1 / 32

Hacking Exposed

Hacking Exposed. May 5, 2004 Jan Decrock Karel Dekyvere. Agenda. Some reflections The attackers process Things you must do. What is it about?. P P T. In this order!. eople rocess echnology. How it usually goes. Attacker Processes. Buffer Overflows Shovel a Shell

colum
Download Presentation

Hacking Exposed

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hacking Exposed May 5, 2004 Jan Decrock Karel Dekyvere NATO Security Workshop 11 Dec 2001

  2. Agenda • Some reflections • The attackers process • Things you must do NATO Security Workshop 11 Dec 2001

  3. What is it about? P P T In this order! eople rocess echnology NATO Security Workshop 11 Dec 2001

  4. How it usually goes NATO Security Workshop 11 Dec 2001

  5. Attacker Processes • Buffer Overflows • Shovel a Shell • Interactive Control • Camouflaging • Island Hopping • Viruses • Footprinting • Social Engineering • Scanning • Enumeration • Gaining Access • Privilege Escalation NATO Security Workshop 11 Dec 2001

  6. Footprinting • Footprinting Defined: • An attacker’s use of tools and information to create a complete profile of an organization’s security posture – “Casing the joint” • Tools: NATO Security Workshop 11 Dec 2001

  7. Social Engineering • Social Engineering Defined: • An attacker’s use of personal interviewing techniques, research skills and/or trickery to discover sensitive information from a target’s employees, partners or customers • Tools • Telephone • Voice Mail • Email • USENET • Temporary Employment NATO Security Workshop 11 Dec 2001

  8. Scanning • Scanning Defined: • An attacker’s use of tools and information to determine what systems are alive and reachable from the Internet • Tools: NATO Security Workshop 11 Dec 2001

  9. Enumeration • Enumeration Defined: • An attacker’s use of tools and information to determine what services are alive and listening from the Internet • Tools: • LANGuard, N-Stealth, Fluxay, Nessus • Countermeasures • Restrictanonymous helps (1 or 2)? • Rename admin helps? • Disable services! • Enable port filtering NATO Security Workshop 11 Dec 2001

  10. Port Redirection • Port Redirection Defined: • The use of tools to direct network traffic destined for one port and send it to another host on another port • Tools: • FPipe.exe, RINETD(8) • Countermeasures • Port have to get installed on the target system. Mitigate by staying secure • Use IPSEC or other to allow communications from/to • Packet content! NATO Security Workshop 11 Dec 2001

  11. Gaining Access • Gaining Access Defined: • An attacker’s use of tools and information to make an attempt to access the target system • Tools: • Countermeasures • Syskey will protect me (offline encryption)? NATO Security Workshop 11 Dec 2001

  12. Are you careful with security? NATO Security Workshop 11 Dec 2001

  13. Privilege Escalation • Privilege Escalation Defined: • An attacker’s efforts to elevate his role from ‘user’ to ‘administrator’ by exploiting an operating system or application-specific flaw. Generally exploited from a console session of a non-privileged user. • Tools: • Your users have ‘debug programs’, ‘logon locally’ right? NATO Security Workshop 11 Dec 2001

  14. Buffer Overflows • Buffer Overflows Defined: • Buffer Overflow tools exploit un-checked buffers in specific OS’s or applications to cause ‘shellcode’ to run (usually in the context of ‘SYSTEM’, ‘IWAM’ or ‘SQLUSER’ if exploiting Windows 2000, IIS or SQL. • Tools: • Too many to name…. • Patch management: good idea! • Wanna know how it works? NATO Security Workshop 11 Dec 2001

  15. Public Enemy #1: The Buffer Overrun • Attempting to copy >n bytes into an n-byte buffer • If you’re lucky you get an AV • If you’re unlucky you get instability • If you’re really unlucky the attacker injects code into your application • And executes it! • And everyone’s an admin :-( NATO Security Workshop 11 Dec 2001

  16. A Stack (foo() has just called bar()) Buffer in bar() Your allocated data Return Address to foo() Return address bar() arguments Function arguments A Dangerous buffer Assembly code Address of start Add ‘em together (using a copy function) How Does It Work? Gotcha! NATO Security Workshop 11 Dec 2001

  17. Code injections • Insert malicious code in program through user interface • Usually possible due to lack of input parameter checking • Most commonly used mechanism to take over websites! NATO Security Workshop 11 Dec 2001

