Cracking Systems Computer Science Innovations, LLC.

Date post: 02-Jan-2016
Page 1: Cracking Systems Computer Science Innovations, LLC.

Cracking Systems

Computer Science Innovations, LLC

Page 2

Crack Systems

SET (Social-Engineer Toolkit) from BackTrack.

First attack is a social engineering attack.

Copy a web site (mine).

Get someone to go to the site.

Get on their machine.

Go to your BackTrack machine.

Ctrl+Alt+T (for a terminal).

Command: cd /pentest/exploits/

Page 3

Steps

Video – BackTrack 5 Java Applet Attack method

Terminal – cd /pentest/exploits/set; ./set

Update your Metasploit and BackTrack.

Trial and error is involved. It is not shrink-wrapped.

Set up your server --- which is the BackTrack payload.

Get someone to your machine... send an email with a lure, e.g. "Chris, for a hot time select Girls":

Girls <a href="http://10.10.1.x">Girls</a>

Page 4

Getting Someone to Your BackTrack

Phishing email.

Overwrite the DNS server – so the victim resolves Facebook to you.

Overwrite the DHCP server and make you .... the DNS server it hands out.

Page 5

Watch Video Again

This time pausing it.

Step one... Forget the nmap stuff.

Step two... Go to SET.

Step three... Java Applet Attack Vector.

Step four... Facebook template.

Step five... www.scottstreit.com – copy the site.

Page 6

What We Do

Java Applet Attack

Site Cloning: www.scottstreit.com

– Use www.facebook.com

– Use ????? Next step.... get credentials.

Practice for the test.... you guys running it.

Page 7

Credential Harvesting – Do It

Credential harvesting attack, on your teammate.

Do this via SET in two ways:

1) Template

2) Site clone

Use an email to launch it.

Page 8

Mail

Mail: Google has a sender and a receiver.

Convention:

There is nothing in SMTP (Simple Mail Transfer Protocol) that says the From has to be real.

With mail on Unix you could specify the From.

So you send an email and make the From --- the President.

Write an application program.
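What the receiving side does about the point above: since the From: header is free text, mail filters compare it against the envelope sender (Return-Path) the handing-off server actually used. This is an added example, not from the slides; the message is constructed and assumes the receiving MTA has already written the Return-Path header.

```python
import email
from email.utils import parseaddr

# Constructed message: the visible From claims the President's domain, while
# the envelope sender (Return-Path) is the domain that really handed it over.
RAW_MESSAGE = """\
Return-Path: <bounce@mail.example.net>
From: "The President" <president@example.gov>
To: chris@example.com
Subject: Urgent

Please read the attachment.
"""


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def aligned(from_domain, envelope_domain):
    """DMARC-style relaxed alignment: equal, or one a subdomain of the other."""
    if not from_domain or not envelope_domain:
        return False
    return (from_domain == envelope_domain
            or from_domain.endswith("." + envelope_domain)
            or envelope_domain.endswith("." + from_domain))


def check_sender_alignment(raw):
    """Return (from_domain, envelope_domain, aligned) for a raw RFC 5322 message.

    The From header is whatever the sender typed; the envelope sender is what the
    sending server actually used, so a mismatch is the first thing a receiving
    filter flags (SPF and DMARC are built on exactly this comparison).
    """
    msg = email.message_from_string(raw)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    return from_domain, envelope_domain, aligned(from_domain, envelope_domain)


if __name__ == "__main__":
    print(check_sender_alignment(RAW_MESSAGE))
```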

Page 9

ISPs Have Turned Off Port 25

That means you cannot send mail from your computer as a server. Why do you think they did this?

To stop spammers.

Page 10

ARP Poisoning

The OSI layers:

Application

Presentation

Session

Transport

Network

Data link --- ARP poisoning works at this layer --------

Physical

Page 11

Solution

All routers --- all... now prevent MAC flooding and any type of poisoning.

The tools, ettercap, Wireshark... will attempt to impact the data link layer, but to no avail.

They will report --- no success.
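The check that shows whether the protection described above actually held on a given segment: an arpwatch-style monitor that flags an IP whose MAC changes and a single MAC claiming several IPs. Added example, not from the slides; the ARP reply observations are constructed.

```python
# Constructed ARP reply observations (ip, mac) as a monitor on the segment
# would see them; the last two are what a poisoning attempt looks like.
OBSERVED = [
    ("10.10.1.1",  "00:11:22:33:44:01"),   # gateway
    ("10.10.1.20", "00:11:22:33:44:14"),   # a host
    ("10.10.1.1",  "00:11:22:33:44:01"),   # normal repeat, same mapping
    ("10.10.1.1",  "00:11:22:33:44:99"),   # gateway IP now claimed by another MAC
    ("10.10.1.20", "00:11:22:33:44:99"),   # the same MAC also claims the host IP
]


def detect_arp_anomalies(observations):
    """Return alert strings for IP->MAC changes and for one MAC claiming many IPs.

    If the switch really blocks poisoning, this list stays empty; if it does not,
    the alerts are the evidence (and the input for blocking the offending port).
    """
    ip_to_mac = {}
    mac_to_ips = {}
    alerts = []
    for ip, mac in observations:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"changed: {ip} moved from {old} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips.setdefault(mac, set()).add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"multi-ip: {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(OBSERVED):
        print(alert)
```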

Page 12

History

We used to have bridges... one piece of hardware, and routers... another piece of hardware, and the interconnection (FiOS, cable modem) that was yet a third piece of hardware.

There were distinct attacks on all three. What has happened since? Now everything is integrated; you essentially get countermeasures and updates automatically.

Page 13

Lab – We Don't Believe Scott

Ettercap

Wireshark

Start with ettercap... you run it under X (startx).

Command: ettercap -G (you have to run this as root).

So if you go to Plugins and check the poison plugin, you will see it did not work.

Page 14

More Ettercap

Additionally, sniffing on a switched network shows nothing.

So you need a broadcast network. So where do we have a broadcast network?

Page 15

Lab Problem

Problem:

1) You have a virus on a Windows box in the boot sector, you cannot get to the network, and you want to get your data files off. How?

2) You forgot the root password on your Unix box, and you want to use rainbow tables to find it.

Same answer for both: how do you do this?

Page 16

Review

Computer Science Innovations, LLC

Page 17

Cracking Passwords/Decrypting

Computer Science Innovations, LLC

Page 18

Tools/Review

One-Way Encryption

Three mechanisms

Brute force... John the Ripper

– Command: sudo apt-get install john

– Industry leader in brute force... all combinations. Fallen out of favor.... complexity of algorithms; it could take weeks on an Amazon cluster.

Dictionary approach – Yesterday. Dictionary words in conjunction with patterns.

Page 19

One-Way Encryption

File transfer ---- big file.... SHA1

Transfer the file -----> same SHA1 or MD5

200 gig file, multi-character sum... You cannot reverse it.

Page 20

Break One-Way Encryption

Two mechanisms. One is brute force. You try all the permutations.

Take "THE DOG", compute its MD5 sum, and ask: is that sum what you are looking for? If so, you are done; if not... try another.

Long – You may not get a result in your lifetime.

Page 21

Another Way

Rainbow tables.....

Terabytes of sums..... They are stored as

plaintext password, SUM... When the sum matches, you have the password – likely.

So we have a mechanism to get the password more easily.

Page 22

Vendor Workaround?

Make it harder. People are going to use words in their

We have this concept of SALTS... What is that? An injection variable ---> put into the hash to make it more secure.

Both sides need to know the hash, precomputed.

Page 23

See an Example

root@companion:~# grep scott /etc/shadow

scott:$6$8eyQBVh1$gcCRGBLBgGsBqmbgDAnhD3HVQL9qa3SjBtEhv/U8OglJN36Aip5Vu1j.twDrfGuAOUH68VIdZXYd0OlrUF8gM1:15527:0:99999:7:::

The $6$ says the next thing is the SALT. So 8eyQBVh1 is the SALT.

Page 24

So Now, How Do We Crack with SALT?

Use a rainbow table for.... the stuff after the salt, then we must use brute force for the SALT. So all the rainbow table algorithms are rendered useless ----- temporarily.
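An added example (not from the slides) that ties Pages 21, 23 and 24 together: parse the $6$salt$hash field from the shadow line above, do the Page 21 style lookup of an unsalted sum in a precomputed table (the 5d41402a... hash from the rcracki examples is md5("hello")), then show that the same password with a salt misses the table and has to be rehashed per salt. The salted digest is a simplified MD5 stand-in for sha512-crypt, an assumption made to keep the block short.

```python
import hashlib

# Shadow line quoted on the slide; the password field is $6$<salt>$<hash>.
SHADOW_LINE = "scott:$6$8eyQBVh1$gcCRGBLBgGsBqmbgDAnhD3HVQL9qa3SjBtEhv/U8OglJN36Aip5Vu1j.twDrfGuAOUH68VIdZXYd0OlrUF8gM1:15527:0:99999:7:::"

# crypt(3) scheme ids found between the first two '$' signs.
SCHEMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}


def parse_shadow(line):
    """Split one /etc/shadow line into (user, scheme, salt, hash)."""
    user, field = line.split(":")[:2]
    _, scheme_id, salt, digest = field.split("$", 3)
    return user, SCHEMES.get(scheme_id, "unknown"), salt, digest


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


# Constructed stand-in for a rainbow table: precomputed UNSALTED MD5 sums of a
# tiny word list (a real table holds terabytes of such plaintext/sum pairs).
WORDS = ["hello", "password", "toor", "thedog", "letmein"]
TABLE = {md5_hex(w): w for w in WORDS}


def table_lookup(hex_digest):
    """Rainbow-table style crack: a string search, no hashing at crack time."""
    return TABLE.get(hex_digest)


def salted_digest(salt, password):
    """Simplified salted hash (assumption: MD5 over salt+password; real
    sha512-crypt is far slower, but the table miss below is the same)."""
    return md5_hex(salt + password)


def crack_with_salt(salt, hex_digest):
    """With a salt the precomputed table is useless: every candidate has to
    be rehashed with that salt, which is the brute-force work the slide means."""
    for w in WORDS:
        if salted_digest(salt, w) == hex_digest:
            return w
    return None


if __name__ == "__main__":
    print(parse_shadow(SHADOW_LINE)[:3])
    # The MD5 from the slide's rcracki example is in the table: "hello".
    print(table_lookup("5d41402abc4b2a76b9719d911017c592"))
    # The same password, salted, is not found...
    print(table_lookup(salted_digest("8eyQBVh1", "hello")))
    # ...until the candidates are rehashed with that particular salt.
    print(crack_with_salt("8eyQBVh1", salted_digest("8eyQBVh1", "hello")))
```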

Page 25

Rainbow Tables – Ophcrack or rcracki

Both run on all platforms.

Both... do the same thing.

rcracki works with the new version of rainbow tables and works on MD5 as well as SHA1.

Ophcrack does not work with newer rainbow tables, and it only works with NTLM and other simple passwords.

Standardize on rcracki.

Page 26

Crack Systems

Take the rc.tgz from my drive. Put it on your computer... Get it to compile.

You will have make errors: you need g++.

Install rcracki...

Page 27

How?

wget 10.10.10.243/rc.tgz

cd

cd /tmp

ls

tar xvfz rc.tgz

cd rcracki_mt_0.6.6_src/

make

history

Page 28

Pre-setup

sudo apt-get install g++

sudo apt-get install openssl

sudo apt-get install openssl-dev

sudo apt-get install libssl-dev

Page 29

Access Scott's Drive

Samba ---

Command: sudo apt-get install smbclient

Create a directory

Command: mkdir /scott

In /etc/fstab put in an entry (a cifs source is written //server/share):

//10.10.10.243/rainbow /scott cifs uid=root,gid=root,workgroup=StreitFamily,username=scott,password=redskins1992 0 0

Command: mount /scott
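The fstab entry above puts the share password in a file every local user can read. An added fragment (not from the slides) with the form a practitioner would use instead: the credentials= option of mount.cifs pointing at a root-only file, plus ro since the tables are only read; /root/.smbcredentials is an assumed path.

```text
# /etc/fstab: no secret in the world-readable file
//10.10.10.243/rainbow /scott cifs ro,uid=root,gid=root,credentials=/root/.smbcredentials 0 0

# /root/.smbcredentials (assumed path; chmod 600, owned by root)
username=scott
password=<share password>
domain=StreitFamily
```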

Page 30

Try It!

rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 2 /scott

Page 31

Steps

Download it.

Unzip it.

It is currently not packaged for Ubuntu 12.04. So this means there is no sudo apt-get install.... can't do it. Do we care? No.

Compile it ourselves.

When you compile yourself, you are responsible for maintenance. That means if you load a kernel update, you have to recompile. If it were a package, it would take care of that for you.

Page 32

Let's Assume I Have Downloaded It

Unzip it.

Go to the root directory and, as a normal user (least privilege), run make.

Now we need to install it. Run sudo make install.

Page 33

We Have Two Tools

First video is concepts only.

Ophcrack

rcracki

Try it out.

Go to your Windows box... that is the host operating system.

Command window.

Command is: net use * \\10.10.10.234\rainbow

Page 34

What We Do

Get a hash.... Unix /etc/shadow

Take the hash and you search.... for the actual password.

Takes every entry in the rainbow tables and compares it against the hash.

When it matches, it takes the plaintext... returns it to you.

Much faster to do a string search than it is to compute MD5 or SHA1 encryption.

Faster than brute force.

Page 35

Computer Science Choices

Process without storing partial results (brute force).

Process using temporary results: entailments.

All computer problems are scaling problems.

Everything a computer does, you can do with a pencil and paper.

Brute force vs. entailments.

Page 36

What it Looks Like

Command: vi /etc/shadow

scott:$6$eHcWMokA$Qr3aR4Od7eiLkMmH3GxcPsdF6yUIGZNpXbfsOggb843sTSAySnBiDpJj8NtFu1CUu.kAVUKH8wfetPLJ1Lc91.:15456:0:99999:7:::

(the second field is the hash)

Page 37

Case Study

aghaster@debian:~$ rcracki_mt

usage: rcracki_mt -h hash rainbow_table_pathname

rcracki_mt -l hash_list_file rainbow_table_pathname

rcracki_mt -f pwdump_file rainbow_table_pathname

-r [-s session_name]: resume from previous session, optional session name

rainbow_table_pathname: pathname(s) of the rainbow table(s)

Extra options: -t [nr] use this amount of threads/cores, default is 1

-o [output_file] write (temporary) results to this file

-s [session_name] write session data with this name

-k keep precalculation on disk

-v show debug information

example: rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 2 [path]/MD5

rcracki_mt -l hash.txt [path_to_specific_table]/*

rcracki_mt -f hash.txt -t 4 -o results.txt *.rti

Page 38

Solution.....

rcracki_mt -c lst_file rainbow_table_pathname

-h hash: use raw hash as input

-l hash_list_file: use hash list file as input, each hash in a line

Page 39

Best Practice? rcracki

Source: download it

Command: make in the source directory

Command: make install

Run rcracki using the command line options

Take a hash from /etc/shadow

Use my rainbow tables....

Get the password: root... what is the password? Find "toor".

Page 40

Lab

Decrypt a hash in /etc/shadow.

Use my rainbow tables.

Choice: Windows or Linux:

Mapped as a Windows drive.

Mapped as a Unix drive.

Page 41

Solution.....

rcracki_mt -c lst_file rainbow_table_pathname

-h hash: use raw hash as input

-l hash_list_file: use hash list file as input, each hash in a line
