Computer & Network Hacker Exploits Step-by step
Stages of an Attack
• Target Selection
• Reconnaissance
• Penetration
• Internal operations, keeping the connection

Overview
• Reconnaissance
• Scanning
  • War dialers
  • Port scanning and mapping
  • Firewall filters and Firewalk
  • Vulnerability scanners
• Exploit the System
  • Gaining access
  • DOS tools
  • Application-level attacks
• Keeping Access
  • BO2K
  • Rootkits
  • Knark
• Covering Your Tracks
  • Covering your tracks in UNIX & Windows
  • Reverse shell
  • Loki
Purpose
The purpose of this part of the course is to understand attack methods ... so we can implement effective defense strategies.
• We must protect our systems
• How can we create effective defenses? That's the real reason we're here
• Why these tools & techniques?
  • Because they are in widespread use right now
  • They provide us fundamental information about the principles the attackers are employing
  • They illustrate what we need to do to defend ourselves
  • Some of them are pretty Kewl! Some are VERY NASTY!
Note!
• To the extent possible, platform independence is assumed
  • Individual tools may run on UNIX or Windows...
  • We will cover attack concepts that can be applied against Windows NT, UNIX, or other platforms (Novell, VAX, MVS, etc.)
• I've included links to tools -- use at your own risk!
  • They could harm your network in unexpected ways
  • Review the source code... Is this legit?
  • Experiment on a test network, separated from production and office or campus systems
• Also, DON'T USE YOUR WORK OR BUSINESS ACCOUNT TO DOWNLOAD THE TOOLS OR SURF THE HACKER SITES! Why?
General Trends of Exploits
• What are we seeing in the wild?
• Hacker tools are getting easier to use and more easily distributed
• The rise of hacker groups as distribution houses for software
  • The L0pht and Cult of the Dead Cow
  • High-quality, extremely functional hacker tools
  • Better quality than from some major software houses
General Trends
• Excellent communication through the computer underground: chat, the web, informal groups, and hacker computer and network conferences
• With the rise of these hacker groups, a lot more information about security is available to the general public. The less-informed attackers (often called "script kiddies" or "ankle biters") will use this information in attacks. We must use this information to defend ourselves. I've included several references at the end of the handouts to help you stay informed.
General Trends
• There used to be many different types of systems out there ("the computer room")
• Now we have a smaller number of system types (Windows, Linux, MacOS, SunOS, FreeBSD, Palm, etc.)
• They are distributed everywhere!
• Less experienced users and administrators
• One virus or attack can jeopardize a vast number of systems (Morris worm, Melissa virus, I LOVE YOU)
• Home laboratories are easy to set up for the hacker!
NEVER UNDERESTIMATE YOUR ADVERSARY!!!
Your Adversary's Advantages
• He can use multiple sources for his attack
• His attack can be timed to be inconvenient for you (Friday before a 3-day holiday, Christmas Eve, during your company picnic, ...)
• He has the ability to corral greater media attention
• Increased sense of 'hero' complex when a hacker brings down a large company
Two Attack Forms
• Zero-knowledge attack: no knowledge from inside your organization is known before the attempt is made to target your company (your assets, intellectual property, finances, or other)
• Knowledgeable attack, perhaps by use of an insider, or from an insider: an insider, either implanted or home-grown, has decided to gather information to be used for targeting your organization
Reconnaissance
• An attacker will gather as much information as he can about you, your company, your people, your computers, your network, and your physical security.
• Your network: you may not know it, but there is already much information about you out there.
• An adversary will use all the data mining possible.
Open Information
• American Registry for Internet Numbers: who owns a particular IP address (Whois) (http://www.arin.net/whois/arinwhois.html)
• DNS interrogation (use nslookup)
• Target's own web site: crawl it; a lot of info can be gathered by crawling (names, e-mail addresses, phone numbers, branches of the organization, trusted relationships). Programs: Websnake, Webzip, curl
• Search engines, web searches: can show trusted relations (for example, you may show up on a customer list, or your web designer may use you as a reference)
Open Information
• Usenet news postings (WWW.Deja.com)
• Flipping: related pages which link to the target. Use AltaVista and search for link:www.target.com (HotBot: linkdomain:www.target.com)
  • Example: on AltaVista, link:cisco.com AND title:resume if you are looking for resumes of Cisco engineers.
Open Information
• X-Raying: finding areas in a company web page not normally accessible. How? In AltaVista, host: or url: followed by keywords or names.
  • Example: host:lucent.com and "business development"
Open Information
• Peeling: many times there is more information embedded within really long URLs. Peel off some of the junk and look for web addresses or secondary addresses, and unique areas.
  • Example: http://www.lucent.com/web1.lucent.com/resumes/kramerz.html
  • http://anon.free.anonymizer.com/http://www.snowmaps.com
Open Information
• Anchor searches: anchor labels may be informative in searching for targets.
  • Example: you can search the anchors by using a search engine and using anchor:"view resumes"
• Harvesting: pick out and use keywords in related documents, then use meta search engines (like alltheweb.com, mamma.com, dogpile.com)
Open Information
• Peer searches: once you find specific information or specific people, conduct peer searches using the meta search engines.
  • Example: Jon Doe, bank manager, doej@bank.com
  • Use dogpile and look for all other references to doej@bank.com
  • Might turn up that doej is into drag racing, and a common dialog could be established.
Open Information
• Open a phony e-mail account. Send e-mail to insiders. (The return e-mail headers can tell you loads of info about the inside systems!)
• DATA-MINING!!!! Company, people, trusted relationships, mailing lists
• Capability to connect to the company DNS server (pull down all registered domains at a site!)
Scanning “finding weak points”
WAR Dialing
• Named for the dialer in the movie "WarGames"
• An attacker is trying to find a backdoor into your network: a modem which is used for remote access.
• This might be the easiest point of penetration!
• The telephone numbers gathered in the recon phase are a good starting point!
• Phreaking is looking for voice back doors, whereas hacking is looking for network access backdoors.
Scanning
WAR Dialing
• War dialers dial a sequence of telephone numbers attempting to locate modem carriers or a secondary dial tone
• "Demon dialers" is another name
• Phone numbers come from: phone book, InterNIC data, web crawl, mailing lists, newsgroups, social engineering ("I am from the phone company and I need to verify what numbers you folks are using for data lines...")
Scanning – WAR Dialers
WAR Dialer Software
• The Hackers Choice 2.0
• A-DIAL (Auto Dial) by VeXaTiOn, 1995
• Deluxe Fone-Code Hacker by The Sorceress KHAIAH, 1985
• Dialing Demon version 1.05 by Tracy McKibben, 1988
• Doo Tools version 1.10 by Phantom Photon, 1991
• PBX Scanner version 5.0 by Great White, 1989
• SuperDialer 1.03 by Evan Anderson, 1990
• ToneLoc 1.10 by Minor Threat & Mucho Maas, 1994
• X-DialerR by ICiKl, 1996
• Z-Hacker 3.21 by BlackBeard, 1991
The Hackers Choice 2.0
• THC-Scan 2.0, The Hacker's Choice (THC)
• Written by Van Hauser; released 12/98
• Essentially an update to the very venerable ToneLoc (by Mucho Maas and Minor Threat, 1994)
• Available at http://thc.inferno.tusculum.edu
• THC-Scan is one of the most full-featured, non-commercial war dialing tools available today.
The Hackers Choice 2.0 • Need a screenshot here Scanning – WAR Dialers
The Hackers Choice 2.0
• Note that the screen shows a nice real-time inventory of detected lines.
• A convenient statistic is the number of lines dialed per hour. With a single machine and a single modem, we typically do 100 to 125 lines per hour. This is a useful metric in determining how long it will take to dial large numbers of lines (also, it helps you to see what your consultants really are charging you if you outsource this!)
THC 2.0 Features
• Carrier mode and tone mode (open PBX: allows you to dial another number)
• Dial random, sequential, or a list of numbers
• Scanning through a modem out-dial
• Break up work across multiple machines, or multiple instances of THC-Scan on one system, each with its own modem
• Supports a separate dialing program (THC-Scan supplies the telephone number to the dialer program)
THC 2.0 Features
• Nudging: sending a pre-defined string of characters to a discovered modem. The war dialer "nudges" the target to get it to respond with possibly useful information: banners, login prompts, etc.
• Random waits between calls (to lower the chance of detection)
• Rudimentary jamming detection (counts the number of busy signals)
Ok, I found the numbers...
• You found a number of modems. What do you do now??
• Review the war dialer logs and look for familiar login prompts or even warning banners
• Connect to each discovered modem
  • Oftentimes you will find a system without a password
    • PCAnywhere for a clueless user -- you're in, baby!
    • Old, neglected machine still on the network
    • A Router!!!!!
  • If there is a userID/password prompt, guess
    • Make it an educated guess, based on the system
    • What are default accounts/passwords?
    • What are common things associated with the target?
Notes...
• THC has released a powerful scripting language for hacking login prompts: Login Hacker (http://thc.inferno.tusculum.edu/)
  • It is a tool for password guessing
• Many systems tell you what platform they are (e.g., "Hi, I'm AIX!"). For others, you can determine this information from the nature of the prompt. UNIX boxes and Cisco router prompts are particularly easy to identify.
• While guessing passwords is a time-consuming process, keep in mind that time is the single greatest resource your adversaries have.
Try these Username/passwords!
• Root
• sync
• bin
• nobody
• operator
• manager
• Admin
• Administrator
• System
• days of the week
• COMPANY NAME
• COMPANY PRODUCT
• Custom dictionaries built from company keywords and acronyms
WAR Dialer Defense
• An effective dial-up line and modem policy is crucial
• Inventory all dial-up lines with a business need
• Activate scanning detection functionality in your PBX, if available
• Telewalls: a firewall for phones
• Conduct war dialing exercises against your own network
  • Reconcile your findings to the inventory
  • Utilize a commercial war dialer (Sandstorm's PhoneSweep or ISS's Telephony Scanner), or ToneLoc or THC-Scan (free)
• Conduct periodic desk-to-desk checks in the evenings
  • Use two people for this (buddy system)
Some concerns
• When war dialing against your own network, how do you determine which numbers to dial?
• You should get a list of all analog lines at your PBX. You may also want to consider dialing digital lines, because inexpensive digital line modem adapters are readily available.
Some concerns
• A major concern involves numbers not accessible through your PBX (i.e., direct lines from the telco). The best, although not ideal, approach for finding these is to follow the money: get the telephone bills from the telco. Ask your telco to give you a copy of all bills being mailed to a given address, or, if possible, all bills for lines at a certain address.
Some concerns
• When you do desk-to-desk checks, you should always employ the buddy system. With an explicit two-person team checking for unwanted/unregistered modems, you will not be subject to claims of unfairness or, worse yet, theft from people's desks. If a single person checks for modems late at night and something turns up missing from someone's desk, you may have significant problems.
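The defense slides above say to war dial your own lines and "reconcile your findings to the inventory". The script below is an added example of that reconciliation step; it is not part of the course handout or of any war dialer. The inventory format (number, owner, purpose) and the log format (number, result, banner) are assumptions, and both data sets are constructed for the example. It separates modems that answered but are not on the inventory, registered lines that did not answer (disconnected, or a number the sweep missed), and numbers that returned a secondary dial tone (an open PBX out-dial).

```python
"""Reconcile a war-dialing log against the dial-up line inventory.

Added example, not from the course. The CSV inventory and the
'number,result,banner' log format are assumptions; the data is constructed.
"""
import csv
import io

# Constructed inventory: analog lines with a documented business need.
INVENTORY_CSV = """number,owner,purpose
555-0101,IT,Out-of-band router console
555-0102,Finance,Bank EDI link
555-0103,IT,PCAnywhere support host
555-0105,Facilities,HVAC vendor dial-in
"""

# Constructed war-dialer results for the 555-01xx block.
# RESULT is one of CARRIER (modem answered), TONE (secondary dial tone),
# VOICE, or BUSY; BANNER is whatever the nudge string got back.
WARDIAL_LOG = """555-0100,VOICE,
555-0101,CARRIER,cisco-2500 User Access Verification
555-0102,CARRIER,
555-0103,CARRIER,pcAnywhere
555-0104,BUSY,
555-0107,CARRIER,Login:
555-0109,TONE,
555-0112,CARRIER,Welcome to VAX/VMS
"""


def load_inventory(text):
    """Map each registered number to its owner/purpose row."""
    return {row["number"]: row for row in csv.DictReader(io.StringIO(text))}


def load_wardial_log(text):
    """Parse 'number,result,banner' rows; the banner may itself contain commas."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        number, result, banner = line.split(",", 2)
        rows.append({"number": number, "result": result, "banner": banner})
    return rows


def reconcile(inventory, log):
    """Compare carriers found by the sweep with the registered line inventory."""
    carriers = {r["number"]: r for r in log if r["result"] == "CARRIER"}
    # Modems that answered but nobody registered: the desk-to-desk follow-up list.
    unregistered = sorted(n for n in carriers if n not in inventory)
    # Registered lines that did not answer: disconnected, moved, or missed by the sweep.
    not_answering = sorted(n for n in inventory if n not in carriers)
    # A secondary dial tone is an open PBX out-dial; it must be closed, not just logged.
    second_tone = sorted(r["number"] for r in log if r["result"] == "TONE")
    # Unregistered carriers that returned a login banner get priority.
    with_banner = {n: carriers[n]["banner"] for n in unregistered if carriers[n]["banner"]}
    return {
        "unregistered_modems": unregistered,
        "unregistered_with_banner": with_banner,
        "inventory_not_answering": not_answering,
        "secondary_dial_tone": second_tone,
    }


def run_report():
    """Run the reconciliation over the constructed data."""
    return reconcile(load_inventory(INVENTORY_CSV), load_wardial_log(WARDIAL_LOG))


if __name__ == "__main__":
    for key, value in run_report().items():
        print(f"{key}: {value}")
```

Numbers in the "unregistered" list are the ones to walk to during the desk-to-desk check; the "not answering" list is the inventory's own error rate and should shrink as it is cleaned up.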
TCP/IP Handshake
• The TCP/IP 3-way handshake establishes a connection to a port
• All legitimate Transmission Control Protocol (TCP) connections (e.g., HTTP, telnet, ftp, etc.) are established through a three-way handshake.
• 65,535 TCP ports, 65,535 UDP ports (no 3-way handshake with UDP)
Scanning – Port Scanning

Three Way Handshake (Client <-> Server)
1: Client sends SYN, seq=x
2: Server sends SYN|ACK, seq=y, ACK x+1
3: Client sends ACK y+1
• The handshake allows for the establishment of sequence numbers (x and y are ISNs, Initial Sequence Numbers) between the two systems. These sequence numbers are used so that TCP can provide for reliable packet delivery in sequential order.
• Sequence numbers are used for sequencing and retransmissions.
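To make the three steps concrete, here is an added model of the handshake (example code, not from the course): it builds the three segments with the seq/ACK arithmetic the slide gives (x, y, x+1, y+1) and then checks an exchange against those rules. The segment representation is an assumption; the classifier also names the incomplete exchange a SYN ("half-open") scan produces, which is the state a defender looks for when counting unfinished handshakes.

```python
"""TCP three-way handshake model with sequence-number checks.

Added example, not from the course. Segments are constructed in memory;
the Segment class is this example's own representation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
    seq: int
    ack: int = 0


def handshake(client_isn, server_isn):
    """Return the three segments of a legitimate handshake (steps 1-3 on the slide)."""
    syn = Segment("client", "server", frozenset({"SYN"}), seq=client_isn)
    syn_ack = Segment("server", "client", frozenset({"SYN", "ACK"}),
                      seq=server_isn, ack=client_isn + 1)
    ack = Segment("client", "server", frozenset({"ACK"}),
                  seq=client_isn + 1, ack=server_isn + 1)
    return [syn, syn_ack, ack]


def classify(segments):
    """Check an exchange against the handshake rules and name the state it reaches.

    'established'  full handshake, each ACK equals the peer's ISN + 1
    'half-open'    SYN answered with SYN|ACK but the final ACK never came
    'refused'      server answered the SYN with RST (closed port)
    'bad-ack'      an ACK number did not equal peer seq + 1, or wrong flags
    'no-syn'       exchange did not start with a bare SYN (FIN/NULL/ACK probes)
    """
    if not segments or segments[0].flags != {"SYN"}:
        return "no-syn"
    client_isn = segments[0].seq
    if len(segments) < 2:
        return "half-open"
    reply = segments[1]
    if "RST" in reply.flags:
        return "refused"
    if reply.flags != {"SYN", "ACK"} or reply.ack != client_isn + 1:
        return "bad-ack"
    server_isn = reply.seq
    if len(segments) < 3:
        return "half-open"
    final = segments[2]
    if (final.flags != {"ACK"} or final.ack != server_isn + 1
            or final.seq != client_isn + 1):
        return "bad-ack"
    return "established"


if __name__ == "__main__":
    segs = handshake(client_isn=1000, server_isn=5000)
    for s in segs:
        print(f"{s.src} -> {s.dst} {'|'.join(sorted(s.flags))} seq={s.seq} ack={s.ack}")
    print("full exchange:", classify(segs))
    print("SYN + SYN|ACK only:", classify(segs[:2]))
```

A SYN scanner stops after the second segment, so a connection tracker that counts exchanges left in the "half-open" state per source address sees the scan even though no connection was ever logged by the application.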
Port Scanners
• Scan all 65,535 (times 2) ports
  • Find tcp 80: web server
  • Find tcp 23: telnet server
  • Find udp 53: DNS server
  • Find tcp 6000: X Window server
  • etc.
• Nmap is a very useful tool with advanced scanning capabilities
  • Available at: http://www.insecure.org/nmap
Port Scanners
• By scanning each port, we can determine what is listening on the box, and find ways to get in. Tools like Nmap allow us to inventory open ports in a variety of ways. Numerous other port scanners are available, including:
  • strobe
  • Probe
  • etcp
• Nmap is the most fully featured of all of these tools.
• The ISS and CyberCop commercial scanners also include port scanning capabilities.
Open Port Information
• With a list of open ports, the attacker can get an idea of which services are in use by consulting RFC 1700. Also, particular exploits for these services can be found at http://www.technotronic.com.
• The attacker can devise his/her own exploits!
• http://www.iana.org
NMAP
• Allows for conducting numerous types of scans:
  • "Vanilla" TCP scans: connect to every port, with 3-way handshake
  • SYN scans (aka "half-open" scans): only do the initial SYN; harder to detect and much quicker
  • FIN scans: stealthy and bypass some filters
  • SYN scan using IP fragments: bypass some packet filters... Yes!
  • UDP scanning
  • FTP proxy "bounce attack" scanning
  • RPC scanning
  • TCP sequence prediction test
  • ACK scanning
  • Xmas Tree
  • NULL scan
An NMAP scan
NMAP scan – FTP Proxy Bounce
• FTP proxy "bounce attacks" utilize an ancient feature of FTP servers. These servers allow a user to tell the server to send the file to another system. Using this capability, an attacker can bounce an NMAP port scan off of someone's FTP server, to help obscure the source of the attack.
• You should make sure that you disable the FTP bounce capability on your public FTP servers.
NMAP TCP Stack Fingerprinting
• Attempts to determine the operating system of the target by sending various packet types and measuring the response
• This concept originated with a tool called QueSO, available at: http://www.apostols.org/projectz/queso
NMAP TCP Stack Fingerprinting
• Nmap does various types of tests to determine the platform:
  • TCP sequence prediction
  • SYN packet to open port
  • NULL packet to open port
  • SYN|FIN|URG|PSH packet to open port
  • ACK packet to open port
  • SYN packet to closed port
  • ACK packet to closed port
  • FIN|PSH|URG packet to closed port
  • UDP packet to closed port
NMAP TCP Stack Fingerprinting
• In addition to finding out what ports are open on a system, an attacker also wants to determine which platform (operating system and hardware) the system is based on.
• By determining the platform, the attacker can further research the system to determine the particular vulnerabilities it is subject to.
• For example, if the system is a Windows NT Server 4.0 box, the attacker can utilize http://www.technotronic.com or http://xforce.iss.net/ to focus the attack.
NMAP TCP Stack Fingerprinting
• Note that each TCP stack implementation may have a very unique signature in how it behaves, particularly when confronted with various illegal combinations of TCP flags and packets!
• This information is used to identify the target system.
• NMAP has a database of how various systems respond to these illegal flags. NMAP can determine what system you are running!!!
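The flag combinations listed for the scan types (FIN, NULL, Xmas Tree, SYN-only) and for the fingerprinting probes (NULL, SYN|FIN|URG|PSH, FIN|PSH|URG) never occur in a legitimate connection, which makes them easy to flag on the defender's side. The classifier below is an added example (not from the course and not Nmap's code) that runs over constructed packet records and reports, per source address, both the illegal flag combinations and a bare-SYN sweep across many ports. The record format (src, dst, dport, flag letters) and the sweep threshold are assumptions.

```python
"""Flag-combination classifier for spotting scan and fingerprinting probes.

Added example, not from the course or from Nmap. Works on constructed
(src, dst, dport, flags) records; flag letters S/A/F/R/P/U follow the usual
tcpdump-style abbreviation. Record format and threshold are assumptions.
"""
from collections import defaultdict

# Constructed records: one host probing a server, plus one ordinary client.
RECORDS = [
    ("10.0.0.9", "192.0.2.10", 22, "S"),
    ("10.0.0.9", "192.0.2.10", 23, "S"),
    ("10.0.0.9", "192.0.2.10", 25, "S"),
    ("10.0.0.9", "192.0.2.10", 80, "S"),
    ("10.0.0.9", "192.0.2.10", 443, "S"),
    ("10.0.0.9", "192.0.2.10", 6000, "S"),
    ("10.0.0.9", "192.0.2.10", 80, ""),       # NULL probe: no flags at all
    ("10.0.0.9", "192.0.2.10", 80, "FPU"),    # Xmas tree / FIN|PSH|URG probe
    ("10.0.0.9", "192.0.2.10", 80, "SFUP"),   # SYN|FIN|URG|PSH fingerprint probe
    ("10.0.0.9", "192.0.2.10", 80, "F"),      # FIN scan
    ("10.0.0.9", "192.0.2.10", 80, "A"),      # bare ACK: needs connection state to judge
    ("10.0.0.42", "192.0.2.10", 80, "S"),     # ordinary client: SYN, then ACK, then data
    ("10.0.0.42", "192.0.2.10", 80, "A"),
    ("10.0.0.42", "192.0.2.10", 80, "PA"),
]

SYN_SWEEP_THRESHOLD = 5  # distinct ports hit with a bare SYN before calling it a sweep


def classify_flags(flags):
    """Name the illegal probe a flag combination corresponds to, or None if ordinary.

    A bare ACK is not reported here: it is legal mid-connection, and only a
    stateful tracker can tell an ACK scan from real traffic.
    """
    f = set(flags)
    if not f:
        return "null-scan"
    if f == {"F", "P", "U"}:
        return "xmas-scan"
    if f == {"S", "F", "U", "P"}:
        return "syn-fin-urg-psh-probe"
    if f == {"F"}:
        return "fin-scan"
    if "S" in f and "F" in f:
        return "syn-fin-probe"  # SYN and FIN together is never legitimate
    return None


def analyze(records, threshold=SYN_SWEEP_THRESHOLD):
    """Return {src: [(finding, detail), ...]} for illegal flags and SYN sweeps."""
    findings = defaultdict(list)
    syn_ports = defaultdict(set)
    for src, dst, dport, flags in records:
        kind = classify_flags(flags)
        if kind:
            findings[src].append((kind, dport))
        if set(flags) == {"S"}:
            syn_ports[(src, dst)].add(dport)
    # Many distinct ports opened with bare SYNs from one source is a port sweep,
    # whether or not the handshakes were ever completed.
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= threshold:
            findings[src].append(("syn-sweep", len(ports)))
    return dict(findings)


if __name__ == "__main__":
    for src, items in analyze(RECORDS).items():
        print(src)
        for kind, detail in items:
            print(f"  {kind}: {detail}")
```

The ordinary client never appears in the output: a single SYN is below the sweep threshold and its ACK and PSH|ACK segments are legal. Tune the threshold to the monitored network, since a busy client legitimately opens a handful of ports on one server.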