Date posted: 02-Jan-2016
Cracking Systems
Computer Science Innovations, LLC
Crack Systems
SET toolkit from Backtrack.
First attack is a Social Engineering attack.
Copy a web-site (mine).
Get someone to go to the site.
Get on their machine.
Go to your backtrack machine.
Control Alt T (for a terminal).
Command cd /pentest/exploits/
Steps Video – Backtrack 5 Applet Attack method
Terminal – cd /pentest/exploits/set; ./set
Update your metasploit and backtrack
Trial and Error is involved. It is not shrink wrapped.
Set up your server --- which is the backtrack payload.
Get someone to your machine... send an email - Chris for a hot time select girls
Girls <a href="http://10.10.1.x">Girls</a>
Getting Someone to Your Backtrack
Phishing email.
Overwrite the DNS Server – so it thinks Facebook is you.
Overwrite the DHCP Server and make you …. the DNS.
Watch Video Again – This time pausing it.
Step one... Forget the nmap stuff.
Step two... Go to set
Step three... Java Applet Attack Vector
Step four.... Facebook template
Step five... www.scottstreit.com copy the site.
What We Do
Java Applet Attack
Site Cloning www.scottstreit.com
– Use www.facebook.com
– Use ????? Next step.... get credentials.
Practice for test …. you guys running it.
Credential Harvesting – Do It
Credential Harvesting Attack, on your teammate.
Do this via set in two ways.
1) Template
2) Site Clone.
Use an email to launch.
Mail: Google has a sender and receiver.
Convention:
There is nothing in SMTP (Simple Mail Transfer Protocol) that says the From has to be real.
With mail on Unix you could specify the From.
So you send an email and make the From --- the President.
Write an application program.
ISPs have turned off port 25.
That means you cannot send mail from your computer as a server. Why do you think they did this?
Stop Spammers.
ARP Poisoning
Application
Presentation
Session
Transport
Network
Datalink --- worked at --------
Physical
Solution
All routers --- all... now prevent MAC Flooding and any type of poisoning.
The tools, ettercap, wireshark... they will attempt
To impact the Datalink Layer, but to no avail.
They will report --- no success.
History
We used to have Bridges... one piece of hardware and Routers … another piece of hardware... and Interconnection (FIOS, cable modem) that was yet a third piece of hardware.
There were distinct attacks on all three. What has happened since? Now, everything is integrated; you essentially get countermeasures and updates automatically.
Lab – We Don't Believe Scott
Ettercap
wireshark
Start with ettercap.. you run it … startx
Command: ettercap -G (you have to run this as root).
So if you go to plugins and check poison, you will see it did not work.
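The way to settle the "we don't believe Scott" question is not to trust the tool's own report but to watch the ARP cache from a host and see whether any IP-to-MAC mapping actually changes while the plugin runs. The following is an added example (not from the class notes or from ettercap) that does that check over a few constructed ARP reply records written in a "time sender_ip is-at sender_mac" form; the addresses are made up, only the 10.10.10.243 host from the notes is reused.

```python
from collections import defaultdict

# Constructed ARP reply records (not real captures). A legitimate gateway
# 10.10.10.1 answers twice with the same MAC, then a third reply claims a
# different MAC for it: that mapping change is what a poisoned cache looks like.
ARP_LOG = """\
10:00:01 10.10.10.1 is-at aa:bb:cc:00:00:01
10:00:05 10.10.10.243 is-at aa:bb:cc:00:02:43
10:00:09 10.10.10.1 is-at aa:bb:cc:00:00:01
10:00:12 10.10.10.1 is-at de:ad:be:ef:00:99
10:00:15 10.10.10.50 is-at aa:bb:cc:00:00:50
"""


def parse_arp_log(text):
    """Turn log lines into (time, ip, mac) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "is-at":
            continue
        records.append((parts[0], parts[1], parts[3].lower()))
    return records


def detect_mapping_changes(records):
    """Return (time, ip, old_mac, new_mac) for every reply that rebinds an IP
    to a different MAC. On a network where poisoning is blocked this list
    stays empty even while ettercap is running."""
    seen = {}
    changes = []
    for ts, ip, mac in records:
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            changes.append((ts, ip, prev, mac))
        seen[ip] = mac
    return changes


def ips_with_multiple_macs(records):
    """Summarise which IPs were ever claimed by more than one MAC."""
    macs = defaultdict(set)
    for _, ip, mac in records:
        macs[ip].add(mac)
    return {ip: sorted(s) for ip, s in macs.items() if len(s) > 1}


if __name__ == "__main__":
    recs = parse_arp_log(ARP_LOG)
    for change in detect_mapping_changes(recs):
        print("mapping changed:", change)
    print(ips_with_multiple_macs(recs))
```

On a real host the input would come from a sniffer's ARP output or from repeated dumps of the ARP cache; an empty result while the poisoning plugin is active is the evidence the lab is looking for.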
More Ettercap
Additionally, the sniffing on a switched network shows nothing.
So you need a broadcast network. So where do we have a broadcast network.
Lab Problem
Problem:
1) You have a virus on a Windows box in the boot sector, you cannot get to the network and you want to get your data files off. How?
2) You forgot the root password on your Unix box, you want to use rainbow tables to find it.
Same answer for both, how do you do this?
Review
Cracking Passwords/Decrypting
Tools/Review
One Way Encryption
Three mechanisms
Brute force... John the Ripper
– Command: sudo apt-get install john
– Industry leader in brute force... all combinations. Fallen out of favor because of the complexity of the algorithms: it could take weeks on an Amazon cluster.
Dictionary Approach – Yesterday. Dictionary words in conjunction with patterns.
One Way Encryption
File transfer ---- big file.... SHA1
Transfer the file -----> same SHA1 or MD5
200 gig file multi-character sum... You cannot reverse it.
Break One Way Encryption
Two mechanisms. One is brute force. You try all the permutations.
Take the MD5 sum of "THE DOG" and check whether that sum is the one you are looking for. If so, you are done; if not, try another.
Long – You may not get a result in your lifetime.
Another Way
Rainbow tables.....
Terabytes of sums..... They are stored as:
Plaintext password, SUM.. When the sum matches. You have the password – likely.
So we have a mechanism to get password more easily.
Vendor, work around?
Make it harder. People are going to use words in their
We have this concept of SALTS... What is that? An injection variable ---> put into the hash to make it more secure.
Both sides need to know the hash, precomputed.
See an Example
root@companion:~# grep scott /etc/shadow
scott:$6$8eyQBVh1$gcCRGBLBgGsBqmbgDAnhD3HVQL9qa3SjBtEhv/U8OglJN36Aip5Vu1j.twDrfGuAOUH68VIdZXYd0OlrUF8gM1:15527:0:99999:7:::
The $6$ says the next thing is the SALT. So 8eyQBVh1 is the SALT.
So Now, How Do We Crack with SALT?
Use a Rainbow table for …. the part after the salt; then we must use brute force for the SALT. So all the Rainbow table algorithms are rendered useless ----- temporarily.
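To make the $6$salt$hash layout concrete, here is an added example (not from the class notes) that parses /etc/shadow entries, reports which scheme and salt each account uses, and flags the entries a defender would act on. The first sample line is the scott entry shown above; the "legacy" and "svc" lines are constructed. The salted_digest function is a deliberately simplified MD5 over salt || password, used only to show that the same password yields a different digest per salt; real sha512crypt is iterated SHA-512 and is not reproduced here.

```python
import hashlib
import re

# /etc/shadow password field layout: $id$salt$hash (id 6 = sha512crypt)
SHADOW_HASH_RE = re.compile(r"^\$(?P<id>[^$]+)\$(?P<salt>[^$]+)\$(?P<hash>[^$]+)$")
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

# First line is the class-notes example; the other two are constructed samples.
SHADOW_SAMPLE = """\
scott:$6$8eyQBVh1$gcCRGBLBgGsBqmbgDAnhD3HVQL9qa3SjBtEhv/U8OglJN36Aip5Vu1j.twDrfGuAOUH68VIdZXYd0OlrUF8gM1:15527:0:99999:7:::
legacy:$1$ab12cd34$0123456789abcdefghijkl:15456:0:99999:7:::
svc::15456:0:99999:7:::
"""


def parse_shadow_entry(line):
    """Return user, scheme id, salt and hash for one /etc/shadow line."""
    fields = line.rstrip("\n").split(":")
    user, pw = fields[0], fields[1]
    m = SHADOW_HASH_RE.match(pw)
    if not m:
        return {"user": user, "id": None, "salt": None, "hash": pw}
    return {"user": user, "id": m["id"], "salt": m["salt"], "hash": m["hash"]}


def scheme_name(entry):
    """Human-readable name of the crypt scheme, or 'unknown'."""
    return CRYPT_IDS.get(entry["id"], "unknown")


def audit_shadow(text):
    """Flag empty password fields and weak (md5crypt) or unrecognised hashes.
    Locked accounts ('!' or '*' in the field) are skipped."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_shadow_entry(line)
        if e["hash"] == "":
            findings.append((e["user"], "empty password field"))
        elif e["hash"].startswith(("!", "*")):
            continue
        elif e["id"] == "1":
            findings.append((e["user"], "md5crypt hash, upgrade to sha512crypt"))
        elif e["id"] is None:
            findings.append((e["user"], "unrecognised or unsalted hash"))
    return findings


def salted_digest(salt, password):
    """Toy salted hash (MD5 over salt || password), for illustration only."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def tables_needed(salt_len, alphabet_size=64):
    """How many separate precomputed tables would cover every possible salt
    of this length: one table per salt value."""
    return alphabet_size ** salt_len


if __name__ == "__main__":
    for line in SHADOW_SAMPLE.splitlines():
        e = parse_shadow_entry(line)
        print(e["user"], scheme_name(e), "salt=", e["salt"])
    print(audit_shadow(SHADOW_SAMPLE))
    print(salted_digest("8eyQBVh1", "hello") != salted_digest("eHcWMokA", "hello"))
    print(tables_needed(8))
```

The tables_needed figure is the point of the salt: an 8-character salt from a 64-symbol alphabet means a table built for one salt value is useless for all the others, which is why the notes say the rainbow-table approach is "rendered useless" for salted hashes.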
Rainbow Tables – Ophcrack, or Rcracki
Both run on all platforms.
Both... do the same thing.
Rcracki works with the new version of Rainbow tables and works on MD5 as well as SHA1.
Ophcrack does not work with newer rainbow tables and it only works with NTLM and other simple passwords.
Standardize on Rcracki
Crack Systems
Take the rc.tgz from my drive. Put it on your computer. Get it to compile.
You have make errors: g++
Install rcracki...
How?
wget 10.10.10.243/rc.tgz
cd
cd /tmp
ls
tar xvfz rc.tgz
cd rcracki_mt_0.6.6_src/
make
history
Pre-setup
sudo apt-get install g++
sudo apt-get install openssl
sudo apt-get install openssl-dev
sudo apt-get install libssl-dev
Access Scott's Drive
Samba ---
Command sudo apt-get install smbclient
Create a directory
Command mkdir /scott
/etc/fstab put in an entry
//10.10.10.243/rainbow /scott cifs uid=root,gid=root,workgroup=StreitFamily,username=scott,password=redskins1992 0 0
Command mount /scott
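The fstab entry above works, but it leaves the share password in a world-readable file. mount.cifs also accepts a credentials= option pointing at a separate file (keys username, password and domain) that only root can read. The following is an added example, not part of the class notes, that writes such a file with 0600 permissions and prints the corresponding fstab line; the host, share and mount point are the ones from the notes, the password is a placeholder, and the credentials path is an assumption.

```python
import os
import stat
import tempfile


def write_cifs_credentials(path, username, password, workgroup):
    """Write a mount.cifs credentials file that only its owner can read."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"username={username}\npassword={password}\ndomain={workgroup}\n")
    os.chmod(path, 0o600)  # tighten even if the file pre-existed with wider mode
    return path


def fstab_entry(cred_path, host="10.10.10.243", share="rainbow", mountpoint="/scott"):
    """Hardened fstab line: password lives in cred_path, not in /etc/fstab."""
    return f"//{host}/{share} {mountpoint} cifs credentials={cred_path},uid=root,gid=root 0 0"


def file_mode(path):
    """Permission bits of a file as an int (0o600 expected)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Create the credentials file in a scratch directory (so this runs
    without root) and return (file mode, fstab line) for inspection."""
    with tempfile.TemporaryDirectory() as d:
        cred = write_cifs_credentials(os.path.join(d, "smb-rainbow"),
                                      "scott", "PLACEHOLDER", "StreitFamily")
        mode = file_mode(cred)
    # Assumed location for the real file on the class machine
    return mode, fstab_entry("/root/.smb-rainbow")


if __name__ == "__main__":
    mode, line = demo()
    print(oct(mode))
    print(line)
```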
Try It!
rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 2 /scott
Steps Download it.
Unzip it.
It is currently not packaged for Ubuntu 12.04. So this means there is no sudo apt-get install.... can't do it. Do we care? No.
Compile ourselves.
When you compile it yourself, you are responsible for maintenance. That means if you load a kernel update, you have to recompile. If it was a package, it would take care of that for you.
Let's Assume I have Downloaded
Unzip it.
Go to root directory and as a normal user (least privilege), run make
Now we need to install it. Run sudo make install
We Have Two Tools – First video is concepts only.
Ophcrack
rcracki
try it out.
Go to your windows box... that is host operating system.
Command window.
Command is: net use * \\10.10.10.234\rainbow
What We Do – Get a hash.... unix /etc/shadow
Take the hash and you search.... for the actual password.
Takes every entry in the rainbow tables and compares it against the hash..
When it matches it takes the plain text... returns it to you.
Much faster to do a string search than it is to compute MD5 or SHA1 encryption.
Faster than brute force.
Computer Science Choices – Process without storing partial results (brute force)
Process using temporary results: entailments.
All computer problems are scaling problems.
Everything a computer does, you can do with a pencil and paper.
Brute force vs. Entailments.
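The "brute force vs. entailments" choice above can be measured directly: brute force recomputes a hash for every candidate on every lookup, while the table approach computes each candidate's hash once and then answers every later lookup with a string comparison. The following added example (not from the class notes) counts hash computations for both strategies over a small constructed candidate list; the hashing is plain unsalted MD5, which is the case where a precomputed table pays off.

```python
import hashlib


class CountingHasher:
    """Wraps MD5 so each strategy's number of digest computations is visible."""

    def __init__(self):
        self.calls = 0

    def md5(self, word):
        self.calls += 1
        return hashlib.md5(word.encode()).hexdigest()


# Constructed candidate list standing in for a dictionary
CANDIDATES = ["password", "hello", "toor", "letmein", "THE DOG"]


def brute_force(target, candidates, hasher):
    """No partial results kept: hash each candidate until one matches."""
    for word in candidates:
        if hasher.md5(word) == target:
            return word
    return None


def precompute(candidates, hasher):
    """Temporary results: hash every candidate once, keyed by digest."""
    return {hasher.md5(word): word for word in candidates}


def lookup(table, target):
    """A table lookup compares strings; it never recomputes a hash."""
    return table.get(target.lower())


def compare_costs(targets):
    """Return (hashes computed by brute force, hashes computed by the table
    approach) for resolving every digest in targets."""
    bf = CountingHasher()
    for t in targets:
        brute_force(t, CANDIDATES, bf)
    tb = CountingHasher()
    table = precompute(CANDIDATES, tb)
    for t in targets:
        lookup(table, t)
    return bf.calls, tb.calls


if __name__ == "__main__":
    h = CountingHasher()
    targets = [h.md5(w) for w in ("toor", "THE DOG", "hello")]
    print(compare_costs(targets))
```

With three lookups the table approach already does fewer hash computations than brute force (5 versus 10), and the gap widens with every further lookup because the table's cost is paid once; that one-time build is what the terabytes of stored sums represent.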
What it Looks Like
Command: vi /etc/shadow
scott:$6$eHcWMokA$Qr3aR4Od7eiLkMmH3GxcPsdF6yUIGZNpXbfsOggb843sTSAySnBiDpJj8NtFu1CUu.kAVUKH8wfetPLJ1Lc91.:15456:0:99999:7:::
hash
Case Study
aghaster@debian:~$ rcracki_mt
usage: rcracki_mt -h hash rainbow_table_pathname
rcracki_mt -l hash_list_file rainbow_table_pathname
rcracki_mt -f pwdump_file rainbow_table_pathname
-r [-s session_name]: resume from previous session, optional session name
rainbow_table_pathname: pathname(s) of the rainbow table(s)
Extra options: -t [nr] use this amount of threads/cores, default is 1
-o [output_file] write (temporary) results to this file
-s [session_name] write session data with this name
-k keep precalculation on disk
-v show debug information
example: rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 2 [path]/MD5
rcracki_mt -l hash.txt [path_to_specific_table]/*
rcracki_mt -f hash.txt -t 4 -o results.txt *.rti
Solution.....
rcracki_mt -c lst_file rainbow_table_pathname
-h hash: use raw hash as input
-l hash_list_file: use hash list file as input, each hash in a line
Best Practice? rcracki
Source: download it
Command: make in the source directory
Command: make install
Run rcracki using the command line options
Take a hash from /etc/shadow
Use my rainbow tables....
Get the password for root... what is the password? Find toor.
Lab
Decrypt a hash in /etc/shadow
Use my rainbow tables.
Choice windows or linux:
Mapped as a windows drive.
Map as Unix Drive.
Solution.....
rcracki_mt -c lst_file rainbow_table_pathname
-h hash: use raw hash as input
-l hash_list_file: use hash list file as input, each hash in a line