CompTIA CYSA+ CS0-002 – Enumeration Tools Part 4

8. Responder (OBJ 1.4)

Responder. In this short video, we are going to talk about the tool known as Responder. Now responder comes as part of the Kali open source penetration testing system. Responder is a command line tool that is used to poison responses to NetBIOS, LLMNR and Mdns name resolution requests in an attempt to perform a man in the middle attack. Essentially, Responder is designed to intercept those messages and those requests s and return the attacker’s host IP as the name of record. Now, the benefit of using something like Responder in penetration testing is you can get into the system and you can actually become that man in the middle. This is actually really useful when you’re dealing with something like Windows file sharing or server message block messages over SMB because this can allow the attacker to retrieve the password hashesand then try to crack those later on.

Now, when you use Responder and for this attack to work, the victim system must be either tricked into querying a nonexistent name or prevented from using the legitimate DNS service. If they can’t reach the real DNS service, the way Windows works is it’s going to do as a backup of asking other people on the network for that DNS name. And when it does that, Responder can then say, hey, I have the answer for you and give you your IP address. So they now are connecting to you and you become the male in the middle. That’s the idea of how this works. Now, another thing that you as a defender can use Responder for is to place it into analysis mode. If you do that, you can monitor the name resolution traffic without responding across the network, so you can detect if other people are trying to poison your name resolution inside your network.

9. Wireless Assessment Tools (OBJ 1.4)

Wireless assessment tools. In this lesson, we’re going to talk about a couple of different wireless assessment tools that help us detect if there are wireless networks around. Now, when we talk about wireless assessment tools, these are tools to detect the presence of wireless networks, to identify what security type and configuration those networks are using, and even try to exploit any weaknesses in that security to gain unauthorized access to the network. Now, the real benefit of wireless assessment tools is they allow us to get information about these wireless networks. As a network defender, your wireless networks are one of the most vulnerable things in your network. So you need to understand what vulnerabilities exist by going through and conducting assessments against them. For example, for somebody to just sniff your wireless traffic, it’s really easy.

If I’m close enough to your building, I can turn my card into what’s known as monitor mode or Promiscuous mode. And if I can do that, I can start sniffing all your non unicast traffic immediately and start collecting it. And then I can use that to crack your network password and then break onto your network. That’s the idea of how vulnerable these wireless networks are. So we have to understand that, and that’s why we have these wireless assessment tools. In this lesson, we’re going to talk about two main tool suites. The first is Aircrack ng and the second is Rever let’s start with aircrack. Ng. Aircrack Ng, as a tool suite, is a suite of utilities that’s designed for wireless network security testing. Now, the reason we call this a suite of tools is because there are actually four tools inside of it. There’s Aeromon Ng, which allows us to enable or disable modern mode on our cards.

There’s Aerodump Ng, which allows us to capture those wireless frames that are going across the air, and we’ll be able to identify that information of the wireless access point based on its Mac address. And we can also identify clients based on their Mac address. We also have Air Replay Ng, which is going to inject frames to perform the attacks to obtain authentication credentials for an access point. Essentially, I can deauthenticate you from a device and then try to reconnect to that device when I capture your reauthentication. And then we have aircrack. Ng. Aircrack Ng allows us to extract the authentication key and try to retrieve the plain text version of your password for that network. Now, lucky for us, Aircrack Ng is really only effective against Web based networks. For a web based network, you can crack that password every single time.

But if you’re using WPA or WPA Two with a long, strong password, it would take a really long time to brute force that password. So one of your best mitigations here is using long, strong passwords, especially in a home environment. Now, in a corporate environment, it is much better for you to use Radius authentication. Radius authentication is a completely effective mitigation against tools like Aircrack Ng, because by using Radius, we are no longer going to be vulnerable to those password attacks across the network because now we’re using digital certificates as our method of authentication here. The next tool I want to talk about is Reaver. Now, Reaver is a command line tool that’s used to perform brute force attacks against WPS enabled access points. Now, what is WPS Well, WPS is the WiFi protected setup mechanism.

If you look at your router and on the front of your wireless router, you have a button that says WPS. And let’s say you got a new printer and you have a long, strong password for your network. Well, it’s really a difficult thing to start typing in that long, strong password into a printer when you have to use just up and down arrow keys. So they built this thing called WPS. Essentially, you push the button on your router, you push the button on your printer. If you do both of those, within 60 seconds, they would auto communicate, pass the password back and forth, and then they would reconfigure themselves. This would allow you to really quickly and easily set up your network. Great for operations, horrible for security. The problem is WPS uses a Pin, and that Pin can be brute force. With WPS, you can do brute force attempts against that Pin and crack it within several hours.

Generally, the reason is that Pin is only eight digits long. In addition to that, the way that Pin is actually calculated is actually a four plus four number. So they actually take that eight digit Pin and break it up into two sets of four. So if we want to brute force that, we’re really only having to try 10,000 combinations and 10,000 combinations. And my computer can go through 20,000 combinations pretty darn quickly. And so that’s the idea of why this is such a weak thing to use. Now, to mitigate this brute force attack, you can mitigate this by enabling rate limiting for Pin authentications. Now, what does that mean? Well, when I try to brute force the Pin here, my system is actually going to connect to your access point and try pin one, and that’s going to try the next pin two.

