Anatomy of an Attack

 

February 2004

Escalate Privileges:

Once an attacker has compromised a system, they may be rewarded with nothing more than standard user privileges. Since an attacker needs complete control of the system to cover their tracks and gather sensitive information, they must escalate to the system, root, or administrator level. This can be accomplished in a number of ways, including exploiting another application on the system, searching for cleartext passwords, and cracking stored password hashes. If this is not the target system, the attacker will instead search for trusted relationships between this system and the target. Trusted relationships may allow the attacker to reach the remote machine without supplying a username or password at all.

If this is the target system, the attacker will first attempt to download and crack the system's passwords. On most systems these are stored as hashes in a single file (the Unix shadow file or the Windows SAM database, for example). The hashes cannot be decrypted, but they can be cracked by hashing candidate passwords and comparing the results. If the attacker can copy that file, it is only a matter of time before the weak passwords fall, and each recovered password can be used to further compromise the server. How much time depends on how the passwords are stored: unsalted, single-round hashes let every user sharing a password be tested with one computation, while salted and iterated hashes force the attacker to start over for each user and pay for every iteration.
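As an added illustration of the cracking step (example code written for this edit, not part of the original article or of any Security Innovation tool): a small dictionary attack in Python against a constructed shadow-style hash file. The file format, the scheme names, the salts, the accounts and the wordlist are all invented for the example; what it shows is why unsalted hashes are cheap to crack in bulk and why salting plus iteration forces per-user work.

```python
import hashlib

ROUNDS = 100_000  # iteration count for the iterated scheme below

def hash_candidate(word, scheme, salt):
    """Hash one candidate password under the (example) storage scheme used for an entry."""
    if scheme == "md5":            # unsalted, single round: same password gives same hash for every user
        return hashlib.md5(word.encode()).hexdigest()
    if scheme == "sha256":         # salted, single round: one computation per user per candidate
        return hashlib.sha256((salt + word).encode()).hexdigest()
    if scheme == "pbkdf2":         # salted and iterated: each candidate costs ROUNDS hash operations
        return hashlib.pbkdf2_hmac("sha256", word.encode(), salt.encode(), ROUNDS).hex()
    raise ValueError(f"unknown scheme {scheme!r}")

def make_entry(user, password, scheme, salt=""):
    """Write one line in the constructed file format user:scheme$salt$hexdigest."""
    return f"{user}:{scheme}${salt}${hash_candidate(password, scheme, salt)}"

# Constructed sample hash file. Scheme names, salts, accounts and passwords are all invented
# for this example; the layout is not a real crypt(3) or SAM format.
SAMPLE_FILE = "\n".join([
    "# user:scheme$salt$hash",
    make_entry("alice", "password", "md5"),
    make_entry("dave", "password", "md5"),                  # same password as alice, same hash
    make_entry("bob", "letmein", "sha256", "a1b2"),
    make_entry("carol", "Tr0ub4dor&3", "sha256", "zz99"),   # not in the wordlist below
    make_entry("root", "summer2004", "pbkdf2", "q8rk"),
])

# Constructed wordlist; a real run would use a dictionary of millions of entries.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2004", "admin"]

def parse_hash_file(text):
    """Return (user, scheme, salt, digest) for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rest = line.split(":", 1)
        scheme, salt, digest = rest.split("$", 2)
        entries.append((user, scheme, salt, digest))
    return entries

def crack(text, wordlist):
    """Dictionary attack over a hash file.

    Returns (cracked, computations): the recovered {user: password} mapping and the number
    of hash computations it took. Entries with identical scheme, salt and digest are
    grouped, so every user sharing an unsalted hash falls to a single computation.
    """
    groups = {}
    for user, scheme, salt, digest in parse_hash_file(text):
        groups.setdefault((scheme, salt, digest), []).append(user)

    cracked, computations = {}, 0
    for (scheme, salt, digest), users in groups.items():
        for word in wordlist:
            computations += 1
            if hash_candidate(word, scheme, salt) == digest:
                for user in users:
                    cracked[user] = word
                break
    return cracked, computations

if __name__ == "__main__":
    found, work = crack(SAMPLE_FILE, WORDLIST)
    for user, password in found.items():
        print(f"{user}: {password}")
    print(f"{len(found)} of {len(parse_hash_file(SAMPLE_FILE))} accounts cracked in {work} hash computations")
```

With the sample data the two unsalted md5 accounts fall together after two computations, each salted entry has to be tested on its own, and every test of the iterated entry costs 100 000 hash operations instead of one; carol's password is not in the wordlist and survives. Reading the hash file in the first place normally requires root on a modern system, which is why this step usually follows some other foothold rather than preceding it.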

The attacker may also upload a password sniffer and search the system for cleartext passwords. A sniffer sits on the compromised host and records username and password pairs as they cross the network, which works against any protocol that sends credentials unencrypted (telnet, FTP, POP3 and HTTP Basic authentication are the classic examples). Sniffing network credentials pays off because users frequently reuse the same password on many different systems. Cleartext passwords can also turn up in unsecured home directories, shell histories, scripts and configuration files, and other locations the system's users never expect anyone else to read.
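An added example, not from the original article: credential hunting in Python over constructed sniffer output and constructed home-directory files. The captured FTP, POP3 and HTTP Basic sessions, the file contents and every host, user and password in them are made up for the example; the regular expressions are a starting point rather than an exhaustive set. The last function shows the reuse the text mentions by cross-referencing what was seen on the wire with what sits on disk.

```python
import base64
import re

# Constructed sniffer output: payloads of three cleartext sessions, reassembled per
# server endpoint. Hosts, user names and passwords are invented for this example.
CAPTURED_STREAMS = {
    "10.0.0.5:21": ("ftp",
        "220 ftp ready\r\nUSER jsmith\r\n331 Password required\r\n"
        "PASS Winter04!\r\n230 Login ok\r\n"),
    "10.0.0.9:80": ("http",
        "GET /intranet/ HTTP/1.1\r\nHost: intranet\r\n"
        "Authorization: Basic anNtaXRoOldpbnRlcjA0IQ==\r\n\r\n"),
    "10.0.0.12:110": ("pop3",
        "+OK POP3 ready\r\nUSER mjones\r\n+OK\r\nPASS sunshine\r\n+OK Logged in\r\n"),
}

# Constructed home-directory files an attacker with a shell would read.
HOME_FILES = {
    "/home/mjones/.bash_history": "ls -la\nmysql -u appuser -pS3cretDB inventory\nexit\n",
    "/home/jsmith/bin/backup.sh": ("#!/bin/sh\nFTP_USER=jsmith\nFTP_PASSWORD=\"Winter04!\"\n"
                                   "ncftpput -u $FTP_USER -p $FTP_PASSWORD files.example /backup .\n"),
    "/home/jsmith/notes.txt": "meeting moved to 3pm\n",
}

USER_PASS_RE = re.compile(r"^(USER|PASS) (.+)$", re.MULTILINE)      # FTP and POP3 share this syntax
BASIC_RE = re.compile(r"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.MULTILINE | re.IGNORECASE)

def sniff_credentials(streams):
    """Extract (endpoint, protocol, user, password) from reassembled cleartext sessions."""
    found = []
    for endpoint, (proto, payload) in streams.items():
        if proto in ("ftp", "pop3"):
            pending_user = None
            for command, argument in USER_PASS_RE.findall(payload):
                if command == "USER":
                    pending_user = argument.strip()
                elif pending_user is not None:            # a PASS that follows a USER
                    found.append((endpoint, proto, pending_user, argument.strip()))
                    pending_user = None
        elif proto == "http":
            for token in BASIC_RE.findall(payload):
                try:
                    decoded = base64.b64decode(token, validate=True).decode()
                except (ValueError, UnicodeDecodeError):
                    continue                               # malformed header, skip it
                user, _, password = decoded.partition(":")
                found.append((endpoint, proto, user, password))
    return found

# Patterns for secrets left in files: KEY=value / key: value forms and MySQL-style -pSECRET.
CLEARTEXT_PATTERNS = [
    re.compile(r"(?i)pass(?:word|wd)?\s*[=:]\s*[\"']?([^\"'\s]+)"),
    re.compile(r"(?:^|\s)-p(\S+)"),
]

def grep_cleartext_passwords(files):
    """Return (path, line number, secret) for every pattern hit in the given files."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern in CLEARTEXT_PATTERNS:
                for secret in pattern.findall(line):
                    hits.append((path, lineno, secret))
    return hits

def password_reuse(sniffed, file_hits):
    """Users whose password seen on the wire also sits in a file on disk."""
    on_disk = {secret for _, _, secret in file_hits}
    return sorted({(user, pw) for _, _, user, pw in sniffed if pw in on_disk})

if __name__ == "__main__":
    creds = sniff_credentials(CAPTURED_STREAMS)
    hits = grep_cleartext_passwords(HOME_FILES)
    for entry in creds + hits:
        print(entry)
    print("reused:", password_reuse(creds, hits))
```

The same credential for jsmith is recovered twice on the wire (FTP and HTTP Basic) and once more from a backup script, which is exactly the reuse an attacker counts on: one password now unlocks the FTP server, the intranet and whatever else that script touches.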

If the password file cannot be downloaded, the attacker will try to exploit applications on the system itself. Many applications may be vulnerable, in particular services and setuid programs that already run with root or administrator privileges, and the attacker may also upload tools of their own that are purpose-built to obtain administrator or root access.

If this is not the target system, the attacker may still want root or administrator privileges in order to remove any trace of the intrusion, or may move on to discover other trusted relationships and weak internal security. The network perimeter is often protected by firewalls and strong encryption while internal security remains simplistic and weak, so once an attacker controls a single internal machine the rest of the network may be open to them.

At this point the attacker looks for weak security between systems, or for trusted relationships that grant internal access without credentials. A trusted relationship may be a database connection, which lets the attacker read everything in the database; an open network share, which may hold company secrets, intellectual property or source code; or a host-based trust such as an rhosts or hosts.equiv entry that allows logins from a "trusted" machine without a password.
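An added example, not part of the original article: auditing Unix host-based trust (hosts.equiv and .rhosts) in Python over constructed sample files. The model of rlogin/rsh trust checking is deliberately simplified (netgroup entries are skipped rather than resolved), and every hostname and user name is invented. It shows both how to spot wildcard trust an attacker on any internal host can use, and how to ask whether a given remote user would be let in as a given local account without a password.

```python
# Constructed sample trust files for a host we will call dbserver. Hostnames and
# user names are invented for this example.
HOSTS_EQUIV = """\
# /etc/hosts.equiv on dbserver
build01
build02 deploy
-badhost
+
"""
RHOSTS = {                      # ~user/.rhosts contents, keyed by the local account that owns the file
    "root":  "jumpbox root\n",
    "alice": "desktop42 +\n",
}

def parse_trust_file(text):
    """Parse hosts.equiv / .rhosts lines into ordered (host, user) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # the sample uses # comments; real files rarely do
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries

def trust_grants(entries, remote_host, remote_user, local_user):
    """Simplified model of the BSD ruserok() walk: entries are checked in order and
    the first applicable one decides.

      host        the remote user must have the same name as the local user
      host user   that remote user may log in as this local user
      +           any host (same-name rule still applies unless a user is given)
      user '+'    any remote user on that host
      -host       deny that host outright
    Netgroup entries (+@group / -@group) are skipped, not evaluated.
    """
    for host, user in entries:
        if "@" in host or (user is not None and "@" in user):
            continue
        if host.startswith("-"):
            if host[1:] == remote_host:
                return False
            continue
        if host not in ("+", remote_host):
            continue
        if user is None:
            if remote_user == local_user:
                return True
            continue
        if user in ("+", remote_user):
            return True
    return False

def can_login(remote_host, remote_user, local_user, hosts_equiv=HOSTS_EQUIV, rhosts=RHOSTS):
    """Would rlogin/rsh let remote_user@remote_host in as local_user with no password?
    hosts.equiv is never consulted for root; the target account's own .rhosts always is."""
    if local_user != "root" and trust_grants(parse_trust_file(hosts_equiv), remote_host, remote_user, local_user):
        return True
    return trust_grants(parse_trust_file(rhosts.get(local_user, "")), remote_host, remote_user, local_user)

def audit_trust(path, text):
    """Flag wildcard entries: the relationships an attacker on any internal host can use."""
    findings = []
    for host, user in parse_trust_file(text):
        if host == "+" and user == "+":
            findings.append((path, "+ +", "any user on any host"))
        elif host == "+":
            findings.append((path, "+", "any host, same-named user"))
        elif user == "+":
            findings.append((path, f"{host} +", f"any user on {host}"))
    return findings

if __name__ == "__main__":
    for finding in audit_trust("/etc/hosts.equiv", HOSTS_EQUIV) + audit_trust("/home/alice/.rhosts", RHOSTS["alice"]):
        print(finding)
    print("bob from anywhere as bob:", can_login("anyhost", "bob", "bob"))
    print("mallory from desktop42 as alice:", can_login("desktop42", "mallory", "alice"))
    print("alice from build01 as root:", can_login("build01", "alice", "root"))
```

The lone "+" in the sample hosts.equiv means an attacker who controls any internal machine and creates a local account named like a user on dbserver gets a shell there without a password, and alice's "desktop42 +" hands her account to anyone who compromises that desktop. Only root is protected from hosts.equiv, and only until someone edits /root/.rhosts.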

Techniques:

  Technique                                Information Gathered
  ---------------------------------------  ---------------------------------------------------------------
  Password cracking                        Username and password pairs
  Password sniffing                        Username and password pairs
  Exploiting applications on the system    Root or administrator access
  Cleartext passwords                      Username and password pairs
  Trusted relationships                    Network shares, databases, access to other internal computers


Tools:

John the Ripper – a fast command-line password cracker.

L0phtCrack – a fast Windows-based password auditing application, which is just as easily used for malicious password cracking.

pwdump – a quick tool that dumps the password hashes from the Windows SAM database to a file for later cracking.

GetAdmin – an application that can be uploaded to a Windows NT system to help an attacker gain administrator privileges.


Provided by: Security Innovation, The Application Security Company