The Fundamentals of Hacking: An 0\/3r\/!3vv

About This Presentation

Title:

The Fundamentals of Hacking: An 0\/3r\/!3vv

Description:

This could be used to bypass the access control restrictions. How To Use FTP Bounce ... at that site is available on port 8080, a port normally blocked by a firewall. ... – PowerPoint PPT presentation

Number of Views:276

Avg rating:3.0/5.0

Slides: 196

Provided by: ezra7

Category:

more less

Transcript and Presenter's Notes

Title: The Fundamentals of Hacking: An 0\/3r\/!3vv

1
The Fundamentals of HackingAn 0\/3r\/!3vv

Jen Johnson
Miria Grunick

2
Five Phases of an Attack

Phase 1 Reconnaissance
Phase 2 Scanning
Phase 3 Gaining Access
Phase 4 Maintaining Access
Phase 5 Covering Attacks and Hiding

3
Phase 1 Reconnaissance

Takes place before the attack.
Investigate the target using publicly available
information
Types Low-Technology Reconnaissance, Searching
the Web, Whois Databases, Using the DNS, and
General Purpose Tools

4
Low-Technology Reconnaissance

Social Engineering An attacker calls the target
organization and fools an employee into revealing
sensitive information. Often, the attacker calls
and pretends to be a new employee, customer,
system administrator, or business partner.

5
Low-Technology Reconnaissance

Physical Break-In Physically breaking into the
building to try to gain access to the network
from the inside. This is often accomplished by
walking into the building with a group of
employees or being hired as an employee or temp.

6
Low-Technology Reconnaissance

Dumpster Diving Going through an organizations
discarded documents to find sensitive
information. Often, employees will throw out
papers that reveal critical information (i.e.
old Post-It notes with user IDs and passwords).

7
Searching the Web

Organizations Web Site Can reveal important
information, such as the employees contact
information, clues about the corporate culture
and language, business partners, recent mergers
and acquisitions, and what technologies the
organization uses.

8
Searching the Web

Search Engines Can reveal information about the
companys history, current events, future plans,
financial status, business partners, technologies
in use.
Usenet Employees may submit questions to
technical newsgroups that reveal information
about the particular products that the
organization uses.

9
Whois Databases

Whois databases contain information about the
assignment of Internet addresses, domain names,
registrars, and individual contacts.
First, find out who the registrar is. The
Internet Network Information Center (InterNIC)
whois database system lists the registrars of
websites based on the organizations name or
domain name for sites with the .net, .org or .com
extensions. The InterNIC whois database is
avaliable online at www.internic.net/whois.html

10
Whois Databases

If you are researching an organization without
the .com, .net, or .org extensions (i.e.
international websites), try the Allwhois site
at www.allwhois.com/home.html
Once you have the registrars name, you can go to
the registrars site and get more information,
such as names and numbers of administrators,
email and postal addresses, registration dates,
and the addresses of the organizations DNS
servers.

11
American Registry for Internet Numbers (ARIN)

Contains all IP addresses assigned to a
particular organization. Search by company or
domain names.
For North American, South American, Caribbean,
and sub-Saharan African organizations
www.arin.net/whois/arinwhois.html
For European organizations www.ripe.net
For Asian organizations www.apnic.net

12
Domain Name System (DNS)

DNS a world-wide hierarchical database that
stores information about domain names and IP
addresses. This database is searched to get
information about a given domain name, most
commonly the corresponding IP address.
Once an attacker knows one of the DNS servers,
the attacker can begin interrogating the name
servers.

13
DNS

To interrogate DNS servers, first invoke a
nslookup program on any UNIX or Windows NT/2000
environment by typing nslookup at the command
prompt.
Try to do a zone transfer. In a zone transfer,
the nslookup program asks the DNS server to
transmit all information it has about a given
domain.

14
DNS

To do a zone transfer, the nslookup must be
instructed to use the targets DNS server, using
the server target_DNS_server command
Next, specify to search for any type of DNS
record by typing set typeany
Initiate the zone transfer by typing ls d
target_domain
Output can give useful information, such as
system names, IP addresses of the systems, and
sometimes even operating system types.
More information about nslookup
www.zoneedit.com/doc/nslookup.html

15
General Reconnaissance Tools

Sam Spade (freeware avaliable at
www.samspade.org/ssw/ )
Many reconnaissance tools in one ping, whois, IP
block whois, nslookup, dig, DNS zone transfer,
traceroute, finger, SMTP VRFY, Web browser.
Other general-purpose reconnaissance tools
CyberKit, NetScan Tools, iNetTools

16
Web-Based Reconnaissance Tools

Research and Attack portals sites that allow a
user to enter the target site and research or
initiate an attack against the target (via
denial-of-service attacks or vulnerability scans)
Difference between Web-based tools and general
reconnaissance tools now the traffic comes from
the Web server, not the attacker machine. Thus,
the attacker can remain more anonymous.

17
Web-Based Reconnaissance Tools

Examples
www.network-tools.com
privacy.net/analyze

18
Phase 2 Scanning
The premise of scanning is to probe as many ports
as possible, keeping track of open and useful
ports that would be receptive to
hacking. Scanners send multiple packets over a
communication medium then listen and record each
response. The following are techniques for
inspecting ports and protocols.
19
War Dialing

War Dialing Dialing large pools of telephone
numbers in an effort to find unprotected modems.
Done with an automated tool, such as THC-Scan
2.0, available at www.thc.org/releases.php.
This tool will return a list of all of the modems
discovered in the range of the phone numbers it
was given.
The hacker can then check all of the modems and
see if any have no passwords, allowing them
access to the network.

