Hacking Primer

Outline Internet footprinting Hacking Windows Hacking Unix/Linux Hacking the network

Internet footprinting

Hacking Windows

Hacking Unix/Linux

Hacking the network

Internet Footprinting © 2004 Cisco Systems, Inc. All rights reserved. mnystrom

Internet Footprinting Outline Review publicly available information Perform network reconnaissance Discover landscape Determine vulnerable services

Review publicly available information

Perform network reconnaissance

Discover landscape

Determine vulnerable services

Review publicly available information News: Look for recent news news.google.com SEC filings Search for phone numbers, contacts Technical info: Look for stupid postings Router configs Admin pages Nessus scans Netcraft Whois/DNS info SamSpade dig

News: Look for recent news

news.google.com

SEC filings

Search for phone numbers, contacts

Technical info: Look for stupid postings

Router configs

Admin pages

Nessus scans

Netcraft

Whois/DNS info

SamSpade

dig

Network reconnaissance Use traceroute to find vulnerable servers Trout Can also query BGP tools http://nitrous.digex.net/mae/equinix.html Look up ASNs

Use traceroute to find vulnerable servers

Trout

Can also query BGP tools

http://nitrous.digex.net/mae/equinix.html

Look up ASNs

Landscape discovery Ping sweep: Find out which hosts are alive nmap, fping, gping, SuperScan, etc. Port scans: Find out which ports are listening Don’t setup a full connection – just SYN Netcat can be run in encrypted mode – cryptcat nmap advanced options XMAS scan sends all TCP options Source port scanning sets source port (e.g., port 88 to scan Windows systems) Time delays Banner grab & O/S guess telnet ftp netcat nmap

Ping sweep: Find out which hosts are alive

nmap, fping, gping, SuperScan, etc.

Port scans: Find out which ports are listening

Don’t setup a full connection – just SYN

Netcat

can be run in encrypted mode – cryptcat

nmap advanced options

XMAS scan sends all TCP options

Source port scanning sets source port (e.g., port 88 to scan Windows systems)

Time delays

Banner grab & O/S guess

telnet

ftp

netcat

nmap

Hacking Windows © 2004 Cisco Systems, Inc. All rights reserved. mnystrom

Hacking Windows outline Scan Enumerate Penetrate Escalate Pillage Get interactive Expand influence

Scan

Enumerate

Penetrate

Escalate

Pillage

Get interactive

Expand influence

Scanning Windows Port scan, looking for what’s indicative of Windows 88 – Kerberos 139 – NetBIOS 445 – SMB/CIFS 1433 – SQL Server 3268, 3269 – Active Directory 3389 – Terminal Services Trick: Scan from source port = 88 to find IPSec secured systems

Port scan, looking for what’s indicative of Windows

88 – Kerberos

139 – NetBIOS

445 – SMB/CIFS

1433 – SQL Server

3268, 3269 – Active Directory

3389 – Terminal Services

Trick: Scan from source port = 88 to find IPSec secured systems

Enumerating Windows Accounts USER account used by most code, but escalates to SYSTEM to perform kernel-level operations System accounts tracked by their SIDs RID at end of SID identifies account type RID = 500 is admin account Need to escalate to Administrator to have any real power Tools userdump – enumerates users on a host sid2user & user2sid translates account names on a host SAM Contains usernames, SIDs, RIDs, hashed passwords Local account stored in local SAM Domain accounts stored in Active Directory (AD) Trusts Can exist between AD domains Allows accounts from one domain to be used in ACLs on another domain

Accounts

USER account used by most code, but escalates to SYSTEM to perform kernel-level operations

System accounts tracked by their SIDs

RID at end of SID identifies account type

RID = 500 is admin account

Need to escalate to Administrator to have any real power

Tools

userdump – enumerates users on a host

sid2user & user2sid translates account names on a host

SAM

Contains usernames, SIDs, RIDs, hashed passwords

Local account stored in local SAM

Domain accounts stored in Active Directory (AD)

Trusts

Can exist between AD domains

Allows accounts from one domain to be used in ACLs on another domain

Enumerating Windows (cont.) Need access to ports 135, 139, 445 Enumerate hosts in a domain net view /domain:<domain name> Find domain controller(s) nltest /dsgetdc:<domain name> /pdc nltest /bdc_query:<domain name> nbtstcan – fast NetBIOS scanner null sessions are an important way to get info Runs over 445 Not logged by most IDS net use \<target>ipc$ “” /u:”” “ local” (from ResKit) or Dumpsec can then enumerate accounts Countermeasures Block UDP/137 Set RestictAnonymous registry value

Need access to ports 135, 139, 445

Enumerate hosts in a domain

net view /domain:<domain name>

Find domain controller(s)

nltest /dsgetdc:<domain name> /pdc

nltest /bdc_query:<domain name>

nbtstcan – fast NetBIOS scanner

null sessions are an important way to get info

Runs over 445

Not logged by most IDS

net use \<target>ipc$ “” /u:””

