Seminar Hacking & Security Analysis
Seminar security analyst, vulnerability analysis.
UIN 21 Jun 2014

Published in: Technology

Transcript

  • 1. Hacking | Information Security Analysis Hacking Security Analysis -- Build security with creativity Danang Heriyadi (danang@hatsecure.com)
  • 2. Hacking | Information Security Analysis Hello World
  • 3. Hacking | Information Security Analysis Today
      • Hacking Incidents
      • Assets
      • Vulnerability Analysis
  • 4. Hacking | Information Security Analysis Top 3 - Hacking in action
      • Cyber Spying
      • Fraud or Forgery
      • Illegal Access
  • 5. Hacking | Information Security Analysis Cyber Spying
  • 6. Hacking | Information Security Analysis Fraud or Forgery
  • 7. Hacking | Information Security Analysis Illegal Access
  • 8. Hacking | Information Security Analysis How they can do that?
      • Sensitive information disclosure
          – Search Engine (google, bing, yahoo)
          – Magazine
          – etc
      • Social engineering attacks
          – The knowledge and attitude members of an organization possess regarding the protection of the information assets.
      • Vulnerability on your system
          – Attackers exploit the vulnerability to gain access.
  • 9. Hacking | Information Security Analysis Google Hacking
  • 10. Hacking | Information Security Analysis What are you trying to protect?
      • Sensitive personal data
      • Your network infrastructure
      • Your assets
  • 11. Hacking | Information Security Analysis Common Vulnerabilities
      • Web
          – XSS
          – Database Injection
          – OS command Injection
          – Local File Disclosure
          – File Inclusion
          – Path Disclosure
          – CSRF
          – Dir. Traversal
      • Low level Vulnerability
          – Stack Overflow
          – Heap Overflow
          – Integer Overflow
          – Memory Corruption
          – Etc
  • 12. Hacking | Information Security Analysis Buffer Overflow
      • Low level vulnerability
          – Stack Overflow ( Very easy )
          – Integer Overflow ( easy )
          – Heap Overflow ( medium )
          – Memory Corruption ( easy - medium )
          – .....
  • 13. Hacking | Information Security Analysis Impact of buffer overflow
      • Application
          – Crash and terminated
          – Arbitrary code execution
      • Operating System
          – Crash, hang, or reboot
          – Arbitrary code execution
          – Privilege escalation
  • 14. Hacking | Information Security Analysis Basic Knowledge
      • CPU Register
          – EAX, EBX, ECX, EDX
          – EDI, ESI, EBP, ESP
          – EIP
  • 15. Hacking | Information Security Analysis Basic Knowledge
      • Assembly Language
          – mov
          – push
          – pop
          – shr
          – jmp
          – ret
  • 16. Hacking | Information Security Analysis Windows Memory Allocation
      [Diagram: address space from 0x00000000 to 0xFFFFFFFF. Regions shown: Stack; Heap; Program Image (PE Header; .text, .rdata, .data, ...); "Can be allocated as heap or stack for other threads"; DLL; PEB; Shared User Page; No Access. Addresses marked: 0x00400000, 0x7FFE1000, 0x7FFE0000, 0x7FFDF000.]
  • 17. Hacking | Information Security Analysis C++ from beginner

        #include <stdio.h>
        #include <string.h>   /* strcpy */

        void vulnerable(char *Buffer){
            char stack_data[128];
            /* No bounds check: strcpy copies until the NUL in Buffer,
               however long Buffer is. */
            strcpy (stack_data, Buffer);
            printf( " Isi variabel stack_data : %s ", stack_data);
        }

        int main(int argc, char **argv){
            vulnerable(argv[1]);
            return 0;
        }
  • 18. Hacking | Information Security Analysis Run it !!
  • 19. Hacking | Information Security Analysis Stack Allocation

        #include <stdio.h>
        #include <string.h>

        void vulnerable(char *Buffer){
            char stack_data[128];
            strcpy (stack_data, Buffer);
            printf( " Isi variabel stack_data : %s ", stack_data);
        }

        int main(int argc, char **argv){
            vulnerable(argv[1]);
            return 0;
        }

      CPU Register (Example) • EIP = 0x01234567 => address of main()
      Stack diagram: 0x00000000 Top of Stack
  • 20. Hacking | Information Security Analysis Stack Allocation (same code as slide 19)
      CPU Register (Example) • EIP = 0x01234571 => address of vulnerable()
      Stack diagram: 0x00000000 Top of Stack
  • 21. Hacking | Information Security Analysis Stack Allocation (same code as slide 19)
      CPU Register (Example) • EIP = 0x01234585 => stack_data[128]
      Stack diagram: 0x00000000 Top of Stack
  • 22. Hacking | Information Security Analysis Stack Allocation (same code as slide 19)
      CPU Register (Example) • EIP = 0x01234544 => address of strcpy()
      Stack diagram: 0x00000000 Top of Stack; <Space for stack_data>; ESP; <ptr to argv[1]>; Saved EBP 0x00112233; Saved EIP 0x00112237
  • 23. Hacking | Information Security Analysis Stack Allocation (same code as slide 19)
      CPU Register (Example) • EIP = 0x01234548 => address of printf()
      Stack diagram: 0x00000000 Top of Stack; ABCD; ESP; <ptr to argv[1]>; Saved EBP 0x00112233; Saved EIP 0x00112237
  • 24. Hacking | Information Security Analysis Stack Allocation (same code as slide 19)
      CPU Register (Example) • EIP = 0x01234552 => restore saved EIP -> EIP
      Stack diagram: 0x00000000 Top of Stack; ESP; <ptr to argv[1]>; Saved EBP 0x00112233; Saved EIP 0x00112237
  • 25. Hacking | Information Security Analysis Stack Allocation (same code as slide 19)
      CPU Register (Example) • EIP = 0x01234599 => exit(0)
      Stack diagram: 0x00000000 Top of Stack; ESP; <ptr to argv[1]>
  • 26. Hacking | Information Security Analysis Stack Allocation (same code as slide 19)
      Stack diagram: 0x00000000 Top of Stack
  • 27. Hacking | Information Security Analysis Stack Allocation (Stack Overflow)
  • 28. Hacking | Information Security Analysis Stack Allocation (Stack Overflow) (same code as slide 19)
      CPU Register (Example) • EIP = 0x012345 => address of strcpy()
      Stack diagram: 0x00000000 Top of Stack; <Space for stack_data>; ESP; <ptr to argv[1]>; Saved EBP 0x00112233; Saved EIP 0x00112237
  • 29. Hacking | Information Security Analysis Stack Allocation (Stack Overflow) (same code as slide 19)
      CPU Register (Example) • EIP = 0x01234548 => address of printf()
      Stack diagram: 0x00000000 Top of Stack 414141414141414141414141 414141414141414141414141 414141414141414141414141 Saved EBP 0x41414141 Saved EIP 0x41414141 ESP 414141414141414141414141 414141414141414141414141 414141414141414141414141 414141414141414141414141 414141414141414141414141 0x00112233 0x00112237
  • 30. Hacking | Information Security Analysis Stack Allocation (same code as slide 19)
      CPU Register (Example) • EIP = 0x41414141 => restore saved EIP -> EIP
      Stack diagram: 0x00000000 Top of Stack ESP 414141414141414141414141 414141414141414141414141 414141414141414141414141 414141414141414141414141 414141414141414141414141 0x00112233 0x00112237 Saved EBP 0x41414141 Saved EIP 0x41414141
  • 31. Hacking | Information Security Analysis Stack Allocation (same code as slide 19)
      CPU Register (Example) • EIP = 0x41414141
      Access Violation when executing 0x41414141
      Stack diagram: 0x00000000 Top of Stack ESP 414141414141414141414141 414141414141414141414141 414141414141414141414141 414141414141414141414141 414141414141414141414141 0x00112233 0x00112237
  • 32. Hacking | Information Security Analysis Stack Exploitation
  • 33. Hacking | Information Security Analysis Stack Exploitation (Stack Overflow)
      Stack diagram 1: 0x00000000 Top of Stack 414141414141414141414141 414141414141414141414141 414141414141414141414141 Saved EBP 0x41414141 Saved EIP 0x41414141 ESP 414141414141414141414141 414141414141414141414141 414141414141414141414141 414141414141414141414141 414141414141414141414141 0x00112233 0x00112237
      Stack diagram 2: 0x00000000 Top of Stack 414141414141414141414141 414141414141414141414141 414141414141414141414141 Saved EBP 0x41414141 Saved EIP 0x80221122 ESP 31c031db31c931d2eb16bfea 07457e50535150ffd75950684 141414189e3ebeae8f0ffffff48 656c6c6f776f726c64 0x00112233 0x00112237
      Labels: Shellcode; Address for JMP ESP
  • 34. Hacking | Information Security Analysis Shellcode
      • Small piece of code used as the payload in the exploitation of a software vulnerability
      • Why is our shellcode not working?
          – Bad character
          – Big size
  • 35. Hacking | Information Security Analysis Stack Exploitation (Stack Overflow)
      • Fuzzing Technique
          – Detecting Buffer Overflow
          – Find offset to overwrite EBP and EIP register
      • Find -> JMP ESP
          windbg command > lm muser32
          windbg command > s -b 7xxxxx 7xxxxx ff e4
      • Generate shellcode
          – msfvenom
          – manual :-P
      • Finishing Exploit
  • 36. Hacking | Information Security Analysis Mitigation and Technique
      • Windows XP
          – Hardware DEP -> ROP shellcode
      • Windows Vista
          – ASLR -> Static address on shared data memory
          – DEP -> ROP shellcode
      • Windows 7
          – ASLR + DEP -> ROP / JIT ROP / JIT ROP Spraying
  • 37. Hacking | Information Security Analysis Mitigation and Technique
      • Windows 8
          – ASLR + DEP (new) -> ROP / JIT ROP
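
The slides' vulnerable() rewritten with a length check, as an added example that is not part of the original deck. safe_copy() and hardened() are hypothetical names introduced here, and the compiler flags in the comment are standard hardening options, not something the slides list.

```c
#include <stdio.h>
#include <string.h>

#define STACK_DATA_SIZE 128  /* same size as stack_data on the slides */

/* Bounds-checked copy (hypothetical helper, not from the deck).
 * The length is validated before any byte is written, so nothing past
 * dst (saved EBP / saved EIP on the slides) can be overwritten.
 * Returns 0 on success, -1 if src is missing or does not fit. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || dst_size == 0 || src == NULL)
        return -1;
    /* Measure src, but never look further than dst could hold. */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)
        return -1;              /* too long: reject instead of truncating */
    memcpy(dst, src, len + 1);  /* len + 1 copies the terminating NUL too */
    return 0;
}

/* Hardened counterpart of vulnerable(): same buffer, checked copy. */
int hardened(const char *Buffer)
{
    char stack_data[STACK_DATA_SIZE];

    if (safe_copy(stack_data, sizeof stack_data, Buffer) != 0) {
        fprintf(stderr, "input rejected: missing or longer than %d bytes\n",
                STACK_DATA_SIZE - 1);
        return -1;
    }
    printf(" Isi variabel stack_data : %s \n", stack_data);
    return 0;
}

/* Build settings that complement the DEP and ASLR slides:
 *   MSVC:      /GS /NXCOMPAT /DYNAMICBASE
 *   GCC/Clang: -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie */
int main(int argc, char **argv)
{
    /* argv[1] is NULL when no argument is supplied, so check argc first. */
    return hardened(argc > 1 ? argv[1] : NULL) == 0 ? 0 : 1;
}
```

Rejecting oversized input, instead of silently truncating it, keeps the failure visible to the caller and to logs.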