20
FIN Probe

A FIN packet is sent (Or any packet without an
ACK or SYN flag) to an open port and one waits
for a response.
The correct RFC793 behavior is to not respond.
Many broken implementations (i.e MS Windows) send
a RESET back.

21
Network Mapping

A hacker first tries to determine which addresses
have active hosts by pinging all possible
addresses in the network.
Once a hacker knows which hosts are alive, he or
she will try to determine the network topology.
This is done by a method called tracerouting.

22
Network Mapping

Tracerouting Send a series of packets with
different Time-To-Live (TTL) values in the IP
header and check the source address of the Time
Exceeded message returned.
Example Send a packet with a TTL of 1. The Time
Exceeded message will have the source address of
the first router. Now send a packet with a TTL of
2. The Time Exceeded message returned will have
the source address of the second router, and so
on.

23
Tracerouting
24
Network Mapping

Windows 2000/NT and UNIX have tools that do this
for us
Windows 2000/NT tracert
UNIX traceroute
Another network mapping tool Cheops (available
at www.marko.net/cheops ) This tool does the
ping sweep and traceroute and draws a picture of
the topology of the network.

25
Screenshot of Cheops
26
How Cheops Works

Sequentially send ARP messages to every IP
address in the range.
Traceroute to every IP address that responds to
the ARP message.

27
Scanning Involves 3 Steps

Locating Nodes
Performing Service Discoveries
Testing Services for Known Security Holes

28
TCP Port Scanning

Most basic form of scanning. Attempts to open a
full TCP port connection to determine if that
port is active.
This method leaves an easier to spot trail than
partial open scanning.

29
Stealth Port Scanning

All the operating systems now honor the tradition
of permitting only the super-user to open the
ports numbered 0 to 1023. These standard ports
are assigned to services by the IANA (Internet
Assigned Numbers Authority, www.iana.org).
Attempts to open a port in the range of 0..1023
by an unprivileged user program will fail. A user
program can open any unallocated port higher than
1023.

On Unix, the text file named
/etc/ services
(on Windows 2000 the file named windir\
system32\ drivers\ etc\ services)
lists these service names and the ports they
use. Here are a few lines extracted from this
file

31
echo 7/tcp Echo
ftp-data 20/udp File Transfer (default)
ftp 21/tcp File Transfer (control)
ssh 22/tcp SSH Remote Login Protocol
telnet 23/tcp Telnet
domain 53/udp Domain Name Server
www-http 80/tcp WWW HTTP
32
Non Standard Ports
wins 1512/tcp Microsoft Windows Internet Name Service
Radius 1812/udp RaDIUS authentication protocol
yahoo 5010 Yahoo! Messenger
X11 6000-6063/tcp X Window System
33
Stealth Scanning Includes Some/All of the
Following

Setting individual flags (ACK, FIN, RST, .. )
NULL flags set
All flags set
Bypassing filters, firewalls, routers
Appearing as casual network traffic
Varied packet dispersal rates

34
Fragmented Packets

The scanner splits the TCP header into several IP
fragments. This bypasses some packet filter
firewalls because they cannot see a complete TCP
header that can match their filter rules.

Some packet filters and firewalls do queue all IP
fragments (e.g., the CONFIG _IP _ALWAYS _DEFRAG
option in Linux enables it in the kernel), but
many networks cannot afford the performance loss
caused by the queuing.

36
TCP Fragmenting

TCP fragmenting is not a scan method so to speak,
although it employs a method to obscure scanning
implementations by splitting the TCP header into
smaller fragments.

A minimally allowable fragmented TCP header must
contain a destination and source port for the
first packet (8 octect, 64 bit), typically the
initialized flags in the next, allowing the
remote host to reassemble the packet upon
arrival.

The actual reassembly is established through an
IPM (internet protocol module) that identifies
the fragmented packets by the field equivalent
values of
source
destination
protocol
identification

39
Using TCP Fragmenting - FragRouter

Program which fragments TCP packets
35 different ways to fragment
Called a router because it is a software
implementation of a router data from other
programs is sent through the FragRouter
FragRouter fragments the packets and then
forwards the packets to their destination

40
SYN Scanning

Also called half-open scanning, as TCP connection
is not completed.
A SYN packet is sent and the target host
responds with a SYNACK, indicating the port is
listening
RST indicates a non-listener
The server process is never informed by the TCP
layer because the connection did not complete.

41
A demonstration of this technique is necessary to
show a half open transaction

client -gt SYN
server -gt SYNACK
client -gt RST

This example has shown the target port was open,
since the server responded with SYNACK flags.
The RST bit is kernel oriented, that is, the
client need not send another packet with this
bit, since the kernel's TCP/IP stack code
automates this.

43
Inversely, a closed port will respond with
RSTACK.

client -gt SYN
server -gt RSTACK
This combination of flags is indicative of a
non- listening port.

44
FIN Scanning

The typical TCP scan attempts to open connections
(at least part way). Another technique sends
erroneous packets at a port, expecting that open
listening ports will send back different error
messages than closed ports.

The scanner sends a FIN packet, which should
close a connection that is open. Closed ports
reply to a FIN packet with a RST. Open ports, on
the other hand, ignore the packet in question.
If no service is listening at the target port,
the operating system will generate an error
message.
If a service is listening, the operating system
will silently drop the incoming packet.
Therefore, silence indicates the presence of a
service at the port.

46
This is the negotiation for open/closed port
recognition

client -gt FIN
server -gt -
No reply signaled by the server is iconic of an
open port. The server's operating system silently
dropped the incoming FIN packet to the service
running on that port.