  18. SQL code injection • Think of a website that allows you to query information, think harder. • How could the code be build to capture your input: • Select * from creditcards where username = ‘x’ • Select * from PC_parts where model = ‘x’ • Imagine what happens if your input would be: • hacker’ or 1=1 (the good) • hacker’ drop table creditcards (the bad) • hacker’ xp_cmdshell(‘fdisk.exe’) (the ugly) • Try this @home, not @work ! NATO Security Workshop 11 Dec 2001

  19. You want to be in such a situation? • Then start thinking in terms of security NATO Security Workshop 11 Dec 2001

  20. DEMO? NATO Security Workshop 11 Dec 2001

  21. Shovel a Shell • Shovel a Shell Defined: • An attacker’s use of tools to gain a ‘remote command shell’ on a target server. • Tools: • Netcat – The attackers ‘swiss army knife’ • PSExec.exe • Countermeasures • Limit outbound connections! • Software restriction policies. NATO Security Workshop 11 Dec 2001

  22. Island Hopping • Island Hopping Defined: • Attacker uses compromised platform to stage an attack on another host • Attacker repeats entire ‘attack methodology’ process to expand influence far and wide • Tools: • Did you know: ¼ of all Internet routers contained third party sniffers NATO Security Workshop 11 Dec 2001

  23. Viruses • Main Sources: Internet, Mail, Floppy. • You can protect yourself • Keep upto date of new virusses (mailing lists, automatic updates, Patch management process...) NATO Security Workshop 11 Dec 2001

  24. Why viruses/worms win • Viruses/worms usually exploit buffer overruns. • 1 change in 1010 to find a buffer overrun • Or you reverse engineer announced flaws in the system. • Download a patch • Install on a computer • Verify modification to system/memory allocs • Write virus based on patch information • Hope that nobody installed to patch • What are my changes to be successful? NATO Security Workshop 11 Dec 2001

  25. Why viruses/worms should not win • Virus/worm usually ships 10 to 20 days ‘after’ the patch is released. • Excuse #1: Good Anti-virus software will protect me; somebody is always the first to be infected; what if the worm spreads faster than the pattern file. • Excuse #2: We have a firewall that blocks all traffic; really, and you have one for all mobile users, one to split your internal network, etc… • Excuse #3: Only Microsoft writes bogus code, I run on non-MS products; statistics say that each 1000 lines of code has 1bug (no matter what software or vendor). NATO Security Workshop 11 Dec 2001

  26. How much is enough security? NATO Security Workshop 11 Dec 2001

  27. Thank you for attendingand remember, PPT NATO Security Workshop 11 Dec 2001

  28. Know Your Enemy • Some Good Books: • Hacking Exposed Windows 2000 by Joel Scambray and Stuart McClure, ISBN: 0072192623 • Windows 2000 Security Handbook by Philip Cox and Tom Sheldon, ISBN: 0072124334 NATO Security Workshop 11 Dec 2001

  29. Know Your Enemy • Web Sites: • HNC at http://www.hack-net.com • Attrition at http://www.attrition.org • Counterpane Systems (home of Bruce Schneier) at http://www.counterpane.com • Cult of the Dead Cow at http://www.cultdeadcow.com • Rootshell at http://rootshell.com • 2600 at http://www.2600.com • EEye at http://www.eeye.com • WSD at http://www.w00w00.org • NTSecurity at http://www.ntsecurity.net NATO Security Workshop 11 Dec 2001

  30. Know Your Enemy • Web Sites: • Slash Dot at http://www.slashdot.org • Razor at http://razor.bindview.com • Rainforest Puppy at http://www.wiretrip.net/rfp • Phrack at http://phrack.infonexus.com • Security Focus at http://www.securityfocus.com . Get on the NTBugTraq mailing list here. • BlackHat at http://www.blackhat.com/ • Nomad Mobile Research Centre at http://www.nmrc.org/ • Secure I Team at http://www.secureiteam.com NATO Security Workshop 11 Dec 2001

  31. Know Your Enemy • Events • RSA Conference http://www.rsaconference.com • BlackHat http:///www.blackhat.com • DefCon http://www.defcon.org (The Largest Hacking Convention, bring your own 802.11b wireless network card!) NATO Security Workshop 11 Dec 2001

  32. References • Hacking Exposed 4th Edition • Hacking Windows 2000 Exposed • Special Ops • Microsoft Solution for Securing Windows 2000 Serverhttp://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp • NSA Security Guidelineshttp://nsa1.www.conxion.com/ NATO Security Workshop 11 Dec 2001

More Related