440 likes | 477 Views
Computer Science Innovations, LLC. Cracking Systems. Crack Systems. SET toolkit from Backtrack. First attach is a Social Engineering Attack. Copy a web-site (mine). Get someone to go to the site. Get on their machine. Go to your backtrack machine. Control Alt T (for a terminal).
E N D
Computer Science Innovations, LLC Cracking Systems
Crack Systems • SET toolkit from Backtrack. • First attach is a Social Engineering Attack. • Copy a web-site (mine). • Get someone to go to the site. • Get on their machine. • Go to your backtrack machine. • Control Alt T (for a terminal). • Command cd /pentest/exploits/
Steps • Video – Backtrack 5 Applet Attack method • Terminal – cd /pentest/exploits/set; ./set • Update your metasploit and backtrack • Trial and Error is involved. It is not shrink wrapped. • Setup your server --- which is the backtrack payload. • Get someone to your machine... send an email - Chris for a hot time select girls Girls <a href=”http://10.10.1.x”>Girls</a>
Getting Someone to Your Backtrack • Phishing email. • Overwrite the DNS Server – so it thinks Facebook is you. • Overwrite the DHCP Server and make you …. the DNS.
Watch Video Again This time pausing it. Step one... Forget the nmap stuff. Step two... Go to set Step three... Java Applet Attack Vector Step four.... Facebook template Step five... www.scottstreit.com copy the site.
What We Do • Java Applet Attack • Site Cloning www.scottstreit.com • Use www.facebook.com • Use ????? • Next step.... get credentials. • Practice for test …. you guys running it. .
Credential Harvesting – Do It Credential Harvesting Attach, on your teammate. Do this via set in two ways. 1) Template 2) Site Clone. Use and email to launch
Mail Mail: Google has a sender and receiver. Convention: There is nothing in SMTP (Simple Mail Transport Protocol) that says the from has to be real. Mail in Unix you could specify the from. So you send an email and make the from --- the President. Write an application program.
ISPs have Turned of 25 That means you cannot send mail from your computer as a server. Why do you think they did this. Stop Spammers.
ARP Poisoning Application Presentation Session Transport Network Datalink --- worked at -------- Physical
Solution All routers --- all... now prevent MAC Flooding and any type of poisoning. The tools, ettercap, wireshark... they will attempt To impact the Datalink Layer, but to no avail. They will report --- no success.
History We used to have Bridges... one piece of hardware and Routers … another piece of hardware... and Interconnection (FIOS, cable modem) that was yet a third piece of hardware. There were distinct attacks on all three. What has happened since. Now, everything is integrated, you essentially get countermeasures and update automatically.
Lab – We Don't Believe Scott Ettercap wireshark Start with ettercap.. you run it … startx Command: ettercap -G you have to run this as root. So if you go to plugins and check poison, you will see it did not work.
More Ettercap Additionally, the sniffing on a switched network shows nothing. So you need a broadcast network. So where do we have a broadcast network.
Lab Problem Problem: 1) You have a virus on a Windows box in the boot sector, you cannot get to the network and you want to get your data files off. How? 2) You forgot the root password on your Unix box, you want to use rainbow tables to find it. Same answer for both, how do you do this?
Computer Science Innovations, LLC Cracking Passwords/Decrypting
Tools/Review • One Way Encryption • Three mechanisms • Brute force... John the Ripper • Command: sudo apt-get install john • Industry leader in brute force... all combinations. Fallen out of favor.... complexity of algorithms It could take weeks on a Amazon cluster. • Dictionary Approach – Yesterday. Dictionary words in conjunction with patterns.
One Way Encryption File transfer ---- big file.... SHA1 Transfer the file -----> same SHA1 or MD5 200 gig file multi-character sum... You cannot reverse it.
Break One Way Encryption Two mechanism. One is brute force. You try all the permutations. THE DOG MD5 sum and is that sum what you are looking for. If so, you are done, if not.. try another. Long – You many not get a result in your lifetime.
Another Way Rainbow tables..... Terabytes of sums..... They are store Plaintext password, SUM.. When the sum matches. You have the password – likely. So we have a mechanism to get password more easily.
Vendor, work around? Make it harder. People are going to use words in their We have this concept of SALTS... What is that. Injection variable ---> put in to hash to make it more secure. Both sides need to know the hash, precomputed.
See an Example root@companion:~# grep scott /etc/shadow scott:$6$8eyQBVh1$gcCRGBLBgGsBqmbgDAnhD3HVQL9qa3SjBtEhv/U8OglJN36Aip5Vu1j.twDrfGuAOUH68VIdZXYd0OlrUF8gM1:15527:0:99999:7::: The $6$ says the next thing is the SALT. So 8eyQBVh1 is the SALT.
