Computer & Network Hacker Exploits

Presentation Transcript


  1. Computer & Network Hacker Exploits Step-by-step

  2. Stages of An Attack • Target Selection • Reconnaissance • Penetration • Internal operations, Keeping the connection

  3. Overview • Reconnaissance • Scanning • War dialers • Port scanning and mapping • Firewall filters and Firewalk • Vulnerability Scanners

  4. Overview • Exploit the System • Gaining Access • DOS tools • Application level Attacks • Keeping Access • BO2K • Rootkits • Knark

  5. Overview • Covering Your Tracks • Covering your tracks in UNIX & Windows • Reverse Shell • Loki

  6. Purpose The purpose of this part of the course is to understand attack methods ... ...so we can implement effective defense strategies • We must protect our systems • How can we create effective defenses? • That's the real reason we're here • Why these tools & techniques? • Because they are in widespread use right now • They provide us fundamental information about the principles the attackers are employing. • They illustrate what we need to do to defend ourselves • Some of them are pretty Kewl! Some are VERY NASTY!

  7. Note! • To the extent possible, platform independence is assumed • Individual tools may run on UNIX or Windows... • We will cover attack concepts that can be applied against Windows NT, UNIX, or other platforms (Novell, VAX, MVS, etc.) • I've included links to tools ‑‑ Use at your own risk! • They could harm your network in unexpected ways • Review the source code... Is this legit? • Experiment on a test network, separated from production and office or campus systems • Also, DON'T USE YOUR WORK OR BUSINESS ACCOUNT TO DOWNLOAD THE TOOLS OR SURF THE HACKER SITES! Why?

  8. General Trends of Exploits • What are we seeing in the wild? • Hacker tools are getting easier to use and more easily distributed • The rise of hacker groups as distribution houses for software • The L0pht and Cult of the Dead Cow • High‑quality, extremely functional hacker tools • Better quality than from some major software houses

  9. General Trends • Excellent communication through the computer underground: chat, the web, informal groupings, and hacker computer and network conferences • With the rise of these hacker groups, a lot more information about security is available to the general public. The less‑informed attackers (often called "script kiddies" or "ankle biters") will use this information in attacks. We must use this information to defend ourselves. I've included several references at the end of the handouts to help you stay informed.

  10. General Trends • There used to be many different types of systems out there ("the computer room") • Now, we have a smaller number of system types (Windows, Linux, MacOS, SunOS, FreeBSD, Palm, etc.) • They are distributed everywhere! • Less experienced users and administrators • One virus or attack can jeopardize a vast number of systems (Morris worm, Melissa virus, I LOVE YOU) • Home laboratories are easy to set up for the hacker!

  11. NEVER UNDERESTIMATE YOUR ADVERSARY!!!

  12. Your Adversary's Advantages • He can use multiple sources for his attack • His attack can be timed to be inconvenient for you (Friday before a 3-day holiday, Christmas Eve, during your company picnic, …) • He has the ability to corral greater media attention • Increased sense of a 'hero' complex when a hacker brings down a large company.

  13. Two Attack Forms • Zero-Knowledge Attack: no knowledge from inside your organization is known before the attempt is made to target your company (your assets, intellectual property, finances, or other) • Knowledgeable Attack: perhaps by use of an insider, or from an insider. An insider, either implanted or home grown, has decided to gather information to be used for targeting your organization.

  14. Reconnaissance

  15. Reconnaissance • An attacker will gather as much information as he can about you, your company, your people, your computers, your network, and your physical security. • You may not know it, but there is already much information about you out there. • An adversary will use all data mining possible. Reconnaissance

  16. Open Information • American Registry for Internet Numbers • Who owns a particular IP address (Whois) • (http://www.arin.net/whois/arinwhois.html) • DNS interrogation (use nslookup) • Target's own web site (crawl it – a lot of info can be gathered by crawling – names, e-mail addresses, phone numbers, branches of the organization, trusted relationships); programs: Websnake, Webzip, curl • Search engines, web searches: can show trusted relations (for example, you may show up on a customer list, your web designer may use you as a reference) Reconnaissance

  17. Open Information • Usenet news postings (WWW.Deja.com) • Flipping: related pages which link to the target – use AltaVista, and search for link:www.target.com • (HotBot – linkdomain:www.target.com) • Example: on AltaVista, link:cisco.com AND title:resume if you are looking for resumes of Cisco engineers. Reconnaissance

  18. Open Information • X-Raying: finding areas in a company web page not normally accessible. How? In AltaVista, host: or url: followed by keywords or names. • Example: host:lucent.com and "business development" Reconnaissance

  19. Open Information • Peeling: many times there is more information embedded within really long URLs. Peel off some of the junk and look for web addresses or secondary addresses, and unique areas. • Example: http://www.lucent.com/web1.lucent.com/resumes/kramerz.html • http://anon.free.anonymizer.com/http://www.snowmaps.com Reconnaissance

  20. Open Information • Anchor Searches: Anchor labels may be informative in searching for targets. • Example: You can search the anchors by using a search engine and using anchor: “view resumes” • Harvesting: pick out and use keywords in related documents then use meta search engines (like alltheweb.com, mamma.com, dogpile.com) Reconnaissance

  21. Open Information • Peer searches: once you find specific information or specific people, conduct peer searches using the Meta search engines. • Example: Jon Doe bank manager doej@bank.com • use dogpile and look for all other references to doej@bank.com • Might turn up doej is into drag racing and a common dialog could be established. Reconnaissance

  22. Open Information • Open a phony e-mail account. Send e-mail to insiders. (The return e-mail headers can tell you loads of info about the inside systems!) • DATA-MINING!!!! Company, people, trusted relationships, mailing lists • Capability to connect to company DNS server (pull down all registered domains at a site!) Reconnaissance
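The point about return e-mail headers deserves a worked illustration from the defender's side. The Python script below is an added example, not code from the original course: it parses the Received: hops of a constructed reply message and reports which hops expose private (RFC 1918) addresses, internal host names and MTA version banners, which is exactly the information the slide says an outsider can harvest. All host names, addresses and ids in the sample are invented for this example.

```python
import ipaddress
import re

# Constructed sample: headers from a reply an insider sent to an outside mailbox.
# Every host name, address and id is invented; the gateway uses a documentation
# range (RFC 5737), which is deliberately NOT an RFC 1918 network.
SAMPLE_HEADERS = """\
Received: from mailgw.example-corp.com (mailgw.example-corp.com [203.0.113.10])
    by mx.freemail.example (Postfix) with ESMTP id 4F2A1C
Received: from exch01.corp.example-corp.com (exch01.corp.example-corp.com [10.20.5.17])
    by mailgw.example-corp.com (Sendmail 8.9.3) with ESMTP
Received: from wkstn-042.corp.example-corp.com ([192.168.14.42])
    by exch01.corp.example-corp.com with Microsoft SMTPSVC(5.5.1877.197.19)
From: Jon Doe <doej@example-corp.com>
Subject: Re: quick question
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FROM_RE = re.compile(r"^Received:\s*from\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)(?:\s+\(([^)]*)\))?")


def unfold(raw):
    """Join RFC 822 continuation lines so each header occupies a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def received_hops(raw):
    """One dict per Received: header, in the order they appear (latest hop first)."""
    hops = []
    for line in unfold(raw).splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(line)
        by = BY_RE.search(line)
        hops.append({
            "from_host": m.group(1),
            "from_ip": ip.group(1) if ip else None,
            "by_host": by.group(1) if by else None,
            "mta": by.group(2) if by and by.group(2) else None,  # software in parentheses after "by host"
        })
    return hops


def is_rfc1918(ip):
    """True if the address belongs to one of the private RFC 1918 networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def leaked_internals(raw):
    """Hops whose sending address is private: each one names an internal host to the outside world."""
    return [(hop["from_host"], hop["from_ip"])
            for hop in received_hops(raw)
            if hop["from_ip"] and is_rfc1918(hop["from_ip"])]


def leaked_mta_banners(raw):
    """Software/version strings the relaying MTAs stamped into the headers."""
    return [hop["mta"] for hop in received_hops(raw) if hop["mta"]]


if __name__ == "__main__":
    for host, ip in leaked_internals(SAMPLE_HEADERS):
        print("internal host exposed:", host, ip)
    print("MTA banners exposed:", leaked_mta_banners(SAMPLE_HEADERS))
```

Run against mail that your own gateway sends out: every hop the script lists is a host name, address or software version that the outside world does not need, and most gateways can be configured to strip or rewrite the internal Received: lines.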

  23. Scanning “finding weak points”

  24. WAR Dialing • Named for the dialer in the movie “Wargames” • An attacker is trying to find a backdoor into your network. A modem which is used for remote access. • This might be the easiest point of penetration! • The telephone numbers gathered in the recon phase are a good starting point! • Phreaking is looking for voice back doors, whereas hacking is looking for network access backdoors. Scanning

  25. WAR Dialing • War dialers dial a sequence of telephone numbers attempting to locate modem carriers or a secondary dial tone • "Demon dialers" is another name • Phone numbers come from: • Phone book, InterNIC data, web crawl, mailing lists, newsgroups, social engineering ("I am from the phone company and I need to verify what numbers you folks are using for data lines…") Scanning – WAR Dialers

  26. WAR Dialer Software • The Hackers Choice 2.0 • A‑DIAL (Auto Dial) by VeXaTiOn, 1995 • Deluxe Fone‑Code Hacker by The Sorceress KHAIAH 1985 • Dialing Demon version 1.05 by Tracy McKibben 1988 • Doo Tools version 1.10, by Phantom Photon 1991 • PBX Scanner Version 5.0, by Great White 1989 • SuperDialer 1.03 by Evan Anderson 1990 • ToneLoc 1.10 by Minor Threat & Mucho Maas 1994 • X‑DialerR by ICiKl 1996 • Z‑Hacker 3.21, by BIackBeard 1991 Scanning – WAR Dialers

  27. The Hackers Choice 2.0 • THC‑Scan 2.0, The Hacker's Choice (THC) • Written by Van Hauser; released 12/98 • Essentially an update to the very venerable ToneLoc (by Mucho Maas and Minor Threat, 1994) • Available at http://thc.inferno.tusculum.edu • THC‑Scan is one of the most full featured, non‑commercial, war dialing tools available today. Scanning – WAR Dialers

  28. The Hackers Choice 2.0 • Need a screenshot here Scanning – WAR Dialers

  29. The Hackers Choice 2.0 • Note that the screen shows a nice real‑time inventory of detected lines. • A convenient statistic is the number of lines dialed per hour. With a single machine and a single modem, we typically do 100 to 125 lines per hour. This is a useful metric in determining how long it will take to dial large numbers of lines (also, it helps you to see what your consultants really are charging you if you outsource this!) Scanning – WAR Dialers

  30. THC 2.0 Features • Carrier Mode and Tone Mode (open PBX – allows you to dial another number) • Dial random, sequential, or a list of numbers • Scanning through a modem out‑dial • Break up work across multiple machines • Or multiple instances of THC‑Scan on one system, each with its own modem • Supports a separate dialing program (THC‑Scan supplies the telephone number to the dialer program) Scanning – WAR Dialers

  31. THC 2.0 Features • Nudging • Nudging refers to sending a pre‑defined string of characters to a discovered modem. The war dialer "nudges" the target, to get it to respond with possibly useful information: banners, login prompts, etc • Random waits between calls (to lower chance of detection) • Rudimentary jamming detection (counts number of busy signals) Scanning – WAR Dialers

  32. Ok, I found the numbers… • You found a number of modems. What do you do now?? • Review the war dialer logs and look for familiar login prompts or even warning banners • Connect to each discovered modem • Often times, you will find a system without a password • PCAnywhere for a clueless user ‑‑ you're in, baby! • Old, neglected machine still on the network • A Router!!!!! • If there is a userID/password prompt, guess • Make it an educated guess, based on the system • What are default accounts/passwords? • What are common things associated with the target? Scanning – WAR Dialers

  33. Notes… • THC has released a powerful scripting language for hacking login prompts: Login Hacker (http://thc.inferno.tusculum.edu/) • It is a tool for password guessing • Many systems tell you what platform they are (e.g., "Hi, I'm AIX!"). For others, you can determine this information from the nature of the prompt. UNIX boxes and Cisco router prompts are particularly easy to identify. • While guessing passwords is a time‑consuming process, keep in mind that time is the single greatest resource your adversaries have. Scanning – WAR Dialers

  34. Try these usernames/passwords! • root • sync • bin • nobody • operator • manager • Admin • Administrator • System • days of the week • COMPANY NAME • COMPANY PRODUCT • Custom dictionaries built from company keywords and acronyms Scanning – WAR Dialers

  35. WAR Dialer Defense • An effective dial‑up line and modem policy is crucial • Inventory all dial‑up lines with a business need • Activate scanning detection functionality in your PBX, if available • Telewalls – A firewall for phones • Conduct war dialing exercises against your own network • reconcile your findings to the inventory • Utilize a commercial war dialer • Sandstorm's Phonesweep or ISS's Telephony Scanner • Toneloc or THCScan (Free) • Conduct periodic desk‑to‑desk checks in the evenings • Use two people for this (buddy system) Scanning – WAR Dialers

  36. Some concerns • When war dialing against your own network, how do you determine which numbers to dial? • you should get a list of all analog lines at your PBX. You may also want to consider dialing digital lines, because inexpensive digital line modem adapters are readily available. Scanning – WAR Dialers

  37. Some concerns • A major concern involves numbers not accessible through your PBX (i.e., direct lines from the telco). The best, although not ideal, approach for finding these is to follow the money ‑ get the telephone bills from the telco. Ask your telco to give you a copy of all bills being mailed to a given address, or, if possible, all bills for lines at a certain address. Scanning – WAR Dialers

  38. Some concerns • When you do desk‑to‑desk checks, you should always employ the buddy system. With an explicit two‑person team checking for unwanted/unregistered modems, you will not be subject to claims of unfairness or, worse yet, theft from people's desks. If a single person checks for modems late at night, and something turns up missing from someone's desk, you may have significant problems. Scanning – WAR Dialers

  39. Port Scanning

  40. TCP/IP Handshake • The TCP/IP 3-way handshake establishes a connection to a port • All legitimate Transmission Control Protocol (TCP) connections (e.g., HTTP, telnet, ftp, etc.) are established through a three‑way handshake • 65,535 TCP ports, 65,535 UDP ports (no 3-way handshake with UDP) Scanning – Port Scanning

  41. Three Way Handshake • 1: Client sends SYN, seq=x • 2: Server sends SYN seq=y, ACK x+1 • 3: Client sends ACK y+1 • The handshake allows for the establishment of sequence numbers (x and y are ISNs = Initial Sequence Numbers) between the two systems. These sequence numbers are used so that TCP can provide reliable packet delivery in sequential order. Sequence numbers are used for sequencing and retransmissions.

  42. Port Scanners • Scan all 65,535 (times 2) ports • Find tcp 80, web server • Find tcp 23, telnet server • Find udp 53, DNS server • Find tcp 6000, X Window server • etc. • Nmap is a very useful tool with advanced scanning capabilities • Available at: http://www.insecure.org/nmap Scanning – Port Scanning

  43. Port Scanners • By scanning each port, we can determine what is listening on the box, and find ways to get in. Tools like Nmap allow us to inventory open ports in a variety of ways. Numerous other port scanners are available, including: • strobe • Probe • etcp • Nmap is the most fully featured of all of these tools. • The ISS and CyberCop commercial scanners also include port scanning capabilities. Scanning – Port Scanning

  44. Open Port Information • With a list of open ports, the attacker can get an idea of which services are in use by consulting RFC 1700. Also, particular exploits for these services can be found at • http://www.technotronic.com. • the attacker can devise his/her own exploits! • http://www.iana.org Scanning – Port Scanning

  45. NMAP • Allows for conducting numerous types of scans: • "Vanilla" TCP scans – connect to every port, with 3‑way handshake • SYN scans (aka "half‑open" scans) – only do the initial SYN; harder to detect and much quicker • FIN scans – stealthy and bypass some filters • SYN scan using IP fragments – bypass some packet filters... Yes! • UDP scanning • FTP Proxy "Bounce Attack" scanning • RPC scanning • TCP sequence prediction test • ACK scanning • Xmas Tree • NULL scan • An NMAP scan Scanning – Port Scanning
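Slide 41's handshake and the "half-open" SYN scan on this slide are two views of the same state machine, so the following Python example (added here; it is not code from the course or from Nmap) covers both. It builds the three segments of a valid handshake with the slide's x/y sequence numbers, verifies the x+1 / y+1 arithmetic, and then tracks a constructed packet trace the way a network monitor would: a flow counts as established only after a correct ACK y+1, a SYN that is answered by SYN/ACK and then reset is half-open, and a SYN answered by RST is refused. A source that leaves many such unfinished flows across distinct ports is what a SYN scan looks like on the wire. Addresses come from the RFC 5737 documentation ranges and all sequence numbers are made up.

```python
from collections import defaultdict

# Added example, not from the original deck. Addresses are RFC 5737 documentation
# ranges; sequence numbers are invented.


def handshake(client_isn, server_isn):
    """The three segments of a valid handshake as (sender, flags, seq, ack)."""
    return [
        ("client", "S", client_isn, None),                 # 1: SYN, seq=x
        ("server", "SA", server_isn, client_isn + 1),      # 2: SYN seq=y, ACK x+1
        ("client", "A", client_isn + 1, server_isn + 1),   # 3: ACK y+1
    ]


def verify_handshake(segments):
    """Check the sequence/acknowledgement arithmetic of a captured three-way handshake."""
    if len(segments) != 3:
        return False
    (s1, f1, x, _), (s2, f2, y, ack1), (s3, f3, seq3, ack2) = segments
    roles_ok = (s1, f1, s2, f2, s3, f3) == ("client", "S", "server", "SA", "client", "A")
    return roles_ok and ack1 == x + 1 and seq3 == x + 1 and ack2 == y + 1


class ConnectionTracker:
    """Follows every (client, server, port) flow through the handshake states.

    A scan leaves flows that never reach ESTABLISHED: the server answered SYN/ACK
    and the client replied RST (half-open probe of an open port), or the server
    answered RST (closed port).
    """

    def __init__(self):
        self.flows = {}

    def observe(self, src, dst, sport, dport, flags, seq, ack):
        if flags == "S":                                   # client SYN opens a flow
            self.flows[(src, dst, dport)] = {"state": "SYN_SENT", "client_isn": seq, "server_isn": None}
            return
        reply_key = (dst, src, sport)                      # server -> client direction
        if reply_key in self.flows:
            flow = self.flows[reply_key]
            if flags == "SA" and ack == flow["client_isn"] + 1:   # server must ack x+1
                flow["state"], flow["server_isn"] = "SYN_RECEIVED", seq
            elif "R" in flags:
                flow["state"] = "REFUSED"
            return
        flow = self.flows.get((src, dst, dport))           # client -> server direction
        if flow is None:
            return
        if "R" in flags:
            flow["state"] = "HALF_OPEN"
        elif flags == "A" and flow["state"] == "SYN_RECEIVED" and ack == flow["server_isn"] + 1:
            flow["state"] = "ESTABLISHED"                  # only the correct ACK y+1 completes it

    def summary(self):
        """Per-client count of ports by outcome."""
        out = defaultdict(lambda: {"established": 0, "half_open": 0, "refused": 0})
        for (client, _server, _port), flow in self.flows.items():
            state = flow["state"]
            bucket = "established" if state == "ESTABLISHED" else "refused" if state == "REFUSED" else "half_open"
            out[client][bucket] += 1
        return dict(out)


def suspected_syn_scanners(tracker, threshold=5):
    """Clients that touched at least `threshold` ports without ever completing a handshake."""
    return sorted(c for c, n in tracker.summary().items() if n["half_open"] + n["refused"] >= threshold)


def build_sample_trace():
    """Constructed trace: one real HTTP client plus a SYN scan of six ports on the same server."""
    server, pkts = "203.0.113.5", []
    for sender, flags, seq, ack in handshake(1000, 5000):          # legitimate client, x=1000, y=5000
        if sender == "client":
            pkts.append(("198.51.100.7", server, 40000, 80, flags, seq, ack))
        else:
            pkts.append((server, "198.51.100.7", 80, 40000, flags, seq, ack))
    scanner, open_ports = "192.0.2.99", {22, 80}
    for i, port in enumerate([21, 22, 23, 25, 80, 110]):
        sport, x = 50000 + i, 7000 + i
        pkts.append((scanner, server, sport, port, "S", x, None))
        if port in open_ports:                                      # open port: SYN/ACK, then scanner resets
            pkts.append((server, scanner, port, sport, "SA", 9000 + i, x + 1))
            pkts.append((scanner, server, sport, port, "R", x + 1, None))
        else:                                                       # closed port: server resets
            pkts.append((server, scanner, port, sport, "RA", 0, x + 1))
    return pkts


def analyse(pkts):
    """Feed a packet list through the tracker and return it for inspection."""
    tracker = ConnectionTracker()
    for pkt in pkts:
        tracker.observe(*pkt)
    return tracker


if __name__ == "__main__":
    t = analyse(build_sample_trace())
    print(t.summary())
    print("suspected SYN scanners:", suspected_syn_scanners(t))
```

The threshold is the tunable part: a web client that opens one connection per page will never accumulate five unfinished flows to distinct ports, while a scanner reaches it within its first handful of probes, which is why the "harder to detect" claim on the slide only holds against hosts that are not watching connection state.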

  46. NMAP NMAP scan – FTP Proxy Bounce • FTP Proxy "Bounce Attacks" utilize an ancient feature of FTP servers. These servers allow a user to tell the server to send the file to another system. Using this capability, an attacker can bounce an NMAP port scan off of someone's FTP server, to help obscure the source of the attack. • You should make sure that you disable the FTP Bounce capability from your public FTP servers. Scanning – Port Scanning
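The bounce works because the PORT command lets the client name any address for the data connection. The check a server needs is small, and the Python example below (added here; not code from the course or from any FTP server) shows it: it decodes the h1,h2,h3,h4,p1,p2 argument defined in RFC 959 and accepts the data target only when it is the address of the client on the control connection and an unprivileged port. The session requests are constructed and the addresses are from the RFC 5737 documentation ranges.

```python
import ipaddress

# Added example, not from the original deck. Requests below are constructed;
# addresses are RFC 5737 documentation ranges.

# One (control-connection peer, PORT argument) pair per request, as the server sees them.
SAMPLE_PORT_REQUESTS = [
    ("192.0.2.10", "192,0,2,10,4,210"),     # normal active-mode transfer back to the client
    ("192.0.2.10", "203,0,113,7,0,23"),     # asks the server to connect to a third host, port 23
    ("192.0.2.10", "192,0,2,10,0,25"),      # client's own address, but a privileged port
    ("192.0.2.10", "192,0,2"),              # malformed
]


def parse_port_command(arg):
    """Decode the h1,h2,h3,h4,p1,p2 argument of a PORT command (RFC 959) into (address, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT takes six comma-separated fields")
    nums = [int(p) for p in parts]                     # non-numeric fields raise ValueError here
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("each field must be in 0..255")
    host = ipaddress.IPv4Address("%d.%d.%d.%d" % tuple(nums[:4]))
    port = nums[4] * 256 + nums[5]
    return host, port


def port_command_allowed(arg, control_peer):
    """Accept a data-connection target only if it is the requesting client on an unprivileged port.

    Returns (allowed, reason). Refusing any other address is what closes the bounce hole.
    """
    try:
        host, port = parse_port_command(arg)
    except ValueError as exc:
        return False, "malformed PORT argument: %s" % exc
    if host != ipaddress.IPv4Address(control_peer):
        return False, "data address %s is not the control peer %s (bounce attempt)" % (host, control_peer)
    if port < 1024:
        return False, "data port %d is in the privileged range" % port
    return True, "ok"


def audit_port_requests(requests):
    """Run every (peer, argument) pair through the check; return the rejected ones with reasons."""
    rejected = []
    for peer, arg in requests:
        ok, reason = port_command_allowed(arg, peer)
        if not ok:
            rejected.append((arg, reason))
    return rejected


if __name__ == "__main__":
    for arg, reason in audit_port_requests(SAMPLE_PORT_REQUESTS):
        print("rejected PORT %s: %s" % (arg, reason))
```

The same comparison against the control-connection peer is what the "disable FTP bounce" options in modern FTP daemons implement; if your server cannot do it, the slide's advice stands and active mode should be refused outright.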

  47. NMAP TCP Stack Fingerprinting • Attempts to determine the operating system of the target by sending various packet types and measuring the response • This concept originated with a tool called QueSO, available at: http://www.apostols.org/projectz/queso Scanning – Port Scanning

  48. NMAP NMAP TCP Stack Fingerprinting • Nmap does various types of tests to determine the platform: • TCP Sequence Prediction • SYN packet to open port • NULL packet to open port • SYN|FIN|URG|PSH packet to open port • ACK packet to open port • SYN packet to closed port • ACK packet to closed port • FIN|PSH|URG packet to closed port • UDP packet to closed port Scanning – Port Scanning

  49. NMAP NMAP TCP Stack Fingerprinting • In addition to finding out what ports are open on a system, an attacker also wants to determine which platform (Operating system and hardware) the system is based on. • By determining the platform, the attacker can further research the system to determine the particular vulnerabilities it is subject to. • For example, if the system is a Windows NT Server 4.0 box, the attacker can utilize http://www.technotronic.com or http://xforce.iss.net/ to focus the attack. Scanning – Port Scanning

  50. NMAP TCP Stack Fingerprinting • Note that each TCP stack implementation may have a unique signature in how it behaves, particularly when confronted with various illegal combinations of TCP flags and packets! • This information is used to identify the target system. • NMAP has a database of how various systems respond to these illegal flags. NMAP can determine what system you are running!!! Scanning – Port Scanning
