I welcome back to the course. So the last module we wrapped up our discussion on scanning an enumeration along with our discussion of vulnerabilities.
So in March of forward to talk about system hacking.
So we'll start off our discussion by talking about this sam file. So the sam file and it's sometimes called Osama Database file. Oh, our database. But basically, it's the Sam file or security accounts manager.
This is gonna store password hash is on Microsoft Windows Systems, and in later versions of it, the Sisk e came out. I believe in an anti four. If I remember correctly, basically, what that would do is allow you to partially encrypt the hash. So that way, Attackers potentially couldn't use it to crack your passwords.
So speaking of cracking or breaking into passwords, we have different times of passport attacks, and these are just a couple of them, So dictionary brute force rule based to ramble tables. Now, if you remember back to macho one when we did that quick lab with John the Ripper, that was a dictionary attack that we were using.
So dictionary attack is just gonna be ah Siri's of strings that were using so essentially, like a dictionary, right? So it's gonna be off password phrases. Or it could be by compounding dictionary words, that sort of stuff basically is gonna try to do the most common things that people probably combined together. You know, like love my cat or whatever the case might be,
And then try those first to see if it can break it.
Brute force, basically the Attackers trying every possible combination that they can d'oh. To just see if they can break the password. So here's an example here, where they were using, you know, different parts of the year, you know, follow summer, spring, et cetera. Different years. And they started doing passwords with different variations.
Roubaix. So this, uh, you know, again, your your password should not be just self seven characters long. But this is basically when we know the kind of stipulations of the company. Right? So the company might say like, Okay, you know, everyone's gonna have their character length of seven characters, and they gotta include at least one number. So what we can do weaken basically use our software to
incorporate that, and we could say Okay, well, we know it's only seven characters along, so I'm just gonna search for seven characters at length and figure out different. Hash is off. That means, but I know it's gonna contain a number so that can narrow down my algorithm. I need to use and and be able to crack it.
And then, of course, rainbow tables and these we can use a lot of flying as well. But these were basically just the
the, uh, excuse me, the cracked versions of Ah, password. So you know I'll have a hash. And then I also have my my actual password in this rain will table where the password for that hash. So that way you can quickly crack stuff. Now there's ways that toe to mitigate different types of password cracking.
Basically, in a nutshell, the rainbow table is kind of a pre computer table again. That's just computing the hash
to the actual word or character said, or whatever the case might be.
So one way we can protect against people cracking her password is by salting our passwords. And all that means is we're deciding some random characters into the actual hash on dhe. Then that way we can avoid anyone cracking her passion. So this example here has shown us kind of an extra step here. So basically, we're hashing our password, and then we're gonna
and then hash that as well. And that combined those two in a hash, and we finally get our final hash. So in theory, a least a an attacker wouldn't be able to get it from that point.
So a couple of password cracking tools that we can use air crack is gonna be for your wireless password, eh? So that's kind of the main tool that's out there in use for that
cane enables another popular tool out there. This one is mostly quote unquote, a password recovery tool for windows. However, we obviously see that you could do a lot of different attacks with this tool. I mean, it's used a lot with the pen testers that I know that work full time is spent in as pen testers,
John the rupture, which, uh, we used to model one. We used John Ripper. And so here is just another example that as well
and then hydra is another popular one out there. No more th see hide Ra's, as you'll see it called behind raises. Ah, good tool to use
hash cats, Another password cracker again, another popular one out there that's in use.
So a spectrum meltdown if you're not familiar with those, basically, that was that The huge panic, and I'm sure it's still going on. But basically they found vulnerabilities in the actual hardware of all computer systems for, like, the past 20 years. So basically the computer chips themselves contained security flaws.
So even though he had software running on top of it, you were still vulnerable.
So essentially, what happened? In a nutshell, we're not gonna really deep dive into milk thrown in a specter at all, but essentially the way Ah, the uh, the way these function is. Basically, it would allow protected memory to be stored in the sea if you cash.
And then there's the potential that that protected memory could be accessed by
an attacker. So a lot of things have had to be in place for this to ah, transpire. But it is a possibility, and since it's something that allows the attacker to get you at the hardware level, obviously people got freaked out and started patching and doing all sorts of stuff. So I think most,
most major carriers at least our patch now until there's another zero day found. But there was no I don't think there's any findings of that being exploited in the wild. It also it was researching versus excuse researchers that found it s so I don't again. I don't think it was exploded in the wild,
but most companies have patched against it already.
Root kit. So basically, what the's do? Root kits and and we'll talk about back back doors as well. But Rukh, it's basically provide us continued access to the computer, and we generally run those in the background. So nobody knows that we're in their computer, taking control of things now touching on back doors for a minute. Back doors may or may not be malicious, but they basically just provide an avenue
You know, past the user name of passwords who could better back to replace my software developer. Or it could be something nefarious as well, because we can use we can use a root kit has a backboard,
so it's a couple of different types of rockets. There's a ton of them out there of a horse pill and great fish are the ones we're gonna just touch on.
So her spill was actually develop our researcher and ah shared at Black Halfback in 2016 but basically what it does in infects limits during the boot process. So at the initial ram disk part of the boot process, it actually infects it. And then, from there, that allows it to essentially, you know, run
unabated on the system.
Now, gratefully, she's actually treated attributed back to the Equation Group, which is attributed to the NSA. Whether it's actually an essay, you're it or, you know, his partner with the NSA. I don't actually want to know that information just cause I don't want them to say coming to get my business, But But in any event,
it's attributed back to them in some capacity. So Kaspersky
listed as this destro jin doubt win 32 great fish. Not be, but again, it's just another former root kit,
some different steganography tools to again. Steganography is just kind of hiding information, so to speak, so we can hide it in an image file, a text file, you know, a word document, whatever the case might be, you know? Ah, music file. But we can hide it someplace. And the goal is so nobody knows that we hit it in there, right?
So a couple of things we can use our quick stagger, which I've used in the past. Open, stay, go and pee. Three, stay. Go. And also stables here. Now, to see many of the sticking on steganography tools out there are actually used for image files.
So, uh, one way we can cover tracks besides the leading loves, which is kind of common sense. And that's why I didn't include it here
or, you know, altering logs but covering our bash tracks. So the match stands for Born again Shell s so we could do a couple different ways. We can disable the history, or we can clear the history and there's some other things as well, because they're the common ones that you might do.
So basically, that commander, the export, his size zero, that's his size actually determines how many commander stores we would basically say, Hey, zero commands restored. So that disables. It's just history for us. We can also just easily here clear the history with history, Dashti.
So just one post assessment question again, What is bash stand for?
Correct. If you guessed. Born again Shell. That's what it stands for.
So again, in this video we just started on system hacking. Now we do have a lap coming up. We're gonna actually plant a back door and get some practice doing that.