47
RST Reply

Opposing this is the RST reply by the server upon
a closed port reached.
Since, no service is bound on that port, issuing
a FIN invokes a reset (RST) response from the
server.
client -gt FIN
server -gt RST

Other techniques that have been used consist of
XMAS scans where all flags in the TCP packet are
set, or NULL scans where none of the bits are
set. However, different operating systems respond
differently to these scans, and it becomes
important to identify the OS and even its version
and patch level.

49
Reverse Ident Scanning

This technique involves issuing a response to the
ident/auth daemon, usually port 113 to query the
service for the owner of the running process.
The main reason behind this is to find daemons
running as root, this result would entice an
intruder to find a vulnerable overflow and
instigate other suspicious activities involving
this port.

Alternatively, a daemon running as user nobody
(httpd) may not be as attractive to a user
because of limited access privileges.
identd could release miscellaneous private
information such as
user info
entities
objects
processes

51
FTP Bounce
52
Background

FTP session consists of two connections between
the client and the server.
The high port server connection is enabled by the
client that allows the FTP server to send data to
the client.
When the client wants to transfer data to or from
the server, it issues a PORT command. The PORT
command instructs the server to open a data
connection which is used to transfer the data.

53
Problem

An outside attacker can use the FTP server to
open connections which appear to originate from
the server. This could be used to bypass the
access control restrictions.

54
(No Transcript)
55
How To Use FTP BounceAttacks
56
Port Scanning

An attacker can run the attck from a third-party
FTP server acting as a stage for the scan. The
victim site sees the scan as coming from the FTP
server rather than the true source (the FTP
client).
When the victim site is on the same subnet as the
FTP server, or when it does not filter traffic
from the FTP server, the attacker can use the
server machine as the source of the port scan
rather than the client machine

57
Bypassing Basic Packet Filtering Devices

An attacker may bypass a firewall in certain
network configurations.
Example a site has its anonymous FTP server
behind a firewall. Using the technique above, an
attacker determines that an internal web server
at that site is available on port 8080, a port
normally blocked by a firewall.

By connecting to the public FTP server at the
site, the attacker initiates a further connection
between the FTP server and an arbitrary port on a
non-public machine at that site .
(for instance the internal web server at port
8080).
As a result, the attacker establishes a
connection to a machine that would otherwise be
protected by the firewall.

59
Bypassing Dynamic Packet Filtering Devices

Example
victim site houses all of its systems behind a
firewall that uses dynamic packet filters
person at victim site browses web pages and
downloads a Java applet constructed by attacker.
Java applet then opens an outbound FTP connection
to attacker's machine.
applet then issues an FTP PORT command,
instructing server machine to open a connection
to some otherwise protected system behind the
victim firewall.

Dynamic packet filtering firewall examines
outbound packets to determine if any action is
required on its part.
It notes the PORT command and allows an incoming
connection from the remote web server to the
telnet port on the victim machine.
This connection was allowed in this case because
the PORT command was issued by the client.

61
Scanning Packages Available Commercially

CyberCop
JAKAL
NetRecon
NMap

62
CyberCop

Intrusion detection system that safeguards
corporate assets by performing real-time
surveillance of network traffic. The CyberCop
system protects networks from external and
internal attacks by providing a "high tech
burglar alarm" capable of alerting companies when
the security of their networks is breached by
unauthorized intruders.

63
JAKAL

Developed on UNIX to test UNIX hosts. Jakal is
interesting because of its possibilities it is
designed for stealth and to go through most
firewalls. Usually it doesn't leave any trace of
its activity, except for some messages (SYNACK).

64
NetRecon

Scans multiple operating systems, including UNIX,
Linux, Windows 2000, Windows NT, Windows 95/98
and NetWare.
Scans using many Windows NT/2000 network
protocols such as TCP/IP, IPX/SPX, and NetBEUI.

65
Nmap

Most popular scanner to date
Free utility for network exploration or security
auditing. Designed to rapidly scan large
networks. Uses raw IP packets to determine what
hosts are available on the network, what services
(application name and version) those hosts are
offering, what operating systems (and OS
versions) they are running, what type of packet
filters/firewalls are in use.
http//www.insecure.org/nmap/idlescan.html

66
Scan Types Supported by Nmap
67
Type of Scan Command-Line Option Summary of Characteristics
TCP Connect -sT Completes the 3-way handshake with each scanned port.
TCP SYN -sS Only sends the initial SYN and awaits the SYN-ACK response.
TCP FIN -sF Sends a TCP FIN to each port. Reset indicates port is closed.
68
TCP Xmas Tree -sX Sends packet with the FIN, URG and PUSH code bits set. Reset indicates port is closed.
Null -sN Sends packets with no code bits set. Reset indicates port is closed.
TCP ACK -sA Sends packet with the ACK code bit set to each target port.
Window -sW Similar to ACK, but focuses on TCP Window size to determine if ports are open or closed.
69
FTP Bounce -b Bounces a TCP scan off of an FTP server, obscuring the originator of the scan.
UDP Scanning -sU Sends a UDP packet to target ports to determine if a UDP service is listening.
Ping -sP Sends ICMP echo request packets to every machine on target network.
RPC Scanning -sR Scans RPC services using all discovered to open TCP/UDP ports on the target to send RPC Null commands.
70
Determining Firewall Filter Rules

One disadvantage of Nmap it cannot
differentiate what is open on an end machine and
what is being firewalled.
It is also important to determine what ports are
available through the firewall or router. One
tool that can do this is Firewalk (avaliable
www.packetfactory.net/projects/firewalk/firewalk-5
.0.tgz
Firewalk can determine which types of packets are
permitted through and which ports are accessible
through the firewall.
Note Firewalk is only useful for
packet-filtering devices, not proxy-based
firewalls.

