Sembang2 Keselamatan It 2004

Sembang2 Keselamatan It 2004 Pokleyzz, wyse, obelicks, pengalir by SK from Scan Associates



1. Sembang2 Keselamatan It [email_address]

2. Speaker
   - Call me S.K.
   - While in UTM:
     - Modify virus source code and spread it to Tar College, crack Virus Buster™ for fun
   - After UTM:
     - Start up SCAN Associates
     - Legally do pen-tests for many agencies
     - Document hacking tricks and share with friends

3. Publications
   - SQL Injection Walkthrough, published on more than a dozen security web sites
   - Win32 Buffer Overflow Walkthrough, details the process of a buffer overflow
   - Thanks from Microsoft™ for finding a bug in their software
   - Creating firewall-proof shellcode, presented at Blackhat and soon at the Ruxcon conference
   - Winner of the Blackhat hacking game!

4. What we wanna do today? (section: TOC)
   - Appetizer has:
     - some new terminologies
     - a bit of concepts
     - a few easy-to-use tools
   - Main course:
     - Threat
     - Vulnerability
     - Exploitation
     - A bit of SQL injection
   - Dessert:
     - demo on some tricks/tools

5. Threat (section: Threat)
   - If there is a computer, there is a threat...
   - If there are 2 computers, there are 2 times the threats...
   - If there are N computers, there are N x threats...
   - The more computers you hafta manage, the more risk there is...

6. Threat, seriously... (section: Threat)
   - Running background services
     - Services running all the time
     - Allow direct connection from anywhere
     - Favorite targets:
       - HTTP (port 80)
       - FTP (port 21)
       - NetBIOS (port 135, 445)
       - HTTPS (port 443)
       - SSH (port 22), etc.

7. More threats... (section: Threat)
   - Mistakes and configuration errors:
     - No password
     - User name = password
     - Write access allowed
     - Default public/private community string
     - Poor access control in proxy server
     - Testing server in public network
     - Existence of default accounts

8. Threats from within... (section: Threat)
   - End-user attacks:
     - Email attachments
     - User downloads a trojan horse
     - File sharing tools like Kazaa
     - Not to mention Instant Messaging and IRC
     - Unprotected Wi-Fi access point

9. Vulnerability (section: Vulnerability)
   - Software bugs lead to vulnerabilities, vulnerabilities lead to system hacks
   - Thus, software bugs are our friend
   - Find the bug, you will find the way in
   - Fortunately for us, security experts publish new vulnerabilities every day
   - Our objective is to find a system with any vulnerability

10. Finding vulnerability (section: Vulnerability)
   - The easy way:
     - nessus – general purpose vuln scanner
     - nikto – web attack scanner
   - The semi-automatic approach:
     - nmap – port scanner
     - sl – port scanner for windoze
   - The free-styler:
     - netcat
     - your favorite browser

11. nessus (section: Vulnerability - The easy way)
   - General purpose vulnerability scanner
   - http://www.nessus.org
   - GNU Public License
   - Tests hundreds of vulnerabilities effortlessly
   - Can write your own plug-ins using NASL
   - Test only, will not let you control the server

12. nessus client-server (section: Vulnerability - The easy way)
   [Diagram: Nessus clients (Unix and Windows) connect to a Nessus server (Unix), which scans the targets.]

13. nikto (section: Vulnerability - The easy way)
   - Web scanner
   - http://www.cirt.net/code/nikto.shtml
   - Open source (GPL)
   - Over 2600 vulnerabilities specific to the Web only
   - Supports HTTPS connections to avoid IDS detection
   - Test only, will not let you control the server

14. Other Tools (section: Vulnerability - The easy way)
   - General purpose scanner
     - Internet Security Scanner (www.iss.net)
     - Eeye's Retina (www.eeye.com)
   - Web server scanner
     - Stealth HTTP Scan (www.hideaway.net)
     - Whisker (www.wiretrip.net/rfp/p/doc.asp/i2/d21.htm)

15. Port Scanner (section: Vulnerability - semi-automatic)
   - Tells you what type of services are running on a server
   - Indirectly tells you the OS too
   - nmap
     - www.insecure.org/nmap/
     - Versatile port scanner for *nix
   - sl
     - www.foundstone.com
     - easy-to-use port scanner for windoze

16. Favorite targets (section: Vulnerability - semi-automatic)
   - Port 53 – try bind exploit
   - Port 21 – try anonymous login, simple passwd or exploits for Pro-Ftp, Wu-ftp, serv-u, etc.
   - Port 22 – try simple passwd and x2 exploit
   - Port 25 – sendmail exploit for slackware or exchange exploit
   - Port 80 – Apache chunked bug, IIS .printer, unicode, ASP chunked, Webdav, Frontpage, etc.
   - Port 135, 445 – try netbios sharing with simple passwd or Locator, Dcom, messenger, workstation, Lsass exploits
   - Port 443 – SSL-too-open, THCISSLame.c
   - Port 1433, 1434 – MS SQL Server Resolution Bug, HelloBug or SA without password

17. Free styler (section: Vulnerability)
   - Using netcat to connect to popular services and backdoor ports:
     - port 22: review SSH version
     - port 1080: might allow you to connect to internal IPs
     - port 5554: might drop you a shell
   - Use your favorite browser to surf around the target web server, look for:
     - Hidden info in HTML code
     - Web attacks via SQL injection, PHP, Perl, etc.

18. Exploitation (section: Exploitation)
   - The process of taking advantage of a vulnerability to either:
     - Get a shell (thus, control the victim)
     - Retrieve/modify information (source code, files, database)
     - Denial of Service (DoS), etc.
   - To get an exploit:
     - Find/trade from www/irc/friends
     - Create it yourself
     - Purchase it from Core Impact or CANVAS

19. Find from Internet (section: Exploitation)
   - www.metasploit.com
   - Bugtraq mailing list
   - Full Disclosure mailing list
   - http://packetstormsecurity.nl/
   - http://www.security.nnov.ru/search/exploits.asp
   - #vuln, #badcode, #darknet, #phrack

20. Creating it yourself (section: Exploitation)
   - Read and understand the vulnerability from the advisory:
     - www.securitytracker.com
     - www.microsoft.com/security
   - Might require different skill sets in:
     - Perl/PHP/SQL
     - Reverse engineering
     - C or ASM programming, etc.

21. metasploit (section: Exploitation)
   - www.metasploit.com
   - Developed by HD Moore and a few ghettohackers (they won Defcon CTF 3 times in a row)
   - Integrates many exploits in one easy-to-use package
   - Supports command line and web interface
   - Packed with many useful components for exploit development
   - It's free!

22. Web attack (section: Web attack)
   - Developers are putting more functionality into the Web (port 80)
   - There are many types of attacks specific to port 80 alone:
     - SQL injection
     - Perl and CGI insecurities
     - PHP insecurities
     - Cross-site scripting (XSS)

23. SQL Injection (section: Web attack)
   - A technique to manipulate input data in a way that changes the original SQL statement
   - It could happen in the following manner:
     - Program takes your input as a variable
     - It appends your input to an SQL statement
     - The program then passes the statement to the database

24. ...SQL Injection (section: Web attack)
   - What if your input is an SQL command?
   - By carefully inserting SQL commands as your input, you can change the original SQL statement to something else and make the database execute your command
   - Usual commands to test for SQL injection:
     - Type a single quote as input (')
     - Type "union select 1" to see if injection is possible
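The three-step pattern from slides 23 and 24 (input taken as a variable, appended to a statement, passed to the database), as an added example that is not part of the deck: a lookup built by string concatenation beside the same lookup with a bound parameter, and the single-quote probe the slide mentions run against both. The table, rows and function names are constructed for illustration; SQLite stands in for whatever database the original application used.

```python
"""Added example (not from the slides): the append-input-to-SQL pattern from
slides 23-24, the parameterized fix, and why the single-quote test works."""
import sqlite3


def make_db():
    # Constructed sample data in an in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "staff")])
    return conn


def lookup_vulnerable(conn, name):
    # The pattern the slide describes: the request variable is glued straight
    # into the statement text, so quotes in the input rewrite the statement.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # Placeholder binding: the statement text is fixed and the value travels
    # separately, so the input can only ever be compared, never parsed as SQL.
    rows = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def probe(fn, conn, name):
    """Return ('ok', rows) or ('error', message).

    A lone single quote produces an unterminated string in the concatenated
    statement; the resulting database error is the tell-tale sign the slide's
    test looks for, and it is also what a defender should see in error logs."""
    try:
        return ("ok", fn(conn, name))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    print(probe(lookup_vulnerable, db, "alice"))  # ('ok', ['admin'])
    print(probe(lookup_vulnerable, db, "'"))      # ('error', ...): statement broken
    print(probe(lookup_safe, db, "'"))            # ('ok', []): quote is just data
```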
25. Perl & CGI (section: Web attack)
   - File access problem
   - User supplies a variable which is in turn used by Perl/CGI to open a file
   - Manipulating this variable may allow you to open any file or even get remote execution

26. PHP (section: Web attack)
   - Just like Perl/CGI, only more powerful (in the sense of hacking)
   - Not only can you manipulate the variable to open any file, you can also make it open any file on the Internet
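The file-access problem from slides 25 and 26, as an added example that is not part of the deck and written in Python rather than the Perl or PHP the slides refer to: a reader that opens whatever name the request variable holds, beside one that resolves the path, refuses URLs (the remote-file case slide 26 raises for PHP) and checks that the result still lies inside the template directory. The directory layout and function names are constructed for illustration.

```python
"""Added example (not from the slides): user-controlled file name from
slides 25-26, and the containment check that limits it to one directory."""
import os
import tempfile
from pathlib import Path
from urllib.parse import urlparse


def read_unsafe(base_dir, name):
    # The pattern the slides describe: the request variable becomes the path.
    with open(os.path.join(base_dir, name)) as fh:
        return fh.read()


def read_safe(base_dir, name):
    """Open `name` only if it is a local file strictly inside base_dir."""
    if urlparse(name).scheme:                 # PHP-style remote include: refuse
        raise ValueError("remote locations not allowed")
    base = Path(base_dir).resolve()
    target = (base / name).resolve()          # collapses '..' and symlinks
    if base not in target.parents:            # must live inside base_dir
        raise ValueError("path escapes template directory")
    return target.read_text()


def demo():
    """Build a constructed layout in a temp dir and return each outcome."""
    root = Path(tempfile.mkdtemp())
    (root / "secret.txt").write_text("top secret")      # outside templates/
    tpl = root / "templates"
    tpl.mkdir()
    (tpl / "hello.tpl").write_text("Hello, world")      # the intended file
    out = {
        "unsafe_normal": read_unsafe(tpl, "hello.tpl"),
        "unsafe_escape": read_unsafe(tpl, "../secret.txt"),  # leaves templates/
        "safe_normal": read_safe(tpl, "hello.tpl"),
    }
    for bad in ("../secret.txt", "http://example.invalid/x"):
        try:
            read_safe(tpl, bad)
            out[bad] = "allowed"
        except ValueError as exc:
            out[bad] = "blocked: " + str(exc)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```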
27. XSS (section: Web attack)
   - Allows injection of HTML code (including JavaScript/VBScript) into an existing HTML page
   - If a user opens the page, your code executes
   - Best used in forums, to steal user cookies

28. Can we go now?
   - Q & A Session
   - Thanks
