Nonelectronic Attacks

Nonelectronic—or nontechnical attacks—are attacks that do not employ any technical knowledge. This kind of attack can include social engineering, shoulder surfing, keyboard sniffing, and dumpster diving.
Social engineering is the art of interacting with people either face to face or over the telephone and getting them to give out valuable information such as passwords. Social engineering relies on people's good nature and desire to help others. Many times, a help desk is the target of a social-engineering attack because their job is to help people—and recovering or resetting passwords is a common function of the help desk. The best defense against social-engineering attacks is security-awareness training for all employees and security procedures for resetting passwords.

Shoulder surfing involves looking over someone's shoulder as they type a password. This can be effective when the hacker is in close proximity to the user and the system. Special screens that make it difficult to see the computer screen from an angle can cut down on shoulder surfing. In addition, employee awareness and training can virtually eliminate this type of attack.
Dumpster diving hackers look through the trash for information such as passwords, which may be written down on a piece of paper. Again, security awareness training on shredding important documents can prevent a hacker from gathering passwords by dumpster diving.

Offline Attacks | System Hacking

Offline attacks are performed from a location other than the actual computer where the passwords reside or were used. Offline attacks usually require physical access to the computer and copying the password file from the system onto removable media. The hacker then takes the file to another computer to perform the cracking. Several types of offline password attacks exist, as you can see in Table 1.
Table 1: Offline attacks 
Type of attack
Example password
Dictionary attack
Attempts to use passwords from a list of dictionary words
Hybrid attack
Substitutes numbers of symbols for password characters
Brute-force attack
Tries all possible combinations of letters, numbers, and special characters
A dictionary attack is the simplest and quickest type of attack. It's used to identify a password that is an actual word, which can be found in a dictionary. Most commonly, the attack uses a dictionary file of possible words, which is hashed using the same algorithm used by the authentication process. Then, the hashed dictionary words are compared with hashed passwords as the user logs on, or with passwords stored in a file on the server. The dictionary attack works only if the password is an actual dictionary word; therefore, this type of attack has some limitations. It can't be used against strong passwords containing numbers or other symbols.
A hybrid attack is the next level of attack a hacker attempts if the password can't be found using a dictionary attack. The hybrid attack starts with a dictionary file and substitutes numbers and symbols for characters in the password. For example, many users add the number 1 to the end of their password to meet strong password requirements. A hybrid attack is designed to find those types of anomalies in passwords.
The most time-consuming type of attack is a brute-force attack, which tries every possible combination of uppercase and lowercase letters, numbers, and symbols. A brute-force attack is the slowest of the three types of attacks because of the many possible combinations of characters in the password. However, brute force is effective; given enough time and processing power, all passwords can eventually be identified.
rainbow table is a list of dictionary words that have already been hashed. Rainbow tables can speed up the discovery and cracking of passwords by pre-computing the hashes for common strings of characters. For example, a rainbow table can include characters from a to z or A to Z. Essentially, rainbow table tools are hash crackers. A traditional brute-force cracker will try all possible plaintext passwords one by one in order. It is time consuming to break complex passwords in this way. The idea of rainbow tables is to do all cracking-time computation in advance.

Active Online Attacks | System Hacking

The easiest way to gain administrator-level access to a system is to guess a simple password assuming the administrator used a simple password. Password guessing is an active online attack. It relies on the human factor involved in password creation and only works on weak passwords.
When we discussed the Enumeration phase of system hacking, you learned the vulnerability of NetBIOS enumeration and null sessions. Assuming that the NetBIOS TCP 139 port is open, the most effective method of breaking into a Windows NT or Windows 2000 system is password guessing. This is done by attempting to connect to an enumerated share (IPC$ or C$) and trying a username and password combination. The most commonly used Administrator account and password combinations are words like Admin, Administrator, Sysadmin, or Password, or a null password.
A hacker may first try to connect to a default Admin$C$, or C:\Windows share. To connect to the hidden C: drive share, for example, type the following command in the Run field (Start ð Run):
    \\ip_address \c$
Automated programs can quickly generate dictionary files, word lists, or every possible combination of letters, numbers, and special characters and then attempt to log on using those credentials. Most systems prevent this type of attack by setting a maximum number of login attempts on a system before the account is locked.
In the following sections, we'll discuss how hackers can perform automated password guessing more closely, as well as countermeasures to such attacks.

