Unit5 - Subjective Questions

System Hacking is the process of exploiting vulnerabilities in a system or network to gain unauthorized access, escalate privileges, maintain access, and hide malicious activities.

Primary Goals:

• To gain access to the system.
• To bypass security controls.
• To acquire confidential information.

Methodology Steps:

1. Gaining Access: Attackers use techniques like password cracking, buffer overflows, or session hijacking to enter the system.
2. Escalating Privileges: Once user-level access is gained, the attacker attempts to acquire Administrative or Root privileges (Vertical Escalation).
3. Maintaining Access (Persistence): Installing backdoors, rootkits, or Trojans to retain access even after a reboot.
4. Clearing Logs (Covering Tracks): Modifying or deleting system logs (Event Viewer, Syslog) to hide evidence of the intrusion.

Salting involves adding a unique, random string of characters (the salt) to a password before it is hashed.

Mathematical Representation:
Instead of storing , the system stores:

Mitigation of Rainbow Tables:

1. Uniqueness: Even if two users have the same password (), their salts () will be different. Therefore, $H(P_1 + S_1)
   eq H(P_2 + S_2)$.
2. Invalidating Pre-computation: Rainbow tables are pre-computed for unsalted hashes (e.g., pure MD5 or SHA-256). Because the input to the hash function changes with the salt, the pre-computed chains in the Rainbow Table do not match the salted hash found in the database.
3. Computational Cost: To crack salted passwords, an attacker must generate a new Rainbow Table for every unique salt, which is computationally infeasible.

Unquoted Service Path constitutes a vulnerability where a service executable path containing spaces is not enclosed in quotation marks. Windows parses file paths in a specific order.

The Mechanism:
If a service path is C:\Program Files\My Service\service.exe, Windows interprets it in this order:

1. C:\Program.exe
2. C:\Program Files\My.exe
3. C:\Program Files\My Service\service.exe

Exploitation:

• If an attacker has write permissions in C:\, they can place a malicious executable named Program.exe.
• When the service restarts (often with SYSTEM privileges), Windows executes the malicious Program.exe first because of the space ambiguity.
• This grants the attacker a shell with the privileges of the service (usually SYSTEM).

SUID (Set User ID) is a special permission bit in Linux. When an executable with the SUID bit set is run, it executes with the privileges of the file owner rather than the user running it.

Identification:
SUID files can be found using: find / -perm -u=s -type f 2>/dev/null

Abuse/Exploitation:
If a binary owned by root has the SUID bit set and allows shell escapes or arbitrary file writes, it can be exploited.

• Example (Nmap): Older versions of Nmap allowed interactive mode. If Nmap is SUID root, a user can enter interactive mode and spawn a shell (!sh), resulting in a root shell.
• Example (Find): The find command with SUID root can execute commands: find . -exec /bin/sh -p \; to gain root access.

Static Analysis:

• Definition: Analyzing the code or binary without executing it.
• Method: Disassembling the code to assembly, checking file headers, strings, imports/exports, and metadata.
• Tools: IDA Pro (Disassembler), Ghidra, strings, objdump.
• Safety: Safer as the malicious code is not run.

Dynamic Analysis:

• Definition: Analyzing the behavior of the code while it is running.
• Method: Monitoring system calls, registry changes, network traffic, and memory modification in a sandbox or debugger.
• Tools: OllyDbg, x64dbg, Wireshark, Process Monitor.
• Safety: Riskier; requires an isolated environment (Sandbox/VM) to prevent infection.

Remote Access Tools (RATs) are software programs used to remotely control a victim's computer. In penetration testing, they simulate the capabilities of a C2 (Command and Control) infrastructure.

Role in Post-Exploitation:

• Command Execution: Running shell commands remotely.
• File Management: Uploading exploit kits or downloading sensitive data.
• Surveillance: Keylogging, screen capture, and webcam activation.
• Persistence: Establishing mechanisms to reconnect automatically.

Difference from Viruses:

• Control: Viruses are generally autonomous and focus on self-replication and damage. RATs are designed for stealthy, interactive control by a human operator.
• Purpose: Viruses aim to spread; RATs aim to maintain a foothold and exfiltrate data.

DLL Hijacking is a technique where an attacker tricks a legitimate application into loading a malicious Dynamic Link Library (DLL) instead of the intended system DLL.