71
How Firewalk Works

Determines the number of hops between the tool
and the firewall
Sends UDP and TCP packets with TTL one greater
than the hop count to the filtering device.
If ICMP Time Exceeded message is returned, the
port is available through the firewall
If ICMP Port Unreachable message or nothing is
returned, the port is most likely being filtered
by the firewall.
Unlike Nmap, Firewalk can determine what kind of
packets are allowed through the firewall for each
specific port and which ports allow new
connections.

72
Vulnerability Scanning

Use an automated tool that checks for common
configuation errors, default configuration
errors, and well-known system vulnerabilities.
Generally made up of multiple parts
vulnerability database, user configuration tool,
scanning engine, knowledge base of current active
scan, and results repository and report
generation tool.

73
Vulnerability Scanner
74
Nessus

The most popular of the vulnerability scanners.
(Available www.nessus.com)
Also allows the user to write their own
vulernability checks and include them in the
tool.
Has a variety of plug-ins, such as checking for
vulnerabilities that allow a shell to be gained
remotely and checking to see if the target system
already has backdoor tools installed.

75
Port, Socket Service Vulnerability Penetrations

Once a breach has been uncovered during the
discovery phase, different vulnerability
penetrations are used to take advantage and
possibly gain control of computers, servers and
internetworking equipment.
More on exploiting these vulnerabilities in Phase
3

76
Operating System Fingerprinting with Nmap
77
TCP ISN Sampling

The idea here is to find patterns in the initial
sequence numbers chosen by TCP implementations
when responding to a connection request.
Categorized into groups such as traditional 64K,
random increments and true random, (Linux 2.0)

78
Dont Fragment Bit

Trend of operating systems to set the IP Dont
Fragment bit on some of the packets they send.
By paying attention to this bit, one can glean
information on the target OS.

79
TCP Initial Window

Simply involves checking the window size on
returned packets.
Gives quite a lot of information since some
operating systems can be uniquely identified by
the window alone.

80
TCP Option

Excellent means of gaining access to leaked
information.
Can discover if a host is implementing them by
sending a query with an option set target shows
support of the option by setting it on the reply.
Can stuff many options on one packet to test
everything at once.

81
SYN Flood Resistance

If too many forged SYN packets are sent to some
operating systems, they will stop accepting new
connections.
Many operating systems can only handle 8 packets.
By sending 8 forged packets to an open port and
then trying to establish a connection, you can
learn about the operating system used.
This is easier to detect on the target side than
other methods, however.

82
(No Transcript)
83
Random Clipart
84
Pre-Phase 3

Understanding Filters, Firewalls and the IDS

85
Packet Filter

First line of defense.
Checks each packet against a policy or rule
before routing it to the destined node or network
destination.
Most reject SYN/ACK, ICMP, and incoming UDP
packets that initiate inward security.

86
Example

Cisco Series Access Router
If router is configured to pass a particular
protocol, external hosts can use that protocol to
establish a direct connection to internal hosts.
The router will produce an audit log with
features to generate alarms when hostile behavior
is detected.

87
Enhanced Version

Stateful Filter

88
Stateful Filter

Provides same functionality as previous version,
but also keeps track of state information, such
as TCP sequence numbers.
Uses the analysis of data within the lowest
levels of the protocol stack to compare the
current session to previous ones for the purpose
of detecting suspicious activity.
Uses specific rules determined by the user.

89
Downside

Does not recognize specific applications,
therefore, is unable to apply dissimilar rules to
different applications.

90
Proxy Firewall
91

Simple server with duel NICs that has routing or
packet forwarding deactivated, utilizing a proxy
server daemon instead.
Gateway is a term used as a synonym for proxy
server.
Gathers all internet requests, forwards them to
internet servers, receives responses and forwards
them to the original requestor within the company.

92
Enhanced Version

Application Proxy Gateway

93
Application Proxy Gateway

Contains integrated modules that check every
request and response.
Example
An FTP stream may only be allowed to download
data.

94
Application Gateways look at data on the
application layer of the protocol stack and serve
as proxies for outside users. Thus, outside
users never really have a direct connection to
anything beyond the proxy gateway.
95
Implementing a Backdoor Method4 Actions Take
Place

Seizing a virtual connection this involves
hijacking a remote telnet session, a VPN tunnel
or a secure-ID session.
Planting an insider User, engineer or socially
engineered (swindled) person.
Can also spoof an employee with an e mail with a
remote access Trojan attached.

Manipulating an internal vulnerability attacks
on demilitarized zones, such as
E-mail, domain name resolution, telnet or FTP.
Manipulating an external vulnerability involves
penetrating through external mail server, HTTP
server daemon and/or telnet service on an
external boundary gateway.

97
Intrusion Detection System
98
Scanning Intrusion Detection Systems

Detects statistical anomalies. Measures a
"baseline" of such stats as CPU utilization, disk
activity, user logins, file activity, and so
forth. Then, the system can trigger when there is
a deviation from this baseline.
Can detect the anomalies without having to
understand the underlying cause behind them.

99
Signature Recognition

The majority of commercial products are based
upon examining the traffic looking for well-known
patterns of attack.
Classic example is to example every packet on the
wire for the pattern "/cgi-bin/phf?", which might
indicate somebody attempting to access this
vulnerable CGI script on a web-server.

100
How does a NIDS match signatures with incoming
traffic?

1. Protocol stack verification A number of
intrusions, such as "Ping-O-Death" and "TCP
Stealth Scanning" use violations of the
underlying IP, TCP, UDP, and ICMP protocols in
order to attack the machine. A simple
verification system can flag invalid packets.
This can include valid, by suspicious, behavior
such as severally fragmented IP packets.

