Title: The Fundamentals of Hacking: An 0\/3r\/!3vv
The Fundamentals of Hacking: An 0\/3r\/!3vv
- Jen Johnson
- Miria Grunick
Five Phases of an Attack
- Phase 1: Reconnaissance
- Phase 2: Scanning
- Phase 3: Gaining Access
- Phase 4: Maintaining Access
- Phase 5: Covering Attacks and Hiding
Phase 1: Reconnaissance
- Takes place before the attack.
- Investigate the target using publicly available information.
- Types: low-technology reconnaissance, searching the Web, whois databases, using the DNS, and general-purpose tools.
Low-Technology Reconnaissance
- Social Engineering: An attacker calls the target organization and fools an employee into revealing sensitive information. Often, the attacker calls and pretends to be a new employee, customer, system administrator, or business partner.
Low-Technology Reconnaissance
- Physical Break-In: Physically breaking into the building to try to gain access to the network from the inside. This is often accomplished by walking into the building with a group of employees or by being hired as an employee or temp.
Low-Technology Reconnaissance
- Dumpster Diving: Going through an organization's discarded documents to find sensitive information. Often, employees will throw out papers that reveal critical information (e.g. old Post-It notes with user IDs and passwords).
Searching the Web
- Organization's Web Site: Can reveal important information, such as employees' contact information, clues about the corporate culture and language, business partners, recent mergers and acquisitions, and what technologies the organization uses.
Searching the Web
- Search Engines: Can reveal information about the company's history, current events, future plans, financial status, business partners, and technologies in use.
- Usenet: Employees may submit questions to technical newsgroups that reveal information about the particular products that the organization uses.
Whois Databases
- Whois databases contain information about the assignment of Internet addresses, domain names, registrars, and individual contacts.
- First, find out who the registrar is. The Internet Network Information Center (InterNIC) whois database system lists the registrars of websites based on the organization's name or domain name for sites with the .net, .org or .com extensions. The InterNIC whois database is available online at www.internic.net/whois.html
Whois Databases
- If you are researching an organization without the .com, .net, or .org extensions (e.g. international websites), try the Allwhois site at www.allwhois.com/home.html
- Once you have the registrar's name, you can go to the registrar's site and get more information, such as names and numbers of administrators, email and postal addresses, registration dates, and the addresses of the organization's DNS servers.
American Registry for Internet Numbers (ARIN)
- Contains all IP addresses assigned to a particular organization. Search by company or domain names.
- For North American, South American, Caribbean, and sub-Saharan African organizations: www.arin.net/whois/arinwhois.html
- For European organizations: www.ripe.net
- For Asian organizations: www.apnic.net
Domain Name System (DNS)
- DNS: a world-wide hierarchical database that stores information about domain names and IP addresses. This database is searched to get information about a given domain name, most commonly the corresponding IP address.
- Once an attacker knows one of the DNS servers, the attacker can begin interrogating the name servers.
DNS
- To interrogate DNS servers, first invoke the nslookup program on any UNIX or Windows NT/2000 environment by typing nslookup at the command prompt.
- Try to do a zone transfer. In a zone transfer, the nslookup program asks the DNS server to transmit all information it has about a given domain.
DNS
- To do a zone transfer, nslookup must be instructed to use the target's DNS server, using the command server target_DNS_server
- Next, specify that any type of DNS record should be searched for, by typing set type=any
- Initiate the zone transfer by typing ls -d target_domain
- Output can give useful information, such as system names, IP addresses of the systems, and sometimes even operating system types.
- More information about nslookup: www.zoneedit.com/doc/nslookup.html
General Reconnaissance Tools
- Sam Spade (freeware available at www.samspade.org/ssw/)
- Many reconnaissance tools in one: ping, whois, IP block whois, nslookup, dig, DNS zone transfer, traceroute, finger, SMTP VRFY, Web browser.
- Other general-purpose reconnaissance tools: CyberKit, NetScan Tools, iNetTools
Web-Based Reconnaissance Tools
- Research and Attack portals: sites that allow a user to enter the target site and research or initiate an attack against the target (via denial-of-service attacks or vulnerability scans)
- Difference between Web-based tools and general reconnaissance tools: now the traffic comes from the Web server, not the attacker's machine. Thus, the attacker can remain more anonymous.
Web-Based Reconnaissance Tools
- Examples:
- www.network-tools.com
- privacy.net/analyze
Phase 2: Scanning
The premise of scanning is to probe as many ports as possible, keeping track of open and useful ports that would be receptive to hacking. Scanners send multiple packets over a communication medium, then listen and record each response. The following are techniques for inspecting ports and protocols.
War Dialing
- War Dialing: Dialing large pools of telephone numbers in an effort to find unprotected modems. Done with an automated tool, such as THC-Scan 2.0, available at www.thc.org/releases.php.
- This tool will return a list of all of the modems discovered in the range of phone numbers it was given.
- The hacker can then check all of the modems and see if any have no passwords, allowing them access to the network.
FIN Probe
- A FIN packet (or any packet without an ACK or SYN flag) is sent to an open port and one waits for a response.
- The correct RFC 793 behavior is to not respond. Many broken implementations (e.g. MS Windows) send a RESET back.
Network Mapping
- A hacker first tries to determine which addresses have active hosts by pinging all possible addresses in the network.
- Once a hacker knows which hosts are alive, he or she will try to determine the network topology. This is done by a method called tracerouting.
Network Mapping
- Tracerouting: Send a series of packets with different Time-To-Live (TTL) values in the IP header and check the source address of the Time Exceeded message returned.
- Example: Send a packet with a TTL of 1. The Time Exceeded message will have the source address of the first router. Now send a packet with a TTL of 2. The Time Exceeded message returned will have the source address of the second router, and so on.
Tracerouting
Network Mapping
- Windows 2000/NT and UNIX have tools that do this for us:
- Windows 2000/NT: tracert
- UNIX: traceroute
- Another network mapping tool: Cheops (available at www.marko.net/cheops). This tool does the ping sweep and traceroute and draws a picture of the topology of the network.
Screenshot of Cheops
How Cheops Works
- Sequentially send ARP messages to every IP address in the range.
- Traceroute to every IP address that responds to the ARP message.
Scanning Involves 3 Steps
- Locating Nodes
- Performing Service Discoveries
- Testing Services for Known Security Holes
TCP Port Scanning
- Most basic form of scanning. Attempts to open a full TCP connection to determine if that port is active.
- This method leaves an easier-to-spot trail than partial-open scanning.
Stealth Port Scanning
- All the operating systems now honor the tradition of permitting only the super-user to open the ports numbered 0 to 1023. These standard ports are assigned to services by the IANA (Internet Assigned Numbers Authority, www.iana.org).
- Attempts to open a port in the range 0..1023 by an unprivileged user program will fail. A user program can open any unallocated port higher than 1023.
- On Unix, the text file named /etc/services (on Windows 2000 the file named %windir%\system32\drivers\etc\services) lists these service names and the ports they use. Here are a few lines extracted from this file:
echo 7/tcp Echo
ftp-data 20/udp File Transfer (default)
ftp 21/tcp File Transfer (control)
ssh 22/tcp SSH Remote Login Protocol
telnet 23/tcp Telnet
domain 53/udp Domain Name Server
www-http 80/tcp WWW HTTP
Non-Standard Ports
wins 1512/tcp Microsoft Windows Internet Name Service
Radius 1812/udp RADIUS authentication protocol
yahoo 5010 Yahoo! Messenger
X11 6000-6063/tcp X Window System
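The services file above is what a defender uses to turn raw port numbers in a scan log back into service names. The following is an added example, not code from the slides: a small parser for that file layout that expands port ranges such as 6000-6063/tcp, tolerates the protocol-less line (yahoo 5010), and flags the privileged 0..1023 range the slide describes. The sample text is constructed here from the quoted lines.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample in /etc/services layout, mirroring the lines quoted above
# plus a comment line so the parser has to skip one.
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed sample)
echo            7/tcp       Echo
ftp             21/tcp      File Transfer (control)
ssh             22/tcp      SSH Remote Login Protocol
domain          53/udp      Domain Name Server
www-http        80/tcp      WWW HTTP
wins            1512/tcp    Microsoft Windows Internet Name Service
Radius          1812/udp    RADIUS authentication protocol
yahoo           5010        Yahoo! Messenger
X11             6000-6063/tcp   X Window System
"""

# name, port, optional "-hiport", optional "/proto", trailing description
LINE_RE = re.compile(r"^(\S+)\s+(\d+)(?:-(\d+))?(?:/(\w+))?\s*(.*)$")

def parse_services(text: str) -> Dict[Tuple[int, Optional[str]], str]:
    """Map (port, protocol) -> service name. A port range is expanded into
    one entry per port; a line with no protocol is stored under None."""
    table: Dict[Tuple[int, Optional[str]], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue                              # skip anything malformed
        name, lo, hi, proto, _description = m.groups()
        for port in range(int(lo), int(hi or lo) + 1):
            table[(port, proto)] = name
    return table

def service_name(table, port: int, proto: str) -> str:
    """Look up a port; fall back to a protocol-less entry, then 'unknown'."""
    return table.get((port, proto)) or table.get((port, None)) or "unknown"

def privileged(port: int) -> bool:
    """Ports 0..1023 need super-user privileges to bind, as the slide says."""
    return 0 <= port <= 1023

def annotate(table, hits):
    """Label (port, proto) pairs, e.g. the open ports reported by a scan."""
    return [f"{p}/{pr} {service_name(table, p, pr)}"
            + (" (privileged)" if privileged(p) else "")
            for p, pr in hits]
```

Note that the name is keyed on (port, protocol): the same number can mean different things on TCP and UDP, which is why a lookup that ignores the protocol mislabels ports.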
Stealth Scanning Includes Some/All of the Following
- Setting individual flags (ACK, FIN, RST, ...)
- NULL flags set
- All flags set
- Bypassing filters, firewalls, routers
- Appearing as casual network traffic
- Varied packet dispersal rates
Fragmented Packets
- The scanner splits the TCP header into several IP fragments. This bypasses some packet-filter firewalls because they cannot see a complete TCP header that can match their filter rules.
- Some packet filters and firewalls do queue all IP fragments (e.g., the CONFIG_IP_ALWAYS_DEFRAG option in Linux enables it in the kernel), but many networks cannot afford the performance loss caused by the queuing.
TCP Fragmenting
- TCP fragmenting is not a scan method so to speak, although it employs a method to obscure scanning implementations by splitting the TCP header into smaller fragments.
- A minimally allowable fragmented TCP header must contain a destination and source port in the first packet (8 octets, 64 bits), typically with the initialized flags in the next, allowing the remote host to reassemble the packet upon arrival.
- The actual reassembly is established through an IPM (internet protocol module) that identifies the fragmented packets by the equivalent values of the fields:
- source
- destination
- protocol
- identification
Using TCP Fragmenting: FragRouter
- Program which fragments TCP packets
- 35 different ways to fragment
- Called a router because it is a software implementation of a router: data from other programs is sent through the FragRouter
- FragRouter fragments the packets and then forwards the packets to their destination
SYN Scanning
- Also called half-open scanning, as the TCP connection is not completed.
- A SYN packet is sent and the target host responds with a SYN/ACK, indicating the port is listening
- RST indicates a non-listener
- The server process is never informed by the TCP layer because the connection did not complete.
A demonstration of this technique is necessary to show a half-open transaction:
- client -> SYN
- server -> SYN/ACK
- client -> RST
- This example has shown the target port was open, since the server responded with SYN/ACK flags.
- The RST bit is kernel oriented, that is, the client need not send another packet with this bit, since the kernel's TCP/IP stack code automates this.
Inversely, a closed port will respond with RST/ACK.
- client -> SYN
- server -> RST/ACK
- This combination of flags is indicative of a non-listening port.
FIN Scanning
- The typical TCP scan attempts to open connections (at least part way). Another technique sends erroneous packets at a port, expecting that open listening ports will send back different error messages than closed ports.
- The scanner sends a FIN packet, which should close a connection that is open. Closed ports reply to a FIN packet with a RST. Open ports, on the other hand, ignore the packet in question.
- If no service is listening at the target port, the operating system will generate an error message.
- If a service is listening, the operating system will silently drop the incoming packet. Therefore, silence indicates the presence of a service at the port.
This is the negotiation for open/closed port recognition:
- client -> FIN
- server -> (no reply)
- No reply from the server is indicative of an open port. The server's operating system silently dropped the incoming FIN packet to the service running on that port.
RST Reply
- Opposing this is the RST reply by the server when a closed port is reached.
- Since no service is bound on that port, issuing a FIN invokes a reset (RST) response from the server.
- client -> FIN
- server -> RST
- Other techniques that have been used consist of XMAS scans, where all flags in the TCP packet are set, or NULL scans, where none of the bits are set. However, different operating systems respond differently to these scans, and it becomes important to identify the OS and even its version and patch level.
Reverse Ident Scanning
- This technique involves issuing a query to the ident/auth daemon, usually on port 113, to ask the service for the owner of the running process.
- The main reason behind this is to find daemons running as root; this result would entice an intruder to find a vulnerable overflow and instigate other suspicious activities involving this port.
- Alternatively, a daemon running as user nobody (httpd) may not be as attractive to an intruder because of limited access privileges.
- identd could release miscellaneous private information such as:
- user info
- entities
- objects
- processes
FTP Bounce
Background
- An FTP session consists of two connections between the client and the server.
- The high-port server connection is enabled by the client and allows the FTP server to send data to the client.
- When the client wants to transfer data to or from the server, it issues a PORT command. The PORT command instructs the server to open a data connection, which is used to transfer the data.
Problem
- An outside attacker can use the FTP server to open connections which appear to originate from the server. This could be used to bypass access control restrictions.
How To Use FTP Bounce Attacks
Port Scanning
- An attacker can run the attack from a third-party FTP server acting as a stage for the scan. The victim site sees the scan as coming from the FTP server rather than the true source (the FTP client).
- When the victim site is on the same subnet as the FTP server, or when it does not filter traffic from the FTP server, the attacker can use the server machine as the source of the port scan rather than the client machine.
Bypassing Basic Packet Filtering Devices
- An attacker may bypass a firewall in certain network configurations.
- Example: a site has its anonymous FTP server behind a firewall. Using the technique above, an attacker determines that an internal web server at that site is available on port 8080, a port normally blocked by a firewall.
- By connecting to the public FTP server at the site, the attacker initiates a further connection between the FTP server and an arbitrary port on a non-public machine at that site (for instance the internal web server at port 8080).
- As a result, the attacker establishes a connection to a machine that would otherwise be protected by the firewall.
Bypassing Dynamic Packet Filtering Devices
- Example:
- The victim site houses all of its systems behind a firewall that uses dynamic packet filters.
- A person at the victim site browses web pages and downloads a Java applet constructed by the attacker.
- The Java applet then opens an outbound FTP connection to the attacker's machine.
- The applet then issues an FTP PORT command, instructing the server machine to open a connection to some otherwise protected system behind the victim firewall.
- The dynamic packet filtering firewall examines outbound packets to determine if any action is required on its part.
- It notes the PORT command and allows an incoming connection from the remote web server to the telnet port on the victim machine.
- This connection was allowed in this case because the PORT command was issued by the client.
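Every variant of the bounce above rests on the FTP server honouring a PORT command whose address is not the client's own. The standard mitigation (RFC 2577, FTP Security Considerations) is for the server to refuse such commands. The following is an added example, not code from the slides or from any FTP server: it decodes the PORT argument and applies that policy, also refusing privileged destination ports. Addresses are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class PortTarget:
    address: str
    port: int

def parse_port_command(arg: str) -> PortTarget:
    """Decode the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command:
    four address octets followed by the port as high byte, low byte."""
    parts = arg.split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each field must be 0..255")
    return PortTarget(".".join(map(str, nums[:4])), nums[4] * 256 + nums[5])

def check_port_command(arg: str, client_ip: str) -> str:
    """Server-side policy against bounce attacks: the data connection may only
    go back to the address that owns the control connection, and only to an
    unprivileged port. Returns 'accept' or a refusal reason."""
    try:
        target = parse_port_command(arg)
    except ValueError as exc:
        return f"refuse: malformed ({exc})"
    if ipaddress.ip_address(target.address) != ipaddress.ip_address(client_ip):
        return "refuse: bounce attempt, address differs from control connection"
    if target.port < 1024:
        return "refuse: privileged destination port"
    return "accept"
```

The address comparison is the check that defeats the port-scan and firewall-bypass variants; the port floor stops the server being pointed at services such as SMTP or telnet even on the client's own host.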
Scanning Packages Available Commercially
- CyberCop
- JAKAL
- NetRecon
- NMap
CyberCop
- Intrusion detection system that safeguards corporate assets by performing real-time surveillance of network traffic. The CyberCop system protects networks from external and internal attacks by providing a "high tech burglar alarm" capable of alerting companies when the security of their networks is breached by unauthorized intruders.
JAKAL
- Developed on UNIX to test UNIX hosts. Jakal is interesting because of its possibilities: it is designed for stealth and to go through most firewalls. Usually it doesn't leave any trace of its activity, except for some messages (SYN/ACK).
NetRecon
- Scans multiple operating systems, including UNIX, Linux, Windows 2000, Windows NT, Windows 95/98 and NetWare.
- Scans using many Windows NT/2000 network protocols such as TCP/IP, IPX/SPX, and NetBEUI.
Nmap
- Most popular scanner to date
- Free utility for network exploration or security auditing. Designed to rapidly scan large networks. Uses raw IP packets to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, and what type of packet filters/firewalls are in use.
- http://www.insecure.org/nmap/idlescan.html
Scan Types Supported by Nmap
Type of Scan | Command-Line Option | Summary of Characteristics
TCP Connect | -sT | Completes the 3-way handshake with each scanned port.
TCP SYN | -sS | Only sends the initial SYN and awaits the SYN-ACK response.
TCP FIN | -sF | Sends a TCP FIN to each port. Reset indicates port is closed.
TCP Xmas Tree | -sX | Sends packet with the FIN, URG and PUSH code bits set. Reset indicates port is closed.
Null | -sN | Sends packets with no code bits set. Reset indicates port is closed.
TCP ACK | -sA | Sends packet with the ACK code bit set to each target port.
Window | -sW | Similar to ACK, but focuses on TCP Window size to determine if ports are open or closed.
FTP Bounce | -b | Bounces a TCP scan off of an FTP server, obscuring the originator of the scan.
UDP Scanning | -sU | Sends a UDP packet to target ports to determine if a UDP service is listening.
Ping | -sP | Sends ICMP echo request packets to every machine on target network.
RPC Scanning | -sR | Scans RPC services using all discovered open TCP/UDP ports on the target to send RPC Null commands.
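The SYN, FIN, XMAS and NULL exchanges described in the scanning slides and the Nmap table above each have a characteristic flag combination, which is exactly what a defender looks for. The following is an added example, not code from the slides or from Nmap: it classifies probes by their TCP flags and reports sources that touched many distinct ports on one host, separating the "stealth" probes (FIN/XMAS/NULL, which no normal client sends without a connection) from a plain SYN sweep. The log lines are constructed in a simple "src dst dport flags" layout.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed log lines: "src dst dport flags", with the usual single-letter
# flag abbreviations (S=SYN, A=ACK, F=FIN, R=RST, P=PSH, U=URG, "-" = none).
SAMPLE_LOG = """\
198.51.100.7 192.0.2.10 22 S
198.51.100.7 192.0.2.10 25 S
198.51.100.7 192.0.2.10 80 S
198.51.100.7 192.0.2.10 443 S
198.51.100.7 192.0.2.10 8080 S
198.51.100.7 192.0.2.10 3306 S
203.0.113.4 192.0.2.10 21 F
203.0.113.4 192.0.2.10 22 F
203.0.113.4 192.0.2.10 23 F
203.0.113.4 192.0.2.10 25 FPU
203.0.113.4 192.0.2.10 110 -
192.0.2.50 192.0.2.10 443 S
192.0.2.50 192.0.2.10 443 A
192.0.2.50 192.0.2.10 443 PA
"""

STEALTH = {"FIN", "XMAS", "NULL"}

def probe_type(flags: str) -> str:
    """Name the probe a flag combination corresponds to (cf. the Nmap table)."""
    f = set(flags) - {"-"}
    if not f:
        return "NULL"
    if f == {"F", "P", "U"}:
        return "XMAS"
    if f == {"F"}:
        return "FIN"
    if f == {"S"}:
        return "SYN"
    if f == {"A"}:
        return "ACK"
    return "normal"          # anything else is ordinary session traffic

def parse_log(text: str) -> List[Tuple[str, str, int, str]]:
    rows = []
    for line in text.splitlines():
        src, dst, dport, flags = line.split()
        rows.append((src, dst, int(dport), flags))
    return rows

def find_scanners(rows, min_ports: int = 5) -> Dict[str, Dict[str, object]]:
    """Report sources that probed at least `min_ports` distinct ports on one
    host, with a breakdown of probe types. An established session that keeps
    hitting a single port never reaches the threshold."""
    ports = defaultdict(set)
    kinds = defaultdict(lambda: defaultdict(int))
    for src, dst, dport, flags in rows:
        ports[(src, dst)].add(dport)
        kinds[(src, dst)][probe_type(flags)] += 1
    report = {}
    for (src, dst), pset in ports.items():
        if len(pset) >= min_ports:
            seen = dict(kinds[(src, dst)])
            report[src] = {"target": dst, "ports": len(pset), "probes": seen,
                           "stealth": bool(STEALTH & set(seen))}
    return report
```

The distinct-port threshold is what keeps this from alerting on a busy but legitimate client; tune it per network, and remember from the slides that a scanner can vary its packet dispersal rate, so the window over which ports are counted matters as much as the count.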
Determining Firewall Filter Rules
- One disadvantage of Nmap: it cannot differentiate what is open on an end machine and what is being firewalled.
- It is also important to determine what ports are available through the firewall or router. One tool that can do this is Firewalk (available at www.packetfactory.net/projects/firewalk/firewalk-5.0.tgz).
- Firewalk can determine which types of packets are permitted through and which ports are accessible through the firewall.
- Note: Firewalk is only useful for packet-filtering devices, not proxy-based firewalls.
How Firewalk Works
- Determines the number of hops between the tool and the firewall.
- Sends UDP and TCP packets with a TTL one greater than the hop count to the filtering device.
- If an ICMP Time Exceeded message is returned, the port is available through the firewall.
- If an ICMP Port Unreachable message or nothing is returned, the port is most likely being filtered by the firewall.
- Unlike Nmap, Firewalk can determine what kind of packets are allowed through the firewall for each specific port and which ports allow new connections.
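Both tracerouting (the Network Mapping slides) and Firewalk rest on the same mechanism: the TTL runs out at a chosen router and that router's Time Exceeded message reveals its address. The following is an added example, not code from the slides or from either tool: a small model of a path with one filtering router on it, a traceroute that walks the TTL up, and a firewalk that probes with TTL = hops-to-filter + 1 and reads the presence or absence of Time Exceeded as "passed" or "filtered". The network (router addresses, the allowed ports) is constructed for the example; it sends no real packets.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Hop:
    """One router on the modelled path. When `filters` is True the router is a
    packet filter that silently drops packets to any port not in `allowed`."""
    address: str
    filters: bool = False
    allowed: Set[int] = field(default_factory=set)

@dataclass
class Path:
    hops: List[Hop]
    destination: str

    def send(self, ttl: int, dport: int) -> Optional[str]:
        """What the probing host hears back for one packet: Time Exceeded from
        the router where the TTL ran out, a reply from the destination, or
        None when a filter dropped the packet on the way."""
        for i, hop in enumerate(self.hops):
            if ttl == i + 1:
                return f"time-exceeded from {hop.address}"
            if hop.filters and dport not in hop.allowed:
                return None
        return f"reply from {self.destination}"

def traceroute(path: Path, dport: int = 33434, max_ttl: int = 30) -> List[str]:
    """Raise the TTL one step at a time and record who answered; '*' marks a
    silent hop and three silent hops in a row end the trace."""
    route, silent = [], 0
    for ttl in range(1, max_ttl + 1):
        answer = path.send(ttl, dport)
        if answer is None:
            route.append("*")
            silent += 1
            if silent == 3:
                break
            continue
        silent = 0
        if answer.startswith("reply"):
            break
        route.append(answer.split()[-1])
    return route

def firewalk(path: Path, filter_hops: int, ports: List[int]) -> Dict[int, str]:
    """Probe each port with TTL = hops-to-filter + 1. Time Exceeded from the hop
    behind the filter proves the port passed through; silence means filtered."""
    verdict = {}
    for port in ports:
        answer = path.send(filter_hops + 1, port)
        verdict[port] = "open through filter" if answer else "filtered"
    return verdict

def example_path() -> Path:
    """Constructed network: a router, then a filter passing only 80 and 443,
    then one more router before the target."""
    return Path(
        hops=[Hop("10.0.0.1"),
              Hop("10.0.0.2", filters=True, allowed={80, 443}),
              Hop("10.0.0.3")],
        destination="192.0.2.10",
    )
```

Two things the model makes visible: a traceroute to a port the filter blocks goes silent right after the filter, which is how the hop count to the filter is obtained in the first place, and the firewalk verdict says nothing about whether the port is open on the end host, only whether the filter lets it through (the same limitation the slide notes for Nmap in the opposite direction).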
Vulnerability Scanning
- Use an automated tool that checks for common configuration errors, default configuration errors, and well-known system vulnerabilities.
- Generally made up of multiple parts: vulnerability database, user configuration tool, scanning engine, knowledge base of the current active scan, and results repository and report generation tool.
Vulnerability Scanner
Nessus
- The most popular of the vulnerability scanners. (Available at www.nessus.com)
- Also allows the user to write their own vulnerability checks and include them in the tool.
- Has a variety of plug-ins, such as checking for vulnerabilities that allow a shell to be gained remotely and checking to see if the target system already has backdoor tools installed.
Port, Socket and Service Vulnerability Penetrations
- Once a breach has been uncovered during the discovery phase, different vulnerability penetrations are used to take advantage of it and possibly gain control of computers, servers and internetworking equipment.
- More on exploiting these vulnerabilities in Phase 3
Operating System Fingerprinting with Nmap
TCP ISN Sampling
- The idea here is to find patterns in the initial sequence numbers chosen by TCP implementations when responding to a connection request.
- Categorized into groups such as traditional 64K, random increments and true random (Linux 2.0).
Don't Fragment Bit
- Trend of operating systems to set the IP Don't Fragment bit on some of the packets they send.
- By paying attention to this bit, one can glean information on the target OS.
TCP Initial Window
- Simply involves checking the window size on returned packets.
- Gives quite a lot of information, since some operating systems can be uniquely identified by the window alone.
TCP Options
- Excellent means of gaining access to leaked information.
- Can discover if a host implements them by sending a query with an option set: the target shows support for the option by setting it on the reply.
- Can stuff many options into one packet to test everything at once.
SYN Flood Resistance
- If too many forged SYN packets are sent to some operating systems, they will stop accepting new connections.
- Many operating systems can only handle 8 packets.
- By sending 8 forged packets to an open port and then trying to establish a connection, you can learn about the operating system used.
- This is easier to detect on the target side than other methods, however.
Pre-Phase 3
- Understanding Filters, Firewalls and the IDS
Packet Filter
- First line of defense.
- Checks each packet against a policy or rule before routing it to the destined node or network destination.
- Most reject SYN/ACK, ICMP, and incoming UDP packets that initiate inbound connections.
Example
- Cisco Series Access Router
- If the router is configured to pass a particular protocol, external hosts can use that protocol to establish a direct connection to internal hosts.
- The router will produce an audit log with features to generate alarms when hostile behavior is detected.
Enhanced Version
Stateful Filter
- Provides the same functionality as the previous version, but also keeps track of state information, such as TCP sequence numbers.
- Uses the analysis of data within the lowest levels of the protocol stack to compare the current session to previous ones for the purpose of detecting suspicious activity.
- Uses specific rules determined by the user.
Downside
- Does not recognize specific applications and therefore is unable to apply dissimilar rules to different applications.
Proxy Firewall
- Simple server with dual NICs that has routing or packet forwarding deactivated, utilizing a proxy server daemon instead.
- Gateway is a term used as a synonym for proxy server.
- Gathers all internet requests, forwards them to internet servers, receives responses and forwards them to the original requestor within the company.
Enhanced Version
- Application Proxy Gateway
Application Proxy Gateway
- Contains integrated modules that check every request and response.
- Example: An FTP stream may only be allowed to download data.
Application Gateways look at data on the application layer of the protocol stack and serve as proxies for outside users. Thus, outside users never really have a direct connection to anything beyond the proxy gateway.
Implementing a Backdoor Method: 4 Actions Take Place
- Seizing a virtual connection: this involves hijacking a remote telnet session, a VPN tunnel or a secure-ID session.
- Planting an insider: a user, engineer or socially engineered (swindled) person. Can also spoof an employee with an e-mail with a remote access Trojan attached.
- Manipulating an internal vulnerability: attacks on demilitarized zones, such as e-mail, domain name resolution, telnet or FTP.
- Manipulating an external vulnerability: involves penetrating through an external mail server, HTTP server daemon and/or telnet service on an external boundary gateway.
Intrusion Detection System
Scanning Intrusion Detection Systems
- Detects statistical anomalies. Measures a "baseline" of such stats as CPU utilization, disk activity, user logins, file activity, and so forth. Then, the system can trigger when there is a deviation from this baseline.
- Can detect the anomalies without having to understand the underlying cause behind them.
Signature Recognition
- The majority of commercial products are based upon examining the traffic looking for well-known patterns of attack.
- Classic example is to examine every packet on the wire for the pattern "/cgi-bin/phf?", which might indicate somebody attempting to access this vulnerable CGI script on a web server.
How does a NIDS match signatures with incoming traffic?
- 1. Protocol stack verification: A number of intrusions, such as "Ping-O-Death" and "TCP Stealth Scanning", use violations of the underlying IP, TCP, UDP, and ICMP protocols in order to attack the machine. A simple verification system can flag invalid packets. This can include valid, but suspicious, behavior such as severely fragmented IP packets.
- 2. Application protocol verification: A number of intrusions use invalid protocol behavior, such as "WinNuke", which uses invalid NetBIOS protocol, or DNS cache poisoning, which has a valid, but unusual, signature. In order to effectively detect these intrusions, a NIDS must re-implement a wide variety of application-layer protocols in order to detect suspicious or invalid behavior.
- 3. Creating new loggable events: A NIDS can be used to extend the auditing capabilities of your network management software. For example, a NIDS can simply log all the application layer protocols used on a machine. Downstream event log systems (WinNT Event, UNIX syslog, SNMP TRAPS, etc.) can then correlate these extended events with other events on the network.
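The "/cgi-bin/phf?" signature and the protocol stack verification described above are easy to see in a few lines of code. The following is an added example, not code from the slides or from any IDS product: a signature matcher that normalises the request path before matching (percent-decoding twice and collapsing slashes, so that "%3F" or "PHF" do not slip past the pattern), plus a flag-combination check of the kind a protocol-verification stage applies to TCP. The signature names and the request lines are constructed for the example.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed signature set: name -> pattern applied to the normalised path.
SIGNATURES = {
    "phf-cgi": re.compile(r"/cgi-bin/phf\?", re.I),
    "dir-traversal": re.compile(r"(^|/)\.\./"),
}

# Constructed HTTP request lines as a sensor might reassemble them.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/phf?Qalias=test HTTP/1.0",
    "GET /cgi-bin/PHF%3FQalias=test HTTP/1.0",     # case and encoding evasion
    "GET /images//..%2F../etc/passwd HTTP/1.0",    # double slash, encoded slash
]

def normalise(request_line: str) -> str:
    """Undo the common evasions before matching: percent-decode the path twice
    (catches double encoding) and collapse runs of slashes."""
    try:
        _method, path, _version = request_line.split(" ", 2)
    except ValueError:
        return request_line
    return re.sub(r"/{2,}", "/", unquote(unquote(path)))

def match_signatures(request_line: str) -> List[str]:
    path = normalise(request_line)
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]

def scan(lines) -> List[Tuple[str, List[str]]]:
    """Return (line, signature names) for every line that triggered something."""
    return [(line, hits) for line in lines if (hits := match_signatures(line))]

def tcp_flags_invalid(flags: str) -> bool:
    """Protocol-stack verification: flag combinations no real stack sends, which
    is how the stealth scans of the earlier slides show up as invalid packets.
    Flags use single letters (S, A, F, R, P, U); empty string means none set."""
    f = set(flags)
    return (not f                       # NULL probe
            or {"S", "F"} <= f          # SYN+FIN never coexist
            or {"S", "R"} <= f          # SYN+RST never coexist
            or ("F" in f and "A" not in f))   # FIN always rides with ACK in a real session
```

Normalising before matching is the part that matters most in practice: a pattern applied to the raw bytes is trivially evaded by encoding, which is the same class of problem the fragmentation slides describe one layer down.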
Other Countermeasures Besides IDS
- Firewalls: These are to protect from external attacks; most intrusions are committed by employees inside the firewall, and it should therefore be considered a last line of defense.
Authentication
- Scanners should be run that automate the finding of open accounts.
- One should automatically enforce strict policies for passwords (7-character minimum, including numbers, dual case, and punctuation) using crack or built-in policy checkers (WinNT native, add-on for UNIX).
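The policy on this slide is concrete enough to write down, and doing so shows why the slide pairs it with a cracker. The following is an added example, not code from the slides or from any policy checker: it applies the stated rules and then runs the kind of dictionary check crack performs, which catches passwords that satisfy every rule but are still a common word with a digit and a symbol bolted on. The wordlist is a constructed three-entry stand-in.

```python
import re
import string
from typing import List

# Constructed stand-in for a cracker's wordlist.
COMMON_WORDS = {"password", "welcome", "letmein"}

def password_policy_violations(password: str, minimum: int = 7) -> List[str]:
    """Apply the slide's policy: at least `minimum` characters, a digit, both
    letter cases, and punctuation. Returns the rules that were not met."""
    checks = [
        (len(password) >= minimum, f"at least {minimum} characters"),
        (any(c.isdigit() for c in password), "a digit"),
        (any(c.islower() for c in password) and any(c.isupper() for c in password),
         "both upper- and lower-case letters"),
        (any(c in string.punctuation for c in password), "a punctuation character"),
    ]
    return [rule for ok, rule in checks if not ok]

def looks_dictionary_based(password: str, wordlist=COMMON_WORDS) -> bool:
    """The cracker's view: strip leading/trailing digits and punctuation, fold
    case, and see whether a wordlist entry is left."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password).lower()
    return core in wordlist

def password_accepted(password: str) -> bool:
    """Accept only passwords that pass the policy and survive the dictionary check."""
    return not password_policy_violations(password) and not looks_dictionary_based(password)
```

The second check is the one the slide's "using crack" hints at: a composition policy alone admits "Password1!", and only a cracker-style test rejects it.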
Virtual Private Networks
- Create secure connections over the Internet for remote access.
- VPNs actually decrease corporate security. While the pipe itself is secure (authenticated, encrypted), either end of the pipe is wide open.
- A home machine compromised with a backdoor rootkit allows a hacker to subvert the VPN connection, allowing full, undetectable access to the other side of the firewall.
IDS
- Network Hosts: Although network intrusion detection systems have traditionally been used as probes, they can also be placed on hosts.
- Network Perimeter: IDS is most effective on the network perimeter, such as on both sides of the firewall, near the dial-up server, and on links to partner networks. These links tend to be low-bandwidth (T1 speeds), such that an IDS can keep up with the traffic.
- Servers are often placed on their own network, connected to switches. The problem these servers have, though, is that IDS systems cannot keep up with high-volume traffic.
- Server Farms: For extremely important servers, you may be able to install dedicated IDS systems that monitor just the individual server's link. Also, application servers tend to have lower traffic than file servers, so they are better targets for IDS systems.
Phase 3
Stack-Based Overflow Attack
- Overwrite the return pointer stored in the stack by overflowing the stack. When the return pointer is copied into the IP (instruction pointer), the IP tries to fetch the data at the new address that was pushed into the return pointer by overflowing the stack.
- Example: Overflow the stack with a series of A's. When the value of the return pointer is copied into the IP, the processor will fetch the instruction from the all-A address (address 41414141h).
- Important to overflow the buffer with meaningful information, i.e. machine language code containing commands we want executed.
- Difficult to overwrite the return pointer to hit exactly at the beginning of the code.
- Place a bunch of NOPs or NOP equivalents (called a NOP sled) at the beginning of the code.
- When overwriting the return pointer, one then only has to aim at a range of values rather than a specific value.
- Once the stack is smashed, there are many things an attacker can do. Most likely, the attacker will try to create a back door to the target system.
- Creating a backdoor with inetd: Add a line to the /etc/inetd.conf file, which will spawn a command shell each time anyone tries to connect to a port defined by the attacker. Run this line in the stack to get a command shell to open on a given port:
- /bin/sh -c "echo port stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf; killall -HUP inetd"
- Creating a backdoor with TFTP and Netcat: Get the target to execute the TFTP client. Load the Netcat program onto the target system. Configure Netcat to push a command shell from the target machine to the attacker's machine.
- A good document on Stack-Based Buffer Overflow Attacks: Smashing the Stack for Fun and Profit by Aleph One, available at packetstormsecurity.org/docs/hack/smashstack.txt
Password Attacks
- Two kinds: Password Guessing and Password Cracking
- Password Guessing: Attempt to guess the password for a particular user ID. This process is rarely successful, time consuming, and generates a lot of network traffic. Also, some accounts are locked out after a set number of unsuccessful guesses. Many password-guessing tools can be found at Packet Storm's site: packetstormsecurity.org
- Password Cracking: Steal the file with the encrypted passwords and use a password cracking program to recover the original passwords.
- Stealing the file: Windows: use a Pwdump program (packetstormsecurity.nl/Crackers/NT/), or sniff them from the network (more on sniffing later). UNIX: gain root-level access and steal the /etc/shadow or /etc/secure file if shadow passwords are used, otherwise steal the /etc/passwd file.
- Password Cracking Software
- Windows: L0phtCrack (available at www.atstake.com/products/lc/). This tool includes other options, such as a sniffer and a pwdump program.
- UNIX: John the Ripper (available at www.openwall.com/john/)
Web Application Attacks
- Can still be conducted, even if the target site uses SSL.
- Account Harvesting, Undermining Session-Tracking Mechanisms, SQL Piggybacking
- Account Harvesting: Works for applications that have different error messages for an incorrect user ID and an incorrect password. By looking at the error messages, the attacker can determine valid user IDs, sometimes even passwords.
- Here, although the web pages look identical for each type of error, notice that the URL has changed, giving any hacker a hint about incorrect user IDs vs. incorrect passwords.
119 Undermining Web Application Session Tracking
- Three ways session IDs are implemented: URL session tracking, hidden form elements, and cookies.
- The attacker will first log in to the site multiple times to see how the session IDs are generated.
- To change a session ID in a URL, simply type a different user's session ID (or a generated one) over the original user's ID in the URL.
120
- To change the session ID in a site with hidden form elements, view the source of the page, modify the ID number and reload it into the browser.
- To edit the session ID in a site that uses cookies, use a program called Achilles (available at www.mavensecurity.com/achilles). Achilles is a web proxy that intercepts the per-session cookies and allows the attacker to modify them.
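All three editing tricks in slides 119 and 120 depend on the session ID being guessable or carrying the user identity itself. The added example below (not from the slides) keeps the user-to-session mapping server-side behind a 256-bit random token, so an edited ID simply fails to resolve, and includes `looks_sequential`, the check a site owner can run over a handful of freshly issued IDs to see whether they step by a constant; the clock argument exists only so expiry can be tested offline:

```python
import secrets
import time


class SessionStore:
    """Server-side session table. The client holds only an opaque random token;
    the user it maps to is never carried in the URL, a hidden field or the cookie."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._clock = clock

    def create(self, user_id):
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[token] = (user_id, self._clock() + self._ttl)
        return token

    def lookup(self, token):
        """Return the user for a token, or None if it is unknown, edited or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            del self._sessions[token]
            return None
        return user_id

    def revoke(self, token):
        self._sessions.pop(token, None)


def tamper(token):
    """Change the last character, as someone editing the ID in a URL or hidden field would."""
    last = "A" if token[-1] != "A" else "B"
    return token[:-1] + last


def looks_sequential(session_ids):
    """Defender's self-check: do the IDs a site hands out differ by a constant step?
    Returns False for IDs that are not plain integers."""
    try:
        nums = [int(s) for s in session_ids]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) >= 2 and len(steps) == 1
```

Cookies carrying such a token should also be marked Secure and HttpOnly so they are not exposed over plain HTTP or to page scripts.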
121 SQL Piggybacking
- Extending an application's SQL statement to extract or update information that the attacker is not authorized to access.
- Rainforest Puppy has a paper about SQL Piggybacking, "How I Hacked Packetstorm" (available at www.opennet.ru/base/cgi/22.txt.html).
- Begin by exploring how the Web application interacts with the database.
122
- The attacker may extend the SQL query
- Example
  - Use SELECT * FROM account WHERE (userid=10001 and number=11111111111 or userid=10002)
  - instead of SELECT * FROM account WHERE (userid=10001 and number=11111111111)
  - to get information on 10002
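The slide's query can only be extended because the request values are pasted into the statement text. The added example below (not from the slides or the paper) rebuilds the account table in an in-memory SQLite database and puts the concatenating lookup next to a parameterized one; the account rows and the `PIGGYBACK_NUMBER` request field are constructed from the slide's numbers:

```python
import sqlite3


def make_db():
    """Constructed in-memory table matching the slide's example (no real account data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (userid INTEGER, number INTEGER, owner TEXT)")
    conn.executemany("INSERT INTO account VALUES (?, ?, ?)",
                     [(10001, 11111111111, "alice"), (10002, 22222222222, "bob")])
    return conn


def lookup_vulnerable(conn, userid, number):
    """The pattern that allows piggybacking: request values pasted straight into the statement."""
    sql = f"SELECT owner FROM account WHERE (userid={userid} and number={number})"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, userid, number):
    """Hardened: the statement is fixed and values travel separately as bound parameters;
    the inputs are also type-checked as integers before they reach the database."""
    sql = "SELECT owner FROM account WHERE (userid=? and number=?)"
    return [row[0] for row in conn.execute(sql, (int(userid), int(number)))]


# The slide's appended clause, as it would arrive in the "number" request field.
PIGGYBACK_NUMBER = "11111111111 or userid=10002"
```

Even without the `int()` conversion, a bound parameter is compared as one value and never re-parsed as SQL; the conversion adds a clear rejection of malformed input instead of an empty result.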
123 Sniffing
- Sniffer: Gathers packets from the local network and allows the user to view the data being transmitted.
- Two ways of sniffing: Passive (network built with a hub) and Active (network built with a switch)
124 Passive Sniffing
- Passively listens and collects packets.
- Snort (available at www.snort.org): A good passive sniffer that can be used as an IDS. Can sift through the network and look for attack signatures.
- Sniffit (available at reptile.rug.ac.be/coder/sniffit/sniffit.html) has an interactive mode that shows all active sessions and allows the attacker to see all keystrokes of the victim.
125
- Dsniff: one of the more versatile sniffing tools. It is several programs in one, but is most known as a sniffer. It can interpret a number of different protocols, like FTP, HTTP, AIM, ICQ, Napster, Microsoft SQL, etc. Available at www.monkey.org/dugsong/dsniff
126 Active Sniffing
- Need to fool the switch into sending the packets to the system with the sniffer
- Different methods: MAC Flooding and Spoofing ARP Messages
- MAC Flooding: Send a flood of traffic with random MAC addresses until the switch's memory is full. Some switches will then forward packets to all links on the switch (done with the Dsniff program Macof).
127
- Spoofing ARP Messages
  - Arpspoof, a Dsniff feature, allows attackers to change the ARP traffic on local networks.
  - Attacker configures his or her system to forward any traffic it receives to the router.
  - Arpspoof program is activated, which sends fake ARP replies
  - Fake ARP replies change the target's ARP table.
  - Any traffic from the target machine is sent to the attacker's machine before being transferred to the local network.
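The fake replies in slide 127 leave a trace: an IP address that was bound to one MAC address suddenly claimed by another. The added example below (not from the slides or Dsniff) is an arpwatch-style monitor over a constructed list of ARP replies, with documentation-range addresses that belong to no real host:

```python
from collections import defaultdict

# Constructed ARP replies (sender IP, sender MAC) as a monitor on the segment would see them.
SAMPLE_ARP_REPLIES = [
    ("192.0.2.1", "00:00:5e:00:53:01"),    # the gateway announces itself
    ("192.0.2.10", "00:00:5e:00:53:10"),
    ("192.0.2.1", "00:00:5e:00:53:01"),
    ("192.0.2.1", "00:00:5e:00:53:99"),    # gateway IP now claimed by a different MAC
    ("192.0.2.1", "00:00:5e:00:53:01"),
    ("192.0.2.1", "00:00:5e:00:53:99"),
]


class ArpWatch:
    """Remembers the first MAC seen for each IP and alerts whenever a reply disagrees."""

    def __init__(self):
        self.table = {}        # ip -> MAC first observed
        self.alerts = []       # (ip, expected MAC, MAC in the conflicting reply)

    def observe(self, ip, mac):
        """Record one ARP reply; returns False when it conflicts with the known binding."""
        mac = mac.lower()
        known = self.table.setdefault(ip, mac)
        if known != mac:
            self.alerts.append((ip, known, mac))
            return False
        return True


def flapping_ips(replies):
    """Offline variant over a capture: IPs that were claimed by more than one MAC."""
    seen = defaultdict(set)
    for ip, mac in replies:
        seen[ip].add(mac.lower())
    return sorted(ip for ip, macs in seen.items() if len(macs) > 1)
```

A first-seen table is only as good as its first observation, so on critical hosts pair this with a static ARP entry for the gateway, which the fake replies cannot overwrite.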
128 Spoofing ARP Messages
129 Other Methods of Redirecting Traffic
- Spoofing DNS
  - DNSspoof, a Dsniff feature, allows attackers to send the target machine false DNS information, making the victim access the attacker's machine when they intend to access a different system.
  - The attacker starts the dnsspoof program and waits for the target to send a DNS query for a specific host.
  - Once the query is received, the attacker then sends a false DNS response.
  - When the target tries to access the intended host, the system is now accessing the attacker's machine.
130 Spoofing DNS
131
- Sniffing HTTPS
  - Attacker runs the webmitm feature of Dsniff while doing DNS spoofing
  - All HTTP and HTTPS traffic is proxied by webmitm
  - Target connects to the attacker's machine and an SSL connection is established.
  - Attacker's system establishes an SSL connection with the server the target is attempting to access.
  - Webmitm acts as a proxy with two connections
    - From the target's system to the attacker's machine
    - From the attacker's machine to the actual server the target was trying to reach
  - Note: the target receives the attacker's certificate, not the certificate of the server the target is trying to reach.
132 Sniffing HTTPS
133
- The user will receive a warning that the certificate is not signed by a trusted Certificate Authority. Webmitm will then display the contents of the SSL session on the attacker's screen.
- Sniffing SSH: This is done in a similar manner as sniffing HTTPS, except that sshmitm (another Dsniff feature) is used instead of the webmitm feature. Note: Sshmitm only allows for sniffing of SSH protocol version 1.
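Both webmitm and sshmitm succeed only when the client accepts a key or certificate that is not the real server's, which is exactly what the warning in slide 133 is reporting. The added example below (not from the slides or Dsniff) implements the pinning check an SSH client performs against known_hosts: it distinguishes a first contact ("unknown") from a server whose key has changed ("mismatch"); the host name, key type label and key bytes are constructed dummies, and the same fingerprint function applies to a DER certificate:

```python
import base64
import hashlib


def fingerprint(key_bytes):
    """OpenSSH-style SHA256 fingerprint of a raw public key (or a DER certificate)."""
    digest = hashlib.sha256(key_bytes).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts(text):
    """Map host -> set of pinned fingerprints from lines of the form 'host keytype base64key'."""
    pins = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, _keytype, b64 = line.split()[:3]
        pins.setdefault(host, set()).add(fingerprint(base64.b64decode(b64)))
    return pins


def verify_host_key(pins, host, presented_key):
    """'match' if the presented key is pinned for this host, 'mismatch' if the host is known
    but presents a different key (the proxy-in-the-middle case), 'unknown' on first contact."""
    if host not in pins:
        return "unknown"
    return "match" if fingerprint(presented_key) in pins[host] else "mismatch"


# Constructed key material (dummy bytes, not a real key) and a known_hosts built from it.
REAL_SERVER_KEY = b"dummy public key of mail.example"
KNOWN_HOSTS = ("# host keytype base64-key\n"
               "mail.example ssh-ed25519 "
               + base64.b64encode(REAL_SERVER_KEY).decode("ascii") + "\n")
```

The useful operational rule follows from the three outcomes: "unknown" is acceptable once, over a path you trust; "mismatch" should end the connection rather than prompt the user.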
134 Is your machine running a sniffer?
- Detecting the process that does the sniffing is difficult, because the name of that process can be disguised as something innocent.
- The only way to detect the sniffer is to check if the network interface is in promiscuous mode. If the network interface is in promiscuous mode, this means that it listens for all packets on the network and not only for packets destined to that machine.
- To check this, run ifconfig -a. This will list the available network interfaces and show all the information about them. The word PROMISC means that the interface is in promiscuous mode.
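The PROMISC check is easy to script, and worth doing from more than one source because (as the rootkit slides later note) a modified ifconfig may omit the flag. The added example below (not from the slides) parses the flags from both classic `ifconfig -a` and `ip link` output and from the hex value Linux exposes in /sys/class/net/<interface>/flags; the command output is constructed, and IFF_PROMISC is the real 0x100 bit from the kernel's if.h:

```python
import re

# Constructed command output in the two common formats (not captured from a real host).
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:aa
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
"""

SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP
"""

IFF_PROMISC = 0x100   # bit in /sys/class/net/<if>/flags (Linux if.h)


def promisc_from_ifconfig(text):
    """Interfaces whose block in `ifconfig -a` output carries the PROMISC flag."""
    found, current = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():          # a new interface block starts in column 0
            current = line.split()[0].rstrip(":")
        if current and re.search(r"\bPROMISC\b", line) and current not in found:
            found.append(current)
    return found


def promisc_from_ip_link(text):
    """Interfaces whose <...> flag list in `ip link` output contains PROMISC."""
    found = []
    for m in re.finditer(r"^\d+:\s+([^:\s]+):\s+<([^>]*)>", text, re.MULTILINE):
        if "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def promisc_from_sysfs_flags(hex_flags):
    """True if the hex string read from /sys/class/net/<if>/flags has IFF_PROMISC set."""
    return bool(int(hex_flags, 16) & IFF_PROMISC)
```

On a live host, feed the functions the output of `subprocess.run(["ip", "link"], capture_output=True, text=True).stdout` and the contents of the sysfs file; if the three views disagree, distrust the binaries before the kernel.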
135 How to avoid packet sniffers altogether
- Active hubs only send packets to the intended machines. This can disable the sniffer since it will not receive packets not intended for that specific machine. Cisco, HP and 3Com have such active hubs.
136 Detecting other sniffers on the network
- Detecting sniffers on other machines is very difficult, but detecting whether a Linux machine is doing the sniffing is possible.
- This can be done by exploiting a weakness in the TCP/IP stack implementation of Linux.
- When Linux is in promiscuous mode, it will answer TCP/IP packets sent to its IP address even if the MAC address on that packet is wrong.
- Therefore, sending TCP/IP packets to all the IP addresses on the subnet, where the MAC address contains wrong information, will tell you which machines are Linux machines in promiscuous mode.
137 IP Address Spoofing
- Used to disguise the IP address of a system.
- Three ways an IP address can be spoofed: changing the IP address, undermining UNIX r-commands, and spoofing with source routing.
- Changing the IP address: The attacker can either reconfigure the whole system to have a different IP address or use a tool (Nmap or Dsniff) to change the source address of outgoing packets. Limitation: the attacker cannot receive any responses.
138
- Undermining UNIX r-Commands
  - Attacker finds two computers with a trust relationship.
  - Send a bunch of TCP SYN packets to the target and see how the initial sequence numbers change.
  - A DoS attack is sent to the other system.
  - Attacker initiates a connection with the target system, using the IP address of the other system.
  - Target system sends TCP SYN and ACK packets to the other system, which is dead.
  - Attacker estimates the initial sequence number of the other system and sends a TCP ACK packet back.
  - If the initial sequence numbers match, the attacker has successfully gained one-way access to the target.
139 Undermining UNIX r-Commands
140
- Spoofing with Source Routing: The attacker creates packets that have system A's source address, with the attacker's address in the source route. The attacker sends the packet to system B. Any replies are sent to the attacker's machine. Note that the attacker does not forward them to system A because the connection would be reset.
141 Session Hijacking
- A combination of sniffing and spoofing that allows an attacker to steal the session from the user, given that after the initial authentication the session is not encrypted. The attacker's system lies somewhere on the route between the two communicating machines (A and B). The attacker observes the traffic, monitoring the TCP sequence numbers. The attacker can then send spoofed packets with system A's IP address as the source so that system B will obey the commands.
142
- Problem: When the attacker sends system B packets with system A's IP address, system A will notice that the TCP sequence numbers are out of order and send ACK packets to resynchronize the numbers. This continual retransmission of ACK packets is known as an ACK storm.
- Most hijacking tools cannot cope with the ACK storm and the connection will be dropped.
143
- Tool: Hunt (available at www.packetstormsecurity.org/sniffers/hunt)
- Hunt uses ARP spoofing to prevent the connection from being dropped.
- Unlike other tools, Hunt can also resynchronize the connection. It does this by sending a message to system A saying "msg from root: power failure, try to type 88 characters" (where 88 is the number of characters that the attacker typed during the hijacking), which will increment the sequence number of system A's TCP stack to where it should be.
- Two new ARP spoof messages are then sent, restoring the correct MAC addresses.
145 Netcat: The Networking Swiss Army Knife
- Used for multiple purposes, Netcat basically moves data over any TCP or UDP port. It can act either as a client or as a listener. Available at www.atstake.com/research/tools/network_utilities
- For File Transfers: Set up a Netcat client on the source system and a Netcat listener on the destination system. The source system initiates a connection and pushes the file to the destination system.
146
- For Port Scanning: Netcat will connect to every port and display a list of open ports.
- For Making Connections to Open Ports: Use Netcat in client mode to connect to open ports and see what the listening service sends back. Better to use than Telnet because it is easier to force Netcat to drop a connection, Netcat can make UDP connections, and Netcat only returns the pure data from the open ports, not any other data like environment variables.
147 Denial-of-Service (DoS) Attacks
- Used to prevent access by legitimate users.
- Two options: Stop services and exhaust resources. This can be done either remotely or locally.
148 Stopping Local Services
- Must have an account on the local system.
- Three methods: Process Killing, System Reconfiguration, and Process Crashing
- Process Killing: When an attacker has root privileges, he or she can simply kill the local processes.
149
- System Reconfiguration: An attacker with root privileges can reconfigure the system so that it does not offer certain services or filters on the machine.
- Process Crashing: Crashing processes by exploiting vulnerabilities in the system (e.g. use a stack-based buffer overflow against a local process, causing the process to crash).
150 Locally Exhausting Resources
- Running a program from an account on the target system that grabs the system resources.
- Three methods: Filling up the process table, filling up the file system, and sending outbound traffic that fills up the communication link.
151
- Filling up the process table: Running a recursive program that forks processes in an attempt to fill up the process table so no other users can run processes.
- Filling up the file system: Continuously writing data to the file system, preventing other users from writing files.
- Sending outbound traffic that fills up the communication link: Running a program that sends large amounts of bogus network traffic, consuming the processor and bandwidth.
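The first two local exhaustion methods in slide 151 are bounded by per-user resource limits, the same controls an administrator sets system-wide with pam_limits (limits.conf) or `ulimit -u` and `ulimit -f`. The added example below (not from the slides) applies them to the current process and its children through the POSIX resource API; the numeric limits are constructed values chosen for illustration, and the function only ever lowers a soft limit, never raises one:

```python
import resource

# Limits an administrator might give an untrusted interactive account (constructed values).
LIMITS = {
    "nproc": (resource.RLIMIT_NPROC, 4096),        # caps a fork bomb at 4096 processes per user
    "fsize": (resource.RLIMIT_FSIZE, 1 << 30),     # a single file may not grow past 1 GiB
}


def tighten_limits(limits=LIMITS):
    """Lower this process's soft limits (inherited by every child it spawns).
    Never raises a limit and never exceeds the hard limit, which an unprivileged
    process cannot lift. Returns the soft limits now in force."""
    applied = {}
    for name, (res, wanted) in limits.items():
        soft, hard = resource.getrlimit(res)
        new_soft = wanted
        for bound in (soft, hard):                  # stay within both existing limits
            if bound != resource.RLIM_INFINITY:
                new_soft = min(new_soft, bound)
        resource.setrlimit(res, (new_soft, hard))
        applied[name] = new_soft
    return applied


def current_soft_limits(limits=LIMITS):
    """Read back the soft limits, e.g. to confirm a login shell inherited them."""
    return {name: resource.getrlimit(res)[0] for name, (res, _) in limits.items()}
```

RLIMIT_NPROC counts all processes of the user, not just descendants of this one, so a fork bomb started from a limited shell stalls at the cap while other users keep their share of the process table; the outbound-traffic method needs a network-side control (rate limiting or shaping) instead, since no per-process limit covers bandwidth.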
152 Remotely Stopping Services
- Send a malformed packet. Different platforms may be susceptible to different types of malformed packets.
- These packets have structures that the TCP/IP stacks cannot anticipate, causing the system to crash.
- Malformed packet suites available at www.packetstormsecurity.org/DoS
153 Remotely Exhausting Resources
- Accomplished by a packet flood
- Three common ways: SYN flood, Smurf attacks, and Distributed Denial of Service Attacks (DDoS)
- SYN Flood: Overwhelm the target machine with SYN packets. This fills the connection queue so that no new connections can be made on the target machine.
154
- Smurf Attacks: Repeatedly send a ping to the broadcast IP address of a network that can receive and respond to directed broadcast messages (called a smurf amplifier), with the target machine as the source of the ping. The target's bandwidth is filled with these packets. Tools: Smurf (ICMP), Fraggle (UDP), and Papasmurf (ICMP and UDP) (available at www.packetstormsecurity.org/new-exploits/). List of Smurf Amplifiers: www.netscan.org
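Both floods in slides 153 and 154 have a signature a network monitor can count: a SYN flood leaves many handshakes without their final ACK, and a site is a smurf amplifier only if echo requests to its broadcast address get in. The added example below (not from the slides) runs both checks over constructed packet summaries using documentation-range addresses; the tuple layout (protocol, source, destination, flags) is an assumption about how a capture has been summarised:

```python
from collections import Counter

# Constructed packet summaries (proto, src, dst, flags) as a monitor might log them; no real hosts.
SAMPLE_PACKETS = (
    [("tcp", "203.0.113.5", "192.0.2.10", "S"),          # one normal, completed handshake
     ("tcp", "192.0.2.10", "203.0.113.5", "SA"),
     ("tcp", "203.0.113.5", "192.0.2.10", "A")]
    + [("tcp", f"198.51.100.{i}", "192.0.2.10", "S") for i in range(1, 41)]   # 40 bare SYNs
    + [("icmp", "203.0.113.9", "192.0.2.255", "echo-request")] * 5            # pings to broadcast
)


def half_open_per_source(packets):
    """SYNs minus handshake-completing ACKs per source; positive means connections left half-open."""
    syns, acks = Counter(), Counter()
    for proto, src, _dst, flags in packets:
        if proto != "tcp":
            continue
        if flags == "S":
            syns[src] += 1
        elif flags == "A":
            acks[src] += 1
    return {src: syns[src] - acks[src] for src in syns if syns[src] > acks[src]}


def syn_flood_verdict(packets, threshold=10):
    """A SYN flood shows as many half-open entries, usually spread over spoofed sources."""
    half_open = half_open_per_source(packets)
    total = sum(half_open.values())
    return {"half_open": total, "sources": len(half_open), "flood": total >= threshold}


def directed_broadcast_pings(packets, broadcast_addrs):
    """Echo requests addressed to a broadcast address: what a would-be smurf amplifier must drop."""
    return [src for proto, src, dst, flags in packets
            if proto == "icmp" and flags == "echo-request" and dst in broadcast_addrs]
```

On the amplifier side the fix is configuration, not detection: disabling directed broadcast forwarding on the border router and having hosts ignore broadcast echo requests removes the site from lists like the one at netscan.org.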
155
- DDoS Attacks: Attacker takes over victim machines (called Zombies) and installs software that waits for commands from the attacker. The attacker can then tell the zombies to start a DoS attack on the target. Tool: TFN2K (available at www.packetstormsecurity.nl/groups/mixter/index2.html). This tool allows the attacker to choose which type of packet to use in the DDoS attack. It also allows IP spoofing, communication via Echo Reply packets, and running a single command simultaneously on all zombies.
156 Phase 4: Maintaining Access
157 Backdoor Kits
- Active: Used by an intruder at any time that they wish.
- Passive: Set to trigger themselves according to a predetermined time or system event.
158 Backdoor Kit Selection
- This is dependent upon the type of network security in place.
- Two basic architectural categories
  - Packet filter
  - Proxy firewall
159 Trojan Horses
- A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves.
- Used to integrate a hole or backdoor into a system's security posture.
- Trojans spread due to the technological necessity to use ports: lower ports are used by Trojans that steal passwords, while higher ports are used by remote-access Trojans that can be reached over the Internet, network, VPN or dial-up access.
160 Trojan Horse Backdoor Tools
161 Back Orifice
Remote Administration System which allows an intruder to control a computer across a TCP/IP connection using a simple console or GUI application. Gives its user more control of the target computer than the person at the actual keyboard has.
162 Back Orifice Server Functionality
- Get detailed system information, including
  - current user
  - CPU type
  - Windows version
  - memory usage
  - mounted disks and information for those drives
  - screensaver password
  - passwords cached by the user
163 Controls and Abilities
- File system control: Copy, rename, delete, view, and search files and directories. File compression and decompression.
- Process control: List, kill, and spawn processes.
- Registry control: List, create, delete and set keys and values in the registry.
164
- Multimedia control: Play wav files, capture screen shots, and capture video or still frames from any video input device (like a QuickCam).
- Network control: View all accessible network resources, all incoming and outgoing connections, list, create and delete network connections, list all exported resources and their passwords, create and delete exports.
165
- Packet redirection: Redirect any incoming TCP or UDP port to any other address and port.
- Application redirection: Spawn most console applications (such as command.com) on any TCP port, allowing control of applications via a telnet session.
- HTTP server: Upload and download files on any port using a www client such as Netscape.
- Integrated packet sniffer: Monitor network packets, logging any plaintext passwords that pass.
- Plugin interface: Write your own plugins and execute the native code of your choice in BO's hidden system process.
166 NetCat
- A simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol.
- Designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts.
- Part of the Red Hat Power Tools collection and comes standard on SuSE Linux, Debian Linux, NetBSD and OpenBSD distributions.
167 It provides access to the following main features
- Outbound or inbound connections, TCP or UDP, to or from any ports
- Full DNS forward/reverse checking, with appropriate warnings
- Ability to use any local source port
- Ability to use any locally-configured network source address
- Built-in port-scanning capabilities, with randomizer
- Built-in loose source-routing capability
- Can read command line arguments from standard input
- Slow-send mode, one line every N seconds
- Hex dump of transmitted and received data
- Optional ability to let another program service established connections
- Optional telnet-options responder
168 Port-Scanning
- Netcat accepts its commands with options first, then the target host, and everything thereafter is interpreted as port names or numbers, or ranges of ports in M-N syntax.
- For each range of ports specified, scanning is normally done downward within that range.
- If the -r switch is used, scanning hops randomly around within that range and reports open ports as it finds them.
169 Traditional Root Kits
170 Root Kits
- Used by an intruder to prevent his/her detection on the system he/she has compromised.
- Generally contains network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities such as ps, netstat, ifconfig, and killall.
- Installs a backdoor remote-access daemon, such as a modified version of telnetd or sshd. These will often run on a different port than the one that these daemons listen on by default.
- Most rootkits also come with modified system binaries that replace the existing ones on the target system.
171 /bin/login Replacement
- When logging onto a UNIX machine, the /bin/login program runs.
- Used to gather and check the user ID and password.
- The rootkit replaces /bin/login with a modified version that includes a backdoor password.
172 Detecting Backdoors: Example
- The system administrator runs the /bin/login binary through strings.
- strings: a UNIX program that shows all sequences of consecutive printable characters in a file.
- If an unfamiliar sequence is found, it may be a backdoor.
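"Unfamiliar" in slide 172 needs a reference point, so the practical form of this check is to compare the strings (and the hash) of the installed binary against a baseline recorded from the vendor package. The added example below (not from the slides) reimplements the strings(1) extraction and the comparison; the "binaries" are constructed byte strings standing in for a clean and a modified /bin/login, not real files:

```python
import hashlib
import re


def extract_strings(blob, min_len=4):
    """Runs of printable ASCII at least min_len long, the same default strings(1) uses."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def unexpected_strings(blob, baseline_strings):
    """Strings present in the binary under review but absent from the known-good baseline."""
    return sorted(set(extract_strings(blob)) - set(baseline_strings))


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def changed_since_baseline(blob, baseline_sha256):
    """Whole-file check: any byte differs from the recorded hash of the vendor binary."""
    return sha256_hex(blob) != baseline_sha256


# Constructed stand-ins for a vendor /bin/login and a modified copy; not real binaries.
GOOD_LOGIN = b"\x7fELF\x02\x01\x01\x00login: \x00Password: \x00/etc/passwd\x00\xff\xfe"
BAD_LOGIN = GOOD_LOGIN + b"\x00backd00r-pass\x00/tmp/.hidden.log\x00"
BASELINE_STRINGS = extract_strings(GOOD_LOGIN)
BASELINE_SHA256 = sha256_hex(GOOD_LOGIN)
```

The hash comparison is the stronger test (a backdoor can be added without any new printable string), but the strings diff tells the administrator what was added; both only work if the baseline was recorded before the compromise and stored off the host.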
173 Sniffers
- Are used to gather passwords for other systems and listen to traffic for sensitive information.
- Rootkits set promiscuous mode on the target machine's network interface card, enabling the sniffer to listen to a variable-sized network.
174 Hidden Sniffers
- ifconfig shows information such as IP addresses, network mask and MAC addresses.
- By running ifconfig, one can normally detect a sniffer by looking for the PROMISC flag.
- The rootkit's trojaned ifconfig does not show this flag, which prevents the system administrator from detecting the rootkit.
175 Kernel-Level Rootkit
- The most severe threat to system security that can be caused by a rootkit comes from those that deploy LKM (Loadable Kernel Module) trojans.
- LKMs are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation.
- Kernel rootkits do not replace system binaries; they subvert them through the kernel.
176 Subverting the kernel
- There are two ways that a rootkit can subvert the kernel to perform actions on behalf of an intruder
  - Loading a kernel module
    - The Linux kernel (and many other operating systems) can load kernel modules at runtime. This allows an intruder to insert a module that overrides kernel syscalls in order to return incorrect values.
  - Writing to /dev/kmem
    - By writing to /dev/kmem it is possible to overwrite the kernel at runtime, and thus perform any arbitrary modification.
177 Atypical Methods to Subvert the Kernel
- Adore-ng by Stealth employs the Virtual FileSystem layer of the kernel. This works by replacing the existing handler routines for providing directory listings of the /proc and / filesystems, and registering its own routines instead. Userspace programs use the /proc filesystem to obtain information on running processes. In this way both processes and files can be hidden.
178 Detecting Kernel Rootkits
- To get a list of kernel modules, two standard methods can be used
  - bash$ lsmod
  - bash$ cat /proc/modules
- Unfortunately, being a kernel module, an LKM rootkit can easily defeat such efforts by a variety of methods.
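The two commands in slide 178 read the same kernel data, so comparing their output (plus the directory names under /sys/module) cannot prove the kernel is clean, but it does expose the cheaper case of a trojaned lsmod binary. The added example below (not from the slides) performs that three-way comparison over constructed output; the module names, sizes and addresses are made up, and `hidden_mod` is a placeholder for whatever name one view omits:

```python
# Constructed output (not from a real host): what an lsmod binary printed, the raw
# /proc/modules file, and the directory names under /sys/module.
SAMPLE_LSMOD = """\
Module                  Size  Used by
ext4                  778240  1
e1000                 143360  0
"""
SAMPLE_PROC_MODULES = """\
ext4 778240 1 - Live 0xffffffffc0a00000
e1000 143360 0 - Live 0xffffffffc0900000
hidden_mod 16384 0 - Live 0xffffffffc0b00000 (O)
"""
SAMPLE_SYS_MODULE = ["e1000", "ext4", "hidden_mod"]


def modules_from_lsmod(text):
    """Module names from lsmod output (first column, header row skipped)."""
    lines = text.splitlines()
    return {line.split()[0] for line in lines[1:] if line.strip()}


def modules_from_proc(text):
    """Module names from /proc/modules (first field of each line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def compare_module_views(lsmod_text, proc_text, sys_module_names):
    """For each view, the module names that some other view reports but this one omits.
    A trojaned lsmod shows up under 'lsmod'; a kernel-level rootkit that hooks the
    kernel hides from all three views, so empty lists do not prove a clean kernel."""
    views = {
        "lsmod": modules_from_lsmod(lsmod_text),
        "proc": modules_from_proc(proc_text),
        "sysfs": set(sys_module_names),
    }
    everything = set().union(*views.values())
    return {name: sorted(everything - seen) for name, seen in views.items()}
```

One caveat when reading the sysfs column: /sys/module also lists built-in (non-loadable) components that have parameters, so names missing only from lsmod and /proc/modules are worth a look rather than an alarm; a name present in /proc/modules but absent from lsmod output is the case that points at a replaced binary.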
179 Programs
- This is a non-exhaustive list of programs that are useful for the detection of kernel modifications in a running system.
- kern_check.c (PGP signature: kern_check.c.asc) is a small command-line utility (for Linux 2.2.x, 2.4.x) that will compare your System.map against your kernel's syscall table and warn about any inconsistencies.
- In case of compilation failure, you may want to make