
3rd & 4th Phase of Penetration Testing

WinPassword
John the Ripper
PasswordsPro
Password Unlocker Bundle
Password Cracker
Cloud Cracker
etc
Privilege Escalation
(a technique hackers use to gain unauthorized access to a network)
Successful privilege escalation attacks grant hackers privileges that normal users
don't have. There are two common types of privilege escalation: horizontal and
vertical.

Privileges are a security feature of most programs and operating systems. They
limit the access that different kinds of users have to files and code. The more
privileges a user has, the more he or she can modify or interact with a system or
application.

To prevent unauthorized users from gaining access to advanced operations,
such as changing code, deleting files or viewing sensitive data, developers
typically employ the principle of least privilege.

When a hacker wants greater privileges than the typical user, he or she has to find
a way around this security feature, which can result in a privilege escalation
attack.
Vertical Privileges
The attacker grants himself privileges usually reserved for higher-access users.

In most privilege escalation attacks, the hacker first logs in with a low-privileged
user account. Then he searches for exploitable flaws in the system that can be used
to elevate his privileges. If the hacker successfully exploits such flaws, he may
be able to authorize network activity, create new system users, access files or
change the system settings. Such an attack can result in the theft of sensitive
data or the hijacking of an entire network.

Example: lock screen bypasses on many of today's popular smartphones are vertical
privilege escalation attacks. Android and iOS have both been affected by
such vulnerabilities, which allow an unauthorized user to gain access to
someone else's contacts and apps just by performing a simple hack.
Prevention
Vertical privilege escalation attacks are difficult, but not impossible, to prevent.
The easiest way to keep such attacks at bay is to keep antivirus software up to date
and install new patches and software fixes as soon as they become available.
The more secure your system, the less likely a hacker is to find an exploitable hole.
Employing data execution prevention (DEP) is another way to avoid these kinds of
attacks.
Horizontal Privileges

The attacker is a normal, low-privileged user who accesses the information of other
normal users. In other words, the attacker doesn't gain any advanced
privileges; he simply assumes someone else's identity to gain access he would
not otherwise have.

Example: if a hacker logs into her own online bank account and then, by
some flaw in the banking application, is able to also gain access to another
user's account, she has just pulled off a horizontal privilege escalation attack.
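The banking flaw described above, shown as an added example that is not part of the original slides: a constructed in-memory account store (ACCOUNTS, AUDIT and both lookup functions are hypothetical) with the vulnerable lookup beside the hardened one, plus the audit check a defender would run to spot a user probing other people's account ids.

```python
# Constructed in-memory "banking" data: account id -> owner and balance (not a real app).
ACCOUNTS = {
    101: {"owner": "alice", "balance": 500},
    102: {"owner": "bob", "balance": 1200},
}
AUDIT = []   # constructed audit trail: one entry per account lookup

class Forbidden(Exception):
    pass

def get_account_vulnerable(session_user, account_id):
    """The flaw: the lookup trusts the account id from the request and never
    compares it with the logged-in user, so alice can read bob's account."""
    return ACCOUNTS[account_id]

def get_account_hardened(session_user, account_id):
    """Fix: authorization is bound to the session server-side. A missing account
    and a foreign account give the same error, so ids cannot be enumerated."""
    acct = ACCOUNTS.get(account_id)
    allowed = acct is not None and acct["owner"] == session_user
    AUDIT.append({"user": session_user, "account": account_id,
                  "result": "ok" if allowed else "denied"})
    if not allowed:
        raise Forbidden("account not available to this user")
    return acct

def denied_per_user(audit, threshold=1):
    """Detection: users whose denied lookups reach the threshold, e.g. someone
    walking through account ids looking for a horizontal escalation."""
    counts = {}
    for entry in audit:
        if entry["result"] == "denied":
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
    return {u: c for u, c in counts.items() if c >= threshold}
```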

Malware that employs keystroke logging or tracking cookies can be used to
steal passwords and facilitate future privilege escalation attacks.
Prevention

One of the most effective ways to prevent horizontal privilege escalation
attacks is to choose passwords that won't be easily guessed by hackers.
Always choose unique passwords for every account you create, and be sure
to follow a few basic guidelines when creating passwords to ensure security.
Include at least eight characters, for example, and be sure to include upper
and lower case letters as well as special characters and numbers.

Keeping antivirus software up to date can also help prevent horizontal
privilege escalation attacks.

Maintaining patched and updated web browsers is also particularly
important in avoiding these kinds of attacks.
Privilege Escalation using DLL Hijacking
Reset password of target system using Command Prompt
Privilege Escalation Tools
Windows Password Reset Kit
Trinity Rescue Kit
Windows Password Recovery tool
etc
Keyloggers are programs or hardware devices that monitor the keystrokes as a user
types on the keyboard and log them to a file or transmit them to a remote location.
They allow the attacker to gather confidential information about the victim (email,
passwords, banking details etc.).
Physical (hardware) loggers are placed between the keyboard hardware and the
operating system.
Many keylogger programs are available, and many are free.
Spyware is a program which records a user's interaction with the computer and the
internet without the knowledge of the user and sends it to a remote location.
Spyware hides its processes, files and other objects.
It allows the attacker to gather the victim's information (email id, login details,
banking, credit card, passwords etc.):
It sees all keystrokes
Reveals all website visits
Records online chat (Skype, Yahoo Messenger, Google Talk etc.)
Sees emails
Many spyware programs are available.
A backdoor is a technique in which a system security mechanism is bypassed
undetectably to access a computer or its data. The backdoor access method is
sometimes written by the programmer who develops a program.
A Trojan horse provides access at the application level, but to gain it, the user
needs to install the piece of malware locally. In Windows systems, the majority of
Trojans proceed to install themselves as a service and then run as Local System,
having administrative access.
Furthermore, the pentester can mount Trojans to sneak out passwords, credentials,
and any other sensitive information stored on the system.
Much like remote access Trojans (RATs), backdoors are installed in target systems
and come with built-in upload/download functionality.

They upload gathered files of interest and then rely on ports like port 53 (for DNS)
and 80 and 443 (for HTTP and HTTPS, respectively) to cover up their traffic.
A covert channel is when data is sent through secret communication tunnels. VoIP,
DNS tunnels, ICMP tunnels, and HTTP tunnels are such paths for data extraction from
the inside of a network. All of these covert channels can transport encrypted data
as well. (Detecting covert channels is difficult, but not impossible.)

To detect a covert tunnel is one thing, but to block it is a completely different
matter.
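The DNS-tunnel detection the text says is difficult but possible, as an added example that is not part of the original slides: a constructed query log (the "ts client qtype qname" format and the domain names are invented) scored on three indicators a tunnel leaves behind, oversized labels, near-random label characters and TXT/NULL record types, with a per-domain volume threshold so a single hash-like CDN hostname is not flagged.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (hypothetical "ts client qtype qname" format).
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 A mail.example.com
1700000002 10.0.0.5 A a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.cdn.example.org
1700000003 10.0.0.7 TXT kq7xv3bz2mlc9hd4pwf8ne6ta0ysrj5g.tun.example-evil.net
1700000004 10.0.0.7 TXT zp2wc8rn4kx7fh3bv5ml9dq6tj0ysa1e.tun.example-evil.net
1700000005 10.0.0.7 TXT mh6dx1vr9kq3nb0pt5zf7wa2gy8jcs4l.tun.example-evil.net
1700000006 10.0.0.5 A cdn.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for empty input)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def base_domain(qname):
    """Last two labels; assumption: no multi-part public suffixes such as co.uk."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, client, qtype, qname = line.split()
        rows.append({"ts": int(ts), "client": client, "qtype": qtype, "qname": qname.lower()})
    return rows

def suspicious_domains(rows, max_label=30, min_entropy=3.0, min_queries=3):
    """Score each query on three tunnel indicators; report base domains whose queries
    average at least two of them once min_queries have been seen: {domain: count}."""
    per_domain = defaultdict(list)
    for r in rows:
        labels = r["qname"].split(".")
        sub_labels = labels[:-2]
        score = 0
        if max((len(l) for l in sub_labels), default=0) > max_label:
            score += 1                      # oversized label: encoded payload chunk
        if shannon_entropy("".join(sub_labels)) > min_entropy:
            score += 1                      # near-random characters, not a hostname
        if r["qtype"] in ("TXT", "NULL"):
            score += 1                      # record types that carry arbitrary bytes
        per_domain[base_domain(r["qname"])].append(score)
    return {d: len(s) for d, s in per_domain.items()
            if len(s) >= min_queries and sum(s) / len(s) >= 2}
```

On real resolver logs the thresholds need tuning per environment; the volume threshold is what keeps legitimate long hostnames (CDN and anti-spam lookups) out of the alert.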
Rootkit
Steganography
A rootkit is a collection of computer software, typically malicious, designed to
enable access to a computer or areas of its software that is not otherwise
allowed and often masks its existence or the existence of other software.

The term rootkit is a concatenation of "root" (the traditional name of the privileged
account on Unix-like operating systems) and the word "kit" (which refers to the
software components that implement the tool).

Rootkit installation can be automated, or an attacker can install it after having
obtained root or Administrator access. Obtaining this access is a result of a direct
attack on a system, i.e. exploiting a known vulnerability (such as privilege
escalation) or a password (obtained by cracking or social engineering tactics like
"phishing").

Detection of rootkits is difficult. Detection methods include using an
alternative and trusted operating system, behavioral-based methods,
signature scanning, difference scanning, and memory dump analysis.

Removal can be complicated or practically impossible, especially in cases where
the rootkit resides in the kernel; reinstallation of the operating system may be the
only available solution to the problem.

Example: rootkit keyloggers are designed to record the words the victim types
without his knowledge. It has plenty of time to steal sensitive information given
If we split a computer system into three basic layers, they are hardware, kernel,
and operating system level.

In essence, the kernel is the core of the operating system.


• User-level rootkits use low-priority processes to subvert security software.
• Kernel-level rootkits are far stealthier and more dangerous than their
user-level counterparts for the following reasons:
  - they have the ability to camouflage their presence when they add their
    code to portions of the operating system's kernel;
  - they run earlier than the operating system;
  - they can circumvent encryption and create secret channels for
    unrestricted access to the penetrated system;
  - it is difficult to remove kernel-level and boot-level rootkits;
  - rootkits residing in the kernel memory normally leave no trace on the
    hard disk. Also, they may modify files, parts of the disk, and even alter
    the kernel so that they can resist reboots.
Steganography
It is the hiding of a secret message within an ordinary message and the extraction of it at its destination.
Steganography takes cryptography a step farther by hiding an encrypted message so that no one
suspects it exists.

Steganography is data hidden within data. It is a hiding technique that can be used
along with cryptography as an extra-secure method in which to protect data. Ideally, anyone scanning
your data will fail to know it contains encrypted data.

In modern digital steganography, data is first encrypted by the usual means and then inserted, using a
special algorithm, into redundant (that is, provided but unneeded) data that is part of a particular file
format such as a JPEG image. A trademark or other identifying symbol hidden in software code is
sometimes known as a watermark.

Stegware

Stegware is the use of steganography by malware to avoid detection. It can be used to penetrate a
system, to leak sensitive information and to run a command and control channel without detection.

Stegware cannot be stopped by defences based on detection, but can be defeated by Content Threat
Removal (business information is retrieved and other data is discarded), as this eliminates the
redundancy used by steganography to hide information.

It means a cyber attack can operate without detection, bypassing all defences that are based on
detection or analysis.
Data exfiltration is an unauthorized transfer of data from a computer system or IT
servers to an external system or device. It can be carried out manually (similar to a
'copy-paste' command) or automatically via malware spread across a network.
It can happen via direct electronic means or via physical media, such as downloading
data to a USB drive or stealing a laptop.
Electronic exfiltration uses web protocols, tunneling protocols, email or file
transfers. The file transfer protocol (FTP), for instance, is regarded as a standard
network protocol whose purpose is to transfer files.
Other protocols and techniques are applicable as well, for instance, routing control
packets, secure shell, peer-to-peer, instant messaging, Windows Management
Instrumentation, hiding data within video or images, and VoIP. Webcams, microphones,
and similar peripheral devices may be rigged to monitor the target's activities.
Pentesters can also make use of HTTP file transfers or the Tor anonymity network as a
means to mask location and traffic.
Common traffic channels are a preferable route for smuggling data out of the targeted
system since the extraction will blend in with the noise of the network.
Metasploit is a software platform for developing, testing, and executing exploits.
It is one of the most popular penetration testing tools.
It performs a very good vulnerability assessment in network and web applications.
It has inbuilt plug-ins for some famous vulnerability scanners, such as Nessus,
Nexpose, OpenVAS, and WMAP.
Metasploit is a Ruby-driven environment. It allows us to develop exploits in the Ruby
language and integrate them with existing repositories.
The Ruby language also allows us to use the existing exploits within its file system
to carry out an attack.
