Intro To Hacking


    1. Hacking Primer
    2. Outline
       - Internet footprinting
       - Hacking Windows
       - Hacking Unix/Linux
       - Hacking the network
    3. Internet Footprinting © 2004 Cisco Systems, Inc. All rights reserved. mnystrom
    4. Internet Footprinting Outline
       - Review publicly available information
       - Perform network reconnaissance
       - Discover landscape
       - Determine vulnerable services
    5. Review publicly available information
       - News: Look for recent news
         - news.google.com
         - SEC filings
         - Search for phone numbers, contacts
       - Technical info: Look for stupid postings
         - Router configs
         - Admin pages
         - Nessus scans
       - Netcraft
       - Whois/DNS info
         - SamSpade
         - dig
    6. Network reconnaissance
       - Use traceroute to find vulnerable servers
         - Trout
       - Can also query BGP tools
         - http://nitrous.digex.net/mae/equinix.html
         - Look up ASNs
    7. Landscape discovery
       - Ping sweep: Find out which hosts are alive
         - nmap, fping, gping, SuperScan, etc.
       - Port scans: Find out which ports are listening
         - Don't set up a full connection – just SYN
         - Netcat
           - can be run in encrypted mode – cryptcat
         - nmap advanced options
           - XMAS scan sends all TCP options
           - Source port scanning sets source port (e.g., port 88 to scan Windows systems)
           - Time delays
       - Banner grab & O/S guess
         - telnet
         - ftp
         - netcat
         - nmap
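The defender's view of this slide is detection: a SYN sweep touches many ports from one source in a short time, and the source-port trick (nmap's fixed source port, the port-88 example above) leaves a source port that never rotates. The following is an added example, not code from the deck; the log line format, the thresholds and the sample records are constructed assumptions for illustration.

```python
"""Port-sweep and fixed-source-port detection over connection-log lines.

Added example for the scanning slide; not code from the deck. The log line
format, the thresholds and the sample records below are constructed
assumptions for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <tcp flags>"
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src_ip, src_port, dst_ip, dst_port, flags = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "flags": flags}


def detect_scans(lines, window_seconds=60, port_threshold=10, fixed_port_min=10):
    """Return findings: 'port_sweep' when one source touches >= port_threshold distinct
    (dst_ip, dst_port) pairs inside a sliding time window, and 'fixed_source_port' when
    one source reuses the same source port for >= fixed_port_min connections to
    distinct destination ports (the source-port-88 / nmap -g pattern)."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev["src_ip"]].append(ev)

    window = timedelta(seconds=window_seconds)
    findings = []
    for src_ip, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window over distinct destination endpoints.
        in_window = Counter()
        start, max_distinct = 0, 0
        for ev in evs:
            in_window[(ev["dst_ip"], ev["dst_port"])] += 1
            while ev["ts"] - evs[start]["ts"] > window:
                old = (evs[start]["dst_ip"], evs[start]["dst_port"])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            max_distinct = max(max_distinct, len(in_window))
        if max_distinct >= port_threshold:
            findings.append({"src_ip": src_ip, "type": "port_sweep",
                             "distinct_endpoints": max_distinct})

        # Fixed source port: ephemeral source ports normally rotate per connection.
        src_port, uses = Counter(e["src_port"] for e in evs).most_common(1)[0]
        targets = {e["dst_port"] for e in evs if e["src_port"] == src_port}
        if uses >= fixed_port_min and len(targets) >= fixed_port_min:
            findings.append({"src_ip": src_ip, "type": "fixed_source_port",
                             "src_port": src_port, "distinct_ports": len(targets)})
    return findings


def build_sample_log():
    """Constructed sample data (not a real capture): one SYN sweep with rotating
    source ports, one sweep from fixed source port 88, and one ordinary client."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389]):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.5:{40000 + i} -> 192.168.1.10:{port} S")
        lines.append(f"{t} 10.0.0.7:88 -> 192.168.1.10:{port} S")
    for i in range(3):
        t = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{t} 10.0.0.9:{51000 + i} -> 192.168.1.10:443 S")
    return lines


if __name__ == "__main__":
    for finding in detect_scans(build_sample_log()):
        print(finding)
```

The thresholds are deliberately conservative so a busy but legitimate client (a browser fetching from ports 80 and 443) is not flagged; tune `port_threshold` and `window_seconds` to the environment, and pair this with the ACL and source-port restrictions discussed on the firewall slides.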
    8. Hacking Windows
    9. Hacking Windows outline
       - Scan
       - Enumerate
       - Penetrate
       - Escalate
       - Pillage
       - Get interactive
       - Expand influence
    10. Scanning Windows
       - Port scan, looking for what's indicative of Windows
         - 88 – Kerberos
         - 139 – NetBIOS
         - 445 – SMB/CIFS
         - 1433 – SQL Server
         - 3268, 3269 – Active Directory
         - 3389 – Terminal Services
       - Trick: Scan from source port = 88 to find IPSec secured systems
    11. Enumerating Windows
       - Accounts
         - USER account used by most code, but escalates to SYSTEM to perform kernel-level operations
         - System accounts tracked by their SIDs
           - RID at end of SID identifies account type
           - RID = 500 is admin account
         - Need to escalate to Administrator to have any real power
         - Tools
           - userdump – enumerates users on a host
           - sid2user & user2sid translate account names on a host
         - SAM
           - Contains usernames, SIDs, RIDs, hashed passwords
           - Local accounts stored in local SAM
           - Domain accounts stored in Active Directory (AD)
         - Trusts
           - Can exist between AD domains
           - Allow accounts from one domain to be used in ACLs on another domain
    12. Enumerating Windows (cont.)
       - Need access to ports 135, 139, 445
       - Enumerate hosts in a domain
         - net view /domain:<domain name>
       - Find domain controller(s)
         - nltest /dsgetdc:<domain name> /pdc
         - nltest /bdc_query:<domain name>
         - nbtscan – fast NetBIOS scanner
         - null sessions are an important way to get info
           - Runs over 445
           - Not logged by most IDS
           - net use \\<target>\ipc$ "" /u:""
           - "local" (from ResKit) or DumpSec can then enumerate accounts
       - Countermeasures
         - Block UDP/137
         - Set RestrictAnonymous registry value
    13. Enumerating Windows (cont.)
       - Look for hosts with 2 NICs
         - "getmac" from Win2K resource kit
       - Enumerate trusts on domain controller
         - nltest /server:amer /trusted_domains
       - Enumerate shares with DumpSec
         - Hidden shares have "$" at the end
       - Enumerate with LDAP
         - LDAPminer
    14. Penetrating Windows
       - 3 methods
         - Guess password
         - Obtain hashes
           - Emergency Repair Disk
         - Exploit a vulnerable service
       - Guessing passwords
         - Review vulnerable accounts via DumpSec
         - Use NetBIOS Auditing Tool to guess passwords
    15. Escalating privileges in Windows
       - getadmin
         - getad
         - getad2
         - pipeupadmin
       - Shatter
         - Yields system-level privileges
         - Works against Windows Server 2003
    16. Pillaging Windows
       - Clear logs
         - Some IDSs will restart auditing once it has been disabled
       - Grab hashes
         - Remotely with pwdump3
         - Backup SAM: c:\winnt\repair\sam._
       - Grab passwords
         - Sniff SMB traffic
       - Crack passwords
         - L0phtcrack
         - John the Ripper
    17. Getting interactive with Windows
       - Copy rootkit over a share
       - Hide rootkit on the target server
         - Low traffic area such as \winnt\system32\OS2\dll\toolz
         - Stream tools into files
       - Remote shell
         - remote.exe (resource kit tool)
         - netcat
       - How to fire up remote listener?
         - trojan
         - Leave a CD in the bathroom titled, "pending layoffs"
         - Schedule it for remote execution
           - at scheduler
           - psexec
    18. Windows – Expand influence
       - Get passwords
         - Keystroke logger with stealth mail
         - FakeGINA intercepts Winlogon
       - Plant stuff in registry to run on reboot
       - Hide files
         - "attrib +h <directory>"
         - Stream files
         - Tripwire should catch this stuff
    19. Hacking Unix/Linux
    20. Hacking Unix/Linux outline
       - Discover landscape
       - Enumerate systems
       - Attack
         - Remote
         - Local
       - Get beyond root
    21. Discover landscape
       - Goals
         - Discover available hosts
         - Find all running services
       - Methodology
         - ICMP and TCP ping scans
         - Find listening services with nmap and udp_scan
         - Discover paths with ICMP, UDP, TCP
       - Tools
         - nmap
         - SuperScan (Windows)
         - udp_scan (more reliable than nmap for UDP scanning)
    22. Enumerate systems
       - Goal: Discover the following…
         - Users
         - Operating systems
         - Running programs
         - Specific software versions
         - Unprotected files
         - Internal information
       - Tools
         - OS/Application: telnet, ftp, nc, nmap
         - Users: finger, rwho, rusers, SMTP
         - RPC programs: rpcinfo
         - NFS shares: showmount
         - File retrieval: TFTP
         - SNMP: snmpwalk, snmpget
    23. Enumerate services
       - Users
         - finger
         - SMTP vrfy
       - DNS info
         - dig
       - RPC services
         - rpcinfo
       - NFS shares
         - showmount
       - Countermeasures
         - Turn off unnecessary services
         - Block IP addresses with router ACLs or TCP wrappers
    24. Attack remotely
       - 3 primary methods
         - Exploit a listening service
         - Route through a system with 2 or more interfaces
         - Get user to execute it for you
           - Trojans
           - Hostile web site
       - Brute-force against service
         - http://packetstormsecurity.nl/Crackers/
         - Countermeasure: strong passwords, hide user names
       - Buffer-overflow attack
         - Overflow the stack with machine-dependent code (assembler)
         - Usually yields a shell – shovel it back with netcat
         - Prime targets: programs that run as root or suid
         - Countermeasures
           - Disable stack execution
           - Code reviews
           - Limit root and suid programs
    25. Attack remotely (cont.)
       - Buffer overflow example
         - echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25
         - Replace this with something like this…
         - char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08…"
       - Input validation attacks
         - PHF CGI – newline character
         - SSI passes user input to O/S
       - Back channels
         - X-Windows
           - Send display back to attacker's IP
           - Reverse telnet
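The `vrfy` line above works only because the server copies an unbounded argument into a fixed buffer, and the PHF and SSI cases work because a newline or shell metacharacter in user input reaches the operating system unchecked. The added example below (not code from the deck) shows the receiving side done defensively: an SMTP-style VRFY handler that enforces the RFC 5321 command-line and local-part limits, rejects control characters and embedded CR/LF before the argument goes anywhere near a lookup, and answers with a non-disclosing 252 so the command cannot be used to enumerate user names (the "hide user names" countermeasure from slide 24). The response texts and the character whitelist are assumptions for this example.

```python
"""Defensive VRFY command handling: length limits, CR/LF rejection, no user enumeration.

Added example; not code from the deck. The limits follow RFC 5321 (512-octet
command line including CRLF, 64-octet local part); the allowed character set and
the reply texts are assumptions made for this example.
"""
import re

MAX_LINE = 512        # RFC 5321 maximum command line length, CRLF included
MAX_LOCAL_PART = 64   # RFC 5321 maximum local-part length
# Conservative whitelist for a mailbox or "local@domain" argument (assumption).
ARG_RE = re.compile(r"^[A-Za-z0-9._%+-]+(@[A-Za-z0-9.-]+)?$")


def validate_vrfy_argument(arg):
    """Return (ok, reason). Control characters are rejected first so that a
    newline can never be forwarded to another program (the PHF-style failure)."""
    if not arg:
        return False, "empty argument"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in arg):
        return False, "control character in argument"
    local_part = arg.split("@", 1)[0]
    if len(local_part) > MAX_LOCAL_PART:
        return False, "local part too long"
    if not ARG_RE.match(arg):
        return False, "disallowed characters"
    return True, "ok"


def handle_command(raw):
    """Handle one raw command line (bytes) and return the SMTP reply line.

    The length check happens on the raw bytes, before decoding or parsing,
    so a 1000-byte argument is refused rather than copied anywhere."""
    if len(raw) > MAX_LINE:
        return "500 5.5.2 Line too long"
    try:
        line = raw.decode("ascii")
    except UnicodeDecodeError:
        return "500 5.5.2 Non-ASCII input"
    line = line.rstrip("\r\n")
    if "\r" in line or "\n" in line:
        return "500 5.5.2 Bare CR or LF in command"
    verb, _, arg = line.partition(" ")
    if verb.upper() != "VRFY":
        return "502 5.5.1 Command not implemented"
    ok, reason = validate_vrfy_argument(arg.strip())
    if not ok:
        return f"501 5.5.4 Syntax error: {reason}"
    # Deliberately non-disclosing: valid or not, the mailbox is not confirmed.
    return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"


if __name__ == "__main__":
    for sample in (b"VRFY root\r\n", b"vrfy " + b"a" * 1000 + b"\r\n", b"VRFY a\nb\r\n"):
        print(sample[:24], "->", handle_command(sample))
```

Two points generalize beyond SMTP: check the size of untrusted input on the raw bytes before any copy or decode, and treat CR, LF and other control characters as a hard reject rather than something to escape later.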
    26. Attack remotely (cont.)
       - Countermeasures against back channels
         - Get rid of executables used for this (X-Windows, telnet, etc.)
       - Commonly attacked services
         - Sendmail
         - NFS
         - RPC
         - X-Windows (sniffing session data)
         - ftpd (wu-ftpd)
         - DNS
           - Guessable query IDs
           - BIND vulnerabilities
           - Countermeasures
             - Restrict zone transfers
             - Block TCP/UDP 53
             - Don't use HINFO records
    27. Attack locally
       - Buffer overflow
       - Setuid programs
       - Password guessing/cracking
       - Mis-configured file/dir permissions
    28. Get beyond root
       - Map the network (own more hosts)
       - Install rootkit
         - crypto checksum is the only way to know if it's real
         - Create backdoors
         - Sniff other traffic
           - dsniff
           - arpredirect
           - loki
           - Hunt
           - Countermeasures
             - Encrypt all traffic
             - Switched networks (not a panacea)
         - Clean logs
         - Session hijacking
    29. Hacking the Network
       - Vulnerabilities
       - Dealing with firewalls
    30. Vulnerabilities
       - TTY access – 5 to choose from
       - SNMP v2 community strings
       - HTTP (everything is clear-text)
       - TFTP
         - No auth
         - Easy to discern router config files: "<router-name>.cfg"
       - Countermeasures
         - ACLs
         - TCP wrappers
         - Encrypt passwords
    31. Vulnerabilities: routing issues
       - Path integrity
         - Source routing reveals path through the network
         - Routing updates can be spoofed (RIP, IGRP)
       - ARP spoofing
         - Easy with dsniff
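Most of what slides 30 and 31 list (default SNMP community strings, clear-text HTTP management, unencrypted passwords, unrestricted TTY/VTY access, source-routed packets) is visible in the device configuration itself, so the countermeasures can be audited offline. The added example below (not code from the deck or from any vendor tool) audits an IOS-style configuration for those settings and shows the weak configuration beside a corrected one. The configurations are constructed, the `enable secret` hash is a placeholder, and the checks assume IOS syntax, including that source routing is on unless `no ip source-route` is present.

```python
"""Offline audit of an IOS-style router config for the weaknesses on slides 30-31.

Added example; not code from the deck. Both configurations are constructed,
the enable-secret hash is a placeholder, and the checks assume IOS syntax.
"""
import re

WEAK_CONFIG = """\
hostname edge-router
enable password cisco123
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password telnetpw
 login
 transport input telnet
"""

HARDENED_CONFIG = """\
hostname edge-router
service password-encryption
enable secret 5 $1$PLACEHOLDER_HASH
no ip http server
no ip source-route
access-list 10 permit 10.1.1.0 0.0.0.255
snmp-server community c0nstructed-r0 RO 10
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def _blocks(lines, prefix):
    """Group each top-level line starting with prefix with its indented sub-lines."""
    blocks, current = [], None
    for line in lines:
        if line.startswith(prefix):
            current = [line]
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None
    return blocks


def audit_config(text):
    """Return a list of (check, detail) findings; an empty list means no weakness found."""
    lines = [l.rstrip() for l in text.splitlines()]

    def has(pattern):
        return any(re.match(pattern, l) for l in lines)

    findings = []
    if not has(r"^service password-encryption$"):
        findings.append(("password-encryption", "service password-encryption is not set"))
    if has(r"^enable password ") and not has(r"^enable secret "):
        findings.append(("enable-secret", "enable password is used instead of enable secret"))
    if has(r"^ip http server$"):
        findings.append(("http-management", "ip http server is enabled (clear-text management)"))
    if not has(r"^no ip source-route$"):
        findings.append(("source-route", "no ip source-route is missing; source-routed packets are accepted"))
    for l in lines:
        m = re.match(r"^snmp-server community (\S+) (RO|RW)(?: (\S+))?$", l)
        if not m:
            continue
        name, mode, acl = m.groups()
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("snmp-community", f"community '{name}' is a well-known default"))
        if mode == "RW":
            findings.append(("snmp-community", f"community '{name}' allows write access"))
        if acl is None:
            findings.append(("snmp-community", f"community '{name}' has no access-list restriction"))
    for block in _blocks(lines, "line vty"):
        head, body = block[0], block[1:]
        if not any(l.startswith("access-class ") for l in body):
            findings.append(("vty-access-class", f"{head} has no access-class ACL"))
        transport = [l for l in body if l.startswith("transport input ")]
        if not transport or any("telnet" in l or l.endswith(" all") for l in transport):
            findings.append(("vty-transport", f"{head} accepts telnet (clear-text logins)"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg))
```

The TFTP point on slide 30 is covered indirectly: a config that has been pulled from an open TFTP server leaks nothing useful about passwords if `service password-encryption` and `enable secret` are in place, and the SNMP and VTY ACLs limit who can reach the management services at all.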
    32. Dealing with firewalls
       - Enumerate with nmap or tcpdump
         - Can show you which ports are filtered (blocked)
       - Some proxies return a banner
         - Eagle Raptor
       - TCP traffic itself may provide signature
       - Ping the un-pingable
         - hping
         - Look for ICMP type 13 (admin prohibited)
    33. Dealing with firewalls (cont.)
       - ACLs may allow scanning if source port is set
         - nmap with "-g" option
       - Port redirection
         - fpipe
         - netcat
    34. Questions?
