CompTIA Pentest+ PT0-002 – Section 10: Network Attacks Part 4

93. On-path Attack (OBJ 3.1)

In this lesson, we’re going to very briefly cover the concept of an on-path attack. Now, an on-path attack is an attack where the penetration tester is able to put their workstation logically between two hosts during the communication in order to transparently capture, monitor and relay the communications between those hosts. By placing themselves in the path between the and the server, the attacker can intercept the authorization packet being sent and received and then use those to take over the authorized session between the client and the server. Now, there are many different ways of conducting an on-path or interception attack, including ARP poisoning, DNS poisoning, introducing a rogue wireless access point or introducing a rogue hub or switch. Once an on-path or interception attack has begun, you can then decide to replay or relay the attack. Replay of the data occurs when valid data is captured by the attacker and is then repeated immediately or is delayed and then repeated.

Replay is a common technique in wireless network attacks, but it can also be used in wired networks, too. For example, if we can capture an authentication handshake between two hosts, we can then replay it to the authentication server so that it will think we are an authenticated client, too, and give us access to the network or its resources. Relay, on the other hand, occurs when an attacker is able to become a part of the conversation by inserting themself in between the two hosts. In this case, the attacker essentially becomes a proxy between two hosts, and they can read or modify any communications between them.

When this occurs, anytime the client tries to get to the server, it is instead going from the client to the attacker and from the attacker to the server. From this position, we can capture everything that’s being sent between them, including the user names, passwords and even bank balances. We can even change the data if we so desire. Remember, relay involves getting the information and then passing it on, or you can intercept it, change it and then pass it on. The big challenge, though, with replay and relay occurs when encryption is enforced by the host. If the server, for example, is using a strong encryption scheme like TLS 1.3, it’s going to be very difficult or even impossible for us to intercept and crack the communication between these two hosts.

To try and overcome this encryption, a technique known as SSL stripping was created. Since a lot of websites use SSL and TLS as a way to encrypt data between the client and the server, we could attempt to attack this by tricking the encryption application into presenting the user with an HTTP connection instead of an HTTPS connection. For instance, let’s say you go to facebook.com using HTTPS, but an attacker was able to redirect or downgrade the request to use the regular HTTP connection instead. This would be considered SSL stripping because now there is no encryption being used in that connection, and we can then capture all the data and read it. Now, if SSL stripping is impossible, then we can attempt to perform a downgrade attack instead. In a downgrade attack, the attacker attempts to have a client or server abandon its higher security mode in favor of a lower security mode. For example, if the client tries to connect to a server and negotiate a higher level encryption like TLS 1.2 or 1.3, but they’re connected through an intermediary attacker who’s in an on-path position, that attacker may allow encryption to occur so they’ll see that little lock in their web browser, but only at a lower level, such as using SSL 2.0, which is much easier for the attacker to crack.

So that way the attacker can remain in the middle of the communications between the client and server and see everything that’s going on. Now, it’s important to mention that downgrade attacks don’t only affect SSL and TLS, though. It can actually be used with any kind of encryption or protection, such as Wi-Fi, VPNs and others. Anytime we have a client negotiate to a lower level of security that is still technically backwards compatible with that higher level, this is considered a downgrade attack.

94. Password Attacks (OBJ 3.1)

In this lesson, we’re going to discuss the different types of password attacks, including dictionary attacks, brute force attacks, hash cracking, password spraying, and credential stuffing attacks. Now, before we move into our different types of attacks, though, it’s important for us to do a quick review of how passwords are used in a server’s authentication system, because passwords are by far, the most is popular mechanism used for authentication in systems and web applications. Now, when a password is stored in the system or application’s database it isn’t actually the password itself that’s being stored. But instead it’s a hash of that password, since a hash digest is a result of a one-way hashing algorithm this protects the passwords that are stored in the database since they can’t be recovered from the hash value directly. So when the user sets up their account and they choose their password, it’s going to be hashed and sometimes stretched or salted before it’s stored in the authentication systems database. While this protects the password if the database was compromised, it doesn’t protect the password from the password guessing or other types of password attacks that you may use. For example, if I wanted to guess your password and login as you, I could simply go to the login screen of the website, enter your email as the username and whatever guess I have for your password.

