
CEH: Official Certified Ethical Hacker Review Guide, Exam 312-50 - Kimberly Graves
to find a username from a SID.

18. A. nslookup is a Windows tool that can be used to initiate a DNS zone transfer that sends all the DNS records to a hacker's system.

19. D. A null session involves connecting to a system with no username and password.

20. A. The best countermeasure to SNMP enumeration is to remove the SNMP agent from the device. Doing so prevents it from responding to SNMP requests.

System Hacking

CEH EXAM OBJECTIVES COVERED IN THIS CHAPTER:

✓ Understanding Password-Cracking Techniques

✓ Understanding Different Types of Passwords

✓ Understanding Escalating Privileges

✓ Understanding Keyloggers and Other Spyware Technologies

✓ Understanding Rootkits

✓ Understanding How to Hide Files

✓ Understanding Steganography Technologies

✓ Understanding How to Cover Your Tracks and Erase Evidence

In this chapter, we'll look at the various aspects of system hacking. As you recall from Chapter 3, "Scanning and Enumeration," the system hacking cycle consists of six steps. The first step, enumeration, was discussed in the previous chapter. This chapter covers the five remaining steps:

■ Cracking passwords

■ Escalating privileges

■ Executing applications

■ Hiding files

■ Covering tracks

Understanding Password-Cracking Techniques

Many hacking attempts start with attempting to crack passwords. Passwords are the key piece of information needed to access a system. Users, when creating passwords, often select passwords that are prone to being cracked. Many reuse passwords or choose one that's simple, such as a pet's name, to help them remember it. Because of this human factor, most password cracking is successful; it can be the launching point for escalating privileges, executing applications, hiding files, and covering tracks. Passwords may be cracked manually or with automated tools such as a dictionary or brute-force method, each of which is covered later in this chapter.

Manual password cracking involves attempting to log on with different passwords. The hacker follows these steps:

1. Find a valid user account (such as Administrator or Guest).

2. Create a list of possible passwords.

3. Rank the passwords from high to low probability.

4. Key in each password.

5. Try again until a successful password is found.

A hacker can also create a script file that tries each password in a list. This is still considered manual cracking, but it's time-consuming and not usually effective.

A more efficient way of cracking a password is to gain access to the password file on a system. Most systems hash (one-way encrypt) a password for storage on a system. During the logon process, the password entered by the user is hashed using the same algorithm and then compared to the hashed passwords stored in the file. A hacker can attempt to gain access to the hashing algorithm stored on the server instead of trying to guess or otherwise identify the password. If the hacker is successful, they can decrypt the passwords stored on the server.
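As an added illustration (not code from the book), the following Python sketch implements the logon check just described: the entered password is hashed with the same algorithm and per-user salt as the stored value and compared in constant time. It also shows the defensive use of the dictionary method, an audit that flags accounts whose stored hash matches a known-weak password, in the spirit of the password-auditing tools listed under Hacking Tools. The storage format, function names and sample password file are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed storage format for this example: algorithm$iterations$salt_hex$hash_hex
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """One-way hash a password with a random per-user salt for storage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Logon check: hash the entered password the same way and compare."""
    algorithm, iterations, salt_hex, hash_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how much of the hash matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def audit_weak_passwords(password_file: Dict[str, str],
                         wordlist: List[str]) -> Dict[str, str]:
    """Defensive audit: report accounts whose stored hash matches a word in a
    known-weak-password list. Every account has its own salt, so the wordlist
    must be re-hashed per account; a slow hash makes each guess expensive."""
    findings = {}
    for user, stored in password_file.items():
        for word in wordlist:
            if verify_password(word, stored):
                findings[user] = word
                break
    return findings


# Constructed sample data: a tiny password file and a tiny weak-password list.
SAMPLE_PASSWORD_FILE = {
    "administrator": hash_password("correct-horse-battery-staple"),
    "jsmith": hash_password("fluffy"),  # a pet's name, as the chapter warns
    "guest": hash_password("password1"),
}
SAMPLE_WORDLIST = ["123456", "password", "password1", "fluffy", "letmein"]

if __name__ == "__main__":
    print(audit_weak_passwords(SAMPLE_PASSWORD_FILE, SAMPLE_WORDLIST))
    # prints {'jsmith': 'fluffy', 'guest': 'password1'}
```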

Hacking Tools

Legion automates the password guessing in NetBIOS sessions. Legion scans multiple IP address ranges for Windows shares and also offers a manual dictionary attack tool.

NTInfoScan is a security scanner for NT 4.0. This vulnerability scanner produces an HTML-based report of security issues found on the target system and other information.

L0phtCrack is a password auditing and recovery package distributed by @stake software, which is now owned by Symantec. It performs Server Message Block (SMB) packet captures on the local network segment and captures individual login sessions. L0phtCrack contains dictionary, brute-force, and hybrid attack capabilities.

John the Ripper is a command-line tool designed to crack both Unix and NT passwords. The cracked passwords are case insensitive and may not represent the real mixed-case password.

KerbCrack consists of two programs: kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a brute force