101

2. Application protocol verification A number of
intrusions use invalid protocol behavior, such as
"WinNuke", which uses invalid NetBIOS protocol
or DNS cache poisoning, which has a valid, but
unusually signature. In order to effectively
detect these intrusions, a NIDS must re-implement
a wide variety of application-layer protocols in
order to detect suspicious or invalid behavior.

102

3. Creating new loggable events A NIDS can be
used to extend the auditing capabilities of your
network management software. For example, a NIDS
can simply log all the application layer
protocols used on a machine. Downstream event log
systems (WinNT Event, UNIX syslog, SNMP TRAPS,
etc.) can then correlate these extended events
with other events on the network.

103
Other countermeasures besides IDS

Firewalls These are to protect from external
attacks most intrusions are committed by
employees inside the firewall, and it should
therefore be considered a last line of defense.

104
Authentication

Scanners should be run that automate the finding
of open accounts.
One should enforce automatically strict policies
for passwords (7 character minimum, including
numbers, dual-case, and punctuation) using crack
or built in policy checkers (WinNT native, add-on
for UNIX).

105
Virtual Private Networks

Create secure connections over the Internet for
remote access.
VPNs actually decrease corporate security. While
the pipe itself is secure (authenticated,
encrypted), either end of the pipe are wide open.
A home machine compromised with a backdoor
rootkit allows a hacker to subvert the VPN
connection, allow full, undetectable access to
the other side of the firewall.

106
IDS

Setup Locations

107

Network Hosts Although network intrusion
detection systems have traditionally been used as
probes, they can also be placed on hosts.
Network perimeter IDS is most effective on the
network perimeter, such as on both sides of the
firewall, near the dial-up server, and on links
to partner networks. These links tend to be
low-bandwidth (T1 speeds) such that an IDS can
keep up with the traffic.

108

Servers are often placed on their own network,
connected to switches. The problem these servers
have, though, is that IDS systems cannot keep up
with high-volume traffic.
Server Farms For extremely important servers,
you may be able to install dedicated IDS systems
that monitor just the individual server's link.
Also, application servers tend to have lower
traffic than file servers, so they are better
targets for IDS systems.

109
Phase 3

Penetration

110
Stack Based Overflow Attack

Overwrite the return pointer stored in the stack
by overflowing the stack. When the return pointer
is copied into the IP, the IP tries to fetch the
data of the new address that was pushed into the
return pointer by overflowing the stack.
Example Overflow the stack with a series of
A s. When the value of the return pointer
is copied into the IP, the IP address will fetch
the instruction from the all A address (address
41414141h)

111

Important to overflow buffer with meaningful
information
i.e. machine language code containing commands
we want executed
Difficult to overwrite return pointer to hit
exactly at beginning of code
Place a bunch of NOP or NOP equivalents (called a
NOP sled) at beginning of code.
When overwriting return pointer, have to aim to
overwrite to a range of values rather than a
specific value.

112

Once the stack is smashed, there are many things
an attacker can do. Most likely, the attacker
will try to create a back door to the target
system.
Creating a backdoor with Inetd Add a line to the
/etc/inetd.conf file, which will spawn a command
shell each time anyone tries to connect to a port
defined by the attacker. Run this line in the
stack to get a command shell to open on a given
port
/bin/sh c echo port stream tcp
nopwait root /bin/sh sh I
gtgt /etc/inetd.conf killall HUP inetd

113

Creating a backdoor with TFTP and Netcat Get the
target to execute the TFTP client. Load the
Netcat program onto the target system. Configure
Netcat to push a command shell from the target
machine to the attackers machine.
A good document on Stack Based Buffer Overflow
Attacks Smashing the Stack for Fun and Profit
by Aleph One, available at packetstormsecurity.or
g/docs/hack/
smashstack.txt

114
Password Attacks

Two kinds Password Guessing and Password
Cracking
Password Guessing Attempt to guess the password
for a particular user ID. This process is rarely
successful, time consuming, and generates a lot
of network traffic. Also, some accounts are
locked out after a set number of unsuccessful
guesses. Many password-guessing tools can be
found at Packet Storms Site packetstormsecurity.
org

115

Password Cracking Steal the file with the
encrypted passwords and use a password cracking
program to recover the original passwords.
Stealing the file Win use a Pwdump program
(packetstormsecurity.nl/Crackers/NT/), or sniff
them from the network (more on sniffing later)
UNIX gain root-level access and steal the
/etc/shadow or /etc/secure file if shadow
passwords are used, otherwise steal the
/etc/passwd file.

116

Password Cracking Software
Windows L0phtCrack (available
www.atstake.com/products/lc/ ) This tool includes
other options, such as a sniffer and a pwdump
program
UNIX John the Ripper (available
www.openwall.com/john/ )

117
Web Application Attacks

Can still be conducted, even if the target site
uses SSL.
Account Harvesting, Undermining Session-Tracking
Mechanisms, SQL Piggybacking
Account Harvesting Works for applications that
have different error messages for an incorrect
user ID and an incorrect password. By looking at
the error messages, the attacker can determine
valid user IDs, sometimes even passwords.

118

Here, although the web pages look identical for
each type of error, notice that the URL has
changed, giving any hackers a hint about
incorrect user IDs vs. incorrect passwords.

119
Undermining Web Application Session Tracking

Three ways Session IDs are implemented URL
session tracking, hidden form elements, and
cookies.
The attacker will first login to the site
multiple times to see how the session IDs are
generated.
To change a session ID in a URL, simply type a
different users session ID (or a generated one)
over the original users ID in the URL.

120

To change the session ID in a site with hidden
form elements, view the source of the page,
modify the ID number and reload it into the
browser.
To edit the session ID in a site that uses
cookies, use a program called Achilles
(available www.mavensecurity.com/achilles).
Achilles is a web proxy that intercepts the
per-session cookies and allows the attacker to
modify them.