And then click log in. Each time I do that, I’m conducting password guessing, and I could try this over and over again, as a form of brute force password attack against the authentication system, to try to attempt to bypass it by guessing your correct password. Now, as a cybersecurity analyst, you might see this in your logs appearing as multiple passwords being attempted against the same user account. In this example, you see six attempts to log in as the user Jason, each one, using a different password in an effort to guess the user’s password and gain access. To automate this process, I could also use a password cracker instead of manually attempting to log into your account. Password crackers are used to attempt to break a user’s password by either using a dictionary attack or by using brute force techniques.

Password crackers can also be using an online or offline cracking method depending on their configuration. Two of the most common password cracking tools out there are John the Ripper and Cain and Abel. Security analysts should routinely run these password crackers against their system files that contain hash passwords and then require the users to change their passwords if they’re cracked by the software. The first type of attack we’re going to talk about is a dictionary attack. Now, a dictionary attack uses a list of common passwords, words and phrases to attempt to guess the password. The password cracker, then hashes the value of the individual dictionary listing and compares it to the hash value of the password inside of the system file. If they match, then that program knows that it found the correct password. This is what an offline dictionary password attack looks like.

Many cyber security professionals have created very large dictionaries that you can download and use during your engagements. The biggest challenge with these dictionaries is the sheer size of them though. For example, a dictionary with a billion words would be roughly 10 gigabytes of text. To try each of those passwords could take a really, really long time. And if that word doesn’t happen to be in the dictionary you downloaded, you’re still not going to have cracked the password. Keep in mind password dictionaries don’t have just regular words in it like puppy or cupcake but they also have long and strange combinations of letters, numbers, and special characters that may be used as passwords by somebody. Brute force attacks on the other hand, don’t rely on dictionaries. Instead they attempt to break a password by guessing every single possible combination of numbers, letters, or special characters. The longer the length of the password the more time a brute force attack is going to take. Now, the thing out a brute force attack is that it will always be successful eventually but if you have a really long password, that’s 16 or 20 characters long, it might take me years to brute force that password. Brute force though is a great option if you’re trying to crack a pin or a password with a very limited key space, for example wifi protected setup pins are eight-digit number but they’re actually composed of two, four digit numbers.

Each of those four digit numbers can only be one of 10,000 possible combinations. So if I wanted to brute force the WPS pin, I could start out with 0 0 0 0, then go to 0 0 0 1, then 0 0 0 2 and keep adding one each time until I find either the pin or reach the end of the key space at 9 9 9 9. Now when either a dictionary or brute force attack is attempted though, the password cracker first needs to select the password guess it wants to use, hash it and then compare it against the password hash of the authorized account that was stolen by dumping the credential database, if you’re going to to be doing an offline attack. To speed up this process, hash cracking can be performed using a rainbow table. Now a rainbow table is a precomputed hash value table that contains known passwords for use with offline password cracking. One of my favorite websites for cracking non-salted hashes is CrackStation.net which uses a rainbow table and can return a reply in a matter of seconds from its 15 billion entry rainbow table.

You can actually download their word list and use it offline if you want to as well. But it’s actually 190 gigabytes in size just for the MD5 and SHA1 rainbow tables. To combat our password crackers, cybersecurity professionals are always 10 attempting to implement strong password security policies that include things like long minimum length requirements, complex passwords that are comprised of numbers, letters and special characters, passwords that are changed at least every 60 days, and a lockout or delay policy that set after three or more failed login attempts. These mitigations are all quite effective at stopping online line password attacks using either dictionary or brute force methods. To overcome these defenses, many penetration testers will instead rely on password spraying. Password spraying is a form of password guessing that focuses on using the same few commonly used passwords across multiple accounts in an attempt to bypass the authentication mechanisms.

For example, if my research has shown that the most commonly used passwords are password and pass1234, then I could attempt to log in using different user names or emails and attempt each one using one of those two passwords to try and guess your user’s password. Since I’m only using one or two passwords for each account, I’m unlikely to lock out the user’s account and become discovered. Now, if you’re working as a cybersecurity analyst you’re going to see my attempts in your logs but only one or two attempts per user. And then I’m going to switch to another account and try the same passwords again. In this example you can see two attempts to log in as Jason. Then two is Tim. Two is Tamera, and all these attempts are using the same two passwords. This is an indication of password spraying that’s being used instead of a dictionary or brute force attack. Now the last type of password attack we need to cover is known as credential stuffing. Credential stuffing is a type of password attack in which stolen user account names and passwords are going to be tested against multiple websites in an effort to bypass their authentication. Now credential stuffing is used by attackers and penetration testers because many users often will use the same user names and passwords on many different websites. So if an attacker gains access to the usernames and passwords of the users from the Yahoo data breach, they can then try those same usernames and passwords at Facebook, Gmail, MSN, and other websites to try and access the accounts on those sites too. In order to prevent credential stuffing, cyber security professionals need to train their users, not to reuse any passwords across different website.

