Hacking Fundamentals - Jen Johnson , Miria Grunick

From amiable_indian, 2 years ago

Slideshow transcript

Slide 1: The Fundamentals of Hacking: An 0/3r/!3vv Jen Johnson Miria Grunick

Slide 2: Five Phases of an Attack • Phase 1: Reconnaissance • Phase 2: Scanning • Phase 3: Gaining Access • Phase 4: Maintaining Access • Phase 5: Covering Tracks and Hiding

Slide 3: Phase 1: Reconnaissance • Takes place before the attack. • Investigate the target using publicly available information • Types: Low-Technology Reconnaissance, Searching the Web, Whois Databases, Using the DNS, and General Purpose Tools

Slide 4: Low-Technology Reconnaissance • Social Engineering: An attacker calls the target organization and fools an employee into revealing sensitive information. Often, the attacker calls and pretends to be a new employee, customer, system administrator, or business partner.

Slide 5: Low-Technology Reconnaissance • Physical Break-In: Physically breaking into the building to try to gain access to the network from the inside. This is often accomplished by walking into the building with a group of employees or being hired as an employee or temp.

Slide 6: Low-Technology Reconnaissance • Dumpster Diving: Going through an organization’s discarded documents to find sensitive information. Often, employees will throw out papers that reveal critical information (e.g. old Post-It® notes with user IDs and passwords).

Slide 7: Searching the Web • Organization’s Web Site: Can reveal important information, such as the employees’ contact information, clues about the corporate culture and language, business partners, recent mergers and acquisitions, and what technologies the organization uses.

Slide 8: Searching the Web • Search Engines: Can reveal information about the company’s history, current events, future plans, financial status, business partners, technologies in use. • Usenet: Employees may submit questions to technical newsgroups that reveal information about the particular products that the organization uses.

Slide 9: Whois Databases • Whois databases contain information about the assignment of Internet addresses, domain names, registrars, and individual contacts. • First, find out who the registrar is. The Internet Network Information Center (InterNIC) whois database lists the registrar for domains under .com, .net and .org, searchable by organization name or domain name. The InterNIC whois database is available online at: www.internic.net/whois.html

Slide 10: Whois Databases • If you are researching an organization whose domain is not under .com, .net or .org (e.g. a country-code domain), try the Allwhois site at: www.allwhois.com/home.html • Once you have the registrar’s name, you can go to the registrar’s site and get more information, such as names and phone numbers of administrators, email and postal addresses, registration dates, and the addresses of the organization’s DNS servers.

Slide 11: American Registry for Internet Numbers (ARIN) • Lists the IP address blocks allocated to an organization. Search by company name or by IP address. • For North American, South American, Caribbean, and sub-Saharan African organizations: www.arin.net/whois/arinwhois.html • For European organizations: www.ripe.net • For Asian organizations: www.apnic.net • Note: since this deck was written, Latin America and the Caribbean have moved to LACNIC (www.lacnic.net) and Africa to AfriNIC (www.afrinic.net); each registry’s whois refers you on to the registry that actually holds the block.
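Slides 9 and 10 describe the registrar lookup as two manual steps: ask the central database who the registrar is, then ask the registrar. The same referral chain is what the whois protocol itself exposes on TCP port 43, so it can be walked in code. The following is an added example, not part of the original slides: it queries a server, pulls the referral field out of the reply, and follows it until a server gives none. The replies in SAMPLE_REPLIES are constructed (not real whois output) so the chain can be walked offline; whois.registrar.example is a made-up hostname.

```python
import socket

# Field names that carry a referral: IANA uses "refer:", registries such as the
# .com registry use "Registrar WHOIS Server:", some servers simply say "whois:".
REFERRAL_KEYS = ("refer", "whois", "registrar whois server")

def whois_query(server, query, timeout=10.0):
    """One WHOIS query (RFC 3912): send the text plus CRLF, read until the server closes. Needs network."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def find_referral(reply):
    """Return the next server to ask, or None if this reply is the end of the chain."""
    for line in reply.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in REFERRAL_KEYS and value.strip():
            return value.strip().lower()
    return None

def whois_chain(domain, start="whois.iana.org", max_hops=4, query_fn=whois_query):
    """Slides 9/10 as a loop: start at IANA, follow every referral until a server
    gives none (or points back at one already asked). Returns [(server, reply), ...]."""
    server, asked, hops = start, set(), []
    while server and server not in asked and len(hops) < max_hops:
        asked.add(server)
        reply = query_fn(server, domain)
        hops.append((server, reply))
        server = find_referral(reply)
    return hops

# Constructed replies (not captured from real servers) so the walk runs offline.
SAMPLE_REPLIES = {
    "whois.iana.org": "refer:        whois.verisign-grs.com\n\ndomain:       COM\n",
    "whois.verisign-grs.com": "   Domain Name: EXAMPLE.COM\n   Registrar WHOIS Server: whois.registrar.example\n",
    "whois.registrar.example": "Domain Name: example.com\nRegistrar: Example Registrar\nName Server: ns1.example.com\n",
}

def sample_query(server, _query):
    """Stand-in for whois_query that answers from SAMPLE_REPLIES."""
    return SAMPLE_REPLIES[server]

if __name__ == "__main__":
    for server, reply in whois_chain("example.com", query_fn=sample_query):
        print("==", server, "==")
        print(reply)
```

The `asked` set matters in practice: a registrar whose reply names itself as the whois server would otherwise be queried forever, and some servers rate-limit or block repeated queries.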

Slide 12: Domain Name System (DNS) • DNS – a world-wide hierarchical database that stores information about domain names and IP addresses. This database is searched to get information about a given domain name, most commonly the corresponding IP address. • Once an attacker knows one of the DNS servers, the attacker can begin interrogating the name servers.

Slide 13: DNS • To interrogate DNS servers, run the nslookup program, available on any UNIX or Windows NT/2000 system, by typing nslookup at the command prompt. • Try to do a zone transfer. In a zone transfer, nslookup asks the DNS server to transmit all the records it holds for a given domain.

Slide 14: DNS • To do a zone transfer, nslookup must be told to use the target’s DNS server, using the server [target_DNS_server] command • Next, ask for every type of DNS record by typing set type=any • Initiate the zone transfer by typing ls -d [target_domain] • Output can give useful information, such as system names, IP addresses of the systems, and sometimes even operating system types (from HINFO or TXT records). • Note: the ls command exists only in the Windows nslookup; on UNIX the equivalent is dig @[target_DNS_server] [target_domain] axfr. Most name servers today restrict zone transfers to their own secondaries and answer REFUSED, so a refusal is the expected result, not a tool failure. • More information about nslookup: www.zoneedit.com/doc/nslookup.html
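What nslookup's `ls -d` (or dig's `axfr`) actually does is send a DNS query of type AXFR (252) over TCP and read back one or more DNS messages until the zone's SOA record appears a second time. The following is an added example, not part of the original slides, that does this at the wire level with the standard library only: it builds the AXFR query, decodes the compressed names DNS responses use, and walks the records. SAMPLE_RESPONSE is a constructed message (not captured from a real server) so the parser can be exercised offline; example.com and the 192.0.2.x addresses are placeholders.

```python
import socket
import struct

QTYPE_AXFR, TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_SOA = 252, 1, 2, 5, 6

def encode_name(domain):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = [l.encode("ascii") for l in domain.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_axfr_query(domain, txid=0x1234):
    """One question, QTYPE=AXFR, QCLASS=IN, with the 2-byte length prefix used on TCP."""
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, 1)
    return struct.pack("!H", len(msg)) + msg

def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); returns (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # pointer: top two bits set
            if end is None:
                end = off + 2                  # a pointer is always the last part of a name
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_records(msg):
    """Return [(name, type, value)] for every resource record in one DNS message."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                        # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype in (TYPE_NS, TYPE_CNAME):
            value, _ = read_name(msg, off)     # rdata is itself a (compressible) name
        else:
            value = msg[off:off + rdlen].hex()
        records.append((name, rtype, value))
        off += rdlen
    return records

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf

def zone_transfer(server, domain, timeout=5.0):
    """Ask `server` for the whole zone over TCP. Stops at the closing SOA, or on a non-zero
    RCODE (5 = REFUSED is the usual answer today). Needs network; not run by the offline sample."""
    records, soa_count = [], 0
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(domain))
        while soa_count < 2:
            prefix = _recv_exact(s, 2)
            if not prefix:
                break
            msg = _recv_exact(s, struct.unpack("!H", prefix)[0])
            if msg is None or struct.unpack("!H", msg[2:4])[0] & 0x000F:
                break
            for rec in parse_records(msg):
                records.append(rec)
                soa_count += rec[1] == TYPE_SOA
    return records

# Constructed sample: one response message with an A record and a CNAME, both using
# compression pointers (0xC00C = "the name at offset 12", i.e. the question name).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 3600, 4) + socket.inet_aton("192.0.2.1")
    + b"\x03www\xC0\x0C" + struct.pack("!HHIH", TYPE_CNAME, 1, 3600, 2) + b"\xC0\x0C"
)

if __name__ == "__main__":
    for name, rtype, value in parse_records(SAMPLE_RESPONSE):
        print(name, rtype, value)
```

Note the TCP framing: each message is preceded by its length, and a large zone arrives as several messages, which is why the reader loops until the second SOA rather than reading once.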

Slide 15: General Reconnaissance Tools • Sam Spade (freeware available at www.samspade.org/ssw/ ) • Many reconnaissance tools in one: ping, whois, IP block whois, nslookup, dig, DNS zone transfer, traceroute, finger, SMTP VRFY, Web browser. • Other general-purpose reconnaissance tools: CyberKit, NetScan Tools, iNetTools

Slide 16: Web-Based Reconnaissance Tools • Research and Attack portals: sites that allow a user to enter the target site and research or initiate an attack against the target (via denial-of-service attacks or vulnerability scans) • Difference between Web-based tools and general reconnaissance tools: now the traffic comes from the Web server, not the attacker machine. Thus, the attacker can remain more anonymous.

Slide 17: Web-Based Reconnaissance Tools • Examples: www.network-tools.com privacy.net/analyze

Slide 18: Phase 2: Scanning The premise of scanning is to probe as many ports as possible, keeping track of open and useful ports that would be receptive to hacking. Scanners send multiple packets over a communication medium then listen and record each response. The following are techniques for inspecting ports and protocols.

Slide 19: War Dialing • War Dialing: Dialing large pools of telephone numbers in an effort to find unprotected modems. Done with an automated tool, such as THC-Scan 2.0, available at: www.thc.org/releases.php. • This tool will return a list of all of the modems discovered in the range of the phone numbers it was given. • The hacker can then check all of the modems and see if any have no passwords, allowing them access to the network.

Slide 20: FIN Probe • A FIN packet (or any packet without the ACK or SYN flag set) is sent to an open port and one waits for a response. • The correct RFC 793 behavior is not to respond. Many broken implementations (e.g. MS Windows) send a RST back, which makes this probe useful for telling operating systems apart.

Slide 21: Network Mapping • A hacker first tries to determine which addresses have active hosts by pinging all possible addresses in the network. • Once a hacker knows which hosts are alive, he or she will try to determine the network topology. This is done by a method called tracerouting.

Slide 22: Network Mapping • Tracerouting: Send a series of packets with different Time-To-Live (TTL) values in the IP header and check the source address of the Time Exceeded message returned. • Example: Send a packet with a TTL of 1. The Time Exceeded message will have the source address of the first router. Now send a packet with a TTL of 2. The Time Exceeded message returned will have the source address of the second router, and so on.

Slide 23: Tracerouting

Slide 24: Network Mapping • Windows 2000/NT and UNIX have tools that do this for us • Windows 2000/NT: tracert • UNIX: traceroute • Another network mapping tool: Cheops (available at: www.marko.net/cheops ) This tool does the ping sweep and traceroute and draws a picture of the topology of the network.
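Slides 21 to 24 describe tracerouting as a procedure: send a probe with TTL 1, record who sent the Time Exceeded message, increase the TTL, repeat until the destination itself answers. The following is an added example, not part of the original slides or of the tracert/traceroute programs, that implements that loop. `udp_probe` is the real thing (a UDP datagram with a chosen TTL and a raw ICMP socket to catch the error, so it needs root and a network); `traceroute` takes the probe as a parameter, and `make_fake_probe` builds a constructed path (192.0.2.x and 10.0.0.x are placeholders) so the TTL logic can be run and checked offline, including a hop that never answers.

```python
import socket
import struct

ICMP_TIME_EXCEEDED, ICMP_DEST_UNREACH = 11, 3

def udp_probe(dest_ip, ttl, port=33434, timeout=2.0):
    """Send one UDP probe with the given TTL and wait for the ICMP error it provokes.
    Returns (router_ip, "time_exceeded" | "unreachable" | "timeout"). Needs root (raw socket)."""
    icmp = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    icmp.settimeout(timeout)
    udp.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
    try:
        udp.bind(("", 0))
        sport = udp.getsockname()[1]
        udp.sendto(b"", (dest_ip, port))
        while True:
            data, (src, _) = icmp.recvfrom(1024)
            ihl = (data[0] & 0x0F) * 4                   # outer IPv4 header length
            icmp_type = data[ihl]
            inner = data[ihl + 8:]                       # ICMP errors quote the offending datagram
            if len(inner) < 28:
                continue
            inner_ihl = (inner[0] & 0x0F) * 4
            q_sport, q_dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
            if (q_sport, q_dport) != (sport, port):
                continue                                 # someone else's error; keep waiting
            if icmp_type == ICMP_TIME_EXCEEDED:
                return src, "time_exceeded"
            if icmp_type == ICMP_DEST_UNREACH:           # destination reached: port unreachable
                return src, "unreachable"
    except socket.timeout:
        return None, "timeout"
    finally:
        icmp.close()
        udp.close()

def traceroute(dest_ip, probe=udp_probe, max_hops=30):
    """Slide 22 as code: TTL 1, 2, 3, ... until the destination itself answers.
    Returns [(ttl, router_ip_or_None), ...]; None is the '*' of a hop that stayed silent."""
    hops = []
    for ttl in range(1, max_hops + 1):
        src, kind = probe(dest_ip, ttl)
        hops.append((ttl, src))
        if kind == "unreachable":
            break
    return hops

def make_fake_probe(path, dest_ip):
    """Constructed network for offline use: `path` is the list of routers in order,
    with None for a router that never sends Time Exceeded; beyond it sits the destination."""
    def probe(_dest, ttl, **_):
        if ttl <= len(path):
            router = path[ttl - 1]
            return (router, "time_exceeded") if router else (None, "timeout")
        return dest_ip, "unreachable"
    return probe

if __name__ == "__main__":
    fake = make_fake_probe(["10.0.0.1", None, "192.0.2.1"], "192.0.2.50")
    for ttl, router in traceroute("192.0.2.50", probe=fake):
        print(ttl, router or "*")
```

The check on the quoted source and destination ports is what keeps a busy host from attributing a stray ICMP error (from someone else's traffic) to the wrong hop; the stock traceroute does the same.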

Slide 25: Screenshot of Cheops

Slide 26: How Cheops Works • Sequentially send ARP requests to every IP address in the range (ARP only reaches hosts on the attacker’s own layer-2 segment; for remote ranges the ICMP ping sweep of the previous slides is what finds live hosts). • Traceroute to every IP address that responds.

Slide 27: Scanning Involves 3 Steps • Locating Nodes • Performing Service Discoveries • Testing Services for Known Security Holes

Slide 28: TCP Port Scanning • Most basic form of scanning. Attempts to complete a full TCP connection (the three-way handshake, as connect() does) to each port to determine whether that port is active. • Because the connection completes, the listening application sees it and may log it, so this method leaves an easier to spot trail than half-open scanning.

Slide 29: Stealth Port Scanning • UNIX-like operating systems honor the tradition of permitting only the super-user (root) to bind the ports numbered 0 to 1023. These well-known ports are assigned to services by the IANA (Internet Assigned Numbers Authority, www.iana.org). • An attempt by an unprivileged program to bind a port in the range 0..1023 fails (EACCES); an unprivileged program can bind any unallocated port above 1023. Windows does not enforce this restriction.

Slide 30: • On Unix, the text file /etc/services (on Windows 2000 the file %windir%\system32\drivers\etc\services) lists these service names and the ports they use. Here are a few lines extracted from this file:

Slide 31:
echo        7/tcp           Echo
ftp-data    20/tcp          File Transfer (default data)
ftp         21/tcp          File Transfer (control)
ssh         22/tcp          SSH Remote Login Protocol
telnet      23/tcp          Telnet
domain      53/udp          Domain Name Server
www-http    80/tcp          WWW HTTP

Slide 32: Non Standard Ports
wins        1512/tcp        Microsoft Windows Internet Name Service
radius      1812/udp        RADIUS authentication protocol
yahoo       5010            Yahoo! Messenger
X11         6000-6063/tcp   X Window System

Slide 33: Stealth Scanning Includes Some/All of the Following • Setting individual flags (ACK, FIN, RST, .. ) • NULL flags set • All flags set • Bypassing filters, firewalls, routers • Appearing as casual network traffic • Varied packet dispersal rates

Slide 34: Fragmented Packets • The scanner splits the TCP header into several IP fragments. This bypasses some packet filter firewalls because they cannot see a complete TCP header that can match their filter rules.

Slide 35: • Some packet filters and firewalls do queue and reassemble all IP fragments (e.g., the CONFIG_IP_ALWAYS_DEFRAG option in Linux enables it in the kernel), but many networks cannot afford the performance loss caused by the queuing.

Slide 36: TCP Fragmenting • TCP fragmenting is not a scan method so to speak, although it employs a method to obscure scanning implementations by splitting the TCP header into smaller fragments.

Slide 37: • A minimally allowable fragmented TCP header must carry the source and destination ports in the first fragment (the first 8 octets, 64 bits, which also hold the sequence number); the flags then typically arrive in the next fragment, and the remote host reassembles the packet upon arrival.

Slide 38: • The actual reassembly is done by the internet protocol module (IPM), which recognizes fragments of the same datagram by equal values of the fields: – source – destination – protocol – identification

Slide 39: Using TCP Fragmenting - FragRouter • Program which fragments TCP packets – 35 different ways to fragment • Called a router because it is a software implementation of a router – data from other programs is sent through the FragRouter • FragRouter fragments the packets and then forwards the packets to their destination
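Slides 34 to 38 make two claims worth seeing in bytes: a filter that inspects only the first fragment cannot see the TCP flags when the header is cut after 8 octets, and the receiving host's IP module reassembles by the (source, destination, protocol, identification) tuple. The following is an added example, not part of the original slides or of FragRouter: it builds the two fragments of a TCP SYN the way a fragmenting scanner would, shows what a first-fragment-only filter can see, and reassembles them. The fragments are constructed (192.0.2.x placeholders, IP checksum left at zero, since nothing here transmits or validates it).

```python
import struct

MF_FLAG = 0x2000                               # "more fragments" bit in the IPv4 flags/offset field
SYN = 0x02

def build_fragment(src, dst, ident, offset_bytes, more, payload, proto=6):
    """Minimal IPv4 fragment: 20-byte header, no options, header checksum left at zero
    (this constructed sample is parsed, never sent, and the reassembler does not check it)."""
    assert offset_bytes % 8 == 0, "fragment offsets are in 8-octet units"
    flags_off = (MF_FLAG if more else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_off, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

def parse_fragment(pkt):
    """Returns (reassembly key, byte offset, more-fragments flag, fragment data)."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    key = (src, dst, proto, ident)             # RFC 791's identity of a datagram under reassembly
    return key, (flags_off & 0x1FFF) * 8, bool(flags_off & MF_FLAG), pkt[ihl:total]

def reassemble(fragments):
    """Group fragments by key and stitch the ones that form a complete datagram; {key: payload}.
    A gap or an overlap leaves the datagram incomplete (real stacks differ on overlaps, which is
    exactly the ambiguity tools like FragRouter exploit)."""
    buckets = {}
    for pkt in fragments:
        key, off, more, data = parse_fragment(pkt)
        b = buckets.setdefault(key, {"parts": {}, "end": None})
        b["parts"][off] = data
        if not more:
            b["end"] = off + len(data)         # the last fragment tells us the total length
    done = {}
    for key, b in buckets.items():
        if b["end"] is None:
            continue
        out, pos = b"", 0
        for off in sorted(b["parts"]):
            if off != pos:
                break                          # hole or overlap: keep waiting
            out += b["parts"][off]
            pos = off + len(b["parts"][off])
        if pos == b["end"]:
            done[key] = out
    return done

def first_fragment_tcp_flags(pkt):
    """What a filter that only looks at the first fragment can see: the TCP flag byte
    (offset 13 of the TCP header) if it is present in that fragment, else None."""
    _, off, _, data = parse_fragment(pkt)
    return data[13] if off == 0 and len(data) > 13 else None

# Constructed sample: a 20-byte TCP SYN to port 22, split after the first 8 octets.
# Fragment 1 carries only the ports and sequence number; the flags ride in fragment 2.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, SYN, 8192, 0, 0)
SAMPLE_FRAGMENTS = [
    build_fragment("192.0.2.10", "192.0.2.20", 777, 0, True, TCP_SYN[:8]),
    build_fragment("192.0.2.10", "192.0.2.20", 777, 8, False, TCP_SYN[8:]),
]

if __name__ == "__main__":
    print("flags visible to a first-fragment filter:", first_fragment_tcp_flags(SAMPLE_FRAGMENTS[0]))
    for key, payload in reassemble(SAMPLE_FRAGMENTS).items():
        print("reassembled id=%d, TCP flags byte = 0x%02x" % (key[3], payload[13]))
```

A filter that wants to reject such probes has to either reassemble (as the CONFIG_IP_ALWAYS_DEFRAG option on slide 35 does) or drop first fragments too short to contain the whole transport header.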

Slide 40: SYN Scanning • Also called half-open scanning, as TCP connection is not completed. • A SYN packet is sent and the target host responds with a SYN+ACK, indicating the port is listening • RST indicates a non-listener • The server process is never informed by the TCP layer because the connection did not complete.

Slide 41: A demonstration of this technique shows the half-open transaction:
client -> SYN
server -> SYN|ACK
client -> RST

Slide 42: • This example has shown the target port was open, since the server responded with the SYN|ACK flags. • The RST is generated by the kernel: the client need not send another packet itself, because its TCP/IP stack automatically answers a SYN|ACK for a connection it never opened with a RST.

Slide 43: Conversely, a closed port will respond with RST|ACK:
client -> SYN
server -> RST|ACK
This combination of flags is indicative of a non-listening port.

Slide 44: FIN Scanning • The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that open listening ports will send back different error messages than closed ports.

Slide 45: • The scanner sends a FIN packet, which would normally close an established connection. Closed ports reply to a FIN packet with a RST. Open ports, on the other hand, ignore the packet. • If no service is listening at the target port, the operating system will generate a RST. • If a service is listening, the operating system will silently drop the incoming packet. Therefore, silence suggests the presence of a service at the port, but silence is also what a firewall that dropped the probe produces, so this state is really “open or filtered”; only a RST is a definite answer.

Slide 46: This is the negotiation for open/closed port recognition:
client -> FIN
server -> (no reply)
No reply from the server indicates an open port: the server’s operating system silently dropped the incoming FIN packet addressed to the service running on that port.

Slide 47: RST Reply • The opposite case is the RST reply from the server when a closed port is reached. • Since no service is bound on that port, a FIN provokes a reset (RST) response from the server:
client -> FIN
server -> RST

Slide 48: • Other techniques that have been used consist of XMAS scans where all flags in the TCP packet are set, or NULL scans where none of the bits are set. However, different operating systems respond differently to these scans, and it becomes important to identify the OS and even its version and patch level.
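Slides 40 to 48 describe SYN, FIN, NULL and XMAS scans as different flag bytes in the probe and different interpretations of the reply. The following is an added example, not part of the original slides or of any scanner, that builds a raw TCP segment with the chosen flags and a correct checksum (RFC 793 requires the IPv4 pseudo-header in the sum), maps (scan type, reply flags) to a port state using exactly the rules the slides give, and, in `raw_scan`, sends one probe through a raw socket. `raw_scan` needs root and a network; the segment builder and the classifier run offline on the constructed 192.0.2.x placeholder addresses.

```python
import random
import socket
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
SCAN_FLAGS = {"syn": SYN, "fin": FIN, "null": 0, "xmas": FIN | PSH | URG}

def checksum(data):
    """Internet checksum (RFC 1071): one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src_ip, dst_ip, tcp_len):
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, tcp_len)

def build_segment(src_ip, dst_ip, sport, dport, flags, seq=None):
    """20-byte TCP header, no options; data offset 5, window 8192, checksum over pseudo-header + header."""
    seq = random.getrandbits(32) if seq is None else seq
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def checksum_ok(src_ip, dst_ip, segment):
    """A correctly checksummed segment sums to zero when the checksum field itself is included."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

def flags_of(segment):
    return segment[13]

def classify(scan, reply_flags):
    """Port state from (scan type, flag byte of the reply, or None for silence).
    SYN scan: SYN|ACK = open, RST = closed, nothing = filtered (slides 40-43).
    FIN/NULL/XMAS: RST = closed, nothing = open or filtered, since a firewall that
    drops the probe looks the same as an open port that ignores it (slides 45-48)."""
    if scan == "syn":
        if reply_flags is None:
            return "filtered"
        if reply_flags & RST:
            return "closed"
        return "open" if reply_flags & SYN and reply_flags & ACK else "unexpected"
    if reply_flags is None:
        return "open|filtered"
    return "closed" if reply_flags & RST else "unexpected"

def raw_scan(dst_ip, dport, scan="syn", timeout=2.0):
    """Send one probe and classify the reply. Needs root; on Linux the kernel prepends the IP header.
    Our own kernel answers an unsolicited SYN|ACK with RST by itself, as slide 42 describes."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
    probe.settimeout(timeout)
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.connect((dst_ip, dport))                       # sends nothing; just selects our source address
    src_ip = tmp.getsockname()[0]
    tmp.close()
    sport = random.randint(32768, 60999)
    try:
        probe.sendto(build_segment(src_ip, dst_ip, sport, dport, SCAN_FLAGS[scan]), (dst_ip, 0))
        while True:
            data, _ = probe.recvfrom(1024)
            tcp = data[(data[0] & 0x0F) * 4:]          # strip the IPv4 header
            if struct.unpack("!HH", tcp[:4]) == (dport, sport):
                return classify(scan, flags_of(tcp))
    except socket.timeout:
        return classify(scan, None)
    finally:
        probe.close()
```

Windows, which answers every FIN/NULL/XMAS probe with a RST, comes out as "closed" on every port with this classifier; that is the slide 48 caveat in practice, and the reason a scanner needs OS identification before trusting those three scan types.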

Slide 49: Reverse Ident Scanning • This technique involves sending a request to the ident/auth daemon, usually on port 113, asking which user owns the process at the other end of a TCP connection. • The main reason for doing this is to find daemons running as root; such a result would entice an intruder to look for an exploitable overflow in that daemon and to concentrate further activity on that port.

Slide 50: • Conversely, a daemon running as user nobody (e.g. httpd) is less attractive to an attacker because of its limited privileges. • identd can leak miscellaneous private information such as: – user info – entities – objects – processes
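The ident exchange on slides 49 and 50 is simple enough to show end to end: open a connection to the service, then ask port 113 on the same host who owns the process behind that connection's port pair (RFC 1413). The following is an added example, not part of the original slides: `reverse_ident` does the live query (needs a network and a target that still runs identd, which is rare today), while the request builder and reply parser run offline on constructed reply lines.

```python
import socket

def ident_request(server_port, client_port):
    """RFC 1413 request: the port pair of an existing TCP connection, as seen from the ident server's host."""
    return f"{server_port} , {client_port}\r\n".encode("ascii")

def parse_ident_reply(line):
    """Parse 'sport , cport : USERID : OS : user' or 'sport , cport : ERROR : reason'.
    The user field may contain colons, hence the bounded split."""
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 3:
        raise ValueError("malformed ident reply: %r" % line)
    ports = parts[0].split(",")
    if len(ports) != 2:
        raise ValueError("malformed port pair in ident reply: %r" % line)
    reply = {"server_port": int(ports[0]), "client_port": int(ports[1]), "status": parts[1]}
    if parts[1] == "USERID" and len(parts) == 4:
        reply["os"] = parts[2].split(",")[0].strip()   # "UNIX" or "UNIX , US-ASCII"; charset is optional
        reply["user"] = parts[3]
    elif parts[1] == "ERROR":
        reply["error"] = parts[2]                       # e.g. NO-USER, HIDDEN-USER, INVALID-PORT
    return reply

def reverse_ident(target, port, timeout=5.0):
    """Connect to target:port, then, while that connection is still open, ask the target's identd
    who owns the listening process. Returns the parsed reply, or None if no identd answers."""
    svc = socket.create_connection((target, port), timeout=timeout)
    try:
        client_port = svc.getsockname()[1]
        try:
            with socket.create_connection((target, 113), timeout=timeout) as ident:
                ident.sendall(ident_request(port, client_port))
                line = ident.recv(1024).decode("ascii", "replace")
        except OSError:
            return None
    finally:
        svc.close()
    return parse_ident_reply(line)

def interesting(reply):
    """Slide 49's triage rule: a daemon owned by root is the attractive target."""
    return reply.get("status") == "USERID" and reply.get("user") == "root"

if __name__ == "__main__":
    # Constructed reply lines, not captured from a real identd.
    for line in ("80 , 54321 : USERID : UNIX : root",
                 "8080 , 54322 : USERID : UNIX , US-ASCII : nobody",
                 "22 , 54323 : ERROR : HIDDEN-USER"):
        r = parse_ident_reply(line)
        print(r["server_port"], r.get("user", r.get("error")), "<- worth a look" if interesting(r) else "")
```

The service connection must stay open until the ident reply arrives: identd answers by looking up the live port pair in its kernel's connection table, and closes the window as soon as the connection is gone.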

Slide 51: FTP Bounce

Slide 52: Background • An FTP session consists of two connections between the client and the server: a control connection and a data connection. • In the normal (active) mode the client listens on a high port and tells the server about it, so that the FTP server can connect back and send data to the client. • When the client wants to transfer data to or from the server, it issues a PORT command giving an IP address and port number. The PORT command instructs the server to open a data connection to that address, which is then used to transfer the data.

Slide 53: Problem • Because nothing in the protocol requires the address in the PORT command to be the client’s own, an outside attacker can use the FTP server to open connections which appear to originate from the server. This can be used to bypass access control restrictions.

Slide 55: How To Use FTP Bounce Attacks

Slide 56: Port Scanning • An attacker can run the attack from a third-party FTP server acting as a stage for the scan. The victim site sees the scan as coming from the FTP server rather than the true source (the FTP client). • When the victim site is on the same subnet as the FTP server, or when it does not filter traffic from the FTP server, the attacker can use the server machine as the source of the port scan rather than the client machine

Slide 57: Bypassing Basic Packet Filtering Devices • An attacker may bypass a firewall in certain network configurations. – Example; a site has its anonymous FTP server behind a firewall. Using the technique above, an attacker determines that an internal web server at that site is available on port 8080, a port normally blocked by a firewall.

Slide 58: • By connecting to the public FTP server at the site, the attacker initiates a further connection between the FTP server and an arbitrary port on a non-public machine at that site (for instance the internal web server at port 8080). • As a result, the attacker establishes a connection to a machine that would otherwise be protected by the firewall.

Slide 59: Bypassing Dynamic Packet Filtering Devices • Example – victim site houses all of its systems behind a firewall that uses dynamic packet filters – person at victim site browses web pages and downloads a Java applet constructed by attacker. – Java applet then opens an outbound FTP connection to attacker's machine. – applet then issues an FTP PORT command, instructing server machine to open a connection to some otherwise protected system behind the victim firewall.
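Slides 51 to 59 all rest on one mechanism: the PORT command's argument encodes an arbitrary address and port, and the server's reply to the following LIST tells the attacker whether the server managed to connect there. The following is an added example, not part of the original slides, that implements the bounce scan from slide 56 on top of the standard library's ftplib and isolates the two pieces that run offline: the h1,h2,h3,h4,p1,p2 encoding from RFC 959 and the mapping of the server's reply codes to a port state. `bounce_scan` needs a network and a server that still permits third-party PORT targets (most current servers reject them); the hostnames and 10.0.0.x address in the usage are placeholders.

```python
import ftplib

def encode_port(host, port):
    """PORT argument (RFC 959): h1,h2,h3,h4,p1,p2 with the 16-bit port split into two bytes."""
    h = host.split(".")
    if len(h) != 4 or not 0 < port < 65536:
        raise ValueError("need a dotted IPv4 address and a 16-bit port")
    return ",".join(h + [str(port >> 8), str(port & 0xFF)])

def decode_port(arg):
    """Inverse of encode_port; what a server (or a firewall inspecting the control channel) parses."""
    nums = [int(n) for n in arg.split(",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("malformed PORT argument: %r" % arg)
    return ".".join(map(str, nums[:4])), (nums[4] << 8) | nums[5]

def classify_bounce_reply(reply):
    """Victim port as seen through the server's reply to LIST after our PORT:
    150/125/226 = the server reached it (open); 425/426 = it could not (closed or filtered);
    a 5xx means the server refused to bounce at all and tells us nothing about the victim."""
    code = reply[:3]
    if code in ("150", "125", "226"):
        return "open"
    if code in ("425", "426"):
        return "closed"
    return "server refuses bounce"

def bounce_scan(ftp_server, victim, ports, user="anonymous", passwd="guest@example.com"):
    """Scan victim:ports using ftp_server as the source the victim sees. Needs network."""
    results = {}
    with ftplib.FTP(ftp_server, timeout=10) as ftp:
        ftp.login(user, passwd)
        for port in ports:
            try:
                ftp.sendcmd("PORT " + encode_port(victim, port))
                reply = ftp.sendcmd("LIST")        # server now tries to connect to victim:port
                if reply.startswith(("150", "125")):
                    ftp.voidresp()                 # drain the 226 that ends the listing
            except ftplib.error_perm as e:         # 5xx: PORT to a foreign address rejected
                reply = str(e)
            except ftplib.error_temp as e:         # 4xx: data connection could not be built
                reply = str(e)
            results[port] = classify_bounce_reply(reply)
    return results

if __name__ == "__main__":
    arg = encode_port("10.0.0.5", 8080)            # the slide 57 scenario: internal web server on 8080
    print("PORT", arg, "->", decode_port(arg))
    # Constructed reply lines, not captured from a real server:
    for line in ("150 Here comes the directory listing.",
                 "425 Can't build data connection: Connection refused.",
                 "500 Illegal PORT command."):
        print(line, "=>", classify_bounce_reply(line))
```

The fix on the server side is the one the 5xx branch reflects: refuse any PORT whose address differs from the control connection's peer. On the firewall side, the dynamic-filter case of slide 59 is why stateful FTP inspection has to parse the PORT argument with `decode_port` and only open the pinhole toward the client that sent it.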

Slide 60: • Dynamic packet filtering firewall examines outboun