Performing Automated Password Guessing

To speed up the guessing of a password, hackers use automated tools. An easy process for automating password guessing is to use the Windows shell commands based on the standard NET USE syntax. To create a simple automated password-guessing script, perform the following steps:
  1. Create a simple username and password file using Windows Notepad. Automated tools such as the Dictionary Generator are available to create this word list. Save the file on the C: drive as credentials.txt.
  2. Pipe this file using the FOR command:
      C:\> FOR /F "token=1, 2*" %i in (credentials.txt)
  3. Type net use \\targetIP\IPC$ %i /u: %j to use the credentials.txt file to attempt to log on to the target system's hidden share.
Another example of how the FOR command can be used by an attacker is to wipe the contents of the hard disk with zeros using the command syntax ((i=0; i<11; i++)); do dd if=/dev/random of=/dev/hda && dd if=/dev/zero of=dev/hda done. The wipe command could also be used to perform the wiping of data from the hard disk using the command $ wipe -fik /dev/hda1.

Defending against Password Guessing

Two options exist to defend against password guessing and password attacks. Both smart cards and biometrics add a layer of security to the insecurity that's inherent when users create their own passwords.
A user can also be authenticated and validated using biometrics. Biometrics use physical characteristics such as fingerprints, hand geometry scans, and retinal scans as credentials to validate users.
Both smart cards and biometrics use two-factor authentication, which requires two forms of identification (such as the actual smart card and a password) when validating a user. By requiring something the user physically has (a smart card, in this instance) and something the user knows (their password), security is increased, and the authentication process isn't susceptible to password attacks.
RSA Secure ID is a two-factor authentication system that utilizes a token and a password.

Types of Passwords

Several types of passwords are used to provide access to systems. The characters that form a password can fall into any of these categories:
  • Only letters
  • Only numbers
  • Only special characters
  • Letters and numbers
  • Only letters and special characters
  • Only numbers and special characters
  • Letters, numbers, and special characters
A strong password is less susceptible to attack by a hacker. The following rules, proposed by the EC-Council, should be applied when you're creating a password, to protect it against attacks:
  • Must not contain any part of the user's account name
  • Must have a minimum of eight characters
  • Must contain characters from at least three of the following categories:
    • Nonalphanumeric symbols ($,:”%@!#)
    • Numbers
    • Uppercase letters
    • Lowercase letters
A hacker may use different types of attacks in order to identify a password and gain further access to a system. The types of password attacks are as follows:
  • Passive Online Eavesdropping on network password exchanges. Passive online attacks include sniffing, man-in-the-middle, and replay attacks.
  • Active Online Guessing the Administrator password. Active online attacks include automated password guessing.
  • Offline Dictionary, hybrid, and brute-force attacks.
  • Nonelectronic Shoulder surfing, keyboard sniffing, and social engineering.

Windows 2000 DNS Zone Transfer

In a Windows 2000 domain, clients use service (SRV) records to locate Windows 2000 domain services, such as Active Directory and Kerberos. This means every Windows 2000 Active Directory domain must have a DNS server for the network to operate properly.
A simple zone transfer performed with the nslookup command can enumerate lots of interesting network information. The command to enumerate using the nslookupcommand is as follows:
nslookup ls -d domainname
Within the nslookup results, a hacker looks closely at the following records, because they provide additional information about the network services:
  • Global Catalog service (_gc._tcp_)
  • Domain controllers (_ldap._tcp)
  • Kerberos authentication (_kerberos._tcp)
As a countermeasure, zone transfers can be blocked in the properties of the Windows DNS server.
An Active Directory database is a Lightweight Directory Access Protocol (LDAP)-based database. This allows the existing users and groups in the database to be enumerated with a simple LDAP query. The only thing required to perform this enumeration is to create an authenticated session via LDAP. A Windows 2000 LDAP client called the Active Directory Administration Tool (ldp.exe) connects to an Active Directory server and identifies the contents of the database. You can find ldp.exe on the Windows 2000 CD-ROM in the Support\Reskit\Netmgmt\Dstool folder.
To perform an Active Directory enumeration attack, a hacker performs the following steps:
  1. Connect to any Active Directory server using ldp.exe on port 389. When the connection is complete, server information is displayed in the right pane.
  2. On the Connection menu, choose Authenticate. Type the username, password, and domain name in the appropriate boxes. You can use the Guest account or any other domain account.
  3. Once the authentication is successful, enumerate users and built-in groups by choosing the Search option from the Browse menu.

