Hacking primer
Download
1 / 35

- PowerPoint PPT Presentation


  • 267 Views
  • Uploaded on

Hacking Primer. Martin G. Nystrom, CISSP-ISSAP Security Architect, Cisco Systems, Inc. April 2005. Outline. Internet footprinting Hacking Windows Hacking Unix/Linux Hacking the network. Internet Footprinting. mnystrom. 3. 3. 3. © 2004 Cisco Systems, Inc. All rights reserved.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about '' - laken


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Hacking primer l.jpg

Hacking Primer

Martin G. Nystrom, CISSP-ISSAP

Security Architect, Cisco Systems, Inc.

April 2005


Outline l.jpg
Outline

  • Internet footprinting

  • Hacking Windows

  • Hacking Unix/Linux

  • Hacking the network


Slide3 l.jpg

Internet Footprinting

mnystrom

3

3

3

© 2004 Cisco Systems, Inc. All rights reserved.


Internet footprinting outline l.jpg
Internet Footprinting Outline

  • Review publicly available information

  • Perform network reconnaissance

  • Discover landscape

  • Determine vulnerable services


Review publicly available information l.jpg
Review publicly available information

  • News: Look for recent news

    • news.google.com

    • SEC filings

    • Search for phone numbers, contacts

  • Technical info: Look for stupid postings

    • Router configs

    • Admin pages

    • Nessus scans

  • Netcraft

  • Whois/DNS info

    • SamSpade

    • dig


Network reconnaissance l.jpg
Network reconnaissance

  • Use traceroute to find vulnerable servers

    • Trout

  • Can also query BGP tools

    • http://nitrous.digex.net/mae/equinix.html

    • Look up ASNs


Landscape discovery l.jpg
Landscape discovery

  • Ping sweep: Find out which hosts are alive

    • nmap, fping, gping, SuperScan, etc.

  • Port scans: Find out which ports are listening

    • Don’t setup a full connection – just SYN

    • Netcat

      • can be run in encrypted mode – cryptcat

    • nmap advanced options

      • XMAS scan sends all TCP options

      • Source port scanning sets source port (e.g., port 88 to scan Windows systems)

      • Time delays

  • Banner grab & O/S guess

    • telnet

    • ftp

    • netcat

    • nmap


Slide8 l.jpg

Hacking Windows

mnystrom

8

8

8

© 2004 Cisco Systems, Inc. All rights reserved.


Hacking windows outline l.jpg
Hacking Windows outline

  • Scan

  • Enumerate

  • Penetrate

  • Escalate

  • Pillage

  • Get interactive

  • Expand influence


Scanning windows l.jpg
Scanning Windows

  • Port scan, looking for what’s indicative of Windows

    • 88 – Kerberos

    • 139 – NetBIOS

    • 445 – SMB/CIFS

    • 1433 – SQL Server

    • 3268, 3269 – Active Directory

    • 3389 – Terminal Services

  • Trick: Scan from source port = 88 to find IPSec secured systems


Enumerating windows l.jpg
Enumerating Windows

  • Accounts

    • USER account used by most code, but escalates to SYSTEM to perform kernel-level operations

    • System accounts tracked by their SIDs

      • RID at end of SID identifies account type

      • RID = 500 is admin account

    • Need to escalate to Administrator to have any real power

    • Tools

      • userdump – enumerates users on a host

      • sid2user & user2sid translates account names on a host

    • SAM

      • Contains usernames, SIDs, RIDs, hashed passwords

      • Local account stored in local SAM

      • Domain accounts stored in Active Directory (AD)

    • Trusts

      • Can exist between AD domains

      • Allows accounts from one domain to be used in ACLs on another domain


Enumerating windows cont l.jpg
Enumerating Windows (cont.)