The Vulnerability:
When an application requests a DLL without specifying the full path, Windows searches for the DLL in a specific order (the search order depends on the SafeDllSearchMode setting, but generally follows this pattern):

1. The directory from which the application loaded.
2. The System directory (C:\Windows\System32).
3. The 16-bit System directory.
4. The Windows directory.
5. The current working directory.
6. Directories listed in the PATH environment variable.

The Attack:
If an attacker places a malicious DLL with the same name as a required system DLL in the application's directory (Priority 1), the application will load the malicious code first, executing the attacker's payload with the privileges of the application.

Maintaining Persistence is the phase where the penetration tester (or attacker) establishes a mechanism to regain access to the compromised system after interruptions such as restarts, logoffs, or network changes.

Techniques in Windows:

1. Registry Run Keys: Adding entries to HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\...\Run. Programs listed here execute automatically at login.
2. Scheduled Tasks: Using the schtasks command to create a task that runs a malicious binary at specific intervals or system events (e.g., schtasks /create /sc minute /mo 1 ...).
3. Services: Creating a backdoor service using sc create or modifying an existing service to point to a malicious binary. Services often run with SYSTEM privileges.

The Golden Ticket attack involves creating a forged Kerberos Ticket Granting Ticket (TGT). This allows an attacker to request service tickets for any service on the domain, effectively granting domain controller privileges.

Mechanism:
In Kerberos, the KDC (Key Distribution Center) signs TGTs using the hash of the krbtgt account. If an attacker obtains this hash, they can sign their own tickets.

Required Data to Forge a Golden Ticket:

1. Domain Name (FQDN).
2. Domain SID (Security Identifier).
3. User Name to impersonate (usually Administrator or a non-existent user).
4. krbtgt NTLM Hash: The most critical component, usually dumped from the Domain Controller using tools like Mimikatz.

Impact:
Provides persistence that lasts for up to 10 years (or until the krbtgt password is changed twice).

Importance of Scripting:

• Customization: Public exploits often fail due to environment differences; scripting allows modification of payloads.
• Efficiency: Automating repetitive tasks (like scanning subnets or parsing logs) saves time.
• Stealth: Scripts can often run in memory (Fileless malware using PowerShell) avoiding antivirus detection compared to dropping compiled binaries.
• Living off the Land: Using native interpreters (Bash/PowerShell) avoids bringing external tools that might trigger alarms.

Example of Automated Task:
Ping Sweep: Instead of manually pinging IPs, a simple Bash script loop can identify live hosts:
bash
for i in {1..254}; do ping -c 1 192.168.1.$i | grep "64 bytes"; done

Rootkits are malicious software designed to hide the existence of other malware, processes, or the intruder themselves while maintaining privileged access.

User-mode Rootkits (Ring 3):

• Operate in the same memory space as applications.
• Technique: They hook Application Programming Interfaces (APIs) (e.g., modifying FindNextFile in Windows to omit malicious files).
• Detection: Easier to detect by kernel-level antivirus tools because they rely on the underlying OS kernel which is unmodified.

Kernel-mode Rootkits (Ring 0):

• Operate at the deepest level of the OS (Kernel/Driver level).
• Technique: They modify kernel data structures (like the System Call Table). They can intercept hardware requests directly.
• Detection: Extremely difficult to detect and remove because the OS itself is compromised and cannot be trusted to report the truth. Often requires booting from external media to detect.

Buffer Overflow occurs when a program writes more data to a fixed-length block of memory (buffer) than it can hold. The extra data overwrites adjacent memory locations.

Stack-Based Mechanism:

1. Memory Layout: The stack contains local variables (Buffer), the Saved Frame Pointer (SFP), and the Return Address (RET) which tells the CPU where to go after a function finishes.
2. The Overflow: An attacker inputs data larger than the allocated buffer size.
3. Overwriting EIP: The overflow fills the buffer, crosses the SFP, and overwrites the Return Address.
4. Control Flow Hijacking: When the function returns, the CPU loads the corrupted Return Address into the EIP (Extended Instruction Pointer).
5. Payload Execution: If the attacker replaces the Return Address with the memory address of their malicious code (Shellcode), the CPU jumps to that code and executes it.

Mimikatz is a leading post-exploitation tool used to extract plain-text passwords, hashes, PINs, and Kerberos tickets from memory.

