SecAttackBanner.jpg

Introduction


With the introduction of wide spread internet access security attacks have become more and more wide spread. In this article we will discuss two common types of attacks and what you can do with the information you gain from these attacks.
Disclaimer: This article is presented as entirely educational in nature and is not meant to be used for malicious purposes. Learning how these types of attacks work is the only way that we can defend against them. Use all programs at your own risk as many programs discussed here will come up as false positives on virus scanners. A specific algorithm used in the program is identified by the scanner and flagged as a virus where it may not be. If you are uncomfortable allowing said programs you may want to research into using a linux distro instead of Windows for these attacks.

Cross-Site Scripting (James)


Cross-Site Scripting (or XSS as it is known) is a huge problem, with roughly 80% of all security vulnerabilities documented by Symantec as of 2007 being XSS based attacks. We've all seen it happen too. Too often have we seen peoples facebook pages go awry with information that doesn't sound anything like the friends we know. They are likely the victim of XSS. Specifically XSS "is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users." In other words, you click a link and go to a web page you think is legit, but in reality, clicking the link let a whole bunch of bad code into your browser.

The majority off all XSS hacks happen over social networking sites like MySpace and Facebook, where unwitting users click links all the time without thinking about what might be lurking behind that hyperlink.

Here is a scenario that happens far too often:
  1. Janna often visits a particular website, which is hosted by George. Bob's website allows Alice to log in with a username/password pair and stores sensitive data, such as billing information.
  2. Mallory observes that Bob's website contains a reflected XSS vulnerability.
  3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. This URL will point to Bob's website, but will contain Mallory's malicious code, which the website will reflect.
  4. Alice visits the URL provided by Mallory while logged into Bob's website.
  5. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server (this is the actual XSS vulnerability). The script can be used to send Alice's session cookie to Mallory. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice's knowledge.

That's right, Alice is boned. All because she followed a link she thought was safe. This is the way that most people get XSS hacked, and until people learn to identify the subtle differences between legitimate links and fakes people will continue to succumb to these faux-links.

http://en.wikipedia.org/wiki/Cross-site_scripting
(feel free to click this link... if you dare)

Man-in-the-Middle attacks (Sean)

external image BlackHat.jpg

external image Main_the_middle.JPG


MITM or Man In The Middle is a type of security attack that can be very serious. An attack like this can allow another person to intercept your information and input their own. A simple version of this could be if someone was talking to a friend online the attacker could intercept your conversation and write the person something completely different, example.


Computer1
C2: Hi
C2: Room 63 at 8:45pm

MITM
C1-C2: Hello
C2-C1: Hi
C1-C2: Where are we going to study tonight?
C2-C1: Room 38 at 6:30pm (MITM changes message to Room 63 at 8:45pm)
Computer2
C1: Hello
C1: Where are we going to study tonight?




Now this is just a inconvenience at best that they two people are going to have to fine each other to study since they are going to different rooms but if they sent any private information such as passwords or social security codes then this could have some major repercussions. The easiest way to avoid this is to just have a password for your network and to make the password not something easy like 12345 or for more info about ways to stop it http://en.wikipedia.org/wiki/Man-in-the-middle_attack#Defenses_against_the_attack.

Password Vulnerabilities and Cracking (Greg)


You are not always able to intercept a password via some sort of attack method and if you still need to get the password this may pose a problem. This is where password cracking attacks come into play. I will discuss firstly, how passwords are stored and then an example of using an attack known as a Brute-force attack to crack a basic password in a controlled environment.

An introduction to password storage on Windows systems
Passwords are never stored in plain text. Meaning that your password to log into your computer is never actually stored anywhere (if you were to search every bit on your computer you would never find your password). So how do passwords actually get stored? Well that is where hashing comes into play. You may have heard of hashing before but may not really understand what it does. Basically, hashing (for passwords) is a process in which your password is converted into an encrypted string of [seemingly] random characters by a hash function. When you log into your system, as soon as you type in your password and hit enter it is converted to its hash value and then that value is compared against the stored hash value for your account. If that value matches then you are granted access, if not, you are denied. Current Windows operating systems use two different types of hashing methods for storing user passwords, LAN Manager (LM) and NT LAN Manager version 2 (NTLMv2). LM is used for older systems like Windows XP, whereas more a more modern operating system like Windows 7 uses the more complicated and secure NTLMv2.

