• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Intro To Hacking
 

Intro To Hacking

on

  • 7,219 views

 

Statistics

Views

Total Views
7,219
Views on SlideShare
7,208
Embed Views
11

Actions

Likes
3
Downloads
404
Comments
1

1 Embed 11

http://www.slideshare.net 11

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel

11 of 1 previous next

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Intro To Hacking Intro To Hacking Presentation Transcript

  • Hacking Primer
  • Outline
    • Internet footprinting
    • Hacking Windows
    • Hacking Unix/Linux
    • Hacking the network
  • Internet Footprinting © 2004 Cisco Systems, Inc. All rights reserved. mnystrom
  • Internet Footprinting Outline
    • Review publicly available information
    • Perform network reconnaissance
    • Discover landscape
    • Determine vulnerable services
  • Review publicly available information
    • News: Look for recent news
      • news.google.com
      • SEC filings
      • Search for phone numbers, contacts
    • Technical info: Look for stupid postings
      • Router configs
      • Admin pages
      • Nessus scans
    • Netcraft
    • Whois/DNS info
      • SamSpade
      • dig
  • Network reconnaissance
    • Use traceroute to find vulnerable servers
      • Trout
    • Can also query BGP tools
      • http://nitrous.digex.net/mae/equinix.html
      • Look up ASNs
  • Landscape discovery
    • Ping sweep: Find out which hosts are alive
      • nmap, fping, gping, SuperScan, etc.
    • Port scans: Find out which ports are listening
      • Don’t setup a full connection – just SYN
      • Netcat
        • can be run in encrypted mode – cryptcat
      • nmap advanced options
        • XMAS scan sends all TCP options
        • Source port scanning sets source port (e.g., port 88 to scan Windows systems)
        • Time delays
    • Banner grab & O/S guess
      • telnet
      • ftp
      • netcat
      • nmap
  • Hacking Windows © 2004 Cisco Systems, Inc. All rights reserved. mnystrom
  • Hacking Windows outline
    • Scan
    • Enumerate
    • Penetrate
    • Escalate
    • Pillage
    • Get interactive
    • Expand influence
  • Scanning Windows
    • Port scan, looking for what’s indicative of Windows
      • 88 – Kerberos
      • 139 – NetBIOS
      • 445 – SMB/CIFS
      • 1433 – SQL Server
      • 3268, 3269 – Active Directory
      • 3389 – Terminal Services
    • Trick: Scan from source port = 88 to find IPSec secured systems
  • Enumerating Windows
    • Accounts
      • USER account used by most code, but escalates to SYSTEM to perform kernel-level operations
      • System accounts tracked by their SIDs
        • RID at end of SID identifies account type
        • RID = 500 is admin account
      • Need to escalate to Administrator to have any real power
      • Tools
        • userdump – enumerates users on a host
        • sid2user & user2sid translates account names on a host
      • SAM
        • Contains usernames, SIDs, RIDs, hashed passwords
        • Local account stored in local SAM
        • Domain accounts stored in Active Directory (AD)
      • Trusts
        • Can exist between AD domains
        • Allows accounts from one domain to be used in ACLs on another domain
  • Enumerating Windows (cont.)
    • Need access to ports 135, 139, 445
    • Enumerate hosts in a domain
      • net view /domain:<domain name>
    • Find domain controller(s)
      • nltest /dsgetdc:<domain name> /pdc
      • nltest /bdc_query:<domain name>
      • nbtstcan – fast NetBIOS scanner
      • null sessions are an important way to get info
        • Runs over 445
        • Not logged by most IDS
        • net use lt;target>ipc$ “” /u:””
        • “ local” (from ResKit) or Dumpsec can then enumerate accounts
      • Countermeasures
        • Block UDP/137
        • Set RestictAnonymous registry value
  • Enumerating Windows (cont.)
    • Look for hosts with 2 NICs
      • “ getmac” from Win2K resource kit
    • Enumerate trusts on domain controller
      • nltest /server:amer /trusted_domains
    • Enumerate shares with DumpSec
      • Hidden shares have “$” at the end
    • Enumerate with LDAP
      • LDAPminer
  • Penetrating Windows
    • 3 methods
      • Guess password
      • Obtain hashes
        • Emergency Repair Disk
      • Exploit a vulnerable service
    • Guessing passwords
      • Review vulnerable accounts via dumpsec
      • Use NetBIOS Auditing Tool to guess passwords
  • Escalating privileges in Windows
    • getadmin
      • getad
      • getad2
      • pipeupadmin
    • Shatter
      • Yields system-level privileges
      • Works against Windows Server 2003
  • Pillaging Windows
    • Clear logs
      • Some IDS’s will restart auditing once it’s been disabled
    • Grab hashes
      • Remotely with pwdump3
      • Backup SAM: c:winnt epairsam._
    • Grab passwords
      • Sniff SMB traffic
    • Crack passwords
      • L0phtcrack
      • John the Ripper
  • Getting interactive with Windows
    • Copy rootkit over a share
    • Hide rootkit on the target server
      • Low traffic area such as winntsystem32OS2dll oolz
      • Stream tools into files
