Hacking Primer
Martin G. Nystrom, CISSP-ISSAP
Security Architect, Cisco Systems, Inc.
April 2005

Outline
• Internet footprinting
• Hacking Windows
• Hacking Unix/Linux
• Hacking the network
Internet Footprinting
© 2004 Cisco Systems, Inc. All rights reserved.

Internet Footprinting Outline
• Review publicly available information
• Perform network reconnaissance
• Discover landscape
• Determine vulnerable services
Review publicly available information
• News: look for recent news
  • news.google.com
  • SEC filings
  • Search for phone numbers, contacts
• Technical info: look for stupid postings
  • Router configs
  • Admin pages
  • Nessus scans
• Netcraft
• Whois/DNS info
  • SamSpade
  • dig

Network reconnaissance
• Use traceroute to find vulnerable servers
  • Trout
• Can also query BGP tools
  • http://nitrous.digex.net/mae/equinix.html
  • Look up ASNs
Landscape discovery
• Ping sweep: find out which hosts are alive
  • nmap, fping, gping, SuperScan, etc.
• Port scans: find out which ports are listening
  • Don't set up a full connection, just send the SYN
  • Netcat
    • Can be run in encrypted mode: cryptcat
  • nmap advanced options
    • XMAS scan sends all TCP options
    • Source port scanning sets the source port (e.g., port 88 to scan Windows systems)
    • Time delays
• Banner grab & O/S guess
  • telnet
  • ftp
  • netcat
  • nmap
Hacking Windows

Hacking Windows outline
• Scan
• Enumerate
• Penetrate
• Escalate
• Pillage
• Get interactive
• Expand influence

Scanning Windows
• Port scan, looking for what's indicative of Windows
  • 88 – Kerberos
  • 139 – NetBIOS
  • 445 – SMB/CIFS
  • 1433 – SQL Server
  • 3268, 3269 – Active Directory
  • 3389 – Terminal Services
• Trick: scan from source port = 88 to find IPSec-secured systems
Enumerating Windows
• Accounts
  • USER account used by most code, but escalates to SYSTEM to perform kernel-level operations
  • System accounts tracked by their SIDs
    • RID at end of SID identifies account type
    • RID = 500 is admin account
  • Need to escalate to Administrator to have any real power
• Tools
  • userdump: enumerates users on a host
  • sid2user & user2sid translate account names on a host
• SAM
  • Contains usernames, SIDs, RIDs, hashed passwords
  • Local accounts stored in local SAM
  • Domain accounts stored in Active Directory (AD)
• Trusts
  • Can exist between AD domains
  • Allow accounts from one domain to be used in ACLs on another domain
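The SID/RID point above is what lets a defender audit accounts by identity rather than by name. The following is an added example, not part of the original slides: it parses SID strings, reports the well-known RID meanings, and flags any account whose RID is 500 but whose name is no longer "Administrator". The account names and SIDs in SAMPLE_ACCOUNTS are constructed.

```python
# Added example: identify accounts by RID so a renamed built-in
# Administrator (RID 500) is still recognised. Documented well-known RIDs.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "Guest",
    512: "Domain Admins group",
    513: "Domain Users group",
}

def parse_sid(sid):
    """Split 'S-1-5-21-...-500' into (revision, authority, sub_authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    sub_auths = [int(p) for p in parts[3:]]
    return revision, authority, sub_auths

def rid_of(sid):
    """The RID is the last sub-authority; it is what identifies the account."""
    _, _, sub_auths = parse_sid(sid)
    if not sub_auths:
        raise ValueError("SID has no RID: %r" % sid)
    return sub_auths[-1]

def describe_account(name, sid):
    rid = rid_of(sid)
    if rid in WELL_KNOWN_RIDS:
        return "%s (%s, RID %d)" % (name, WELL_KNOWN_RIDS[rid], rid)
    if rid >= 1000:                      # user-created accounts start at 1000
        return "%s (user-created account, RID %d)" % (name, rid)
    return "%s (other well-known RID %d)" % (name, rid)

def find_renamed_admins(accounts):
    """Accounts with RID 500 whose name is not 'Administrator'."""
    return [n for n, s in accounts
            if rid_of(s) == 500 and n.lower() != "administrator"]

# Constructed sample account listing: (name, SID)
SAMPLE_ACCOUNTS = [
    ("Administrator", "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("backup_svc",    "S-1-5-21-1004336348-1177238915-682003330-1105"),
    ("helpdesk",      "S-1-5-21-9999-8888-7777-500"),
]
```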
Enumerating Windows (cont.)
• Need access to ports 135, 139, 445
• Enumerate hosts in a domain
  • net view /domain:<domain name>
• Find domain controller(s)
  • nltest /dsgetdc:<domain name> /pdc
  • nltest /bdc_query:<domain name>
• nbtscan: fast NetBIOS scanner
• Null sessions are an important way to get info
  • Runs over 445
  • Not logged by most IDS
  • net use \\<target>\ipc$ "" /u:""
  • "local" (from ResKit) or DumpSec can then enumerate accounts
• Countermeasures
  • Block UDP/137
  • Set RestrictAnonymous registry value
Enumerating Windows (cont.)
• Look for hosts with 2 NICs
  • "getmac" from Win2K resource kit
• Enumerate trusts on domain controller
  • nltest /server:amer /trusted_domains
• Enumerate shares with DumpSec
  • Hidden shares have "$" at the end
• Enumerate with LDAP
  • LDAPminer

Penetrating Windows
• 3 methods
  • Guess password
  • Obtain hashes
    • Emergency Repair Disk
  • Exploit a vulnerable service
• Guessing passwords
  • Review vulnerable accounts via DumpSec
  • Use NetBIOS Auditing Tool to guess passwords
Escalating privileges in Windows
• getadmin
• getad
• getad2
• pipeupadmin
• Shatter
  • Yields system-level privileges
  • Works against Windows Server 2003

Pillaging Windows
• Clear logs
  • Some IDSs will restart auditing once it's been disabled
• Grab hashes
  • Remotely with pwdump3
  • Backup SAM: c:\winnt\repair\sam._
• Grab passwords
  • Sniff SMB traffic
• Crack passwords
  • L0phtcrack
  • John the Ripper
Getting interactive with Windows
• Copy rootkit over a share
• Hide rootkit on the target server
  • Low-traffic area such as winnt\system32\OS2\dll\toolz
  • Stream tools into files
• Remote shell
  • remote.exe (resource kit tool)
  • netcat
• How to fire up remote listener?
  • Trojan
    • Leave a CD in the bathroom titled "pending layoffs"
  • Schedule it for remote execution
    • at scheduler
    • psexec

Windows – Expand influence
• Get passwords
  • Keystroke logger with stealth mail
  • FakeGINA intercepts Winlogon
• Plant stuff in registry to run on reboot
• Hide files
  • "attrib +h <directory>"
  • Stream files
  • Tripwire should catch this stuff
Hacking Unix/Linux

Hacking Unix/Linux outline
• Discover landscape
• Enumerate systems
• Attack
  • Remote
  • Local
• Get beyond root

Discover landscape
• Goals
  • Discover available hosts
  • Find all running services
• Methodology
  • ICMP and TCP ping scans
  • Find listening services with nmap and udp_scan
  • Discover paths with ICMP, UDP, TCP
• Tools
  • nmap
  • SuperScan (Windows)
  • udp_scan (more reliable than nmap for UDP scanning)
Enumerate systems
• Goal: discover the following...
  • Users
  • Operating systems
  • Running programs
  • Specific software versions
  • Unprotected files
  • Internal information
• Tools
  • OS/application: telnet, ftp, nc, nmap
  • Users: finger, rwho, rusers, SMTP
  • RPC programs: rpcinfo
  • NFS shares: showmount
  • File retrieval: TFTP
  • SNMP: snmpwalk, snmpget
Enumerate services
• Users
  • finger
  • SMTP vrfy
• DNS info
  • dig
• RPC services
  • rpcinfo
• NFS shares
  • showmount
• Countermeasures
  • Turn off unnecessary services
  • Block IP addresses with router ACLs or TCP wrappers
Attack remotely
• 3 primary methods
  • Exploit a listening service
  • Route through a system with 2 or more interfaces
  • Get user to execute it for you
    • Trojans
    • Hostile web site
• Brute force against a service
  • http://packetstormsecurity.nl/Crackers/
  • Countermeasure: strong passwords, hide user names
• Buffer-overflow attack
  • Overflow the stack with machine-dependent code (assembler)
  • Usually yields a shell; shovel it back with netcat
  • Prime targets: programs that run as root or suid
  • Countermeasures
    • Disable stack execution
    • Code reviews
    • Limit root and suid programs
Attack remotely (cont.)
• Buffer overflow example
  • echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25
  • Replace this with something like this…
  • char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08…"
• Input validation attacks
  • PHF CGI: newline character
  • SSI passes user input to O/S
• Back channels
  • X Windows
    • Send display back to attacker's IP
  • Reverse telnet
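The overflow and input-validation attacks above both succeed because the service copies or interprets the argument before checking it. As an added example that is not part of the original slides, here is the server-side counterpart: a VRFY line handler that enforces a length limit on the raw bytes before anything is copied and rejects embedded newlines and shell metacharacters. MAX_ARG and the accepted character set are assumptions for the example.

```python
# Added example: validate an SMTP-style VRFY line before it is used.
import re

MAX_ARG = 64                          # assumed local-part limit
SAFE_ARG = re.compile(r"^[A-Za-z0-9._+-]+$")

class BadCommand(ValueError):
    pass

def parse_vrfy(raw):
    """Parse b'VRFY <arg>\\r\\n' and return arg, or raise BadCommand.

    Every check runs on the raw bytes before any copy or lookup, so an
    oversized argument (the 1000 x 'a' line above) or a newline-smuggled
    one (the PHF trick) never reaches the code that acts on it.
    """
    if len(raw) > 4 + 1 + MAX_ARG + 2:    # verb, space, arg, CRLF
        raise BadCommand("line too long")
    if not raw.endswith(b"\r\n"):
        raise BadCommand("missing CRLF")
    body = raw[:-2]
    if b"\r" in body or b"\n" in body or b"\x00" in body:
        raise BadCommand("embedded control byte")
    verb, _, arg = body.partition(b" ")
    if verb.upper() != b"VRFY":
        raise BadCommand("not VRFY")
    arg = arg.decode("ascii", "strict") if arg else ""
    if not arg or len(arg) > MAX_ARG or not SAFE_ARG.match(arg):
        raise BadCommand("bad argument")
    return arg

def vrfy_result(raw):
    """Return (accepted, value) so callers never see an exception."""
    try:
        return True, parse_vrfy(raw)
    except (BadCommand, UnicodeDecodeError) as e:
        return False, str(e)
```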
Attack remotely (cont.)
• Countermeasures against back channels
  • Get rid of executables used for this (X Windows, telnet, etc.)
• Commonly attacked services
  • Sendmail
  • NFS
  • RPC
  • X Windows (sniffing session data)
  • ftpd (wu-ftpd)
  • DNS
    • Guessable query IDs
    • BIND vulnerabilities
    • Countermeasures
      • Restrict zone transfers
      • Block TCP/UDP 53
      • Don't use HINFO records

Attack locally
• Buffer overflow
• Setuid programs
• Password guessing/cracking
• Mis-configured file/dir permissions
Get beyond root
• Map the network (own more hosts)
• Install rootkit
  • Crypto checksum is the only way to know if it's real
• Create backdoors
• Sniff other traffic
  • dsniff
  • arpredirect
  • loki
  • Hunt
  • Countermeasures
    • Encrypt all traffic
    • Switched networks (not a panacea)
• Clean logs
• Session hijacking
Hacking the Network
• Vulnerabilities
• Dealing with firewalls
Vulnerabilities
• TTY access: 5 to choose from
• SNMP v2 community strings
• HTTP (everything is clear-text)
• TFTP
  • No auth
  • Easy to discern router config files: "<router-name>.cfg"
• Countermeasures
  • ACLs
  • TCP wrappers
  • Encrypt passwords

Vulnerabilities: routing issues
• Path integrity
  • Source routing reveals path through the network
  • Routing updates can be spoofed (RIP, IGRP)
• ARP spoofing
  • Easy with dsniff
Dealing with firewalls
• Enumerate with nmap or tcpdump
  • Can show you which ports are filtered (blocked)
• Some proxies return a banner
  • Eagle Raptor
• TCP traffic itself may provide a signature
• Ping the un-pingable
  • hping
  • Look for ICMP type 13 (admin prohibited)

Dealing with firewalls (cont.)
• ACLs may allow scanning if source port is set
  • nmap with "-g" option
• Port redirection
  • fpipe
  • netcat
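The source-port trick on this slide, the port-88 scan on the Scanning Windows slide and the SYN/XMAS scans on the Landscape discovery slide all leave a recognisable pattern in firewall logs. As an added example that is not part of the original slides, the classifier below runs over a constructed log (the "src_ip src_port dst_ip dst_port flags" line format, the addresses, and the sweep threshold are all assumptions) and reports each source with the scan types it exhibits.

```python
# Added example: flag SYN sweeps, XMAS scans and fixed privileged source
# ports in a constructed firewall log. Format and thresholds are assumed.
from collections import defaultdict

SAMPLE_LOG = """\
198.51.100.7 88 192.0.2.10 139 S
198.51.100.7 88 192.0.2.10 445 S
198.51.100.7 88 192.0.2.10 1433 S
198.51.100.7 88 192.0.2.10 3389 S
198.51.100.9 40512 192.0.2.10 80 FPU
198.51.100.9 40513 192.0.2.10 22 FPU
203.0.113.5 51000 192.0.2.10 443 S
203.0.113.5 51000 192.0.2.10 443 A
"""

XMAS_FLAGS = {"F", "P", "U"}   # FIN+PSH+URG lit together

def parse_log(text):
    records = []
    for line in text.splitlines():
        src, sport, dst, dport, flags = line.split()
        records.append((src, int(sport), dst, int(dport), set(flags)))
    return records

def classify_scans(records, syn_port_threshold=3):
    """Return {src_ip: sorted list of findings}."""
    syn_ports = defaultdict(set)
    findings = defaultdict(set)
    for src, sport, dst, dport, flags in records:
        # XMAS: FIN/PSH/URG with no SYN or ACK never occurs in a real session.
        if XMAS_FLAGS <= flags and not ({"S", "A"} & flags):
            findings[src].add("xmas-scan")
        if flags == {"S"}:              # half-open probe: bare SYN
            syn_ports[src].add(dport)
            # A client SYN from a privileged port (e.g. 88) is the pattern
            # that ACLs keyed on source port are fooled by.
            if sport < 1024:
                findings[src].add("fixed-source-port-%d" % sport)
    for src, ports in syn_ports.items():
        if len(ports) >= syn_port_threshold:
            findings[src].add("syn-sweep")
    return {src: sorted(f) for src, f in findings.items()}

if __name__ == "__main__":
    for src, f in classify_scans(parse_log(SAMPLE_LOG)).items():
        print(src, ", ".join(f))
```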