121
SQL Piggybacking

Extending an applications SQL statement to
extract or update information that the attacker
is not authorized to access.
Rainforest Puppy has a paper about SQL
Piggybacking How I Hacked Packetstorm
(available www.opennet.ru/base/cgi/22.txt.html )
Begin by exploring how the Web application
interacts with the database.

122

The attacker may extend the SQL query
Example
Use SELECT FROM account WHERE
(userid10001 and number 11111111111 or
userid10002)
instead of SELECT FROM account WHERE
(userid10001 and number 11111111111)
to get information on 10002

123
Sniffing

Sniffer Gathers packets from the local network
and allows the user to view the data being
transmitted.
Two ways of sniffing Passive (network built with
a hub) and Active (network built with a switch)

124
Passive Sniffing

Passively listens and collects packets.
Snort (available www.snort.org ) A good
passive sniffer that can be used as an IDS. Can
sift through the network and look for attack
signatures.
Sniffit (avalaible reptile.rug.ac.be/coder
/sniffit/sniffit.html) has an interactive
mode that shows all active sessions and allows
the attacker to see all keystrokes of the victim.

125

Dsniff one of the more versatile sniffing
tools. It is several programs in one, but is most
known as a sniffer. It can interpret a number of
different protocols, like FTP, HTTP, AIM, ICQ,
Napster, Microsoft SQL, etc. Available
www.monkey.org/dugsong/dsniff

126
Active Sniffing

Need to fool the switch into sending the packets
to the system with the sniffer
Different methods MAC Flooding and Spoofing ARP
Messages
MAC Flooding Send a flood of traffic with random
MAC addresses until the switchs memory is full.
Some switches will then forward packets to all
links on the switch (done with the Dsniff program
Macof).

127

Spoofing ARP Messages
Arpspoof, a Dsniff feature, allows attackers to
change the ARP traffic on local networks.
Attacker configures his or her system to forward
any traffic it receives to the router.
Arpspoof program is activated, which sends fake
ARP replies
Fake ARP replies change the targets ARP table.
Any traffic from the target machine is sent to
the attackers machine before being transferred
to the local network.

128
Spoofing ARP Messages
129
Other Methods of Redirecting Traffic

Spoofing DNS
DNSspoof, a Dsniff feature, allows attackers to
send the target machine false DNS information,
making the victim access the attackers machine
when they intend to access a different system.
The attacker starts the dnsspoof program and
waits for the target to send a DNS query for a
specific host.
Once the query is received, the attacker then
sends a false DNS response.
When the target tries to access the intended
host, the system is now accessing the attackers
machine.

130
Spoofing DNS
131

Sniffing HTTPS
Attacker runs webmitm feature on Dsniff and doing
DNS spoof
All HTTP and HTTPS traffic is proxied by webmitm
Target connects to attackers machine and SSL
connection is established.
Attackers system establishes a SSL connection
with the server the target is attempting to
access.
Webmitm acts as proxy with two connections
From the targets system to the attackers
machine
From the attackers machine to the actual server
the target was trying to reach
Note the target receives attackers certificate,
not the certificate of the server the target is
trying to reach.

132
Sniffing HTTPS
133

The user will receive a warning that the
certificate is not signed by a trusted
Certificate Authority. Webmitm will then display
the contents of the SSL session on the attackers
screen.
Sniffing SSH This is done in a similar manner as
sniffing HTTPS, except the sshmitm (another
Dsniff feature) is used instead of the webmitm
feature. Note Sshmitm only allows for sniffing
of SSH protocol version 1.

134
Is your machine running a sniffer?

Detecting the process that does the sniffing is
difficult, because the name of that process can
be disguised as something innocent.
The only way to detect the sniffer is to check if
the network interface is in promiscuous mode. If
the network interface is in promiscuous mode,
this means that it listens for all packets on the
network and not only for packets destined to that
machine.
Another method is to run ifconfig -a. This will
list the available network interfaces, and show
all the information about them. The word PROMISC
means that the interface is in promiscuous mode.

135
How to avoid packet sniffers altogether

Active hubs only send packets to the intended
machines. This can disable the sniffer since it
will not receive packets not intended for that
specific machine. Cisco, HP and 3Com have such
active hubs.

136
Detecting other sniffers on the network

Detecting other sniffers on other machines is
very difficult, but detecting whether a Linux
machine is doing the sniffing is possible.
This can be done by exploiting a weakness in the
TCP/IP stack implementation of Linux.
When Linux is in promiscuous mode, it will answer
to TCP/IP packets sent to its IP address even if
the MAC address on that packet is wrong.
Therefore, sending TCP/IP packets to all the IP
addresses on the subnet, where the MAC address
contains wrong information, will tell you which
machines are Linux machines in promiscuous mode .

137
IP Address Spoofing

Used to disguise the IP address of a system.
Three ways an IP address can be spoofed changing
the IP address, undermining UNIX r-commands, and
spoofing with source routing
Changing the IP address The attacker can either
reconfigure the whole system to have a different
IP address or use a tool (Nmap or Dsniff) to
change the source address of outgoing packets.
Limitation the attacker cannot receive any
responses.

138

Undermining UNIX r-Commands
Attacker finds two computers with a trust
relationship
Send a bunch of TCP SYN packets to target and see
how the initial sequence numbers change
A DoS attack is sent to other system
Attacker initializes a connection with target
system, using the IP address of the other system
Target system sends TCP SYN and ACK packets to
other system, which is dead
Attacker estimates initial sequence number of
other system and sends TCP ACK packet back
If initial sequence numbers match, attacker has
successfully gained one-way access to the target.