    • Remote shell
      • remote.exe (resource kit tool)
      • netcat
    • How to fire up remote listener?
      • trojan
      • Leave a CD in the bathroom titled, “pending layoffs” 
      • Schedule it for remote execution
        • at scheduler
        • psexec
  • Windows – Expand influence
    • Get passwords
      • Keystroke logger with stealth mail
      • FakeGINA intercepts Winlogon
    • Plant stuff in registry to run on reboot
    • Hide files
      • “ attrib +h <directory>”
      • Stream files
      • Tripwire should catch this stuff
  • Hacking Unix/Linux © 2004 Cisco Systems, Inc. All rights reserved. mnystrom
  • Hacking Unix/Linux outline
    • Discover landscape
    • Enumerate systems
    • Attack
      • Remote
      • Local
    • Get beyond root
  • Discover landscape
    • Goals
      • Discover available hosts
      • Find all running services
    • Methodology
      • ICMP and TCP ping scans
      • Find listening services with nmap and udp_scan
      • Discover paths with ICMP, UDP, TCP
    • Tools
      • nmap
      • SuperScan (Windows)
      • udp_scan (more reliable than nmap for udp scanning)
  • Enumerate systems
    • Goal: Discover the following…
      • Users
      • Operating systems
      • Running programs
      • Specific software versions
      • Unprotected files
      • Internal information
    • Tools
      • OS/Application: telnet, ftp, nc, nmap
      • Users: finger, rwho,rusers, SMTP
      • RPC programs: rpcinfo
      • NFS shares: showmount
      • File retrieval: TFTP
      • SNMP: snmpwalk snmpget
  • Enumerate services
    • Users
      • finger
      • SMTP vrfy
    • DNS info
      • dig
    • RPC services
      • rpcinfo
    • NFS shares
      • showmount
    • Countermeasures
      • Turn off un-necessary services
      • Block IP addresses with router ACLs or TCP wrappers
  • Attack remotely
    • 3 primary methods
      • Exploit a listening service
      • Route through a system with 2 or more interfaces
      • Get user to execute it for you
        • Trojans
        • Hostile web site
    • Brute-force against service
      • http://packetstormsecurity.nl/Crackers/
      • Countermeasure: strong passwords, hide user names
    • Buffer-overflow attack
      • Overflow the stack with machine-dependent code (assembler)
      • Usually yields a shell – shovel it back with netcat
      • Prime targets: programs that run as root or suid
      • Countermeasures
        • Disable stack execution
        • Code reviews
        • Limit root and suid programs
  • Attack remotely (cont.)
    • Buffer overflow example
      • echo “vrfy `perl –e ‘print “a” x 1000’`” |nc www.targetsystem.com 25
      • Replace this with something like this…
      • char shellcode[] = “xebxlfx5ex89x76x08…”
    • Input validation attacks
      • PHF CGI – newline character
      • SSI passes user input to O/S
    • Back channels
      • X-Windows
        • Send display back to attacker’s IP
        • Reverse telnet
  • Attack remotely (cont.)
    • Countermeasures against back channels
      • Get rid of executables used for this (x-windows, telnet, etc.)
    • Commonly attacked services
      • Sendmail
      • NFS
      • RPC
      • X-windows (sniffing session data)
      • ftpd (wu-ftpd)
      • DNS
        • Guessable query IDs
        • BIND vulnerabilities
        • Countermeasures
          • Restrict zone transfers
          • Block TCP/UDP 53
          • Don’t use HINFO records
  • Attack locally
    • Buffer overflow
    • Setuid programs
    • Password guessing/cracking
    • Mis-configured file/dir permissions
  • Get beyond root
    • Map the network (own more hosts)
    • Install rootkit
      • crypto checksum is the only way to know if it’s real
      • Create backdoors
      • Sniff other traffic
        • dsniff
        • arpredirect
        • loki
        • Hunt
        • Countermeasures
          • Encrypt all traffic
          • Switched networks (not a panacaea)
      • Clean logs
      • Session hijacking
  • Hacking the Network © 2004 Cisco Systems, Inc. All rights reserved. mnystrom
    • Vulnerabilities
    • Dealing with firewalls
  • Vulnerabilities
    • TTY access – 5 to choose from
    • SNMP V2 community strings
    • HTTP (Everthing is clear-text)
    • TFTP
      • No auth
      • Easy to discern router config files “<router-name>.cfg
    • Countermeasures
      • ACLs
      • TCP wrappers
      • Encrypt passwords
  • Vulnerabilities: routing issues
    • Path integrity
      • Source routing reveals path through the network
      • Routing updates can be spoofed (RIP, IGRP)
    • ARP spoofing
      • Easy with dsniff
  • Dealing with firewalls
    • Enumerate with nmap or tcpdump
      • Can show you which ports are filtered (blocked)
    • Some proxies return a banner
      • Eagle Raptor
    • TCP traffic itself may provide signature
    • Ping the un-pingable
      • hping
      • Look for ICMP type 13 (admin prohibited)
  • Dealing with firewalls (cont.)
    • ACLs may allow scanning if source port is set
      • nmap with “-g” option
    • Port redirection
      • fpipe
      • netcat
  • Questions?