Compromising a Unix Host: An Introduction to Tools and Techniques - Mike Sconzo
Important Things • Information Gathering • Techniques • Active, passive • Tools • Nmap, ping, mtr, traceroute, dig, ettercap, Xprobe2, p0f, Nessus, tcpdump, Dsniff • Types of Attacks • Basic Exploit • What to look for
Active vs. Passive • Passive • Harder for people to detect (especially if truly passive, i.e. the tool never transmits anything) • Sometimes less accurate results • Tools • Tcpdump, p0f, dsniff, ettercap (sometimes), Ethereal (now Wireshark) • Active • Easy to detect, especially when run in the 'default' configuration; can usually be tuned to make it 'harder' to detect • Usually more accurate • Tools • Ping, traceroute, Xprobe2, Nmap, ettercap, Nessus, MTR
Passive Tools • Tcpdump • Sniffer; easy to detect if not run correctly (an interface left in promiscuous mode that still answers crafted ARP probes gives it away) • Effective and easy to use • p0f • Passive OS detection from TCP SYN/SYN-ACK fingerprints; harder to detect • ettercap • Swiss army knife of network hijacking! • Many of the features of Dsniff, but expanded: can MiTM some services and generally cause problems :) • Dsniff • Suite of tools for sniffing cleartext passwords (dsniff) plus arpspoof, dnsspoof, tcpkill and other things
Active Tools • Ping • Check to see if a host is alive ... other uses? • Traceroute • Find the path to a host ... other uses/benefits of knowing path? • MTR • Ping + Traceroute! • Xprobe2 • Active OS fingerprinting using ICMP • Nmap • Active OS fingerprinting, open ports, service versioning and more!
Active Tools continued • ettercap • Arp spoof (many uses), passive OS fingerprinting, MiTM, kill connections (similar to hunt), and ... you can write your own plugins! • Nessus • Vulnerability (!!) scanner, expandable, 'new hotness'
Types of Attacks • Man in The Middle (MiTM) • Sit between target and victim • For some definition of "between" • Denial of Service (DoS) • Deny access to the box/service • Social Engr. • Attack the weakest link • 'sploit • Buffer overflow, format string vuln, etc.
MiTM • Multiple ways/services to attack • SSH (example) • v2 – needs a proxy; the client is warned that the host key changed, so it only works if the user ignores the warning • v1 – not cryptographically secure! • Maybe force a v1 connection (downgrade the client)? • ARP spoof, DNS spoof to get into the path • Other ideas?
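The ARP-spoof step above is what arpwatch-style monitoring catches. As an added example (not code from the original slides or from ettercap/dsniff), the block below parses raw Ethernet/ARP frames, keeps an IP-to-MAC table, and raises an alert when an IP's binding changes, rating it "high" when the change arrives in a reply nobody asked for. The hosts, MAC addresses and frames are constructed sample traffic, not a capture.

```python
"""ARP cache poisoning detector over raw Ethernet/ARP frames (arpwatch-style).

Constructed sample traffic is built inline; no network access is needed.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header + 28-byte ARP body; requests are broadcast, replies unicast."""
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac_to_bytes(target_mac)
    eth = dst + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype Ethernet, ptype IPv4, hlen, plen, opcode
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Return a dict for an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpWatcher:
    """Track IP->MAC bindings and flag changes, like arpwatch's 'changed ethernet address'."""

    def __init__(self):
        self.table = {}                  # ip -> mac last seen claiming it
        self.pending = defaultdict(set)  # ip asked about -> ips that asked
        self.alerts = []

    def feed(self, frame):
        pkt = parse_arp_frame(frame)
        if pkt is None:
            return None
        if pkt["op"] == ARP_REQUEST:
            self.pending[pkt["tpa"]].add(pkt["spa"])
            self._learn(pkt["spa"], pkt["sha"], unsolicited=False)
        elif pkt["op"] == ARP_REPLY:
            # A reply that answers no outstanding request is the signature of poisoning.
            asked = self.pending[pkt["spa"]]
            unsolicited = pkt["tpa"] not in asked
            asked.discard(pkt["tpa"])
            self._learn(pkt["spa"], pkt["sha"], unsolicited)
        return pkt

    def _learn(self, ip, mac, unsolicited):
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append({"ip": ip, "old_mac": old, "new_mac": mac,
                                "severity": "high" if unsolicited else "medium"})
        self.table[ip] = mac


# Constructed hosts (assumed for the demo): victim, gateway, attacker.
VICTIM = ("10.0.0.5", "aa:aa:aa:aa:aa:05")
GATEWAY = ("10.0.0.1", "aa:aa:aa:aa:aa:01")
ATTACKER_MAC = "de:ad:be:ef:00:01"


def sample_frames():
    """Constructed traffic: a normal request/reply, then the attacker poisoning both sides."""
    zero = "00:00:00:00:00:00"
    return [
        build_arp_frame(ARP_REQUEST, VICTIM[1], VICTIM[0], zero, GATEWAY[0]),        # who-has 10.0.0.1?
        build_arp_frame(ARP_REPLY, GATEWAY[1], GATEWAY[0], VICTIM[1], VICTIM[0]),    # 10.0.0.1 is-at aa:..:01
        build_arp_frame(ARP_REPLY, ATTACKER_MAC, GATEWAY[0], VICTIM[1], VICTIM[0]),  # spoof: 10.0.0.1 is-at de:ad:..
        build_arp_frame(ARP_REPLY, ATTACKER_MAC, VICTIM[0], GATEWAY[1], GATEWAY[0]), # spoof: 10.0.0.5 is-at de:ad:..
    ]


def run_arp_sample():
    watcher = ArpWatcher()
    for frame in sample_frames():
        watcher.feed(frame)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_arp_sample():
        print(alert)
```

On a real segment the frames would come from a raw socket or a pcap; the two alerts here are both "high" because the attacker's replies answer no request the watcher ever saw. A legitimate NIC swap also flips a binding, which is why the severity is split rather than every change being treated as an attack.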
DoS • Deny access to something • Login host (example) • ICMP flood (hmm... what can do this?) • SYN flood (use up the available half-open 'connections' in the listen backlog) • Lots more! • Considered a 'lame' attack by itself • But it serves a purpose: e.g. knocking the real host off the network while you impersonate it
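The SYN flood is visible in a packet capture as many handshakes that start but never finish. As an added example (not from the original slides), the block below follows each client-to-server flow through SYN, SYN/ACK and ACK in tcpdump-style text and reports, per server socket, how many flows are still half-open inside a time window. The capture lines are constructed to look like tcpdump's default output; the addresses, ports, window size and threshold are assumptions for the demo.

```python
"""Half-open connection counting over tcpdump-style text (SYN flood detection)."""
import re
from collections import defaultdict

# Matches constructed lines in the shape tcpdump prints, e.g.
#   12:00:00.000123 IP 203.0.113.7.40001 > 10.0.0.1.22: Flags [S], seq 1, win 1024, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return {"t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def handshake_state(lines):
    """Follow each client->server flow through SYN, SYN/ACK, ACK; keep what never completed."""
    flows = {}  # (client, cport, server, sport) -> {"t": syn_time, "state": ...}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        if p["flags"] == "S":  # bare SYN: the client opens
            flows[(p["src"], p["sport"], p["dst"], p["dport"])] = {"t": p["t"], "state": "syn"}
        elif p["flags"] == "S.":  # SYN/ACK: the server answers, so reverse the tuple
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            if key in flows and flows[key]["state"] == "syn":
                flows[key]["state"] = "synack"
        elif p["flags"] == ".":  # pure ACK from the client completes the handshake
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            if key in flows and flows[key]["state"] == "synack":
                flows[key]["state"] = "established"
    return flows


def summarize(flows, window=10.0, threshold=20):
    """Per server socket: half-open flows whose SYN fell within `window` seconds of the last SYN."""
    latest = max((f["t"] for f in flows.values()), default=0.0)
    per_target = defaultdict(lambda: {"half_open": 0, "completed": 0, "sources": set()})
    for (client, _cport, server, sport), f in flows.items():
        entry = per_target[f"{server}:{sport}"]
        if f["state"] == "established":
            entry["completed"] += 1
        elif f["t"] >= latest - window:
            entry["half_open"] += 1
            entry["sources"].add(client)
    return {target: {"half_open": e["half_open"], "completed": e["completed"],
                     "distinct_sources": len(e["sources"]),
                     "flood": e["half_open"] >= threshold}
            for target, e in per_target.items()}


def sample_lines():
    """Constructed capture: three clean handshakes from 10.0.0.5, then 50 spoofed SYNs to port 22."""
    lines = []
    for i in range(3):
        cport = 40000 + i
        lines += [
            f"12:00:00.00{i}000 IP 10.0.0.5.{cport} > 10.0.0.1.22: Flags [S], seq {i}, win 29200, length 0",
            f"12:00:00.00{i}100 IP 10.0.0.1.22 > 10.0.0.5.{cport}: Flags [S.], seq 100, ack {i + 1}, win 65535, length 0",
            f"12:00:00.00{i}200 IP 10.0.0.5.{cport} > 10.0.0.1.22: Flags [.], ack 101, win 29200, length 0",
        ]
    for i in range(50):
        src = f"203.0.113.{i + 1}"  # spoofed sources that never acknowledge the SYN/ACK
        lines += [
            f"12:00:01.{i:06d} IP {src}.{50000 + i} > 10.0.0.1.22: Flags [S], seq {i}, win 1024, length 0",
            f"12:00:01.{i:06d} IP 10.0.0.1.22 > {src}.{50000 + i}: Flags [S.], seq 7, ack {i + 1}, win 65535, length 0",
        ]
    return lines


def run_syn_sample():
    return summarize(handshake_state(sample_lines()))


if __name__ == "__main__":
    for target, stats in run_syn_sample().items():
        print(target, stats)
```

A flow stuck in "syn" (no SYN/ACK at all) is also counted as half-open, since a server whose backlog is full stops answering; in a live capture that is usually the first symptom the victim shows.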
Social Engr. • Go after people • Why guess the password when somebody could just tell it to you? • Get somebody to install a vulnerable version of a program, because a sysadmin's job is giving users something to use • Could even be the latest version of something: if you did a code audit, you may know something secret (aka a 0-day)
'sploits • Attacks in a can • Easy to use • Easy to find • Used by the lowest common denominator! • Effective on systems that have not been patched/configured correctly • Why do the hard stuff if the low-hanging fruit is at knee level? • Excellent way to learn
Basic Attack • We have gathered some information • passive/active • Maybe we did a code audit and found a 0-day to get on the box, or perhaps we downloaded something • But we only got 'user' privs. Bummer, we want r00t! • Now what? Time to find a local exploit! • What to look at? • Kernel, daemons, set-uid programs: why? They run as root, so a bug in any of them hands over root • Escalate privs • Cover your tracks • Wipe logs; fun with Tripwire! (an integrity checker notices the wiped log unless you also get at its database)
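"Fun with Tripwire" is the defender's side of the log wipe: a baseline of file hashes taken before the intrusion exposes the truncated log, the planted binary and the deleted one. As an added example (not from the slides and not Tripwire's own code), the block below builds such a baseline, seals it with an HMAC so that editing the baseline itself is detected, and then runs a constructed "cover your tracks" scenario in a temporary directory. The file names, contents and the signing key are assumptions for the demo.

```python
"""Tripwire-style file integrity baseline with an HMAC over the stored database."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile


def _file_record(path):
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    # mtime is recorded but not trusted: `touch -r` restores it, the hash cannot be restored.
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777), "mtime": int(st.st_mtime)}


def build_baseline(root):
    """Map every regular file under root (relative path) to its hash, size and mode."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = _file_record(full)
    return baseline


def seal(baseline, key):
    """Serialize and HMAC the baseline so an intruder who edits it is detected too."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()


def unseal(blob, key):
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline tampered with or wrong key")
    return json.loads(body)


def compare(root, baseline):
    """Classify paths as added, removed or modified; a mode change (e.g. new setuid bit) counts as modified."""
    current = build_baseline(root)
    both = set(current) & set(baseline)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both
                               if (current[p]["sha256"], current[p]["mode"])
                               != (baseline[p]["sha256"], baseline[p]["mode"]))}


def run_demo():
    """Constructed scenario: baseline a fake root, then wipe a log, plant a binary, delete one."""
    key = b"baseline-signing-key-kept-offline"  # assumed; in practice kept on read-only media
    root = tempfile.mkdtemp()
    try:
        for rel, data in {"etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
                          "var/log/auth.log": b"Accepted password for bob from 10.0.0.9\n" * 20,
                          "bin/ls": b"\x7fELF original ls\n"}.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        blob = seal(build_baseline(root), key)

        # "cover your tracks": truncate the log, drop a listener binary, remove a tool
        open(os.path.join(root, "var/log/auth.log"), "wb").close()
        with open(os.path.join(root, "bin/nc"), "wb") as fh:
            fh.write(b"\x7fELF backdoor listener\n")
        os.remove(os.path.join(root, "bin/ls"))

        report = compare(root, unseal(blob, key))
        # Editing the sealed database must fail loudly as well (flip one byte of the tag).
        try:
            unseal(blob[:-1] + bytes([blob[-1] ^ 0x01]), key)
            report["seal_ok_after_tamper"] = True
        except ValueError:
            report["seal_ok_after_tamper"] = False
        return report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(run_demo())
```

The whole scheme stands or falls on where the sealed baseline and its key live: if they sit on the compromised box, the intruder who has root can re-seal a fresh baseline after the wipe, which is why Tripwire's advice is to keep the database on read-only or off-host storage.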
How do we get back in? • Rootkit? • Lots to choose from • Unfortunately most are easily detectable • Maybe write a custom one • Rogue accounts • Good choice, but easily detectable (a new line in /etc/passwd stands out) • Why not reuse an account that's already on the machine with sudo? • Simple backdoor • NetCat (nc) listening with a shell attached
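The "rogue account vs. existing sudo account" choice above is exactly what an account audit looks for from the defender's side. As an added example (not from the slides), the block below parses /etc/passwd, /etc/group and sudoers text and reports UID-0 aliases, service accounts that have been given a login shell, and every account that can sudo, flagging NOPASSWD rules separately. The three files are constructed samples with assumed user names; the parsing follows the standard colon-separated formats and the common `user HOST=(RUNAS) CMD` sudoers line shape.

```python
"""Audit /etc/passwd, /etc/group and sudoers text for rogue or reusable privileged accounts."""

# Constructed sample files (assumed for the demo, not from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
toor:x:0:0:toor:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
webadm:x:1001:1001:Web admin:/home/webadm:/bin/bash
"""

GROUP = """\
root:x:0:
wheel:x:10:root,alice,webadm
sudo:x:27:alice
"""

SUDOERS = """\
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
webadm ALL=(ALL) NOPASSWD: ALL
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def parse_sudoers(text):
    """Return (who, rest) pairs for user/group specs; Defaults and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        parts = line.split(None, 1)
        rules.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return rules


def sudo_capable(users, groups, rules):
    """Expand %group specs so every account that can sudo is listed by name -> NOPASSWD flag."""
    capable = {}
    for who, rest in rules:
        nopasswd = "NOPASSWD:" in rest
        if who.startswith("%"):
            group = groups.get(who[1:], {"gid": None, "members": []})
            # explicit members plus users whose primary group is this group
            names = set(group["members"]) | {u for u, i in users.items() if i["gid"] == group["gid"]}
        else:
            names = {who}
        for n in names:
            capable[n] = capable.get(n, False) or nopasswd
    return capable


def audit(passwd_text=PASSWD, group_text=GROUP, sudoers_text=SUDOERS, system_uid_max=999):
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    rules = parse_sudoers(sudoers_text)
    findings = []
    for name, info in users.items():
        if info["uid"] == 0 and name != "root":
            findings.append(("uid0_alias", name))  # the classic rogue account
        elif 0 < info["uid"] <= system_uid_max and info["shell"] not in NOLOGIN_SHELLS:
            findings.append(("system_account_with_shell", name))  # service account turned login
    for name, nopasswd in sorted(sudo_capable(users, groups, rules).items()):
        if name == "root":
            continue
        findings.append(("sudo_nopasswd" if nopasswd else "sudo", name))
    return findings


if __name__ == "__main__":
    for kind, name in audit():
        print(f"{kind:28s} {name}")
```

The plain "sudo" findings are not misconfigurations; they are the list of accounts an intruder would rather borrow than create, so they are the ones whose logins and keys deserve the closest watch. Real sudoers files also use `#include`, aliases and per-command rules, which this reader does not expand.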
References • http://www.insecure.org/ • http://ettercap.sourceforge.net/ • http://www.sys-security.com/html/projects/X.html • http://lcamtuf.coredump.cx/p0f.tgz • http://www.nessus.org/ • http://www.bitwizard.nl/mtr/