  • Need access to ports 135, 139, 445

  • Enumerate hosts in a domain

    • net view /domain:<domain name>

  • Find domain controller(s)

    • nltest /dsgetdc:<domain name> /pdc

    • nltest /bdc_query:<domain name>

    • nbtstcan – fast NetBIOS scanner

    • null sessions are an important way to get info

      • Runs over 445

      • Not logged by most IDS

      • net use \\<target>\ipc$ “” /u:””

      • “local” (from ResKit) or Dumpsec can then enumerate accounts

    • Countermeasures

      • Block UDP/137

      • Set RestictAnonymous registry value


Enumerating windows cont13 l.jpg
Enumerating Windows (cont.)

  • Look for hosts with 2 NICs

    • “getmac” from Win2K resource kit

  • Enumerate trusts on domain controller

    • nltest /server:amer /trusted_domains

  • Enumerate shares with DumpSec

    • Hidden shares have “$” at the end

  • Enumerate with LDAP

    • LDAPminer


Penetrating windows l.jpg
Penetrating Windows

  • 3 methods

    • Guess password

    • Obtain hashes

      • Emergency Repair Disk

    • Exploit a vulnerable service

  • Guessing passwords

    • Review vulnerable accounts via dumpsec

    • Use NetBIOS Auditing Tool to guess passwords


Escalating privileges in windows l.jpg
Escalating privileges in Windows

  • getadmin

    • getad

    • getad2

    • pipeupadmin

  • Shatter

    • Yields system-level privileges

    • Works against Windows Server 2003


Pillaging windows l.jpg
Pillaging Windows

  • Clear logs

    • Some IDS’s will restart auditing once it’s been disabled

  • Grab hashes

    • Remotely with pwdump3

    • Backup SAM: c:\winnt\repair\sam._

  • Grab passwords

    • Sniff SMB traffic

  • Crack passwords

    • L0phtcrack

    • John the Ripper


Getting interactive with windows l.jpg
Getting interactive with Windows

  • Copy rootkit over a share

  • Hide rootkit on the target server

    • Low traffic area such as winnt\system32\OS2\dll\toolz

    • Stream tools into files

  • Remote shell

    • remote.exe (resource kit tool)

    • netcat

  • How to fire up remote listener?

    • trojan

    • Leave a CD in the bathroom titled, “pending layoffs” 

    • Schedule it for remote execution

      • at scheduler

      • psexec


Windows expand influence l.jpg
Windows – Expand influence

  • Get passwords

    • Keystroke logger with stealth mail

    • FakeGINA intercepts Winlogon

  • Plant stuff in registry to run on reboot

  • Hide files

    • “attrib +h <directory>”

    • Stream files

    • Tripwire should catch this stuff


Slide19 l.jpg

Hacking Unix/Linux

mnystrom

19

19

19

© 2004 Cisco Systems, Inc. All rights reserved.


Hacking unix linux outline l.jpg
Hacking Unix/Linux outline

  • Discover landscape

  • Enumerate systems

  • Attack

    • Remote

    • Local

  • Get beyond root


Discover landscape l.jpg
Discover landscape

  • Goals

    • Discover available hosts

    • Find all running services

  • Methodology

    • ICMP and TCP ping scans

    • Find listening services with nmap and udp_scan

    • Discover paths with ICMP, UDP, TCP

  • Tools

    • nmap

    • SuperScan (Windows)

    • udp_scan (more reliable than nmap for udp scanning)


