Jan 24, 2020, 11:02 AM

SAM file : Security Account Manager
is a DB that stores credentials and other account parameters such as passwords in hashed form.

file is located in :
c:\windows\system32\config\sam

Linux --> shadow file

/etc/shadow

windows 10 login bypass
--> osk.exe

--> utilman.exe

--> sethc.exe

Windows 7 OS login bypass
---------------------------------------
current passwd 1234
switch on the system, shutdown abruptly
switch it on again --> select recovery method --> restore popup will appear, click cancel --> wait for new startup repair popup
--> click on down arrow popup --> scroll down, select view offline report --> notepad will open --> click file --> open --> select filetype any -->
browse to c:/windows/system32/
look for file named utilman and rename it to utilman1
now search for cmd executable and rename it to utilman
cancel everything and exit everything --> let the windows reboot --> once the login screen comes --> tap on bottom left utility icon -->
cmd will pop up --> type following cmd to change passwd
whoami
net user [[ this is going to list all the users on the device ]]
net user "a/c name" *
press enter and then enter passwd here


Windows 10 OS login bypass, current passwd 123456789
-------------------------------------------------------------
abruptly switch off Windows 2-3 times until repair options appear while booting

power on --> abrupt power off
again power on --> again power off

again power on [ now you will see diagnosing problem/repairing ]

let it boot

select advanced option --> troubleshoot --> advanced options --> system image recovery --> cancel --> next --> advanced --> install a driver --> ok -->

navigate to my computer first
navigate to C:/windows/system32/
look for file named utilman or sethc (both are going to work fine) and rename it to utilman1/sethc1
now search for cmd executable and rename it to utilman
cancel everything and exit everything --> reboot

once the login screen comes --> tap on bottom right utility icon (ease of access icon) -->
cmd will pop up --> type following cmd to change passwd
whoami
net user [[ this is going to list all the users on the device ]]
net user "a/c name" *
press enter and then enter passwd here
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

kali linux os login bypass
current password 123456

power on machine --> advanced linux gnu options -->

--> kali gnu/linux, with linux 4.19.0 kaliamd64 (recovery mode) [don't press enter ]

--> press e while selecting above --> scroll down using arrow and look for line starting with linux

--> replace ro with rw

--> and also add
--> in the end of same line

init=/bin/bash

--> press f10
--> whoami
--> passwd root
--> enter new passwd
--> reboot -f

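The edit above works because GRUB lets anyone at the console press e and change a menu entry; the control against it is a GRUB superuser with a password_pbkdf2 hash, which makes GRUB prompt before editing (full-disk encryption is the second control, since the single-user shell still needs an unlocked root filesystem). As an added example that is not part of these notes, the Python below audits grub.cfg text for exactly that; the two config fragments are constructed, and the kernel version, UUID and hash in them are placeholders.

```python
import re

MENUENTRY_RE = re.compile(r"""menuentry\s+(['"])(.*?)\1(.*)\{""")


def audit_grub_cfg(text):
    """Audit grub.cfg text: is editing password-protected, who the superusers are,
    which entries boot unmodified without a password (--unrestricted), how many entries."""
    superusers, password_users, entries = set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'set\s+superusers="?([^"]*)"?', line)
        if m:
            superusers.update(u for u in m.group(1).split(",") if u)
            continue
        m = re.match(r"password(?:_pbkdf2)?\s+(\S+)", line)
        if m:                       # plain `password` or hashed `password_pbkdf2`
            password_users.add(m.group(1))
            continue
        m = MENUENTRY_RE.match(line)
        if m:                       # group 2 is the title, group 3 the options before '{'
            entries.append((m.group(2), "--unrestricted" in m.group(3)))
    protected = bool(superusers) and superusers <= password_users
    return {"protected": protected, "superusers": sorted(superusers),
            "unrestricted_entries": [t for t, u in entries if u],
            "entry_count": len(entries)}


# Constructed grub.cfg (not from a real system); kernel version and UUID are placeholders.
UNPROTECTED_CFG = """
set timeout=5
menuentry 'Kali GNU/Linux' --class kali --class gnu-linux {
    linux /boot/vmlinuz-KERNEL-VERSION root=UUID=PLACEHOLDER ro quiet
}
submenu 'Advanced options for Kali GNU/Linux' {
    menuentry 'Kali GNU/Linux, with Linux KERNEL-VERSION (recovery mode)' {
        linux /boot/vmlinuz-KERNEL-VERSION root=UUID=PLACEHOLDER ro single
    }
}
"""

# Same menu with a superuser and a PBKDF2 password (hash is a placeholder): the
# default entry is still bootable as-is, but pressing e to edit it now prompts.
PROTECTED_CFG = UNPROTECTED_CFG.replace(
    "set timeout=5",
    'set superusers="root"\npassword_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER',
).replace("--class gnu-linux {", "--class gnu-linux --unrestricted {")
```

The recovery entry in the protected fragment is deliberately left restricted, so booting it at all requires the GRUB password.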
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
stickykeys replacement
browse to windows system32\sethc
rename this to sethc1
cmd
copy and paste cmd here only
refresh
rename copy cmd to
sethc
that's it
cancel everything
and restart the machine
once booted
press sticky key
5x shift
cmd will open
control userpasswords2
select admin
click reset password
set passwd
-----------------

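All three walkthroughs above rest on one trick: a helper that Windows starts from the logon screen (sethc.exe, utilman.exe, osk.exe) is replaced by a renamed cmd.exe. As an added example that is not part of these notes, the Python below is the defender's check: hash each logon-screen helper, compare it with cmd.exe, optionally compare against a clean baseline, and look for the parked utilman1/sethc1 copy the walkthroughs leave behind. The helper list, the baseline argument and the report strings are my own choices.

```python
import hashlib
import os

# Binaries Windows launches from the logon screen before anyone authenticates
# (the three the notes name plus the other Ease of Access helpers).
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe",
                          "narrator.exe", "magnify.exe", "displayswitch.exe")


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_swapped_binaries(system32, baseline=None):
    """Return {name: reason} for accessibility helpers that look replaced.

    system32: directory to scan (C:\\Windows\\System32 on a live host).
    baseline: optional {name: known-good sha256} from a clean image; any
              drift from it is reported as well.
    """
    findings = {}
    cmd_path = os.path.join(system32, "cmd.exe")
    cmd_hash = sha256_of(cmd_path) if os.path.isfile(cmd_path) else None
    for name in ACCESSIBILITY_BINARIES:
        path = os.path.join(system32, name)
        if not os.path.isfile(path):
            continue                    # not every edition ships every helper
        digest = sha256_of(path)
        if cmd_hash and digest == cmd_hash:
            findings[name] = "identical to cmd.exe (binary swap)"
        elif baseline and name in baseline and baseline[name] != digest:
            findings[name] = "hash differs from clean baseline"
        # the walkthroughs park the original as utilman1 / sethc1; a stray
        # copy beside the helper is a second indicator
        stem, ext = os.path.splitext(name)
        for leftover in (stem + "1" + ext, stem + "1"):
            if os.path.isfile(os.path.join(system32, leftover)):
                findings.setdefault(name, "renamed original present: " + leftover)
    return findings


if __name__ == "__main__":
    root = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    for name, reason in find_swapped_binaries(root).items():
        print(f"{name}: {reason}")
```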
---------------------------------------------------------------------------------------------------------------------------------------
Malware
---------------------------------------------------------------------------------------------------------------------------------------
what is ?
mal + ware = malicious software

designed to infiltrate and damage computers without the user's consent.
the term malware encompasses all the different types of threats to your computer such as :
viruses, spyware, worms, trojans etc.

Purpose of Malware !!
why do we need malware ? why were they created in the first place ?
> to do things without user's permission
> to steal files
> to steal stored passwords
> to hijack a computer
> to hijack core computing functions
> to monitor the activity of the user
> to delete sensitive personal data
> to encrypt sensitive data
> to extort money

Types of Malware :

1. Virus: Vital Information Resources Under Siege
 disrupts the normal functionality of the computer

 they are generally masked with executable files (i.e. attached to exe files)
 the virus may exist on a system but will not be active or able to spread until a user runs or opens the malicious program.
 Normally, the host program keeps functioning after it is infected by the virus.
 although they cannot replicate themselves outside the network, they have the ability to replicate and attach themselves to other files locally
 Viruses spread when the software or document they are attached to is transferred from one computer to another using the network,
 a disk, file sharing, or infected email attachments.

2. Worm:
similar to viruses, but replicates itself outside the n/w as well
self replicating without a host program and spreads without any human interaction or directives from the malware authors.
worms are standalone software and do not require a host program or human help to propagate
A worm enters a computer through a vulnerability in the system and takes advantage of
file-transport or information-transport features on the system, allowing it to travel unaided

3. Trojan
malicious s/w that presents itself as valid
> A Trojan is another type of malware named after the wooden horse that the Greeks used to infiltrate Troy.
> It is a harmful piece of software that looks legitimate. Users are typically tricked into loading and executing it on their systems.
> After it is activated, it can achieve any number of attacks on the host, from irritating the user (popping up windows or changing desktops)
 to damaging the host (deleting files, stealing data, or activating and spreading other malware, such as viruses).
> Trojans are also known to create backdoors to give malicious users access to the system.
> Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.
> Trojans must spread through user interaction such as opening an email attachment or downloading and running a file from the Internet.

4. Spyware
Software that aims to gather information about a person or organization without their knowledge, that may send such information to another entity without the consumer's consent,
 or that asserts control over a device without the consumer's knowledge.

5. Ransomware
kind of malware that is used to extort money by infecting the user.
it encrypts all the files on a user's system using a strong encryption algorithm, then demands a ransom to issue a decryption key to retrieve / decrypt the user's data.

6. Rootkit
Programs that hide the existence of malware by intercepting (i.e., "hooking") and modifying operating system API calls that supply system information.
Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system or lower, including a hypervisor, master boot record, or the system firmware.
 Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
 Rootkits have been seen for Windows, Linux, and Mac OS X systems.

7. keyloggers
special kind of spyware
The action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.
Data can then be retrieved by the person operating the logging program. A keylogger can be either software or hardware
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

What are shells?
A shell can simply be described as a piece of code or program which can be used to gain code or command execution on a device (like servers, mobile phones, etc.).

Types of shells
1. Reverse shell
2. Bind shell

Reverse shell
A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, through which code or command execution is achieved.

Figure 1: Reverse TCP shell


Bind shell
A bind shell is a type of shell in which the target machine opens up a communication port or a listener on the victim machine and waits for an incoming connection.
The attacker then connects to the victim machine's listener, which then leads to code or command execution on the server.

Figure 2: Bind TCP shell
There are a number of popular shell files. To name a few: Reverse TCP Meterpreter, C99 PHP web shell, JSP web shell, Netcat, etc.
 One thing which is common between all these shells is that they all communicate over the TCP protocol.
203 One thing which is common between all these shells is that they all communicate over a TCP protocol.
204-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
205
206Creating Malware
207RAT: Remote Administration tool
208Dark Comet Example
209
210
211
212
213---------------------------------------------------------------------------------------------------------------------------------------
214sniffing
215---------------------------------------------------------------------------------------------------------------------------------------
216
217sniffing aka wiretapping
218---------------------------------------------------------------------------------------------------------------------------------------
219action of secretly listening to other people conversation , extending the definition to computers and n/w
220
221Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools
222
223sniffing can be done through h/w , s/w
224
225h/w when sniffing very high speed n/w eg. 10Gbps
226
227kinds of info we can gather through sniffing
228*usernames
229*passwords
230*Replay
231*Chat
232*watch some one surf website
233*ftp/telnet
234
235
236attack types
237passive sniffing
238
239hub : n/w device that shares broadcast domain
240
241tap: h/w it sits inline with commu. media replicates bits on the wire
242hosts . are not aware of this
243
244[ref hub image ]
245
246
247active sniffing
248in lay 2 n/w
249[ref switch image ]
250
251swithced n/w : bydefault you can not recieve the data in switching
252
253manipulate the switch to get a copy
254
255attacker poisons protocols to redirect traffic
256attacks that you can do against swithed n/w
257
258MITM techniques
259{{
260
261*MAC flood
262*MAC duplication
263*ARP spoof
264*DHCP starvation
265
266}}
267
268Promiscous mode tells NIC to not discard frames
269by default when NIC rcvs a layer 2 frame it reads des. mac add , if dest . mac is not as of yours the frame is discarded
270
271
272Protocols that provide usernames and passwords in cleartext
273
274Telnet
275POP
276SMTP
277FTP
278HTTP
279IMAP
280
281Hence Encryption is important
282
MAC Flooding
editing CAM table : mapping of MAC address to physical ports

CAM tables are finite : often 64k to 128k entries
what happens when table is full : flooding occurs
send 130k ARP requests and randomise source MAC address [ CAM table will be flooded ]
once flooded the switch will start broadcasting

# macof -n 130000 -d 192.168.0.1
-n for number of packets to send
-d for switch ip address that you want to flood
-e for target mac address
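The switch-side signature of that run follows from the randomised source MAC: one port suddenly sources thousands of distinct MACs per second, where a real host or uplink shows a handful. As an added example that is not part of the notes, the Python below keeps a one-second sliding window per port and reports ports whose distinct-source-MAC count exceeds a threshold; the frames, port names and threshold are constructed, and on a real switch the same logic runs over a SPAN feed or MAC-learning syslog. Port security, which caps learned MACs per port, is the usual mitigation.

```python
from collections import defaultdict, deque
import random


def detect_mac_flood(frames, window=1.0, threshold=256):
    """frames: iterable of (timestamp_s, switch_port, source_mac).

    Returns {port: peak number of distinct source MACs seen inside any
    `window`-second interval} for ports whose peak exceeds `threshold`.
    """
    recent = defaultdict(deque)                      # per port: (ts, mac) inside the window
    live = defaultdict(lambda: defaultdict(int))     # per port: mac -> frames inside the window
    peak = defaultdict(int)
    for ts, port, mac in sorted(frames):
        q, c = recent[port], live[port]
        q.append((ts, mac))
        c[mac] += 1
        while q and ts - q[0][0] > window:           # expire frames that left the window
            old_ts, old_mac = q.popleft()
            c[old_mac] -= 1
            if c[old_mac] == 0:
                del c[old_mac]
        peak[port] = max(peak[port], len(c))
    return {p: n for p, n in peak.items() if n > threshold}


def build_sample(seed=1):
    """Constructed traffic (not a capture): a normal host port plus one port being flooded."""
    rng = random.Random(seed)
    rand_mac = lambda: ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
    frames = []
    # Gi1/0/7: a workstation and a printer alternating, 20 frames/s for 10 s
    for i in range(200):
        frames.append((i * 0.05, "Gi1/0/7",
                       ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02")[i % 2]))
    # Gi1/0/12: 5000 frames in 2 s, every one with a fresh random source MAC
    for i in range(5000):
        frames.append((i * 0.0004, "Gi1/0/12", rand_mac()))
    return frames


if __name__ == "__main__":
    for port, n in detect_mac_flood(build_sample()).items():
        print(f"{port}: {n} distinct source MACs within one second, likely CAM flood")
```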

MAC Spoofing
impersonating another user
Technitium MAC address changer for windows is used to modify the MAC address of a NIC
https://technitium.com/tmac/

How Does It Work?

This software just writes a value into the windows registry.
 When the Network Adapter Device is enabled, windows searches for the registry value 'NetworkAddress' in the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\[ID of NIC e.g. 0001].
 If a value is present, windows will use it as the MAC address; if not, windows will use the hard coded manufacturer provided MAC address. Some Network Adapter drivers have this facility built-in.
 It can be found in the Advanced settings tab in the Network Adapter's Device properties in Windows Device Manager.
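Since the override lives in one well-known key, the defender's check is to enumerate the adapter instances under it and report any that carry a NetworkAddress value. The Python below is an added example, not part of the notes and not Technitium's code: audit_overrides() works on a plain mapping so the logic runs on any OS, and read_registry_instances() reads the real key on Windows. The DriverDesc value name and the locally-administered-bit heuristic are my additions.

```python
import re
import sys

# Class key named in the text (under HKLM); adapter instances 0000, 0001, ... sit beneath it
NET_CLASS_KEY = (r"SYSTEM\CurrentControlSet\Control\Class"
                 r"\{4D36E972-E325-11CE-BFC1-08002BE10318}")
MAC12_RE = re.compile(r"^[0-9A-Fa-f]{12}$")  # NetworkAddress: 12 hex digits, no separators


def audit_overrides(instances):
    """instances: {"0001": {"DriverDesc": ..., "NetworkAddress": ...}, ...}
    Returns (instance, driver, override, well_formed, locally_administered) per override."""
    report = []
    for inst, values in sorted(instances.items()):
        addr = values.get("NetworkAddress")
        if not addr:
            continue                      # vendor MAC in use, nothing overridden
        well_formed = bool(MAC12_RE.match(addr))
        # bit 1 of the first octet marks a locally administered address (typical of spoofing tools)
        laa = well_formed and bool(int(addr[:2], 16) & 0x02)
        report.append((inst, values.get("DriverDesc", "?"), addr.upper(), well_formed, laa))
    return report


def read_registry_instances():
    """Collect DriverDesc/NetworkAddress per adapter instance (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("registry enumeration needs Windows")
    import winreg
    instances, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NET_CLASS_KEY) as cls:
        while True:
            try:
                name = winreg.EnumKey(cls, index)
            except OSError:
                break                     # no more subkeys
            index += 1
            if not name.isdigit():
                continue                  # skip the Properties subkey
            values = {}
            with winreg.OpenKey(cls, name) as sub:
                for value_name in ("DriverDesc", "NetworkAddress"):
                    try:
                        values[value_name] = winreg.QueryValueEx(sub, value_name)[0]
                    except FileNotFoundError:
                        pass
            instances[name] = values
    return instances
```

On a Windows host run `audit_overrides(read_registry_instances())`; an empty report means every adapter is using its vendor MAC.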