Every website should have a different and unique password to ensure you have good security for your account. Even better though, you want to make sure you’re using two factor authentication for any logins you can, because this will force the users into a higher level of verification during that login process and prevent credential stuffing from being successful. Now, before we end this video, I want to do a quick demonstration of how you use a password cracker. So we’re going to use John the Ripper here, which is one of the most common password crackers out there. To do this, we’re going to try to crack the password for this Kali Linux machine. Now I’ll tell you right now, the password is T-O-O-R but we’re going to go ahead and go through the process of trying to crack that now. So before we can try to crack those hashes, we have to gather those hashes from the Kali Linux machine. Now by default inside Kali Linux, these passwords are stored inside the password file and as a shadow inside this shadow file. So we’re going to grab both of those and put those into a file for us called my password.

So we’ll do that by typing unshadow /etc/password and then /etc/shadow. And then we’ll pipe that over to the file, password.txt, and it’s done. So now, if I hit LS you’ll see that there is the password.txt file. So what does that password file look like now? Well, let’s go ahead and print it to the screen so that you can see it and I’m just do more password.txt. And you’ll see here, you have your usernames on the left and then what group they’re associated with it and how they’re going to be logging on. Now under root, you’ll see that long hash there at the top. That $6$U all the way through across the top, that is the shadowed password. The hash of it that we’ve captured. Now, how do we crack that? Well, that’s where John the Ripper’s going to come in handy. So let me go ahead and clear my screen here. And what we’re going to do is type john password.txt and hit enter. And John’s going to go through and try to crack that password. Now, it already says it found it. It was very, very quick.

And so to show that password we’ll just type in John -show, and then the file that we had used which was password.txt. And so you can see that root was the username and toor was the password. You can see just how quickly John can go through and decrypt these hashes back into something that’s usable for us, which is the password. And now I could log into the system as root with password toor with no problem.

95. Pass the Hash (OBJ 3.1)

In this lesson, we’re going to talk about the Pass the Hash attack and other Kerberos-based attacks. First, let’s talk about Pass the Hash. Pass the Hash is a network attack where the attacker, steals hash user credentials and attempts to use them as his, in order to try to authenticate to the same network that the hashed credentials originated on. This is a really complicated way of saying that the attacker can steal a password, without actually stealing the password. Instead they’re stealing the password hash and they’re using that to authenticate to the network. Now Pass the Hash is the common name for this type of attack. But it’s more accurately termed an NTLM Relay Attack, because NTLM is the New Technology LAN Manager which is used in the Window system, but presenting a hash credential for authentication. By using the Pass the Hash attack the penetration tester doesn’t have to spend time cracking the original password and instead they simply present the stolen hash to the various network protocols, on a Windows system for authentication such as SMB or Kerberos.

So how do does a past the hash attack actually work? First we have to target a regular user, who’s going to be the victim. When that user logs onto a Windows machine like their work laptop, the domain controllers need to verify their authentication and authorize them to use the network and its resources. This is usually done using Kerberos in the form of a username and password. Although many companies now use smart cards and pin numbers instead. Regardless of which method is used by the user, their user account credentials are going to be hashed and sent to the domain controller for verification. To speed up this process, Windows clients are set up to cash these credentials and store them in the Security Account Manager or SAM Database in conjunction with Kerberos. Now, instead of having to go back to the domain controller each time, the user can authenticate locally using the stored credentials, by comparing the username and password they just entered against the hash one that’s stored inside the credentials of the SAM Database.

