PT-unit 3 notes

The document discusses various techniques and tools related to penetration testing, focusing on password cracking methods such as online and offline attacks, as well as credential stuffing and keyloggers. It also covers privilege escalation attacks, their types, and examples, alongside steganography techniques for hiding data. Additionally, it highlights the importance of using secure password hashing algorithms and the role of tools like John the Ripper and Hashcat in password cracking.

Uploaded by abhi hack

UCCSL304: Penetration Testing

Credit: 3 Examination Scheme: TAE: 10 Marks, CAE: 15 Marks, ESE: 50 Marks

Unit-03: SYSTEM PENETRATION


Password Cracking in Penetration Testing:
Password cracking plays a very important role in hacking. We are not always lucky to get
credentials during enumeration. There are two types of password cracking.
● Online password cracking
● Offline password cracking
Online Password Cracking: There are many techniques used in online password cracking.
Some of them are:
Dictionary Attack: A dictionary password attack is a password cracking attack where each word
in a dictionary (or a file containing a lot of words) is tried as the password until access is gained.
This method succeeds when simple passwords are set. By simple, I mean common passwords
which can be found in a dictionary, like “password”, “iloveyou”, etc. This type of attack
takes little time but is not guaranteed to succeed, especially if the password is not present in
the dictionary.
Brute Force Attack: A brute force attack is a password cracking attack similar to a dictionary
attack. The only difference is that in this attack each and every possible combination is tried until
the password is successfully cracked. For example, if there are two words, say “abc” and “123”,
in a wordlist, other combinations like “abc1”, “abc2” and “abc3” are also tried. A brute force
attack will definitely succeed, even if it takes years to do so.
An attacker may use a computer or a cluster of computers to attempt every possible variation.
The longer the password, the more difficult and time-consuming the cracking process becomes.
As an example of timings, here are some findings from the 2023 Hive report on how long
passwords with only lowercase and uppercase letters versus more complex passwords (numbers,
upper- and lowercase letters, and symbols, stored as an MD5 hash) take to crack.

| Characters    | Lower & Uppercase Letters | Complex Passwords |
|---------------|---------------------------|-------------------|
| 8 Characters  | 22 minutes                | 8 hours           |
| 9 Characters  | 19 hours                  | 3 weeks           |
| 10 Characters | 1 month                   | 5 years           |
| 11 Characters | 5 years                   | 500 years         |
| 12 Characters | 300 years                 | 34k years         |

Hybrid Attack: As the name suggests, it uses a combination of both dictionary and brute force
password attacks to crack the password.
Rainbow Table: Since hashing algorithms are publicly known, it is possible to create massive
lists of pre-computed password hashes that a stolen hash can be compared against. Instead of
generating a new hash for every variation, look up the stolen hash against a table to see if it
matches.
There are many different hash methods and near-infinite password variations, which can quickly
make managing and storing tables like this very difficult. There is another technique known as
password salting that can also throw a wrench in this technique. If the server adds random values
to the front and end of a hash (values known only to the server), then the resulting hashes won’t
match known values anymore.
Credential Stuffing: Users commonly use the same root password across multiple services. If
one password is broken on one service, an attacker can quickly try that same password or
variations of it on other services to which the user may have access.
Known as credential stuffing, this has attackers trying the cracked password on multiple
services, or trying variations of it on the same service, and can result in all of the user's services
being compromised.
Weak (Insecure) Password Hashes: Of course, not all password hashing schemes are created
equal. As technology evolves, what was once considered secure may no longer be so. This is true
for hash algorithms like MD5 or SHA-1, which can be cracked quickly.
A system that stores user password hashes with one of these algorithms could have its entire
database cracked quickly.
Modern systems recommend more secure algorithms, such as bcrypt, which uses salted password
hashes.
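As an added example (not part of these notes), the Python below shows why the unsalted MD5 and SHA-1 schemes described above fall to a precomputed (rainbow-table style) lookup, why a per-user salt defeats that lookup, and why a slow, memory-hard hash (scrypt from the standard library, standing in for bcrypt) makes every remaining guess expensive. The wordlist and the user password are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed mini "dictionary" standing in for a real wordlist file.
WORDLIST = ["password", "iloveyou", "letmein", "qwerty", "123456", "sunshine"]


def md5_hex(password):
    """Unsalted MD5 of a password, as a weak legacy scheme would store it."""
    return hashlib.md5(password.encode()).hexdigest()


def build_md5_table(words):
    """Precompute MD5(word) -> word for every dictionary word.

    This is the idea behind a rainbow table: hashes of common passwords are
    computed once, and a stolen unsalted hash is simply looked up."""
    return {md5_hex(w): w for w in words}


def lookup(table, stolen_hash):
    """Return the plaintext if the stolen hash is in the precomputed table."""
    return table.get(stolen_hash)


def md5_salted_hex(password, salt):
    """MD5 over salt||password. Still fast, but the digest no longer matches
    a table built without that salt, so every salt needs its own table."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Defender-side storage: random 16-byte salt + memory-hard scrypt.

    Returns (salt, digest). Parameters are moderate so the example runs fast;
    production settings should be tuned to the server's time budget."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def offline_guess_count(words, salt, digest):
    """Number of full scrypt evaluations an offline dictionary pass needs
    before it finds the password (or exhausts the list). Each guess costs one
    slow hash, which is what makes bcrypt/scrypt storage expensive to attack
    compared with a single table lookup against MD5."""
    for i, w in enumerate(words, 1):
        if verify_password(w, salt, digest):
            return w, i
    return None, len(words)


if __name__ == "__main__":
    table = build_md5_table(WORDLIST)
    print("unsalted MD5 lookup:", lookup(table, md5_hex("iloveyou")))
    print("salted MD5 lookup:  ", lookup(table, md5_salted_hex("iloveyou", b"s4lt")))
    salt, digest = hash_password("iloveyou")
    print("scrypt dictionary pass:", offline_guess_count(WORDLIST, salt, digest))
```

The unsalted lookup returns the password instantly, the salted lookup returns nothing, and the scrypt pass still finds a dictionary word but only after paying one slow hash per guess, which is the cost the bcrypt recommendation above relies on.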
Password Cracking Tools
Though the techniques themselves are essential to know, many password crackers rely on readily
available tools.
Though three standard tools are listed below, many more are available. All of the below are
open-source and community-developed, which means they are ever-evolving.
John the Ripper - Supports hundreds of hash types across many applications and is available on
multiple platforms.
Hashcat - Works with the CPU and GPU to provide a high-speed command-line password-
cracking tool supporting many hash types.
Ophcrack - A tool based around rainbow tables focused on LM and NTLM passwords used in
Windows environments.
Definition of Key loggers: A key logger or keystroke logger/keyboard capturing is a form of
malware or hardware that keeps track of and records your keystrokes as you type. It takes the
information and sends it to a hacker using a command-and-control (C&C) server. The hacker
then analyzes the keystrokes to locate usernames and passwords and uses them to hack into
otherwise secure systems.
Types of key loggers
There are two types Software and Hardware. A software key logger is a form of malware that
infects your device and, if programmed to do so, can spread to other devices the computer comes
in contact with. While a hardware key logger cannot spread from one device to another, like a
software key logger, it transmits information to the hacker or hacking organization, which they
will then use to compromise your computer, network, or anything else that requires
authentication to access.
How are key loggers constructed?
An attacker can put a hardware bug inside the keyboard itself. This records each keystroke
and sends the information to be stored, either on a server or on a nearby physical device.
It is also possible for a keylogger to be placed within the wiring or inside the computer—as long as it
is between the keyboard and the monitor.
Additionally, keylogger software can be designed to intercept all input that comes from the
keyboard. This can be done using a few different methods:
1. The driver that facilitates the interaction between the keyboard and the computer can be
replaced with one that logs each keystroke.
2. A filter driver can be positioned within the keyboard stack.
3. Kernel functions, which use similarities between data to assist machine learning, can be
intercepted by software keyloggers and then used to derive the necessary keystrokes to
perform authentication functions.
4. The functions of the dynamic link library (DLL), which stores code used by more than
one program, can be intercepted.
The software, which is recognized as a form of spyware, is built using a few different methods.
Here are the most common:
1. A system hook, which is a technique for altering the operating system's behavior, is used
to intercept each notification generated whenever a key is pressed. This kind of software
is typically built using the coding language C.
2. A cyclical information request is set up that gathers information from the keyboard.
These kinds of keyloggers are typically written using Visual Basic or Borland Delphi.
3. A filter driver is written in C and installed inside the computer.
What Is Privilege Escalation?
A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access
into a system. Attackers exploit human behaviors, design flaws or oversights in operating
systems or web applications. This is closely related to lateral movement — tactics by which a
cyberattacker moves deeper into a network in search of high-value assets.
The Types of Privilege Escalation Attacks
There are two types of privilege escalation attacks: vertical and horizontal.
Vertical Privilege Escalation
Vertical privilege escalation occurs when an attacker gains access directly to an account with the
intent to perform actions as that person. This type of attack is easier to pull off since there is no
desire to elevate permissions.
We analyze numerous phishing emails that attempt to perform this attack. Whether it’s a “bank”,
“Amazon”, or any other countless number of ecommerce sites, the attack is the same. “Your
account will be deactivated due to inactivity. Please click this link and login to keep your
account active.”
Horizontal Privilege Escalation
Horizontal privilege escalation is a bit tricky to pull off as it requires the attacker to gain access
to the account credentials as well as elevating the permissions. This type of attack tends to
require a deep understanding of the vulnerabilities that affect certain operating systems or the use
of hacking tools.
Phishing campaigns have been used to perform the first part of the attack to gain access to the
account. When it comes to elevating permissions, the attacker has a few options to choose from.
One option is to exploit vulnerabilities in the operating system to gain system or root-level
access. The next option would be to use hacking tools, like Metasploit, to make the job a bit
easier.
More Types of Privilege Escalation Techniques
● Cybersquatting or typosquatting: Hijacking a URL or creating a false URL to entice
clicks. Attackers might employ a false top-level domain (e.g., Sample.co, .cm or .org
instead of .com) or subtly misspell a name (e.g., Sampe.com, Sarnple.com or
Samp1e.com).
● Password exposure: Sometimes users expose their passwords voluntarily, sharing them
with friends or coworkers. More often they do so unwittingly. They might keep
passwords written down somewhere obvious in their workspaces or have passwords that
are easy to guess.
● Security question exposure: It’s not unusual for users to forget passwords. When they
do, they often must answer security questions to create new passwords. Thanks to social
media, the answers to security questions are easier than ever to discover. (Beware the
viral quizzes or posts asking for the “Top 5 Things No One Knows about You.”)
● Vishing, or “voice phishing”: Attackers might call an employee and impersonate an
authority figure, tricking the employee into providing privileged information or installing
malware.
● Brute force attacks: These involve systematic automated guessing of passwords and can
be especially effective in systems with insufficient password requirements.
● Credential dumping: In these attacks, attackers gain illegal access to a network and steal
multiple credentials all at once.
● Shoulder surfing: This involves stealing an individual’s credentials through an insecure
network or by hacking into an individual’s devices.
● Dictionary attacks: In this type of attack, bad actors combine common words into
possible passwords based on a network’s password length and requirements.
● Password spraying: This type of attack utilizes automated attempts to gain access to
many accounts at once using a few common passwords (e.g., “password,” “qwerty,”
“123456” and the like).
● Credential stuffing: Here, attackers try to use credentials from one system on a different
system. This works because so many people reuse passwords across multiple networks.
● Pass the hash or rainbow table attacks: This attack type involves algorithms that
“hash” or scramble passwords.
● Password changes and resets: Sophisticated attackers can find ways to exploit the
process of setting new passwords. They can even request new passwords themselves if
they know answers to security questions.
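The brute force, password spraying and credential stuffing items above are all online guessing attacks, and they look different in an authentication log. As an added example (not from these notes), the Python below parses a constructed set of failed-login records and separates the two patterns a defender most often tunes alerts for: one source hammering one account, and one source touching many accounts a few times each (spraying), which a per-account lockout threshold alone never trips. The log format and thresholds are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed failed-login records (not real logs). Format assumed here:
#   <timestamp> FAIL user=<name> src=<ip>
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:02 FAIL user=bob src=203.0.113.7
2024-05-01T09:00:03 FAIL user=carol src=203.0.113.7
2024-05-01T09:00:04 FAIL user=dave src=203.0.113.7
2024-05-01T09:00:05 FAIL user=erin src=203.0.113.7
2024-05-01T09:00:06 FAIL user=frank src=203.0.113.7
2024-05-01T09:01:00 FAIL user=carol src=198.51.100.9
2024-05-01T09:01:01 FAIL user=carol src=198.51.100.9
2024-05-01T09:01:02 FAIL user=carol src=198.51.100.9
2024-05-01T09:01:03 FAIL user=carol src=198.51.100.9
2024-05-01T09:01:04 FAIL user=carol src=198.51.100.9
2024-05-01T09:01:05 FAIL user=carol src=198.51.100.9
2024-05-01T09:01:06 FAIL user=carol src=198.51.100.9
2024-05-01T09:01:07 FAIL user=carol src=198.51.100.9
2024-05-01T09:02:00 FAIL user=dave src=192.0.2.5
2024-05-01T09:02:30 OK user=dave src=192.0.2.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_failures(text):
    """Return (timestamp, user, src) for every failed login; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["user"], m["src"]))
    return events


def classify(events, brute_threshold=5, spray_min_users=5, spray_max_per_user=2):
    """Flag the two online-guessing patterns from the notes.

    brute_force:       one source hammers one account (>= brute_threshold failures)
    password_spraying: one source touches many accounts (>= spray_min_users),
                       each only a few times (<= spray_max_per_user)
    Returns a sorted list of (kind, src, user_or_None, count)."""
    per_pair = defaultdict(int)
    users_per_src = defaultdict(set)
    for _, user, src in events:
        per_pair[(src, user)] += 1
        users_per_src[src].add(user)

    findings = []
    for (src, user), n in per_pair.items():
        if n >= brute_threshold:
            findings.append(("brute_force", src, user, n))
    for src, users in users_per_src.items():
        if len(users) >= spray_min_users and all(
            per_pair[(src, u)] <= spray_max_per_user for u in users
        ):
            findings.append(("password_spraying", src, None, len(users)))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for finding in classify(parse_failures(SAMPLE_LOG)):
        print(finding)
```

The single failure from 192.0.2.5 is reported as neither pattern, which is the point of counting per source and per account rather than raising on every failed login.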
Examples of Privilege Escalation Attacks
Privilege escalation attacks commonly involve infecting a network or application with malware,
a broad category that includes the following:

● Worms: Self-contained programs that replicate themselves and spread copies to other
computers.
● Rootkits: Collections of software designed to give actors control of a network or
application. Once activated, they set up a backdoor to deliver additional malware and
may remain for years because they are hard to detect.
● Trojans: Malware disguised as legitimate software, designed to trick users through social
engineering techniques such as phishing or bait websites.
● Fileless malware: Unlike traditional malware, this does not require an attacker to install
malicious code on a target’s system, making it hard to detect.
● Spyware: Surveillance software that collects information about users’ web activity
without their knowledge or consent. (Adware is a type of spyware that watches a user’s
online activity to determine which ads to show them.)
● Keyloggers: Spyware that monitors user activity, typically installed through phishing.
Once installed, keyloggers can steal passwords, user IDs, banking details and other
information.
● Scareware: Programs (usually pop-up warnings) that trick users into believing their
computer is infected, persuading them to install fake antivirus software that is actually
malware.
● Ransomware: When an adversary encrypts a victim’s data and offers a decryption key in
exchange for a payment. Attackers can launch these attacks through social engineering
techniques or by using unpatched vulnerabilities and policy misconfigurations.

Hiding Files
Rootkits
Rootkits are programs that hackers use in order to evade detection while trying to gain
unauthorized access to a computer. Rootkits, once installed on a computer, are invisible to the
user and also take steps to avoid being detected by security software.
A rootkit is a set of binaries, scripts and configuration files that allows someone to covertly
maintain access to a computer so that he can issue commands and scavenge data without alerting
the system’s owner.
Depending on where they are installed, there are various types of rootkits:
● Kernel Level Rootkits
● Hardware/Firmware Rootkits
● Hypervisor (Virtualized) Level Rootkits
● Boot loader Level (Bootkit) Rootkits

NTFS Data Streams
Alternate Data Stream support was added to NTFS (Windows NT, Windows 2000 and
Windows XP) to support the Macintosh Hierarchical File System (HFS), which uses resource
forks to store icons and other information for a file. Using Alternate Data Streams, a user can
easily hide files that go undetected without close inspection.
Steganography
The art of hiding data inside other data or a medium is called steganography.
For example: hiding data within an image file.
The secret message is called the overt file and the covering file is called the covert file.
Types of Steganography
1. Image Steganography
2. Network or Protocol Steganography
3. Video Steganography
4. Audio Steganography
5. Text Steganography
1. Text Steganography − Steganography in text files entails secretly storing information in the
text itself; in this method the hidden data is encoded into the letters of each word.
2. Image Steganography − The second type of steganography is image steganography, which
conceals data by using an image of a different object as a cover. Pixel intensities are the key to
data concealment in image steganography.
Since the computer description of an image contains multiple bits, images are frequently used as
a cover source in digital steganography.
The various terms used to describe image steganography include:
Cover-Image - The original picture that will conceal the data.
Message - The real data that you mask within the picture. The message may be standard text or
another image.
Stego-Image − A stego-image is an image with a hidden message.
Stego-Key - Messages can be embedded in cover images and recovered from stego-images with
the help of a key, or the messages can be derived from the pictures themselves.
3. Audio Steganography − The science of hiding data in sound. Used digitally, it protects against
unauthorized reproduction. Watermarking is a technique that encrypts one piece of data (the
message) within another (the "carrier"). Its typical uses involve media playback, primarily audio
clips.
4. Video Steganography − Video steganography is a method of secretly embedding data or other
files within a video file on a computer. Video (a collection of still images) can function as the
"carrier" in this scheme. The discrete cosine transform (DCT) is commonly used to insert values
that hide the data in each image of the video, which is undetectable to the naked eye. Video
steganography typically employs the following file formats: H.264, MP4, MPEG, and AVI.
5. Network or Protocol Steganography − It involves concealing data by using a network protocol
such as TCP, UDP, ICMP or IP as the cover object. Steganography can be used for covert
channels, which occur in the OSI layer network model.
Steganography Techniques Explained
Now that we have a better grasp on what steganography is, what forms it comes in, and who uses
it, let’s take a closer look at a sample of the available techniques.
Secure Cover Selection
Secure Cover Selection involves finding the correct block image to carry malware. Then, hackers
compare their chosen image medium with the malware blocks. If an image block matches the
malware, the hackers fit it into the carrier image, creating an identical image infected with the
malware. This image subsequently passes quickly through threat detection methods.
Least Significant Bit
That phrase almost sounds like a put-down, doesn’t it? However, in this case, it refers to pixels.
Grayscale image pixels are broken into eight bits, and the last bit, the eighth one, is called the
Least Significant Bit. Hackers use this bit to embed malicious code because the overall pixel
value will be reduced by only one, and the human eye can’t detect the difference in the image.
So, no one is even aware that anything is amiss, and that the image is carrying something
dangerous within.
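To make the Least Significant Bit description concrete, here is an added example (not code from these notes) that embeds a short message into the LSB of grayscale pixel bytes and recovers it, then measures how little the cover changed. The cover image is a constructed 32x32 gradient held as raw bytes, so the block needs no image library; the 4-byte length header is an assumption of this demonstration, not a standard.

```python
def _bits_from_bytes(data):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover, message):
    """Write a 4-byte length header plus the message into the least
    significant bit of consecutive grayscale pixels (one bit per pixel)."""
    payload = len(message).to_bytes(4, "big") + message
    needed = len(payload) * 8
    if needed > len(cover):
        raise ValueError(f"cover has {len(cover)} pixels, payload needs {needed}")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits_from_bytes(payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the LSB, then set it to the bit
    return bytes(stego)


def _read_bytes(pixels, offset, count):
    """Reassemble `count` bytes from the LSBs starting at pixel `offset`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (pixels[offset + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract_lsb(stego):
    """Recover the message: read the length header, then that many bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def max_pixel_change(cover, stego):
    """Largest per-pixel difference introduced by embedding (expected: 1),
    which is why the change is invisible and why detection has to look at
    the statistics of the LSB plane rather than at the picture."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a 32x32 grayscale gradient, 1024 pixels of one byte each.
COVER = bytes((x + y) % 256 for y in range(32) for x in range(32))
SECRET = b"meet at noon"

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print(extract_lsb(stego), "max pixel change:", max_pixel_change(COVER, stego))
```

A 12-byte message needs 128 pixels of the 1024 available; a cover too small for the payload raises rather than silently truncating the message.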
Palette-Based Technique
Like the Least Significant Bit technique, the Palette-Based Technique also relies on images.
Hackers embed their message in palette-based images such as GIF files, making it difficult for
cybersecurity threat hunters or ethical hackers to detect the attack.
Steganography Tools
Various tools and software that support steganography are now readily accessible. Though most
only hide information, some provide additional security by encrypting it beforehand. You can find
the following free steganography resources online:
Steghide: Steghide is a free tool that uses steganography to conceal information in other files,
such as media or text.
Stegosuite: It is a Java-based, free steganography tool. Stegosuite makes it simple to obfuscate
data in pictures for covert purposes.
OpenPuff: It is a high-quality steganographic tool that allows you to conceal data in other media
types like images, videos, and Flash animations.
Xiao Steganography: To conceal information in BMP images or WAV files, use the free Xiao
Steganography tool.
SSuite Picsel: The free portable program SSuite Picsel is yet another option for hiding text
within an image file; however, it uses a somewhat different method than other programs.
These are only a few of the steganography tools available. However, these instruments will help
you achieve your goals.
Advantages of Steganography
Steganography is a method that makes it easy to conceal a message within another to keep it
secret. The result is that the hidden message remains hidden. A steganography approach can
benefit images, videos, and audio files. Further advantages include:
Unlike other methods, steganography has the added benefit of hiding communications so well
that they receive no attention. However, in countries where encryption is illegal, sending an
encrypted message that you can easily decipher will raise suspicion and may be risky.
Steganography is a form of encryption that protects the information within a message and the
connections between sender and receiver.
The three essential elements of steganography—security, capacity, and robustness—make it
worthwhile for covert information transfer via text files and for developing covert communication
channels.
You can store an encrypted copy of a file containing sensitive information on the server without
fear of unauthorized parties gaining access to the data.
Government and law enforcement agencies can communicate secretly with the help of
steganography.
Steganography Examples Include
● Writing with invisible ink
● Embedding text in a picture (like an artist hiding their initials in a painting they’ve done)
● Backward masking a message in an audio file (remember those stories of evil messages
recorded backward on rock and roll records?)
● Concealing information in either metadata or within a file header
● Hiding an image in a video, viewable only if the video is played at a particular frame rate
● Embedding a secret message in either the green, blue, or red channels of an RGB image
Steganography can be used both for constructive and destructive purposes. For example,
education and business institutions, intelligence agencies, the military and certified ethical
hackers use steganography to embed confidential messages and information in plain sight.
On the other hand, criminal hackers use steganography to corrupt data files or hide malware in
otherwise innocent documents. For example, attackers can use Bash and PowerShell scripts to
launch automated attacks, embedding scripts in Word and Excel documents. When a poor,
unsuspecting user clicks one of those documents open, they activate the secret, hidden script and
chaos ensues. This process is a favored ransomware delivery method.
Steganography has a huge advantage over standard cryptographic methods. When someone uses
cryptography, they’re passively calling attention to the fact that there’s secret information
present in the medium in question. Thus, the very presence of encrypted data tells intruders,
“Aha! Here’s some secret information!” Steganography, however, hides the sensitive
information in an otherwise innocuous document. Therefore, would-be hackers have no idea that
there is anything secret and enticing in the first place.
What is Sniffing?
Sniffing is the process of monitoring and capturing all data packets passing through a given network.
Sniffers are used by network/system administrators to monitor and troubleshoot network traffic.
Attackers use sniffers to capture data packets containing sensitive information such as passwords,
account information, etc. Sniffers can be hardware or software installed in the system. By placing
a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze
all of the network traffic.
There are two types:
Active Sniffing:
Sniffing on a switched network is active sniffing. A switch is a point-to-point network device: it
regulates the flow of data between its ports by tracking the MAC address on each port, which
lets it pass data only to its intended destination. To capture the traffic between targets, the
sniffer has to actively inject traffic into the LAN to enable sniffing of the traffic. This can be done
in various ways.
Passive Sniffing:
This is the process of sniffing through a hub. Any traffic passing through a non-switched or
unbridged network segment can be seen by all machines on that segment. Sniffers operate at the
data link layer of the network. Any data sent across the LAN is actually sent to each and every
machine connected to the LAN. This is called passive because sniffers placed by the attackers
passively wait for data to be sent and capture it.
ARP and CAM Table
ARP Table

Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to
a physical machine address that is recognized in the local network. A table is used to maintain a
correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules
for making this correlation and providing address conversion in both directions.
Source: www.pnj.ac.id

CAM Table

Content Addressable Memory (CAM) table is a system memory construct used by Ethernet switch logic
which stores information such as MAC addresses available on physical ports with their associated VLAN
Parameters. The CAM table, or content addressable memory table, is present in all switches for layer 2
switching. This allows switches to facilitate communications between connected stations at high speed
and in full-duplex regardless of how many devices are connected to the switch. Switches learn MAC
addresses from the source address of Ethernet frames on the ports, such as Address Resolution Protocol
(ARP) response packets.
Source: http://www.ciscopress.com/articles/article.asp?p=2348265&seqNum=2

Protocols vulnerable to sniffing
● Telnet and Rlogin: Keystrokes including usernames and passwords.
● HTTP: Data sent in clear text.
● SMTP: Passwords and data sent in clear text.
● NNTP: Passwords and data sent in clear text.
● POP: Passwords and data sent in clear text.
● FTP: Passwords and data sent in clear text.
● IMAP: Passwords and data sent in clear text.
Active Sniffing Attacks
MAC Attacks:
MAC flooding is an attack in which the CAM table is flooded with fake MAC-IP pairs until it
overflows, causing the switch to flood traffic out of all its ports, i.e. making the switch behave
like a hub.
ARP Spoofing:
In this case, an attacker spoofs the MAC address of a trusted host and forges ARP
requests/replies to overload the switch. Once the switch is set in “forward mode”, the attacker
can sniff the packets in the traffic.
ARP Poisoning:
Attacker chooses targets and floods their ARP cache with forged entries thus replacing the MAC
address of targets with MAC address of attacker. ARP poisoning is used in Man in the middle
attack.
Source: http://www.shortestpathfirst.net/2010/11/18/man-in-the-middle-mitm-attacks-explained-arp-poisoining/
Man-in-the-middle Attack:
It is a targeted attack in which the attacker sniffs the traffic and chooses targets. It uses the ARP
poisoning method to forge fake ARP requests/replies to the targets, forcing them to update their
ARP cache with the MAC address of the attacker's machine in place of the genuine target. The
traffic between the targets is thus split in two: one connection between target1 and the attacker
and another between target2 and the attacker. The attacker, being the man in the middle, can
modify or replay the traffic and capture sensitive information passing between the targets.
Source: www.gregsowell.com
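Both layer-2 attacks described above leave a footprint that can be checked from the defender's side: ARP poisoning makes one IP address (typically the gateway) appear to answer from two different MACs, and MAC flooding makes a single switch port suddenly carry hundreds of source MACs. The following Python, added here and not part of these notes, runs those two checks over constructed observations; the line formats ("ARP reply <ip> is-at <mac>" and "FRAME port=<port> src=<mac>") and the per-port threshold are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed observations (not real captures). Assumed line formats:
#   ARP reply <ip> is-at <mac>          -- ARP replies seen on the segment
#   FRAME port=<switchport> src=<mac>   -- source MACs the switch saw per port
SAMPLE_ARP = """\
ARP reply 192.168.1.1 is-at 00:11:22:33:44:55
ARP reply 192.168.1.20 is-at 00:11:22:33:44:66
ARP reply 192.168.1.1 is-at de:ad:be:ef:00:01
ARP reply 192.168.1.1 is-at de:ad:be:ef:00:01
"""

ARP_RE = re.compile(r"^ARP reply (?P<ip>\S+) is-at (?P<mac>[0-9a-f:]{17})$")
FRAME_RE = re.compile(r"^FRAME port=(?P<port>\S+) src=(?P<mac>[0-9a-f:]{17})$")


def detect_arp_conflicts(text):
    """Map each IP to the set of MACs that claimed it in ARP replies.

    An IP answered by more than one MAC is the signature of ARP poisoning
    (here the gateway 192.168.1.1 'moves' to a second MAC).
    Returns {ip: sorted_macs} for conflicting IPs only."""
    claims = defaultdict(set)
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            claims[m["ip"]].add(m["mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def detect_mac_flood(text, max_macs_per_port=8):
    """Count distinct source MACs per switch port.

    An access port normally carries one or a handful of MACs; hundreds of new
    ones in a short window is CAM-table flooding. Returns {port: count} for
    ports above the threshold."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            seen[m["port"]].add(m["mac"])
    return {p: len(macs) for p, macs in seen.items() if len(macs) > max_macs_per_port}


def build_frame_sample():
    """Constructed switch observations: two normal ports and one flooded port."""
    lines = [
        "FRAME port=Gi0/1 src=00:11:22:33:44:55",
        "FRAME port=Gi0/2 src=00:11:22:33:44:66",
        "FRAME port=Gi0/2 src=00:11:22:33:44:67",
    ]
    for i in range(300):  # 300 fabricated source MACs on a single port
        lines.append(f"FRAME port=Gi0/3 src=02:00:00:00:{i >> 8:02x}:{i & 0xFF:02x}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("ARP conflicts:", detect_arp_conflicts(SAMPLE_ARP))
    print("flooded ports:", detect_mac_flood(build_frame_sample()))
```

In practice the same checks map onto dynamic ARP inspection and port-security MAC limits on managed switches; the script shows what those features are looking for.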