Credential Dumping:
It interacts with the LSASS (Local Security Authority Subsystem Service) process in Windows. It can extract credentials stored in the WDigest provider (often cleartext in older Windows) or NTLM hashes.

Pass-the-Hash (PtH):

• Concept: Windows authentication (NTLM) often doesn't require the plaintext password, only the hash.
• Mimikatz Role: Using the sekurlsa::pth module, an attacker can inject a captured NTLM hash into their current session.
• Result: The attacker can authenticate to remote servers (SMB, WMI) as the victim user without ever cracking the hash to reveal the actual password.

Once a shell is obtained on a Linux system, enumeration is vital to understand the environment and plan privilege escalation:

1. System Information:
   • uname -a (Kernel version/Architecture)
   • cat /etc/*-release (OS Distribution)
2. User Enumeration:
   • whoami (Current user)
   • id (Group memberships, specifically sudo/wheel)
   • cat /etc/passwd (List all users)
   • w or last (Currently logged in or previous users)
3. Network Enumeration:
   • ip a or ifconfig (Interfaces)
   • netstat -antup (Open ports and connections)
4. Process/Service Enumeration:
   • ps aux (Running processes, look for root processes)
5. Configuration/File Enumeration:
   • Checking .bash_history for credentials.
   • Searching for SUID files.

Importance: Covering tracks is essential to remain undetected, avoid legal attribution, and prevent security administrators from patching the vulnerability used for entry.

Windows Methods:

• Clear Event Logs: Using the command wevtutil cl <LogName> (e.g., wevtutil cl System) or via PowerShell Clear-EventLog.
• Disable Auditing: auditpol /set /category:"System" /success:disable.
• Timestomping: Modifying file timestamps (MACE - Modified, Accessed, Created, Entry) to hide newly created malware files.

Linux Methods:

• History File: export HISTSIZE=0 or unset HISTFILE to stop logging commands. rm ~/.bash_history.
• Log Cleaning: Shredding log files like /var/log/auth.log or /var/log/syslog (e.g., shred -zu /var/log/auth.log).
• Log Modification: Using sed to delete specific lines referencing the attacker's IP without deleting the whole file (stealthier).

Steganography is the practice of concealing a file, message, image, or video within another file, message, image, or video. The goal is to hide the existence of the communication.

Context in Hacking:
Attackers use steganography to exfiltrate data (hiding stolen text inside a JPEG image) or to hide command-and-control payloads inside innocent-looking traffic or files to bypass IDS/IPS.

Difference from Cryptography:

• Cryptography: Scrambles the message so it cannot be read without a key. The communication is obvious but unreadable.
• Steganography: Hides the message so it appears that no secret communication is taking place. The communication is invisible.

Running unverified code is dangerous. A tester must analyze:

1. Target Architecture: Verify if the exploit is for x86 or x64 and if it matches the target OS version.
2. Shellcode: Check the hex shellcode. Is it a reverse shell? Does it connect to a specific IP/Port? Attackers often put hardcoded IPs in shellcode that need changing.
3. Dependencies: Does the script require specific libraries or interpreters (Python 2 vs 3)?
4. Malicious Intent: Ensure the 'exploit' isn't actually a trap (e.g., rm -rf / or sending hash files to a third party).
5. Return Addresses/Offsets: Check if memory offsets (JMP ESP addresses) align with the specific patch level of the target application.

Horizontal Privilege Escalation:

• Definition: An attacker takes over the account of another user who has the same level of privileges as the attacker.
• Scenario: A user Alice accesses the bank account of user Bob. Both are standard users.
• Goal: Accessing data specific to other users.

Vertical Privilege Escalation:

• Definition: An attacker elevates their privileges from a lower-privileged user to a higher-privileged user (e.g., User to Admin/Root).
• Scenario: A standard user exploits a kernel vulnerability to gain NT AUTHORITY\SYSTEM access.
• Goal: Full system control, installing software, modifying system configurations.

Keylogging (Keystroke Logging) is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.

Purpose: To capture passwords, credit card numbers, and sensitive communications.

Types:

1. Hardware Keyloggers: Physical devices inserted between the keyboard cable and the USB/PS2 port. They are OS-independent but require physical access.
2. Software Keyloggers: Programs that run in the background. They hook into the OS input APIs (like SetWindowsHookEx in Windows) to intercept keystrokes before they reach the target application. They can be installed remotely via RATs.