated and combined with the password when its hash is computed. This means that the same password can have two completely different hash values, which enhances the security of the system.

Microsoft offers the SysKey utility to secure the SAM database by moving the SAM database encryption key off the Windows-based computer. At a command prompt, type "syskey" to enable encryption of the SAM database. The SysKey utility can also be used to configure a start-up password that must be entered to decrypt the system key so that Windows can access the SAM database.
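The LM preparation steps described above (uppercase folding, NUL padding to 14 bytes, splitting into two 7-byte halves, and expanding each half into a parity-bit DES key), written out as an added example that is not the chapter's own code. The final DES encryption of each half is left out; the key material alone already shows why the scheme is weak and why, with no salt, two accounts sharing a password get the same hash.

```python
# Added example, not from the chapter: LM password preparation and DES key
# expansion, reconstructed from the public description of the LM scheme.

LM_MAX_LEN = 14  # LM never looks at more than 14 characters


def lm_prepare(password: str) -> bytes:
    """Uppercase the password and NUL-pad or truncate it to exactly 14 bytes."""
    raw = password.upper().encode("ascii", errors="replace")[:LM_MAX_LEN]
    return raw.ljust(LM_MAX_LEN, b"\x00")


def expand_des_key(half: bytes) -> bytes:
    """Expand a 7-byte (56-bit) half into the 8-byte key DES expects.

    Each output byte carries the next 7 key bits in its upper bits and an
    odd-parity bit in its lowest bit. The parity bit adds no secrecy, so the
    key still holds only 56 bits of password-derived material.
    """
    if len(half) != 7:
        raise ValueError("LM half must be exactly 7 bytes")
    bits = int.from_bytes(half, "big")
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F  # take the next 7 bits
        byte = seven << 1                      # low bit reserved for parity
        if bin(seven).count("1") % 2 == 0:     # make the byte's parity odd
            byte |= 1
        key.append(byte)
    return bytes(key)


def lm_des_keys(password: str) -> tuple:
    """Return the two independent DES keys LM derives from one password.

    No salt is involved, so two accounts with the same password always get
    the same pair of keys and therefore the same LM hash.
    """
    padded = lm_prepare(password)
    return expand_des_key(padded[:7]), expand_des_key(padded[7:])


def second_half_is_empty(password: str) -> bool:
    """True for passwords of at most 7 characters: the second DES key is then
    derived from seven NUL bytes, so that half of the hash is a constant."""
    return lm_prepare(password)[7:] == b"\x00" * 7
```

Because each half is keyed independently, a cracker can attack the two 7-character halves separately instead of the full 14-character password.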

Password attacks can be categorized into Non-Electronic Attacks, Active Online Attacks, Passive Online Attacks and Offline Attacks.