139
Undermining UNIX r-Commands
140

Spoofing with Source Routing The attacker
creates packets that have system As source
address, with the attackers address in the
source route. The attacker sends the packet to
system B. Any replies are sent to the attackers
machine. Note that the attacker does not forward
them to system A because the connection would be
reset.

141
Session Hijacking

A combination of sniffing and spoofing that
allows an attacker to steal the session from the
user, given that after the initial authentication
the session is not encrypted. The attackers
system lies somewhere on the route between the
two communicating machines (A and B). The
attacker observes the traffic, monitoring the TCP
sequence numbers. The attacker can then send
spoofed packets with system As IP address as the
source so that system B will obey the commands.

142

Problem When the attacker sends system B packets
with system As IP address, system A will notice
that the TCP sequence numbers are out of order
and send ACK packets to resynchronize the
numbers. This continual retransmission of ACK
packets is known as an ACK storm.
Most hijacking tools cannot cope with the ACK
storm and the connection will be dropped.

143

Tool Hunt (available www.packetstormsecurity.org
/sniffers/hunt )
Hunt uses ARP spoofing to prevent the connection
from being dropped.
Unlike other tools, Hunt can also resynchronize
the connection. It does this by sending a message
to system A saying msg from root power failure
try to type 88 characters, (where 88 is the
number of chars. that the attacker typed during
the hijacking) which will increment the sequence
number of system As TCP stack to where it should
be.
Two new ARP spoof messages are then sent,
restoring the correct MAC addresses.

144
(No Transcript)
145
Netcat The Networking Swiss Army Knife

Used for multiple purposes, Netcat basically
moves data over any TCP or UDP port. It can
either act as a client or a listener. Available
www.atstake.com/research/tools/
network_utilities
For File Transfers Set up a Netcat client on the
source system and a Netcat listener on the
destination system. The source system initiates a
connection and pushes the file to the destination
system.

146

For Port Scanning Netcat will connect with every
port and display a list of open ports.
For Making Connections to Open Ports Use Netcat
in client mode to connect to open ports and see
what the listening service sends back. Better to
use than Telnet because it is easier to force
Netcat to drop a connection, Netcat can make UDP
connections, and Netcat only returns the pure
data from the open ports, not any other data like
environment variables.

147
Denial-of-Service (DoS) Attacks

Used to prevent access by legitimate users.
Two options Stop services and exhaust resources.
This can be done either remotely or locally.

148
Stopping Local Services

Must have an account on the local system.
Three methods Process Killing, System
Reconfiguration, and Process Crashing
Process Killing When an attacker has root
privileges, he or she can simply kill the local
processes.

149

System Reconfiguration An attacker with root
privileges can reconfigure the system so that it
does not offer certain services or filters on the
machine.
Process Crashing Crashing processes by
exploiting vulnerabilities in the system (i.e.
use stack based buffer overflow with a local
process, causing the process to crash).

150
Locally Exhausting Resources

Running a program from an account on the target
system that grabs the system resources.
Three methods Filling up the process table,
filling up the file system, and sending outbound
traffic that fills up the communication link.

151

Filling up the process table Running a recursive
program that forks processes in an attempt to
fill up the process table so no other users can
run processes.
Filling up the file system Continuously writing
data to the file system, preventing other users
from writing files.
Sending outbound traffic that fills up the
communication link Running program that sends
large amounts of bogus network traffic, consuming
the processor and bandwith.

152
Remotely Stopping Services

Send a malformed packet. Different platforms may
be susceptible to different types of malformed
packets.
These packets have structures that the TCP/IP
stacks cannot anticipate, causing the system to
crash.
Malformed packet suites available at
www.packetstormsecurity.org/DoS

153
Remotely Exhausting Resources

Accomplished by a packet flood
Three common ways SYN flood, Smurf attacks, and
Distributed Denial of Service Attacks (DDoS)
SYN Flood Overwhelm the target machine with SYN
packets. This fills the connection queue so that
no new connections can be made on the target
machine.

154

Smurf Attacks Repeatedly sends a ping to a
broadcast IP address of a network that can
receive and respond to directed broadcast
messages (called a smurf amplifier), with the
target machine as the source of the ping. The
targets bandwidth is filled with these packets.
Tools Smurf (ICMP), Fraggle (UDP), and Papasmurf
(ICMP and UDP) (available www.packetstormsecurity
.org/new-exploits/ ). List of Smurf Amplifiers
www.netscan.org

155

DDoS Attacks Attacker takes over victim machines
(called Zombies) and installs software that waits
for commands from the attacker. The attacker can
then tell the zombies to start a DoS attack on
the target. Tool TFN2K (available
www.packetstormsecurity.nl/groups/mixter/
index2.html ) This tool allows the attacker to
choose which type of packet to use in the DDoS
attack. It also allows IP spoofing, communication
via Echo Reply packets, and running a single
command simultaneously on all zombies.

156
Phase 4 Maintaining Access
157
Backdoor Kits

Active Used by an intruder at any time that they
wish.
Passive Set to trigger themselves according to a
predetermined time or system event.

158
Backdoor Kit Selection

This is dependant upon the type of network
security in place.
Two basic architectural categories
Packet filter
Proxy firewall

159
Trojan Horses

A destructive program that masquerades as a
benign application. Unlike viruses, Trojan horses
do not replicate themselves.
Used to integrate a hole or backdoor into a
systems security countenance.
Trojans spread due to the technological necessity
to use ports lower ports are used by Trojans
that steal passwords while higher ports are used
by remote-access Trojans that can be reached over
the Internet, network, VPN or dial-up access.

