Computer and Network System Administration

1. Computer and Network System Administration Fall 2004 Scott Daniels

2. CIS5906 • The purpose of hack week is to understand the attack methods the hackers use. Not to make you hackers. • There are different labels; hackers (white hat, black hat), cracker, script kiddy and phreeker. • hackers were normally highly intelligent people who want to understand technology, have been expanded to include good and bad. • crackers and script kiddies are the bottom of the barrel who use the works of others to attack other systems. • Phreekers mainly deal with hacking into phone lines. • Always ask permissions before running hacking tools on any system.

3. CIS5906 • There are a couple of steps a hacker mainly takes during hacking • Reconnaissance • scanning • Exploiting • Keeping control • Hiding the fact the machine has been hacked

4. CIS5906 • When first trying to hack a hacker will do Reconnaissance; looking around to gather as much of information. • ARIN and Whois,DNS Interrogation, Web Site Search, Sam Spade, Web-based reconnaissance and attack tools. • American Registry for Internet Numbers contains information about who owns particular IP address ranges and domain names. • DNS Interrogation; By dumping all records from your DNS server a attackers can determine which machines are accessible on the internet • Web Site Search: search the target’s website • Sam Spade: general reconnaissance tool www.samspade.org • Lots of web-based reconnaissance and attack tools. • Dumpster diving and social engenering.

5. CIS5906 • After the reconnaissance comes the scanning of the systems • Wardialing with TBA and THC-Scan; Network Mapping with Cheops; NMAP; Firewalk; FragRouter;Nessus; Wisker; Enum& Dumpsec

6. CIS5906 • Next comes the Exploiting of the system. • IP address spoffing; Sniffing with sniffit, dniff and ethereal; Session Hijacking; DNS Cache Poisoning; NetCat; Buffer Overflows and other Errors; Password cracking (L0phtCrack and John the Ripper) and worms • Hackers are getting together, organized and writing modular code that can be used to hack a system. A example of this is metasploit www.metasploit.com

7. CIS5906 • Once you get on there you must cover your tracks and hide your activities. rootkits are for once you got root. • A hacker will go after the log files, either by trying to fill var before the attack with a denial of service attack or modifying it after having root. • Interesting feature of NTFS a malicious program can be copied to one of the multiple streams associated with a file. cp program from the NT Resource Kit (cp hacker.exe notepad.exe:stream1.exe). The hidden file will follow the other file around. Scary. • Admin hacker can clear the windows log files. Also WinZapper. • Reverse www shell, a placed daemon will at schedule times on port 80 and open a shell so for network monitors it will look like normal web traffic. • Loki gives an attacker the ability to tunnel shell sessions over innocuous-looking protocols. • Convert_TCP allows for transmiting information by entering ASCII data into the following TCP/IP header fields:TP Identification, TCP initial sequence number,TCP acknologment sequence number