“ local” (from ResKit) or Dumpsec can then enumerate accounts

Countermeasures

Block UDP/137

Set RestictAnonymous registry value

Enumerating Windows (cont.) Look for hosts with 2 NICs “ getmac” from Win2K resource kit Enumerate trusts on domain controller nltest /server:amer /trusted_domains Enumerate shares with DumpSec Hidden shares have “$” at the end Enumerate with LDAP LDAPminer

Look for hosts with 2 NICs

“ getmac” from Win2K resource kit

Enumerate trusts on domain controller

nltest /server:amer /trusted_domains

Enumerate shares with DumpSec

Hidden shares have “$” at the end

Enumerate with LDAP

LDAPminer

Penetrating Windows 3 methods Guess password Obtain hashes Emergency Repair Disk Exploit a vulnerable service Guessing passwords Review vulnerable accounts via dumpsec Use NetBIOS Auditing Tool to guess passwords

3 methods

Guess password

Obtain hashes

Emergency Repair Disk

Exploit a vulnerable service

Guessing passwords

Review vulnerable accounts via dumpsec

Use NetBIOS Auditing Tool to guess passwords

Escalating privileges in Windows getadmin getad getad2 pipeupadmin Shatter Yields system-level privileges Works against Windows Server 2003

getadmin

getad

getad2

pipeupadmin

Shatter

Yields system-level privileges

Works against Windows Server 2003

Pillaging Windows Clear logs Some IDS’s will restart auditing once it’s been disabled Grab hashes Remotely with pwdump3 Backup SAM: c:winnt
epairsam._ Grab passwords Sniff SMB traffic Crack passwords L0phtcrack John the Ripper

Clear logs

Some IDS’s will restart auditing once it’s been disabled

Grab hashes

Remotely with pwdump3

Backup SAM: c:winnt
epairsam._

Grab passwords

Sniff SMB traffic

Crack passwords

L0phtcrack

John the Ripper

Getting interactive with Windows Copy rootkit over a share Hide rootkit on the target server Low traffic area such as winntsystem32OS2dll oolz Stream tools into files Remote shell remote.exe (resource kit tool) netcat How to fire up remote listener? trojan Leave a CD in the bathroom titled, “pending layoffs”  Schedule it for remote execution at scheduler psexec

Copy rootkit over a share

Hide rootkit on the target server

Low traffic area such as winntsystem32OS2dll oolz

Stream tools into files

Remote shell

remote.exe (resource kit tool)

netcat

How to fire up remote listener?

trojan

Leave a CD in the bathroom titled, “pending layoffs” 

Schedule it for remote execution

at scheduler

psexec

Windows – Expand influence Get passwords Keystroke logger with stealth mail FakeGINA intercepts Winlogon Plant stuff in registry to run on reboot Hide files “ attrib +h <directory>” Stream files Tripwire should catch this stuff

Get passwords

Keystroke logger with stealth mail

FakeGINA intercepts Winlogon

Plant stuff in registry to run on reboot

Hide files

“ attrib +h <directory>”

Stream files

Tripwire should catch this stuff

Hacking Unix/Linux © 2004 Cisco Systems, Inc. All rights reserved. mnystrom

Hacking Unix/Linux outline Discover landscape Enumerate systems Attack Remote Local Get beyond root

Discover landscape

Enumerate systems

Attack

Remote

Local

Get beyond root

Discover landscape Goals Discover available hosts Find all running services Methodology ICMP and TCP ping scans Find listening services with nmap and udp_scan Discover paths with ICMP, UDP, TCP Tools nmap SuperScan (Windows) udp_scan (more reliable than nmap for udp scanning)

Goals

Discover available hosts

Find all running services

Methodology

ICMP and TCP ping scans

Find listening services with nmap and udp_scan

Discover paths with ICMP, UDP, TCP

Tools

nmap

SuperScan (Windows)

udp_scan (more reliable than nmap for udp scanning)

Enumerate systems Goal: Discover the following… Users Operating systems Running programs Specific software versions Unprotected files Internal information Tools OS/Application: telnet, ftp, nc, nmap Users: finger, rwho,rusers, SMTP RPC programs: rpcinfo NFS shares: showmount File retrieval: TFTP SNMP: snmpwalk snmpget

Goal: Discover the following…

Users

Operating systems

Running programs

Specific software versions

Unprotected files

Internal information

Tools

OS/Application: telnet, ftp, nc, nmap

Users: finger, rwho,rusers, SMTP

RPC programs: rpcinfo

NFS shares: showmount

File retrieval: TFTP

SNMP: snmpwalk snmpget

Enumerate services Users finger SMTP vrfy DNS info dig RPC services rpcinfo NFS shares showmount Countermeasures Turn off un-necessary services Block IP addresses with router ACLs or TCP wrappers