160
Trojan Horse Backdoor Tools

Back Orifice

161
Back Orifice
Remote Administration System which allows an
intruder to control a computer across a TCP/IP
connection using a simple console or GUI
application. Gives its user more control of the
target computer than the person at the actual
keyboard has.
162
Back Orifice ServerFunctionality

Get detailed system information, including
current user
cpu type
windows version
memory usage
mounted disks and information for those drives
screensaver password
passwords cached by the user

163
Controls and Abilities

File system controlCopy, rename, delete, view,
and search files and directories. File
compression and decompression.
Process controlList, kill, and spawn processes.
Registry controlList, create, delete and set
keys and values in the registry.

164

Multimedia controlPlay wav files, capture screen
shots, and capture video or still frames from any
video input device (like a Quickcam).
Network controlView all accessible network
resources, all incoming and outgoing connections,
list, create and delete network connections, list
all exported resources and their passwords,
create and delete exports.

165

Packet redirectionRedirect any incoming TCP or
UDP port to any other address port.
Application redirectionSpawn most console
applications (such as command.com) on any TCP
port, allowing control of applications via a
telnet session.
HTTP server Upload and download files on any
port using a www client such as Netscape.
Integrated packet snifferMonitor network
packets, logging any plaintext passwords that
pass.
Plugin interfaceWrite your own plugins and
execute the native code of your choice in BO's
hidden system process.

166
NetCat

A simple Unix utility which reads and writes data
across network connections, using TCP or UDP
protocol.
Designed to be a reliable back-end tool that can
be used directly or easily driven by other
programs and scripts.
Part of the Red Hat Power Tools collection and
comes standard on SuSE Linux, Debian Linux,
NetBSD and OpenBSD distributions.

167
It provides access to the following main
features

Outbound or inbound connections, TCP or UDP, to
or from any ports
Full DNS forward/reverse checking, with
appropriate warnings
Ability to use any local source port
Ability to use any locally-configured network
source address
Built-in port-scanning capabilities, with
randomizer
Built-in loose source-routing capability
Can read command line arguments from standard
input
Slow-send mode, one line every N seconds
Hex dump of transmitted and received data
Optional ability to let another program service
established connections
Optional telnet-options responder

168
Port-Scanning

Netcat accepts its commands with options first,
then the target host, and everything thereafter
is interpreted as port names or numbers, or
ranges of ports in M-N syntax.
For each range of ports specified, scanning is
normally done downward within that range.
If the -r switch is used, scanning hops randomly
around within that range and reports open ports
as it finds them.

169
Traditional Root Kits
170
Root Kits

Used by an intruder to prevent his/her detection
on the system he/she has compromised.
Generally contains network sniffers, log-cleaning
scripts, and trojaned replacements of core system
utilities such as ps, netstat, ifconfig, and
killall.
Installs a backdoor remote-access daemon, such as
a modified version of telnetd or sshd. These will
often run on a different port than the one that
these daemons listen on by default.
Most rootkits also come with modified system
binaries that replace the existing ones on the
target system.

171
/bin/login Replacement

When logging onto a UNIX machine, the /bin/login
program runs.
Used to gather and check user ID and password
The Rootkit replaces the /bin/login with a
modified version that includes a backdoor
password.

172
Detecting Backdoors Example

System Administrator runs the /bin/login routine
through strings.
Strings a UNIX program that shows all sequences
of consecutive characters in a file.
If an unfamiliar sequence is found, it may be a
backdoor.

173
Sniffers

Are used to gather passwords for other systems
and listen to traffic for sensitive information.
Rootkits set the promiscuous mode on the target
machine's network interface card, enabling the
sniffer to listen to a variable-sized network.

174
Hidden Sniffers

Ifconfig shows information such as IP addresses,
network mask and MAC addresses.
By running ifconfig, one can detect a sniffer by
looking for the PROMISC flag.
This prevents the System Administer from
detecting the RootKit.

175
Kernel-Level Rootkit

the most severe threat to system security that
can be caused by a rootkit comes from those that
deploy LKM (Loadable Kernel Module) trojans.
LKMs are a mechanism for adding functionality to
an operating-system kernel without requiring a
kernel recompilation.
Kernel rootkits do not replace system binaries,
they subvert them through the kernel.

176
Subverting the kernel

There are two ways that a rootkit can subvert the
kernel to perform actions on behalf of an
intruder
Loading a kernel module
The Linux kernel (and many other operating
systems) can load kernel modules at runtime. This
allows an intruder to insert a module that
overrides kernel syscalls in order to return
incorrect values
Writing to /dev/kmem
By writing to /dev/kmem it is possible to
overwrite the kernel at runtime, and thus perform
any arbitrary modification.

177
Atypical Methods to Subvert the Kernel

Adore-ng by Stealth employs the Virtual
FileSystem layer of the kernel. This works by
replacing the existing handler routines for
providing directory listings of the /proc and the
/ filesystems, and registering its own routines
instead. Userspace programs use the /proc
filesystem to obtain information on running
processes. In this way both processes and files
can be hidden.

178
Detecting Kernel Rootkits

To get a list of kernel modules, two standard
methods can be used
bash lsmod
bash cat /proc/modules
Unfortunately, being a kernel module, an LKM
rootkit can easily defeat such efforts by a
variety of methods.

179
Programs

This is a non-exhaustive list of programs that
are useful for the detection of kernel
modifications in a running system.
kern_check.c (PGP signature kern_check.c.asc) is
a small command-line utility (for Linux 2.2.x,
2.4.x) that will compare your System.map against
your kernels syscall table and warn about any
inconsistencies.
In case of compilation failure, you may want to
make

Write a Comment

User Comments (0)