Next, the attacker needs to find a way to obtain a copy of that hash. This could be done by exploiting the domain controller, sniffing the network traffic, during the initial authentication process or compromising the Windows client, SAM Database. It really doesn’t matter how they get those hash credentials, as long as they get a valid copy of it. Most commonly, I’m going to compromise a Windows Client’s memory using a tool like Mimikatz. Now the attacker will then have the hash credentials and they’re going to use that hash on another computer to log in as that user or they’re going to use those credentials, to access other network resources like file servers, domain controllers, email servers or whatever those credentials are going to be authorized to access. Now you could see how simple the idea behind Pass the Hash is, right? First, you obtain the hash by stealing a a copy from the workstation’s memory, the registry or credential store. Second, you log into a target system or application using the hash of the password, instead of the password itself. This Pass the Hash attack can be used for a lot of different things. But one of the most common things that’s used for is to escalate privileges. This works because a lot of times, the local works stations that the attacker first gains access to, all ready have cash credentials for the local admin account. Because most of the time the local admin had to at some point log into that machine locally, to do some kind of troubleshooting or maintenance. Since those credentials are stored inside the SAM Database of the workstation.

You can dump them from the database and use them in a Pass the Hash attack. Now as a penetration tester, the most common tool for this purpose is Mimikatz. Mimikatz is an open source application, that allows a user to view and save authentication credentials in order to perform Pass the Hash attacks and other similar types of attacks. Mimikatz works by first scanning the system memory for any cash passwords it can find. All these passwords have been processed by the Local Security Authority Subsystem Service. Notice lsass.exe on a Windows system. Once those hashes have been stored in this cash memory, Mimikatz can grab those and find those and then pass those off to another system or service, whenever you want to log in. Mimikatz has been incorporated into a lot of different penetration testing tools including the Metaspoilt Framework.

Notice that with one simple command, use post/windows/gather/smart hashdump, we’re able to run this command and it’s going to run this module against a given target. In this case, it’s going against the Windows machine. It’s going through and grabbing any of the hashes it finds and dumps those to the screen and into a file. In this case we found an administrator’s hash. Using Mimikatz, we can then use the hash and login as that administrator and perform other malicious actions if we desired. the next attack we’re going to discuss is known as Kerberoasting . Now Kerberoasting is a way of messing with the Kerberos Ticketing System, to allow any domain user account with a service principal name, to set up a service granting ticket in the ticket granting system. These tickets can be requested by any user in the domain and allows for offline cracking of the service account, plain text password. So Kerberoasting is a technique that we can use to grab those passwords and if we can get that service account password, remember service accounts tend to operate at the lowest levels of the Operating System. So this can give us elevated permissions to use for other exploits and attacks too.

To conduct Kerberoasting. You first need to get the user service principle names or SPNs so you can identify all the different accounts that are good candidates for Kerberoasting. Second, you need to get a service ticket from one of the SPNs that looks like a good target, something like a server or a service. Third, you need to dump the service ticket to a file. This will usually be encrypted with the NLTLM Hash of the service account that you’re trying to use. Fourth, you need to crack the account’s plain text password, which can be done offline using the service ticket file. Now, if you’re able to obtain the password from this process of Kerberoasting, you now have it in plain text. So you can take control of that system by logging in using the account and the password you have. Most often the service accounts or server accounts are going to be the ones that are most vulnerable to Kerberoasting because administrators rarely change the passwords on these accounts. If you’re successfully able to conduct Kerberoasting on a target network during an engagement, you should recommend that their administrators changed the passwords for the server and service accounts, more frequently. This will minimize the threat of Kerberoasting and the damage that can be conducted if Kerberoasting is successful. Now the final two Kerberos Authentication Attacks you may come across, are known as the Golden Ticket and the Silver Ticket attacks.

Remember Kerberos Authentication is used heavily in Windows. It’s a system of tickets that grant devices permission to communicate with other devices, over non-secure networks. And this is how they identify themselves and their authorizations. With Kerberos Golden Tickets are a master ticket that come from the Kerberos ticket-granting ticket or TGT. This TGT or Ticket Granting Ticket can be used for any Kerberos service. Let’s pretend we went to the fair and we had a Golden Ticket. Well, that Golden Ticket means I can go on any ride I want, as much as I want. That is the idea of this Master Golden Ticket.

Now a Silver Ticket on the other hand, is a ticket granting service ticket and this is only good for certain Kerberos specific services. In my fair example, our Silver Ticket may grant us access to the roller coaster, but it doesn’t let us go on the Merry Go Round. Because those require different tickets, because they’re different services. Now, as a penetration tester, we obviously would rather get one of these Golden Tickets when attacking the Kerberos Authentication System. If we can break into a windows domain, run Mimikatz and acquire a golden ticket, we now essentially own the entire domain and all of its resources. This is what makes a successful golden ticket attack such a huge area of vulnerability, if we can successfully exploit it.

• Category: Uncategorized