Well, if you put a wait time in between there of 15 seconds or 30 seconds or three minutes, you can actually have that backup delay. And that delay makes it so it takes me infinitely longer for me to go and get that password cracked. If you have no delay, I can get through 10,000 attempts in maybe a couple of minutes. But if you put in a 32nd delay each time, it’s now going to take me several hours or several days to crack that pin. The problem is, even with doing this mitigation, you’re just going to frustrate the attacker. But if they’re determined and you have WPS enabled, they are going to get in eventually. Because, again, there’s only 10,000 plus 10,000 or 20,000 options here for them to be able to guess. So what do I recommend? If you have WPS, turn it off on your networks. It is bad, bad, bad. It is a huge vulnerability. So make sure you disable WPS on your networks.

10. Hashcat (OBJ 1.4)

Hashcat. Hashcat is the last enumeration tool we want to talk about. Now, the reason we’re bringing this up is because we just talked about the fact that you might want to brute force a password, such as a hash that you’ve collected over the network or something like a wireless password. And to do that, you’re going to use something like hashcat. Hashcat is a command line tool that is used to perform brute force and dictionary attacks against password hashes. Now, hashcat could be really slow. In the old days, the reason for this is you’d have to actually guess every single option as you’re going through those hashes. But smart people had figured out there’s a quicker way of doing this. Instead of relying on the CPU, let’s rely on the GPU or graphical processing units.

Now, GPUs can be relied on by hashcat to perform the brute force cracking much more quickly. Why is that? Well, because GPUs are made to do complex math in a very quick fashion. When you create graphics on a screen, it takes a lot of mathematical computations. And so these GPUs are extremely fast at churning out things for mathematics that would create those 3D graphics. And that same technology can be used for password cracking. For instance, here you can see a rig that is one of five servers that somebody put together. They put these five servers together and each of them had a bunch of GPUs together. They had 25 GPUs. Now, this rig was able to crack 348,000,000,000 billion with a B hashes per second. Now, luckily, this machine was built all the way back in 2012 and it focused on Landman and NTLM hashes, both of which only took a few minutes to crack.

But you can see here just the power of using these GPUs over traditional CPUs when you’re conducting this type of hash cracking. Now, our modern hashes, like Sha 256, are much more resilient to this type of attack, thankfully. But if you have enough GPUs put together, you could put together enough power to crack those things as well. And that’s one of the things that we really worry about in the security industry. If people can get enough power, they can start cracking a lot of the passwords and security that we use. So how do you use hashcat? Well, it’s pretty easy. It’s actually a command line program, like I said. So you just type in the word hashcat and then M and give it the hashtag. For instance, MD five, then A and the attack mode. Do you want to do brute force or dictionary attack? And then O, and you give it the output file. Where do you want to save your information to? And then you have to give it an input file with all those hashes.

That’s it. One simple line of code. And you can start cracking hashes. When you do that, it’s going to give you a screen that looks like this and it’s going to start running. It’s going to tell you what kind of hash it’s looking at. In this case, LTLM version two. It’s telling you the hash target that it’s going after, what the time started was, what the estimated time of completion is, and how many guesses it’s going through. In this case, we’re just trying to crack one administrator hash. But how fast can it do it? Well, if you look at the speed line, it tells you it’s currently doing 364,000 hashes per second. Now, this is just on somebody’s standard laptop. This isn’t even using a full, dedicated GPU rig like I showed you earlier. So this just shows you how powerful using something like hashcat can be. Now, for the exam, do you need to know how to use hashcat? No, you don’t. But you should know that hashcat is used for brute force attacks. If you know that much, you’ll do fine on the exam.

11. Testing Credential Security (OBJ 1.4)

Testing Credential security. In this lesson, I’m going to show you how you can test Credential security on your network. Now in this demonstration, I’m going to do it locally using a Kali Linux machine and looking at the hashes on that particular machine. But if you want to test it across your network, you could gather those hashes using some method like network sniffing or using other tools on your network devices, and then putting those hashes through this tool. And so we’re going to use John the Ripper, which is one of the most common password crackers out there. Now to do this, we’re going to try to crack the password for this Kali Linux machine. Now I’ll tell you right now, the password is to, which is a very standard password that’s used by Kali Linux by default when you install it. But we’re going to go ahead and go through the process of trying to crack that now.

So before we can try to crack those hashes, we have to gather those hashes from the Kali Linux machine. Now by default, inside Kali Linux, these passwords are stored inside the password file and as a shadow inside the shadow file. So we’re going to grab both of those and put those into a file for us called my password. So we’ll do that by typing unshadowettsypassword and then etsy shadow. And then we’ll pipe that over to the file password TXT and it’s done. So now if I hit LS, you’ll see that there is the password TXT file.So what does that password file look like now? Well, let’s go ahead and print it to the screen so that you can see it. And I’m going to do more password TXT. And you’ll see here you have your usernames on the left and then what group they’re associated with it and how they’re going to be logging on. Now, under root, you’ll see that long hash there at the top, that dollar sign, six dollar sign you all the way through, across the top.

That is the shadowed password, the hash of it that we’ve captured. Now, how do we crack that? Well, that’s where John the Ripper is going to come in handy. So let me go ahead and clear my screen here. And what we’re going to do is type John password TXT and hit enter. And John is going to go through and try to crack that password. Now it already says it found it. It was very, very quick. And so to show that password, we’ll just type in John show and then the file that we had used, which was password text. And so you can see that Root was the username and Tor was the password. You can see just how quickly John can go through and decrypt these hashes back into something that’s usable for us, which is the password. And now I could log into the system, system as root with password tour with no problem.

• Category: Uncategorized