SNMP Enumeration

SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system. SNMP employs two major types of software components for communication: the SNMP agent, which is located on the networking device, and the SNMP management station, which communicates with the agent.
Almost all network infrastructure devices, such as routers and switches and including Windows systems, contain an SNMP agent to manage the system or device. The SNMP management station sends requests to agents, and the agents send back replies. The requests and replies refer to configuration variables accessible by agent software. Management stations can also send requests to set values for certain variables. Traps let the management station know that something significant has happened in the agent software, such as a reboot or an interface failure. Management Information Base (MIB) is the database of configuration variables that resides on the networking device.
SNMP has two passwords you can use to access and configure the SNMP agent from the management station. The first is called a read community string. This password lets you view the configuration of the device or system. The second is called the read/write community string; it's for changing or editing the configuration on the device. Generally, the default read community string is public and the default read/write community string is private. A common security loophole occurs when the community strings are left at the default settings: a hacker can use these default passwords to view or change the device configuration.
If you have any questions about how easy it is to locate the default passwords of devices, look at the website

SNMP Enumeration Countermeasures

The simplest way to prevent SNMP enumeration is to remove the SNMP agent on the potential target systems or turn off the SNMP service. If shutting off SNMP isn't an option, then change the default read and read/write community names.
In addition, an administrator can implement the Group Policy security option Additional Restrictions For Anonymous Connections, which restricts SNMP connections.
Group Policy is implemented on a Windows domain controller. Network administrators should be familiar with how to do this. It's outside the scope of this book, because many steps are involved in performing this task.

Null Sessions | Enumeration

A null session occurs when you log in to a system with no username or password. NetBIOS null sessions are a vulnerability found in the Common Internet File System (CIFS) or SMB, depending on the operating system.
Microsoft Windows uses SMB, and Unix/Linux systems use CIFS.
Once a hacker has made a NetBIOS connection using a null session to a system, they can easily get a full dump of all usernames, groups, shares, permissions, policies, services, and more using the Null user account. The SMB and NetBIOS standards in Windows include APIs that return information about a system via TCP port 139.
One method of connecting a NetBIOS null session to a Windows system is to use the hidden Inter-Process Communication share (IPC$). This hidden share is accessible using the net use command. As mentioned earlier, the net use command is a built-in Windows command that connects to a share on another computer. The empty quotation marks (" ") indicate that you want to connect with no username and no password. To make a NetBIOS null session to a system with the IP address with the built-in anonymous user account and a null password using the net use command, the syntax is as follows:
    net use \\ \IPC$ "" /u: ""
Once the net use command has been successfully completed, the hacker has a channel over which to use other hacking tools and techniques.
As a CEH, you need to know how to defend against NetBIOS enumeration and null sessions. We'll discuss that in the following section.

NetBIOS Enumeration and Null Session Countermeasures

The NetBIOS null session uses specific port numbers on the target machine. Null sessions require access to TCP ports 135, 137,139, and/or 445. One countermeasure is to close these ports on the target system. This can be accomplished by disabling SMB services on individual hosts by unbinding the TCP/IP WINS client from the interface in the network connection's properties. To implement this countermeasure, perform the following steps:
  1. Open the properties of the network connection.
  2. Click TCP/IP and then the Properties button.
  3. Click the Advanced button.
  4. On the WINS tab, select Disable NetBIOS Over TCP/IP.
A security administrator can also edit the Registry directly to restrict the anonymous user from login. To implement this countermeasure, follow these steps:
  1. Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\LSA.
  2. Choose Edit ð Add Value. Enter these values:
    • Value Name: RestrictAnonymous
    • Data Type: REG_WORD
    • Value: 2
Finally, the system can be upgraded to Windows XP and the latest Microsoft security patches, which mitigates the NetBIOS null session vulnerability from occurring.

Popular Posts