
Topic 5 – ET0741

Network Hacking
(System Hacking)

ET0741 Network Hacking


Official (Open)

OBJECTIVES

▪ Hacking methodology
▪ Explain the techniques used to gain access to a target system
▪ Explain privilege escalation

Vulnerability
▪ A security vulnerability is a weakness, flaw, or error found within a security system that has the potential to be leveraged by a threat agent in order to compromise a secure network.
https://www.rapid7.com/fundamentals/vulnerabilities-exploits-threats/

▪ The next step is to search for exploits associated with that vulnerability.

Exploit
▪ A program, or piece of code, designed to find and take advantage of a security flaw or vulnerability in an application or computer system.

https://www.cisco.com/c/en/us/products/security/advanced-malware-protection/what-is-exploit.html

Payload
▪ Software components that inject the malicious software into systems or networks
https://turingpoint.de/en/blog/malware-what-is-a-payload/

▪ Delete or modify files
▪ Create a backdoor
▪ Privilege escalation
▪ Etc.
Note: the payload is what you use to attack after getting into a system.

Search for Exploits
▪ After scanning and enumeration, search for ways to exploit vulnerabilities using online resources
▪ Exploit-DB
▪ An archive of exploits maintained for the purpose of public security; the site explains what can be found in the database.
▪ CXSecurity
▪ Provides direct access to the latest exploits from a web-based interface.
▪ Vulnerability-Lab
▪ Provides a large vulnerability database complete with exploits and PoCs for research purposes
Note: PoC code in exploits.

Exploit-DB

▪ Online resources
▪ Exploit Database (https://exploit-db.com)
▪ Example: search for exploits for EternalBlue

Metasploit

▪ Preinstalled with Kali
▪ Exploit framework
▪ Provides tools to develop and execute exploits
▪ Many modules available for testing systems and networks
▪ Owned by Rapid7 (https://www.rapid7.com/products/metasploit/)

Exploit Search Tools

▪ Exploit search tool in Kali
▪ searchsploit is the command-line search tool

Exploit Search Tools

▪ EternalBlue
Note: SMB version 1 is the vulnerability related to EternalBlue.
▪ Exploit developed by the U.S. National Security Agency (NSA)
▪ Leaked by the Shadow Brokers hacker group on April 14, 2017
▪ WannaCry ransomware used this exploit to attack unpatched computers.
https://en.wikipedia.org/wiki/EternalBlue

Exploit Search Tools

▪ Exploit search tools in Kali with Metasploit
Note: choose a module based on the requirement.
Note: getting the system's shell makes it very easy for people to access internal info.

Exploits from Metasploit

▪ Running an exploit in Metasploit

Exploits from Metasploit

▪ Successful exploit with Metasploit
▪ Meterpreter session is established

Metasploit Meterpreter
Note: Meterpreter is a shell, like the cmd prompt.

▪ Payload which provides a shell for an attacker.
▪ Allows the attacker to execute commands on the target system.
▪ Meterpreter is memory resident; nothing is written to disk.
▪ Not all exploits can provide a Meterpreter shell.

Harvesting Passwords

▪ Information to harvest after exploiting a target:
▪ Passwords
▪ Download/modify files
▪ etc.
▪ Meterpreter provides commands to grab passwords:
▪ hashdump
▪ Mimikatz

Hashdump

▪ When executed on the target system (Windows) via Meterpreter, gathers:
▪ Username
▪ User identifier
▪ Hash value of passwords
Note: 500 is the identifier (RID, the last component of the SID) of the built-in Administrator account.
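The three fields above arrive in the familiar `username:RID:LM:NT:::` line format. The parser below is an added example written for this page, not code from the slides or from Metasploit; the sample lines are constructed. It reads hashdump-style output and reports what a defender auditing their own dump would look for first: the RID 500 account, accounts whose NT hash is the well-known hash of the empty password, and accounts that still store a real LM hash (the LM value `aad3b...` means "no LM hash", which is the expected state on a modern host).

```python
import re

# Constructed sample in hashdump / pwdump format (not from any real system):
# username:RID:LM_hash:NT_hash:::
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
this line is not a hashdump entry and is skipped
"""

# Public, well-known constants: the LM field used when no LM hash is stored,
# and the NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
ADMIN_RID = 500

LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_hashdump(text):
    """Parse hashdump lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entries):
    """Return (user, issue) findings: built-in admin, empty passwords, stored LM hashes."""
    findings = []
    for e in entries:
        if e["rid"] == ADMIN_RID:
            findings.append((e["user"], "built-in Administrator (RID 500)"))
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "empty password"))
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"], "LM hash stored (weak legacy hash)"))
    return findings


if __name__ == "__main__":
    for user, issue in audit(parse_hashdump(SAMPLE_HASHDUMP)):
        print(f"{user}: {issue}")
```

Run as a script it prints one line per finding; the same functions can be pointed at a real dump taken during an authorised assessment to produce the remediation list (disable or rename RID 500, set passwords on empty accounts, turn off LM hash storage).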

Mimikatz
▪ Password harvesting using Mimikatz
▪ Load the mimikatz module in the Meterpreter session.
▪ Execute the creds_msv command to gather passwords

Password Cracking

▪ Gathered password hashes are not very useful on their own
▪ Need to crack the password hashes
▪ Common cracking tools
▪ John the Ripper
▪ Ophcrack
▪ Hashcat
Note: a payload is a piece of code that is run after exploiting the system; the payload stage is done before password cracking.

John the Ripper

▪ Offline password cracking tool
▪ Single crack mode
▪ Gathers information from the different fields in the password file, applies mangling rules and tries the results as passwords
▪ Wordlist mode
▪ Takes input from a wordlist and tries each entry as a password
▪ Incremental mode
▪ Tries every possible combination of characters.

John the Ripper

▪ Detects the password hash type
▪ Using single crack mode
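Hash-type detection is mostly pattern matching on the hash string itself. The function below is an added illustration written for this page (it is not John's own detection code and does not reproduce its format list): self-describing crypt(3) prefixes such as `$1$`, `$6$` or `$2b$` are unambiguous, while a bare hex digest can only be classified by length, which is why a 32-hex-character value could be raw MD5, NT or LM and John prints a warning asking for `--format`. The sample lines are constructed; the format names follow John's naming as I know it.

```python
import hashlib
import re

HEX = "[0-9a-fA-F]"

# crypt(3) modular-format prefixes identify the algorithm unambiguously
PREFIXES = [
    ("$1$", "md5crypt"),
    ("$5$", "sha256crypt"),
    ("$6$", "sha512crypt"),
    ("$y$", "yescrypt"),
]
BCRYPT_RE = re.compile(r"^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$")
# pwdump / hashdump line: user:rid:LM:NT:::
PWDUMP_RE = re.compile(rf"^[^:]+:\d+:{HEX}{{32}}:{HEX}{{32}}:::$")
# bare hex digests: only the length is available, so some lengths stay ambiguous
RAW_BY_LENGTH = {
    32: ["Raw-MD5", "NT", "LM"],
    40: ["Raw-SHA1"],
    64: ["Raw-SHA256"],
    128: ["Raw-SHA512"],
}


def identify_hash(h):
    """Return candidate format names for one hash string, most likely first."""
    h = h.strip()
    for prefix, name in PREFIXES:
        if h.startswith(prefix):
            return [name]
    if BCRYPT_RE.match(h):
        return ["bcrypt"]
    if PWDUMP_RE.match(h):
        return ["LM", "NT"]
    if re.fullmatch(rf"{HEX}+", h):
        return RAW_BY_LENGTH.get(len(h), ["unknown"])
    return ["unknown"]


def identify_file(text):
    """Classify every non-empty line of a hash file. A file that mixes formats
    is itself worth noticing: a cracker loads one format per run."""
    return {line.strip(): identify_hash(line) for line in text.splitlines() if line.strip()}


# Constructed sample input: digests of the string "example" plus crypt-style lines
SAMPLE_LINES = [
    hashlib.md5(b"example").hexdigest(),
    hashlib.sha1(b"example").hexdigest(),
    hashlib.sha256(b"example").hexdigest(),
    "$6$saltsalt$" + "A" * 86,          # shape of a sha512crypt entry (constructed)
    "$2b$12$" + "a" * 53,               # shape of a bcrypt entry (constructed)
    "user:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
]
SAMPLE_FILE = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    for line, kinds in identify_file(SAMPLE_FILE).items():
        print(f"{kinds}: {line}")
```

The ambiguity list for 32-hex-character values is the practical point: without knowing where a hash came from, the tool cannot tell NT from raw MD5, and guessing wrong wastes the whole cracking run.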

Rainbow Tables

▪ John the Ripper computes a hash and tests it against the password hash
▪ More efficient to pre-compute hashes before testing against the password hash
▪ Rainbow tables are pre-computed, stored hashes
▪ Ability to generate password hashes from all possible values within the constraints
▪ E.g. generate hashes over the character set <a-z,A-Z,0-9>
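A rainbow table does not literally store every hash; it stores the two ends of hash/reduce chains and regenerates the middle on demand, trading lookup time for memory. The toy implementation below is an added example written for this page and is not the slides' or rtgen's code: the charset (`abc`), length (3), chain length (4), the use of SHA-256 in place of NTLM, and the reduction function are all simplifications I chose, and rtgen's real table layout and reduction differ. It shows the build step, the lookup step with verification against chain merges, and how many of the 27 possible passwords a table of only 9 chains covers.

```python
import hashlib
from itertools import product

# Toy parameters (assumption): real tables use far larger charsets, lengths and chains.
CHARSET = "abc"
LENGTH = 3
SPACE = len(CHARSET) ** LENGTH      # 27 possible passwords
CHAIN_LEN = 4                       # hash/reduce steps per chain

ALL_PASSWORDS = ["".join(t) for t in product(CHARSET, repeat=LENGTH)]


def H(password):
    """The hash being looked up; SHA-256 stands in for NTLM in this toy."""
    return hashlib.sha256(password.encode()).digest()


def reduce_fn(digest, step):
    """Map a digest back into the password space. Mixing in the column index
    gives each column its own reduction, which is what makes this a rainbow
    table rather than a plain Hellman table."""
    n = (int.from_bytes(digest[:8], "big") + step) % SPACE
    chars = []
    for _ in range(LENGTH):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def build_table(starts):
    """Precompute: store only endpoint -> start points, never the middle of a chain."""
    table = {}
    for start in starts:
        p = start
        for step in range(CHAIN_LEN):
            p = reduce_fn(H(p), step)
        table.setdefault(p, []).append(start)   # merged chains share an endpoint
    return table


def lookup(table, target):
    """Recover a preimage of target from the table, or None if no chain covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # assume target is the hash of the password sitting at column `col`
        # and walk the rest of the chain to see which endpoint it reaches
        p = reduce_fn(target, col)
        for step in range(col + 1, CHAIN_LEN):
            p = reduce_fn(H(p), step)
        for start in table.get(p, []):
            cand = start                        # regenerate the chain up to `col`
            for step in range(col):
                cand = reduce_fn(H(cand), step)
            if H(cand) == target:               # rejects merges and false alarms
                return cand
    return None


def coverage(table, passwords=ALL_PASSWORDS):
    """How many passwords the table can recover: the memory/coverage trade-off."""
    return sum(1 for p in passwords if lookup(table, H(p)) is not None)


STARTS = ALL_PASSWORDS[::3]          # 9 stored chains instead of 27 stored hashes

if __name__ == "__main__":
    table = build_table(STARTS)
    print("stored endpoints:", len(table), "covered passwords:", coverage(table))
    print("lookup of H('aaa') ->", lookup(table, H("aaa")))
```

The verification step in `lookup` is not optional: two chains that collide on a reduction step merge and end at the same endpoint, so reaching a stored endpoint only proves the target might be in that chain. The same property is why salted hashes defeat precomputation, since a table would have to be built per salt.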

rtgen
▪ A package to generate rainbow tables for cracking
▪ Provides a specification of constraints to generate the rainbow table

rtgen
▪ Using rtgen to generate a rainbow table for NTLM

▪ Generated rainbow table

Kerberos

▪ Computer network security protocol
▪ UDP port 88
▪ Authenticates service requests between hosts
▪ Three components
▪ Client
▪ Application server (resource)
▪ Key Distribution Center (KDC)
Video:
Kerberos Authentication Explained | A deep dive (Destination Certification)
https://www.youtube.com/watch?v=5N242XcKAsM

https://www.simplilearn.com/what-is-kerberos-article


Kerberoasting

▪ Attack against the Kerberos protocol to harvest password hashes
▪ Requires network access
▪ Requires Kerberos authentication
▪ Requires Service Principal Names (SPN)
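Because the attack needs only a valid domain account and the ability to request service tickets for SPNs, the defender's signal is in the domain controller's Security log: each ticket request is Event ID 4769, and requests that ask for RC4-HMAC tickets (Ticket Encryption Type 0x17) for many different SPNs in a short time are the classic pattern. The detection below is an added example for this page, not from the slides; the event records are constructed, reduced to the four fields the rule needs, and the five-minute window and threshold of five SPNs are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4769 records ("A Kerberos service ticket was
# requested"), reduced to (timestamp, account name, service name, encryption type).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:01", "alice@CORP.LOCAL", "krbtgt",          "0x12"),
    ("2024-03-01T09:00:05", "alice@CORP.LOCAL", "CIFS/FS01",       "0x12"),
    ("2024-03-01T09:12:00", "bob@CORP.LOCAL",   "MSSQLSvc/DB01",   "0x17"),
    ("2024-03-01T09:30:00", "bob@CORP.LOCAL",   "HTTP/WEB01",      "0x17"),
    ("2024-03-01T09:30:01", "bob@CORP.LOCAL",   "MSSQLSvc/DB02",   "0x17"),
    ("2024-03-01T09:30:02", "bob@CORP.LOCAL",   "HTTP/WEB02",      "0x17"),
    ("2024-03-01T09:30:03", "bob@CORP.LOCAL",   "svc_backup/BK01", "0x17"),
    ("2024-03-01T09:30:04", "bob@CORP.LOCAL",   "ldap/DC01",       "0x17"),
]

RC4_HMAC = "0x17"           # 0x12 = AES256, 0x11 = AES128, 0x17 = RC4-HMAC
WINDOW = timedelta(minutes=5)   # assumption: tune per environment
THRESHOLD = 5                   # distinct SPNs with RC4 inside WINDOW (assumption)


def find_kerberoast_candidates(events, window=WINDOW, threshold=THRESHOLD):
    """Return (account, window_start, window_end, spns) for each account that
    requested >= threshold distinct RC4 service tickets within `window`."""
    by_user = defaultdict(list)
    for ts, user, spn, etype in events:
        # TGT requests to krbtgt are normal logon traffic, not roasting
        if etype == RC4_HMAC and not spn.lower().startswith("krbtgt"):
            by_user[user].append((datetime.fromisoformat(ts), spn))

    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):          # sliding window over this user's requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {spn for _, spn in reqs[start:end + 1]}
            if len(spns) >= threshold:
                alerts.append((user, reqs[start][0], reqs[end][0], sorted(spns)))
                break                         # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for user, t0, t1, spns in find_kerberoast_candidates(SAMPLE_EVENTS):
        print(f"{user}: {len(spns)} RC4 service tickets between {t0} and {t1}: {spns}")
```

The rule keys on RC4 because AES-only service accounts make the harvested ticket far more expensive to crack; on a domain where RC4 has been disabled, a single 0x17 request is itself the alert. Honeypot SPNs on accounts nobody should ever request a ticket for are the usual complement to this rate-based check.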

Kerberos Attack*

▪ Compromise an account in the AD domain
▪ The compromised account obtains a TGT from the KDC
▪ The attacker requests the service
▪ Attack tool: Rubeus

https://michelepariani.com/2020/12/14/outline-of-an-attack-to-active-directory/

Client-Side Vulnerabilities
▪ Web browsers make a convenient client-side attack vector
▪ One of the most commonly used applications
▪ Browser-based applications are used for many common purposes
▪ Limited types of browsers
▪ IE/Edge
▪ Safari
▪ Chrome
▪ Etc.

Other Terminologies
▪ Living Off the Land
▪ Using tools that are already available on the target system
▪ PowerShell - Windows
▪ Bash shell – Linux
▪ Etc.
▪ Fuzzing
▪ The process of sending unexpected or malformed data to an application to see how it handles it
▪ Possible DoS

Post Exploitation

▪ What is next after exploiting the target?
▪ Privilege escalation
▪ Password harvesting
▪ Pivot to other systems
▪ Move on to compromise other systems in the network
▪ Potentially gain more sensitive information or access to more critical systems

Privilege Escalation

▪ Target accounts that have a high level of permissions (e.g. root, administrators)
▪ Gain access to information on the system as well as make changes to services and manipulate users

Privilege Escalation

▪ Search for overprovisioned accounts
▪ A business-critical application that is poorly written from a security standpoint, requiring local administrator privileges to run its services.
▪ Exploiting an unpatched vulnerability
▪ Attackers exploit vulnerabilities found on your Windows machines

Pivoting

▪ Flat network infrastructure: all systems are connected to a single network rather than multiple networks with tiered access.
▪ A compromised target may have multiple interfaces, allowing possible access to other networks.
▪ Pivoting is about taking a compromised system and using it to gain access to other systems.

Persistence

▪ Exploiting the same vulnerability every time to access the system
▪ is time-consuming
▪ the vulnerability could be patched.
▪ Instead, maintain access to compromised systems.
▪ The process of maintaining access is known as persistence.
▪ Attackers can gain access to the system whenever they want.

Persistence

▪ Several techniques
▪ Secure Shell (SSH)
▪ Remote desktop on Windows
▪ Create a new user
▪ Change the compromised user’s password
▪ Install software that will connect back to the attacker’s system.

Covering Tracks

▪ Any time you gain access to a system you will be leaving footprints.
▪ Logging into a system leaves a log entry behind.
▪ Possibility of having your actions investigated and your foothold removed.
▪ Logs may need to be adjusted.

Rootkits

▪ The process table is the hardest item to compromise due to the required privileges and system/operating system security
▪ Typically boots at the same time as the operating system, or after the boot process begins
▪ Very difficult to detect

Rootkits

▪ Most modern operating systems use a ring model for security and privileges.
▪ The highest level of permissions is ring 0 (kernel space).
▪ Interacting with the kernel uses application programming interfaces (APIs).

Rootkits

▪ Attackers manipulate what users can see by using a collection of software called a rootkit.
▪ May contain a kernel-mode module or driver that filters process table results.
▪ May replace binaries with versions that filter results, so users running the system binaries won’t know that files in the file system have been infected or compromised.

Process Injection

▪ Do not want to leave processes that can be traced
▪ Start a new execution thread that uses the injected code from the existing process space
▪ Code is effectively hidden inside this new process.
▪ Using the Metasploit Meterpreter migrate command.

Log Manipulation

▪ The easy way to handle the logs of a compromised system is to clear them
▪ Wipe all entries in the event logs on a Windows system
▪ Delete log files on a Linux system
▪ Meterpreter can use clearev
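Clearing an event log is itself loud if anyone is listening: Windows writes Event ID 1102 to the Security log ("The audit log was cleared") and Event ID 104 to the System log when those logs are wiped, and the per-channel EventRecordID counter restarts, so a forwarded stream shows a record number that suddenly drops. The checker below is an added example for this page, not code from the slides or from Metasploit; the records are constructed and reduced to the four fields the two checks need. It is meant to run on a central collector, since a local copy of the log is exactly what was destroyed.

```python
# Constructed sample: (EventRecordID, EventID, Channel, Timestamp) as forwarded
# from a Windows host to a collector. Not real log data.
SAMPLE_EVENTS = [
    (1040, 4624, "Security", "2024-03-01T10:00:00"),
    (1041, 4672, "Security", "2024-03-01T10:00:01"),
    (1042, 4688, "Security", "2024-03-01T10:05:00"),
    (1,    1102, "Security", "2024-03-01T10:06:00"),   # "The audit log was cleared"
    (2,    4624, "Security", "2024-03-01T10:06:30"),
    (88,   7045, "System",   "2024-03-01T10:07:00"),
]

# Real Windows event IDs emitted when the named log is cleared
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def detect_log_clearing(events):
    """Return (timestamp, channel, description) findings for explicit clear
    events and for record-number resets, which betray a clear even when the
    1102/104 record itself was never forwarded."""
    findings = []
    last_record = {}
    for rec_id, event_id, channel, ts in sorted(events, key=lambda e: e[3]):
        if (channel, event_id) in CLEAR_EVENTS:
            findings.append((ts, channel, f"log cleared event {event_id}"))
        prev = last_record.get(channel)
        if prev is not None and rec_id < prev:
            findings.append((ts, channel, f"record id reset {prev} -> {rec_id}"))
        last_record[channel] = rec_id
    return findings


if __name__ == "__main__":
    for ts, channel, what in detect_log_clearing(SAMPLE_EVENTS):
        print(f"{ts} [{channel}] {what}")
```

The second check matters because an attacker who clears the log and then stops the forwarding service leaves no 1102 on the collector, but the next record that does arrive still carries a small record number. On Linux the equivalent signal is a log file whose size or inode changes without logrotate having run, which is a file-integrity rather than a log-content check.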

Hiding Data

▪ Linux can use dot files and dot directories to hide files and directories
▪ Windows systems have a feature called alternate data streams (ADS)
▪ Implemented in the New Technology File System (NTFS)
▪ Used to support Apple disks when attached to Windows NT

Summary

▪ Search for exploits
▪ Cracking password hashes
▪ John the Ripper
▪ L0phtCrack
▪ Pivoting, privilege escalation
▪ Cover your tracks to avoid detection