First let us discuss how passwords are actually stored and the vulnerabilities present in their storage. LM, which is the older and more basic storage techniques uses a 6 step process to store the password, and after reading it should be apparent why this method of hashing is extremely vulnerable to brute-force and dictionary attacks.
For example, let us assume that your password is GregPassword (12 characters long):
  1. First, this password is converted to all Caps: GREGPASSWORD
  2. Then it is padded with 0's until it is 14 characters long: GREGPASSWORD00
  3. Then the password is split up into two 7 character long strings: GREGPAS and SWORD00
  4. A single parity bit is added at the end of each string: GREGPAS1 and SWORD001
  5. These strings are then hashed into the following: D2A9B4B5E4DB1BB3 and 76FDE78389BE2CE2.
  6. These two strings are concatenated to the final hash: D2A9B4B5E4DB1BB376FDE78389BE2CE2 (This is the actual hash value of GregPassword)

So while this process may seem secure, consider that if you were to use an long password (8+ characters) it wouldn't actually be increasing it complexity as much as you may think, considering that your password would be split into two separate 7 character long halves. When it is split like this is reduces the complexity exponentially (for every character that you add to a password it increases the exponential value of the equation x^y where x is the available characters and y is the length of the password) thus making it easier for a cracker to calculate the first half, then the second half, whereas if it were hashed as a single string it would be much longer and thus exponentially more complex. Consider if you were only able to enter lower case letters (26 letters). Using the LM method you would have to do:
(26^7) + (26^7) = 16063620352 different combinations
Whereas if it were just one long password (14 characters), the complexity would be:
26^14 = 64509974703297150976 different combinations. That is over 4015905088 times more complex. This shows one major flaw in the LM password hashing method.

With that being said now let us discuss how NTLMv2 stores passwords. Where LM used the DES hash, NTLMv2 uses the more advanced MD4 hash. Interestingly enough, despite being much more complex and powerful the NTLMv2 is actually quite a simple hashing method and only involves 3 steps.
  1. Using the password GregPassword again, we use the MD4 hash to get: b639b2d790d6f614f445609abec275c3
  2. Now we hash this hash value again and get: b7df31ca3ab0cebb31083cffd1c54d40
  3. And we hash this value one last time and get our final hash value: 8d566d1b009fe2691df1615e7c76bdf4

Now we have our hash. Notice that the password was never split up or converted to all caps. This means that case and length do increase the complexity of the password.

How do we crack these hashes? Now that we know how these passwords are stored we have now want to crack the hash to reveal to us what the password is. There are 3 methods of cracking a hash, they are:
  1. Brute-forcing, in which every combination of every letter up to a certain length is guessed. This is the most basic method and requires a lot of time and processing power.
  2. Dictionary-attack, in which, like the title, a list of words (aka a dictionary) is used and every word is guessed. These lists are often very long and you can also modify them to add certain keywords that you think may be involved.
  3. Rainbow tables, which are tables of stored hash values for every single character combination up to a certain length of characters. This method is almost always only used with NTLMv2.


With these 3 methods, let us look at the tools and approaches we can use to cracking a Windows password. (For the sake of time we will just focus on cracking the password for a computer that you have physical access too. The following was done on a Windows XP SP3 virtual machine with all Windows updates.) For this process we will be using two tools: fgdump and an extremely powerful tool called Cain. I have created an account "greg" with the password "gregpw" (for the purpose of showing these tools I did not use a complex or long password). First we want to run fgdump to get the hash out of the SAM file that is stored on the currently running system. You are unable to open the SAM file manually while the computer is booted so you have to use a 3rd party program like fgdump or boot to a linux live CD to read the SAM file.
fgdump.jpg

Fgdump will produce 3 files and we will be using 127.0.0.1.pwdump.

Using Cain we will run a brute-force attack on the of the account "greg" which as I said, has the password "gregpw". I manually set the character length to min and max of 6 to reduce the time it takes. Here is the attack in progress.
cain1.jpg And here is the password that it cracked. Because of the simplicity and length of the password it was able to crack the password quite quickly (keep in mind this is also cpu limited, this was run on an Intel i7-920 at stock frequency).

cain2.jpg

As you can guess with more complex and lengthy passwords this process can take time (sometimes weeks, yes weeks). A great way to test if your password is complex is to try to crack it with all 3 methods. Brute-force is most likely going to be the last attempt to crack the password as it takes the longest, so you should start with Dictionary or Rainbow first.
How do we defend against these kind of password attacks? Password cracking is impossible to defend against. If someone has the will power to crack your password they WILL crack it. The purpose of complexity is to make it so complex that the benefit of cracking the password is not worth the long time it would take to crack it. There are 3 simple things that we can do to help defend against these attacks:
  1. Change your password often. If you have a slightly complex password and someone is trying to crack it and you change it then they most likely will have to start over. This is also a good security measure when it comes to malware infections.
  2. Use complex and lengthy passwords. Use lower and upper case, numbers, symbols and do not use dictionary words.
  3. Disable LM hashing (default on Windows 7). As discussed above you can see how using NTLMv2 can drastically increase your ability to keep your password secure.
I hope this guide has been interesting and educational. Please remember that this was written for purely educational reasons. Thank you for reading!