Hacking Primer

Uploaded by nayakslideshare, posted 11-May-2015


TRANSCRIPT

Page 1: Intro To Hacking

Hacking Primer

Page 2: Intro To Hacking

Outline

• Internet footprinting

• Hacking Windows

• Hacking Unix/Linux

• Hacking the network

Page 3: Intro To Hacking

Internet Footprinting

© 2004 Cisco Systems, Inc. All rights reserved. mnystrom

Page 4: Intro To Hacking

Internet Footprinting Outline

• Review publicly available information

• Perform network reconnaissance

• Discover landscape

• Determine vulnerable services

Page 5: Intro To Hacking

Review publicly available information

• News: Look for recent news

news.google.com

SEC filings

Search for phone numbers, contacts

• Technical info: Look for stupid postings

Router configs

Admin pages

Nessus scans

• Netcraft

• Whois/DNS info

SamSpade

dig

Page 6: Intro To Hacking

Network reconnaissance

• Use traceroute to find vulnerable servers

Trout

• Can also query BGP tools

http://nitrous.digex.net/mae/equinix.html

Look up ASNs

Page 7: Intro To Hacking

Landscape discovery

• Ping sweep: Find out which hosts are alive

nmap, fping, gping, SuperScan, etc.

• Port scans: Find out which ports are listening

Don’t set up a full connection – just SYN

Netcat

can be run in encrypted mode – cryptcat

nmap advanced options

XMAS scan sends all TCP options

Source port scanning sets source port (e.g., port 88 to scan Windows systems)

Time delays

• Banner grab & O/S guess

telnet

ftp

netcat

nmap

Page 8: Intro To Hacking

Hacking Windows


Page 9: Intro To Hacking

Hacking Windows outline

1. Scan

2. Enumerate

3. Penetrate

4. Escalate

5. Pillage

6. Get interactive

7. Expand influence

Page 10: Intro To Hacking

Scanning Windows

• Port scan, looking for what’s indicative of Windows

88 – Kerberos

139 – NetBIOS

445 – SMB/CIFS

1433 – SQL Server

3268, 3269 – Active Directory

3389 – Terminal Services

• Trick: Scan from source port = 88 to find IPSec secured systems
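An added example (not from the slides) of the defender's side of the landscape-discovery and Windows-scanning slides: it reads constructed packet records and flags sources sending SYNs to many ports without completing the handshake, notes which of the Windows-indicative ports were probed, and spots the fixed-source-port pattern (source port 88) that the slide describes as a trick against port-based ACLs. The record format and IP addresses are assumptions.

```python
# Added example (not from the slides): flag SYN-only port scans, including the
# fixed-source-port variant (source port 88) the slides mention, from constructed
# packet records of the form (src, sport, dst, dport, flags).
from collections import defaultdict

# Ports the "Scanning Windows" slide lists as indicative of Windows.
WINDOWS_PORTS = {88, 139, 445, 1433, 3268, 3269, 3389}

# Constructed traffic: a normal client that completes handshakes, a scanner that
# sends one SYN per port and never ACKs, and a scanner pinned to source port 88.
PACKETS = [
    ("10.0.0.5", 51000, "10.0.1.10", 80, "S"),
    ("10.0.0.5", 51000, "10.0.1.10", 80, "A"),
    ("10.0.0.5", 51001, "10.0.1.10", 443, "S"),
    ("10.0.0.5", 51001, "10.0.1.10", 443, "A"),
]
PACKETS += [("10.0.0.66", 40000 + p, "10.0.1.10", p, "S")
            for p in (21, 22, 23, 25, 80, 139, 445, 1433, 3389)]
PACKETS += [("10.0.0.77", 88, "10.0.1.10", p, "S")
            for p in (135, 139, 445, 3268, 3389)]

def detect_scans(packets, min_ports=5):
    """Return {src: finding} for sources with >= min_ports half-open SYNs
    (SYN sent, no ACK from that source to the same dst:port afterwards)."""
    syns = defaultdict(set)      # src -> {(dst, dport)} that received a SYN
    acks = defaultdict(set)      # src -> {(dst, dport)} that later saw an ACK
    sports = defaultdict(set)    # src -> source ports used for SYNs
    for src, sport, dst, dport, flags in packets:
        if flags == "S":
            syns[src].add((dst, dport))
            sports[src].add(sport)
        elif "A" in flags:
            acks[src].add((dst, dport))
    findings = {}
    for src, targets in syns.items():
        half_open = targets - acks[src]
        if len(half_open) < min_ports:
            continue
        ports = sorted(p for _, p in half_open)
        findings[src] = {
            "half_open_ports": ports,
            "windows_ports": [p for p in ports if p in WINDOWS_PORTS],
            # one source port reused for every SYN is the ACL-evasion pattern
            "fixed_source_port": next(iter(sports[src])) if len(sports[src]) == 1 else None,
        }
    return findings
```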

Page 11: Intro To Hacking

Enumerating Windows

• Accounts

USER account used by most code, but escalates to SYSTEM to perform kernel-level operations

System accounts tracked by their SIDs

RID at end of SID identifies account type

RID = 500 is admin account

Need to escalate to Administrator to have any real power

Tools

userdump – enumerates users on a host

sid2user & user2sid translate between account names and SIDs on a host

SAM

Contains usernames, SIDs, RIDs, hashed passwords

Local account stored in local SAM

Domain accounts stored in Active Directory (AD)

Trusts

Can exist between AD domains

Allows accounts from one domain to be used in ACLs on another domain
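An added example (not from the slides) that works through the SID/RID point above: it parses SID strings, classifies accounts by RID (500 is the built-in Administrator, as the slide states), and finds the administrator in a constructed account listing even when the account has been renamed, which is the audit use of tools like sid2user. The domain portion of the SIDs and the account names are made up.

```python
# Added example (not from the slides): parse Windows SIDs and pick out accounts
# by RID, as the slide says RID 500 marks the built-in Administrator.
import re

# Form: S-1-<identifier authority>-<sub-authorities...>-<RID>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# 500 is the RID named on the slide; the others are standard well-known RIDs.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    512: "Domain Admins",
    513: "Domain Users",
}

def parse_sid(sid):
    """Split a SID string into authority, domain prefix and RID; reject malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    parts = sid.split("-")
    return {
        "authority": int(parts[2]),
        "domain": "-".join(parts[:-1]),   # everything but the RID identifies the domain/machine
        "rid": int(parts[-1]),
    }

def classify(sid):
    """Describe an account from its RID alone, independent of its display name."""
    rid = parse_sid(sid)["rid"]
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created account (RID >= 1000)" if rid >= 1000 else "other well-known RID"

# Constructed listing, as a tool like userdump/sid2user might return it. The domain
# part is made up; the built-in Administrator has been renamed but still has RID 500.
ACCOUNTS = {
    "S-1-5-21-1004336348-1177238915-682003330-500": "helpdesk",
    "S-1-5-21-1004336348-1177238915-682003330-501": "Guest",
    "S-1-5-21-1004336348-1177238915-682003330-1105": "jsmith",
}

def find_admins(accounts):
    """Names of accounts whose RID is 500, whatever the account is called."""
    return [name for sid, name in accounts.items() if parse_sid(sid)["rid"] == 500]
```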

Page 12: Intro To Hacking

Enumerating Windows (cont.)

• Need access to ports 135, 139, 445

• Enumerate hosts in a domain

net view /domain:<domain name>

• Find domain controller(s)

nltest /dsgetdc:<domain name> /pdc

nltest /bdc_query:<domain name>

nbtscan – fast NetBIOS scanner

null sessions are an important way to get info

Runs over 445

Not logged by most IDS

net use \\<target>\ipc$ "" /u:""

“local” (from ResKit) or Dumpsec can then enumerate accounts

Countermeasures

Block UDP/137

Set RestrictAnonymous registry value

Page 13: Intro To Hacking

Enumerating Windows (cont.)

• Look for hosts with 2 NICs

“getmac” from Win2K resource kit

• Enumerate trusts on domain controller

nltest /server:amer /trusted_domains

• Enumerate shares with DumpSec

Hidden shares have “$” at the end

• Enumerate with LDAP

LDAPminer

Page 14: Intro To Hacking

Penetrating Windows

• 3 methods

Guess password

Obtain hashes

Emergency Repair Disk

Exploit a vulnerable service

• Guessing passwords

Review vulnerable accounts via dumpsec

Use NetBIOS Auditing Tool to guess passwords

Page 15: Intro To Hacking

Escalating privileges in Windows

• getadmin

getad

getad2

pipeupadmin

• Shatter

Yields system-level privileges

Works against Windows Server 2003

Page 16: Intro To Hacking

Pillaging Windows

• Clear logs

Some IDS’s will restart auditing once it’s been disabled

• Grab hashes

Remotely with pwdump3

Backup SAM: c:\winnt\repair\sam._

• Grab passwords

Sniff SMB traffic

• Crack passwords

L0phtcrack

John the Ripper

Page 17: Intro To Hacking

Getting interactive with Windows

• Copy rootkit over a share

• Hide rootkit on the target server

Low traffic area such as winnt\system32\OS2\dll\toolz

Stream tools into files

• Remote shell

remote.exe (resource kit tool)

netcat

• How to fire up remote listener?

trojan

Leave a CD in the bathroom titled, “pending layoffs”

Schedule it for remote execution

at scheduler

psexec

Page 18: Intro To Hacking

Windows – Expand influence

• Get passwords

Keystroke logger with stealth mail

FakeGINA intercepts Winlogon

• Plant stuff in registry to run on reboot

• Hide files

"attrib +h <directory>"

Stream files

Tripwire should catch this stuff

Page 19: Intro To Hacking

Hacking Unix/Linux


Page 20: Intro To Hacking

Hacking Unix/Linux outline

1. Discover landscape

2. Enumerate systems

3. Attack

– Remote

– Local

4. Get beyond root

Page 21: Intro To Hacking

Discover landscape

• Goals

Discover available hosts

Find all running services

• Methodology

ICMP and TCP ping scans

Find listening services with nmap and udp_scan

Discover paths with ICMP, UDP, TCP

• Tools

nmap

SuperScan (Windows)

udp_scan (more reliable than nmap for udp scanning)

Page 22: Intro To Hacking

Enumerate systems

• Goal: Discover the following…

Users

Operating systems

Running programs

Specific software versions

Unprotected files

Internal information

• Tools

OS/Application: telnet, ftp, nc, nmap

Users: finger, rwho, rusers, SMTP

RPC programs: rpcinfo

NFS shares: showmount

File retrieval: TFTP

SNMP: snmpwalk, snmpget

Page 23: Intro To Hacking

Enumerate services

• Users

finger

SMTP vrfy

• DNS info

dig

• RPC services

rpcinfo

• NFS shares

showmount

• Countermeasures

Turn off unnecessary services

Block IP addresses with router ACLs or TCP wrappers

Page 24: Intro To Hacking

Attack remotely

• 3 primary methods

Exploit a listening service

Route through a system with 2 or more interfaces

Get user to execute it for you

Trojans

Hostile web site

• Brute-force against service

http://packetstormsecurity.nl/Crackers/

Countermeasure: strong passwords, hide user names

• Buffer-overflow attack

Overflow the stack with machine-dependent code (assembler)

Usually yields a shell – shovel it back with netcat

Prime targets: programs that run as root or suid

Countermeasures

Disable stack execution

Code reviews

Limit root and suid programs

Page 25: Intro To Hacking

Attack remotely (cont.)

• Buffer overflow example

echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25

Replace this with something like this…

char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08…"
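An added example (not from the slides) from the detection side of the two SMTP points above, the VRFY user-enumeration of the "Enumerate services" slide and the oversized VRFY argument of the overflow example: it parses constructed SMTP command log lines and reports, per source, repeated VRFY/EXPN probes and any argument far longer than a mailbox name. The log format, the addresses and the 256-byte threshold are assumptions.

```python
# Added example (not from the slides): scan a constructed SMTP command log for
# VRFY/EXPN user enumeration and for an oversized VRFY argument of the kind the
# slide's overflow example sends (1000 x "a").
import re

# Assumed log format: "<date> <time> <source ip> <COMMAND> [argument]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<cmd>[A-Z]{4})(?: (?P<arg>.*))?$")
MAX_ARG = 256              # assumed: no legitimate mailbox name is this long
ENUM_CMDS = {"VRFY", "EXPN"}

# Constructed log lines; the last one mirrors the slide's vrfy command with 1000 "a"s.
SAMPLE_LOG = [
    "2004-05-11 10:00:01 203.0.113.9 HELO mail.example.net",
    "2004-05-11 10:00:02 203.0.113.9 VRFY root",
    "2004-05-11 10:00:03 203.0.113.9 VRFY postmaster",
    "2004-05-11 10:00:04 203.0.113.9 EXPN staff",
    "2004-05-11 10:00:05 198.51.100.4 MAIL FROM:<alice@example.org>",
    "2004-05-11 10:00:06 203.0.113.9 VRFY " + "a" * 1000,
]

def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, enum_threshold=3):
    """Per source: number of VRFY/EXPN probes, whether that count reaches the
    enumeration threshold, and every (command, length) whose argument exceeds MAX_ARG."""
    findings = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable lines are skipped, not fatal
        entry = findings.setdefault(rec["src"], {"enum_probes": 0, "oversized": []})
        if rec["cmd"] in ENUM_CMDS:
            entry["enum_probes"] += 1
        arg = rec["arg"] or ""
        if len(arg) > MAX_ARG:
            entry["oversized"].append((rec["cmd"], len(arg)))
    return {src: dict(e, enumeration=e["enum_probes"] >= enum_threshold)
            for src, e in findings.items()}
```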

• Input validation attacks

PHF CGI – newline character

SSI passes user input to O/S

• Back channels

X-Windows

Send display back to attacker’s IP

Reverse telnet

Page 26: Intro To Hacking

Attack remotely (cont.)

• Countermeasures against back channels

Get rid of executables used for this (x-windows, telnet, etc.)

• Commonly attacked services

Sendmail

NFS

RPC

X-windows (sniffing session data)

ftpd (wu-ftpd)

DNS

Guessable query IDs

BIND vulnerabilities

Countermeasures

Restrict zone transfers

Block TCP/UDP 53

Don’t use HINFO records

Page 27: Intro To Hacking

Attack locally

• Buffer overflow

• Setuid programs

• Password guessing/cracking

• Mis-configured file/dir permissions

Page 28: Intro To Hacking

Get beyond root

• Map the network (own more hosts)

• Install rootkit

crypto checksum is the only way to know if it’s real

Create backdoors

Sniff other traffic

dsniff

arpredirect

loki

Hunt

Countermeasures

Encrypt all traffic

Switched networks (not a panacea)

Clean logs

Session hijacking

Page 29: Intro To Hacking

Hacking the Network

• Vulnerabilities

• Dealing with firewalls

Page 30: Intro To Hacking

Vulnerabilities

• TTY access – 5 to choose from

• SNMP V2 community strings

• HTTP (Everything is clear-text)

• TFTP

No auth

Easy to discern router config files: "<router-name>.cfg"

• Countermeasures

ACLs

TCP wrappers

Encrypt passwords

Page 31: Intro To Hacking

Vulnerabilities: routing issues

• Path integrity

Source routing reveals path through the network

Routing updates can be spoofed (RIP, IGRP)

• ARP spoofing

Easy with dsniff

Page 32: Intro To Hacking

Dealing with firewalls

• Enumerate with nmap or tcpdump

Can show you which ports are filtered (blocked)

• Some proxies return a banner

Eagle Raptor

• TCP traffic itself may provide signature

• Ping the un-pingable

hping

Look for ICMP type 13 (admin prohibited)

Page 33: Intro To Hacking

Dealing with firewalls (cont.)

• ACLs may allow scanning if source port is set

nmap with "-g" option

• Port redirection

fpipe

netcat

Page 34: Intro To Hacking

Questions?