Users

finger

SMTP vrfy

DNS info

dig

RPC services

rpcinfo

NFS shares

showmount

Countermeasures

Turn off un-necessary services

Block IP addresses with router ACLs or TCP wrappers

Attack remotely 3 primary methods Exploit a listening service Route through a system with 2 or more interfaces Get user to execute it for you Trojans Hostile web site Brute-force against service http://packetstormsecurity.nl/Crackers/ Countermeasure: strong passwords, hide user names Buffer-overflow attack Overflow the stack with machine-dependent code (assembler) Usually yields a shell – shovel it back with netcat Prime targets: programs that run as root or suid Countermeasures Disable stack execution Code reviews Limit root and suid programs

3 primary methods

Exploit a listening service

Route through a system with 2 or more interfaces

Get user to execute it for you

Trojans

Hostile web site

Brute-force against service

http://packetstormsecurity.nl/Crackers/

Countermeasure: strong passwords, hide user names

Buffer-overflow attack

Overflow the stack with machine-dependent code (assembler)

Usually yields a shell – shovel it back with netcat

Prime targets: programs that run as root or suid

Countermeasures

Disable stack execution

Code reviews

Limit root and suid programs

Attack remotely (cont.) Buffer overflow example echo “vrfy `perl –e ‘print “a” x 1000’`” |nc www.targetsystem.com 25 Replace this with something like this… char shellcode[] = “xebxlfx5ex89x76x08…” Input validation attacks PHF CGI – newline character SSI passes user input to O/S Back channels X-Windows Send display back to attacker’s IP Reverse telnet

Buffer overflow example

echo “vrfy `perl –e ‘print “a” x 1000’`” |nc www.targetsystem.com 25

Replace this with something like this…

char shellcode[] = “xebxlfx5ex89x76x08…”

Input validation attacks

PHF CGI – newline character

SSI passes user input to O/S

Back channels

X-Windows

Send display back to attacker’s IP

Reverse telnet

Attack remotely (cont.) Countermeasures against back channels Get rid of executables used for this (x-windows, telnet, etc.) Commonly attacked services Sendmail NFS RPC X-windows (sniffing session data) ftpd (wu-ftpd) DNS Guessable query IDs BIND vulnerabilities Countermeasures Restrict zone transfers Block TCP/UDP 53 Don’t use HINFO records

Countermeasures against back channels

Get rid of executables used for this (x-windows, telnet, etc.)

Commonly attacked services

Sendmail

NFS

RPC

X-windows (sniffing session data)

ftpd (wu-ftpd)

DNS

Guessable query IDs

BIND vulnerabilities

Countermeasures

Restrict zone transfers

Block TCP/UDP 53

Don’t use HINFO records

Attack locally Buffer overflow Setuid programs Password guessing/cracking Mis-configured file/dir permissions

Buffer overflow

Setuid programs

Password guessing/cracking

Mis-configured file/dir permissions

Get beyond root Map the network (own more hosts) Install rootkit crypto checksum is the only way to know if it’s real Create backdoors Sniff other traffic dsniff arpredirect loki Hunt Countermeasures Encrypt all traffic Switched networks (not a panacaea) Clean logs Session hijacking

Map the network (own more hosts)

Install rootkit

crypto checksum is the only way to know if it’s real

Create backdoors

Sniff other traffic

dsniff

arpredirect

loki

Hunt

Countermeasures

Encrypt all traffic

Switched networks (not a panacaea)

Clean logs

Session hijacking

Hacking the Network © 2004 Cisco Systems, Inc. All rights reserved. mnystrom Vulnerabilities Dealing with firewalls

Vulnerabilities

Dealing with firewalls

Vulnerabilities TTY access – 5 to choose from SNMP V2 community strings HTTP (Everthing is clear-text) TFTP No auth Easy to discern router config files “<router-name>.cfg Countermeasures ACLs TCP wrappers Encrypt passwords

TTY access – 5 to choose from

SNMP V2 community strings

HTTP (Everthing is clear-text)

TFTP

No auth

Easy to discern router config files “<router-name>.cfg

Countermeasures

ACLs

TCP wrappers

Encrypt passwords

Vulnerabilities: routing issues Path integrity Source routing reveals path through the network Routing updates can be spoofed (RIP, IGRP) ARP spoofing Easy with dsniff

Path integrity

Source routing reveals path through the network

Routing updates can be spoofed (RIP, IGRP)

ARP spoofing

Easy with dsniff

Dealing with firewalls Enumerate with nmap or tcpdump Can show you which ports are filtered (blocked) Some proxies return a banner Eagle Raptor TCP traffic itself may provide signature Ping the un-pingable hping Look for ICMP type 13 (admin prohibited)

Enumerate with nmap or tcpdump

Can show you which ports are filtered (blocked)

Some proxies return a banner

Eagle Raptor

TCP traffic itself may provide signature

Ping the un-pingable

hping

Look for ICMP type 13 (admin prohibited)

Dealing with firewalls (cont.) ACLs may allow scanning if source port is set nmap with “-g” option Port redirection fpipe netcat

ACLs may allow scanning if source port is set

nmap with “-g” option

Port redirection

fpipe

netcat

Questions?