So Now, How Do We Crack with SALT? Use a Rainbow table for …. the stuff after the salt, then we must use, brute force for the SALT. So all the Rainbow table algorithms are rendered useless ----- temporarily
Rainbow Tables. Rainbow Tables – Ophcrack, or Rcracki • Both run in all platforms. • Both... do the same thing. • Rcracki works with the new version of Rainbow tables and works on MD5 as well as SHA1. • Ophcrack does not work with newer rainbow tables and it only works with NTLM and other simple passwords. • Standardize on Rcracki
Crack Systems Take the rc.tgz from my drive. Put in on your computer.. Get it to compile You have make errors g++ Install rcracki...
How? wget 10.10.10.243/rc.tgz cd cd /tmp ls tar xvfz rc.tgz cd rcracki_mt_0.6.6_src/ make history
Pre-setup sudo apt-get install g++ sudo apt-get install openssl sudo apt-get install openssl-dev sudo apt-get install libssl-dev
Access Scott's Drive Samba --- Command sudo apt-get install smbclient Create a directory Command mkdir /scott /etc/fstab put in an entry 10.10.10.243:rainbow /scott cifs uid=root,gid=root,workgroup=StreitFamily,username=scott,password=redskins1992 0 0 Command mount /scott
Try It! rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 2 /scott
Steps • Download it. • Unzip it. • It is currently not packaged for Ubuntu 12.04. So this means there is no sudo apt-get install.... can't do it. Do we care? No. • Compile ourselves. • When compile yourself, you are responsible for maintenance. That means if you load a kernel update, you have to recompile. If it was a package it would take care of it for you.
Let's Assume I have Downloaded • Unzip it. • Go to root directory and as a normal user (least privilege), run make • Now we need to install it. Run sudo make install
We Have Two Tools First video is concepts only. Ophcrack rcracki try it out. Go to your windows box... that is host operating system. Command window. Command is: net use * \\10.10.10.234\rainbow
What We Do • Get a hash.... unix /etc/shadow • Take the hash and you seach.... for the actual password. • Takes every entry in the rainbow tables and compares it against the hash.. • When it matches it takes the plain text... returns it to you. • Much faster to do a string search than it is to compute MD5 or SHA1 encryption. • Faster than brute force.
Computer Science Choices • Process without storing partial results (brute force) • Process using temporary results: entailments. • All computer problems are scaling problems. • Everything a computer does, you can do with a pencil and paper. • Brute force vs. Entailments.
What it Looks Like Command: vi /etc/shadow scott:$6$eHcWMokA$Qr3aR4Od7eiLkMmH3GxcPsdF6yUIGZNpXbfsOggb843sTSAySnBiDpJj8NtFu1CUu.kAVUKH8wfetPLJ1Lc91.:15456:0:99999:7::: hash
Case Study aghaster@debian:~$ rcracki_mt k/ usage: rcracki_mt -h hash rainbow_table_pathname rcracki_mt -l hash_list_file rainbow_table_pathname rcracki_mt -f pwdump_file rainbow_table_pathname -r [-s session_name]: resume from previous session, optional session name rainbow_table_pathname: pathname(s) of the rainbow table(s) Extra options: -t [nr] use this amount of threads/cores, default is 1 -o [output_file] write (temporary) results to this file -s [session_name] write session data with this name -k keep precalculation on disk -v show debug information example: rcracki_mt -h 5d41402abc4b2a76b9719d911017c592 -t 2 [path]/MD5 rcracki_mt -l hash.txt [path_to_specific_table]/* rcracki_mt -f hash.txt -t 4 -o results.txt *.rti
Solution..... rcracki_mt -c lst_file rainbow_table_pathname -h hash: use raw hash as input -l hash_list_file: use hash list file as input, each hash in a line
Best Practice? • rcracki • Source: download it • Command: make in the source directory • Command: make install • Run rcracki using the command line options • Take a hash from /etc/shadow • Use my rainbow tables.... • Get the password: root... what is the password find toor.
Lab Decrypt a hash in /etc/shadow Use my rainbow tables. Choice windows or linux: Mapped as a windows drive. Map as Unix Drive.
Solution..... rcracki_mt -c lst_file rainbow_table_pathname -h hash: use raw hash as input -l hash_list_file: use hash list file as input, each hash in a line
Solution All routers --- all... now prevent MAC Flooding and any type of poisoning. The tools, ettercap, wireshark... they will attempt To impact the Datalink Layer, but to no avail. They will report --- no success.
History We used to have Bridges... one piece of hardware and Routers … another piece of hardware... and Interconnection (FIOS, cable modem) that was yet a third piece of hardware. There were distinct attacks on all three. What has happened since. Now, everything is integrated, you essentially get countermeasures and update automatically.
Lab Problem Problem: 1) You have a virus on a Windows box in the boot sector, you cannot get to the network and you want to get your data files off. How? 2) You forgot the root password on your Unix box, you want to use rainbow tables to find it. Same answer for both, how do you do this?