Enumerate systems l.jpg
Enumerate systems

  • Goal: Discover the following…

    • Users

    • Operating systems

    • Running programs

    • Specific software versions

    • Unprotected files

    • Internal information

  • Tools

    • OS/Application: telnet, ftp, nc, nmap

    • Users: finger, rwho,rusers, SMTP

    • RPC programs: rpcinfo

    • NFS shares: showmount

    • File retrieval: TFTP

    • SNMP: snmpwalk snmpget


Enumerate services l.jpg
Enumerate services

  • Users

    • finger

    • SMTP vrfy

  • DNS info

    • dig

  • RPC services

    • rpcinfo

  • NFS shares

    • showmount

  • Countermeasures

    • Turn off un-necessary services

    • Block IP addresses with router ACLs or TCP wrappers


Attack remotely l.jpg
Attack remotely

  • 3 primary methods

    • Exploit a listening service

    • Route through a system with 2 or more interfaces

    • Get user to execute it for you

      • Trojans

      • Hostile web site

  • Brute-force against service

    • http://packetstormsecurity.nl/Crackers/

    • Countermeasure: strong passwords, hide user names

  • Buffer-overflow attack

    • Overflow the stack with machine-dependent code (assembler)

    • Usually yields a shell – shovel it back with netcat

    • Prime targets: programs that run as root or suid

    • Countermeasures

      • Disable stack execution

      • Code reviews

      • Limit root and suid programs


Attack remotely cont l.jpg
Attack remotely (cont.)

  • Buffer overflow example

    • echo “vrfy `perl –e ‘print “a” x 1000’`” |nc www.targetsystem.com 25

    • Replace this with something like this…

    • char shellcode[] = “\xeb\xlf\x5e\x89\x76\x08…”

  • Input validation attacks

    • PHF CGI – newline character

    • SSI passes user input to O/S

  • Back channels

    • X-Windows

      • Send display back to attacker’s IP

      • Reverse telnet


Attack remotely cont26 l.jpg
Attack remotely (cont.)

  • Countermeasures against back channels

    • Get rid of executables used for this (x-windows, telnet, etc.)

  • Commonly attacked services

    • Sendmail

    • NFS

    • RPC

    • X-windows (sniffing session data)

    • ftpd (wu-ftpd)

    • DNS

      • Guessable query IDs

      • BIND vulnerabilities

      • Countermeasures

        • Restrict zone transfers

        • Block TCP/UDP 53

        • Don’t use HINFO records


Attack locally l.jpg
Attack locally

  • Buffer overflow

  • Setuid programs

  • Password guessing/cracking

  • Mis-configured file/dir permissions


Get beyond root l.jpg
Get beyond root

  • Map the network (own more hosts)

  • Install rootkit

    • crypto checksum is the only way to know if it’s real

    • Create backdoors

    • Sniff other traffic

      • dsniff

      • arpredirect

      • loki

      • Hunt

      • Countermeasures

        • Encrypt all traffic

        • Switched networks (not a panacaea)

    • Clean logs

    • Session hijacking


Slide29 l.jpg

Hacking the Network

  • Vulnerabilities

  • Dealing with firewalls

mnystrom

29

29

29

© 2004 Cisco Systems, Inc. All rights reserved.


Vulnerabilities l.jpg
Vulnerabilities

  • TTY access – 5 to choose from

  • SNMP V2 community strings

  • HTTP (Everthing is clear-text)

  • TFTP

    • No auth

    • Easy to discern router config files “<router-name>.cfg

  • Countermeasures

    • ACLs

    • TCP wrappers

    • Encrypt passwords


Vulnerabilities routing issues l.jpg
Vulnerabilities: routing issues

  • Path integrity

    • Source routing reveals path through the network

    • Routing updates can be spoofed (RIP, IGRP)

  • ARP spoofing

    • Easy with dsniff


Dealing with firewalls l.jpg
Dealing with firewalls

  • Enumerate with nmap or tcpdump

    • Can show you which ports are filtered (blocked)

  • Some proxies return a banner

    • Eagle Raptor

  • TCP traffic itself may provide signature

  • Ping the un-pingable

    • hping

    • Look for ICMP type 13 (admin prohibited)


Dealing with firewalls cont l.jpg
Dealing with firewalls (cont.)

  • ACLs may allow scanning if source port is set

    • nmap with “-g” option

  • Port redirection

    • fpipe

    • netcat



Slide35 l.jpg

Presentation_ID

35

35

35

© 2003 Cisco Systems, Inc. All rights reserved.


ad