Hacking Primer


  • 8/8/2019 Hacking Primer

    1/34

    Hacking Primer

    By Intramantra Global Solution Pvt Ltd, Indore
    http://intramantra.com

    10/17/2010 Nimble Security Group, New Delhi

    Outline

    • Internet footprinting
    • Hacking Windows
    • Hacking Unix/Linux
    • Hacking the network

    Internet Footprinting Outline

    • Review publicly available information
    • Perform network reconnaissance
    • Discover landscape
    • Determine vulnerable services

    Network reconnaissance

    • Use traceroute to find vulnerable servers
      - Trout
    • Can also query BGP tools
      - http://nitrous.digex.net/mae/equinix.html
      - Look up ASNs

    Landscape discovery

    • Ping sweep: find out which hosts are alive
      - nmap, fping, gping, SuperScan, etc.
    • Port scans: find out which ports are listening
      - Don't set up a full connection, just SYN
      - Netcat can be run in encrypted mode (cryptcat)
      - nmap advanced options:
        - XMAS scan sends all TCP options
        - Source port scanning sets the source port (e.g., port 88 to scan Windows systems)
        - Time delays
    • Banner grab & O/S guess
      - telnet, ftp, netcat, nmap

    Hacking Windows


    Hacking Windows outline

    1. Scan

    2. Enumerate

    3. Penetrate

    4. Escalate

    5. Pillage

    6. Get interactive

    7. Expand influence

    Scanning Windows

    • Port scan, looking for what's indicative of Windows:
      - 88 Kerberos
      - 139 NetBIOS
      - 445 SMB/CIFS
      - 1433 SQL Server
      - 3268, 3269 Active Directory
      - 3389 Terminal Services
    • Trick: scan from source port = 88 to find IPSec-secured systems

    Enumerating Windows

    • Accounts
      - USER account used by most code, but escalates to SYSTEM to perform kernel-level operations
      - System accounts tracked by their SIDs
        - RID at end of SID identifies account type
        - RID = 500 is the admin account
      - Need to escalate to Administrator to have any real power
      - Tools
        - userdump enumerates users on a host
        - sid2user & user2sid translate account names on a host
    • SAM
      - Contains usernames, SIDs, RIDs, hashed passwords
      - Local accounts stored in local SAM
      - Domain accounts stored in Active Directory (AD)
    • Trusts
      - Can exist between AD domains
      - Allow accounts from one domain to be used in ACLs on another domain

    Enumerating Windows (cont.)

    • Need access to ports 135, 139, 445
    • Enumerate hosts in a domain
      - net view /domain:<domain_name>
    • Find domain controller(s)
      - nltest /dsgetdc:<domain_name> /pdc
      - nltest /bdc_query:<domain_name>
    • nbtscan: fast NetBIOS scanner
    • Null sessions are an important way to get info
      - Run over 445
      - Not logged by most IDS
      - net use \\<host>\ipc$ "" /u:""
      - local (from ResKit) or DumpSec can then enumerate accounts
    • Countermeasures
      - Block UDP/137
      - Set RestrictAnonymous registry value
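    The slide notes that null sessions are rarely logged by network IDS, but the host that accepts them does record them in its Security log. The following is an added example, not part of the original deck: it flags anonymous network logons (event 4624, logon type 3) and anonymous IPC$ share access (event 5140), which are the modern equivalents of the NT-era events the slide predates. The key=value export format and all addresses are constructed.

```python
# Added example (not from the original slides): detect null-session activity
# in exported Windows Security events. Records below are constructed; the
# field names follow the 4624 / 5140 event layout.
import re
from collections import defaultdict

SAMPLE_EVENTS = r"""
EventID=4624 LogonType=3 AccountName="ANONYMOUS LOGON" AccountDomain="NT AUTHORITY" SourceIP=10.0.0.7 Target=DC01
EventID=4624 LogonType=3 AccountName="jsmith" AccountDomain="CORP" SourceIP=10.0.0.9 Target=FS01
EventID=5140 AccountName="ANONYMOUS LOGON" ShareName="\\*\IPC$" SourceIP=10.0.0.7 Target=DC01
EventID=4624 LogonType=2 AccountName="ANONYMOUS LOGON" AccountDomain="NT AUTHORITY" SourceIP=- Target=WS22
EventID=5140 AccountName="jsmith" ShareName="\\*\Finance" SourceIP=10.0.0.9 Target=FS01
"""

# key=value pairs; a value is either "quoted with spaces" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Turn one key=value record into a dict, unquoting quoted values."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def is_null_session_event(ev):
    """Logon type 3 is a network logon; anonymous + network is the null-session signature.
    For share access, anonymous use of IPC$ is the same thing seen from the server side."""
    anon = ev.get("AccountName", "").upper() == "ANONYMOUS LOGON"
    if ev.get("EventID") == "4624":
        return anon and ev.get("LogonType") == "3"
    if ev.get("EventID") == "5140":
        return anon and ev.get("ShareName", "").upper().endswith("IPC$")
    return False


def find_null_sessions(text):
    """Return {source_ip: [(event_id, target_host), ...]} for every matching event."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_null_session_event(ev):
            hits[ev["SourceIP"]].append((ev["EventID"], ev["Target"]))
    return dict(hits)


if __name__ == "__main__":
    for src, events in find_null_sessions(SAMPLE_EVENTS).items():
        print(src, "->", events)
```

Pair the detection with the countermeasure on the slide: a host with RestrictAnonymous set should stop producing these events for anonymous enumeration, so any remaining hit is worth a look.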

    Enumerating Windows (cont.)

    • Look for hosts with 2 NICs
      - getmac from Win2K resource kit
    • Enumerate trusts on domain controller
      - nltest /server:amer /trusted_domains
    • Enumerate shares with DumpSec
      - Hidden shares have $ at the end
    • Enumerate with LDAP
      - LDAPminer

    Penetrating Windows

    • 3 methods
      - Guess password
      - Obtain hashes (Emergency Repair Disk)
      - Exploit a vulnerable service
    • Guessing passwords
      - Review vulnerable accounts via DumpSec
      - Use NetBIOS Auditing Tool to guess passwords

    Escalating privileges in Windows

    • getadmin
      - getad
      - getad2
      - pipeupadmin
    • Shatter
      - Yields system-level privileges
      - Works against Windows Server 2003

    Pillaging Windows

    • Clear logs
      - Some IDSs will restart auditing once it's been disabled
    • Grab hashes
      - Remotely with pwdump3
      - Backup SAM: c:\winnt\repair\sam._
    • Grab passwords
      - Sniff SMB traffic
    • Crack passwords
      - L0phtcrack, John the Ripper

    Getting interactive with Windows

    • Copy rootkit over a share
    • Hide rootkit on the target server
      - Low-traffic area such as winnt\system32\OS2\dll\toolz
      - Stream tools into files
    • Remote shell
      - remote.exe (resource kit tool)
      - netcat
    • How to fire up a remote listener?
      - Trojan: leave a CD in the bathroom titled "pending layoffs"
      - Schedule it for remote execution: at scheduler, psexec

    Windows: Expand influence

    • Get passwords
      - Keystroke logger with stealth mail
      - FakeGINA intercepts Winlogon
    • Plant stuff in registry to run on reboot
    • Hide files
      - attrib +h
      - Stream files
      - Tripwire should catch this stuff

    Hacking Unix/Linux

    Hacking Unix/Linux outline

    1. Discover landscape

    2. Enumerate systems

    3. Attack (remote, local)

    4. Get beyond root

    Discover landscape

    • Goals
      - Discover available hosts
      - Find all running services
    • Methodology
      - ICMP and TCP ping scans
      - Find listening services with nmap and udp_scan
      - Discover paths with ICMP, UDP, TCP
    • Tools
      - nmap
      - SuperScan (Windows)
      - udp_scan (more reliable than nmap for UDP scanning)

    Enumerate systems

    • Goal: discover the following
      - Users, operating systems, running programs, specific software versions, unprotected files, internal information
    • Tools
      - OS/application: telnet, ftp, nc, nmap
      - Users: finger, rwho, rusers, SMTP
      - RPC programs: rpcinfo
      - NFS shares: showmount
      - File retrieval: TFTP
      - SNMP: snmpwalk, snmpget

    Enumerate services

    • Users: finger, SMTP vrfy
    • DNS info: dig
    • RPC services: rpcinfo
    • NFS shares: showmount
    • Countermeasures
      - Turn off unnecessary services
      - Block IP addresses with router ACLs or TCP wrappers

    Attack remotely

    • 3 primary methods
      - Exploit a listening service
      - Route through a system with 2 or more interfaces
      - Get user to execute it for you: trojans, hostile web site
    • Brute-force against service
      - http://packetstormsecurity.nl/Crackers/
      - Countermeasure: strong passwords, hide user names
    • Buffer-overflow attack
      - Overflow the stack with machine-dependent code (assembler)
      - Usually yields a shell; shovel it back with netcat
      - Prime targets: programs that run as root or suid
      - Countermeasures: disable stack execution, code reviews, limit root and suid programs

    Attack remotely (cont.)

    • Buffer overflow example

        echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25

      Replace the run of "a"s with something like this:

        char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08

    • Input validation attacks
      - PHF CGI: newline character
      - SSI passes user input to O/S
    • Back channels
      - X-Windows: send display back to attacker's IP
      - Reverse telnet

    Attack remotely (cont.)

    • Countermeasures against back channels
      - Get rid of executables used for this (X-Windows, telnet, etc.)
    • Commonly attacked services
      - Sendmail
      - NFS
      - RPC
      - X-Windows (sniffing session data)
      - ftpd (wu-ftpd)
      - DNS
        - Guessable query IDs
        - BIND vulnerabilities
        - Countermeasures: restrict zone transfers, block TCP/UDP 53, don't use HINFO records

    Attack locally

    • Buffer overflow
    • Setuid programs
    • Password guessing/cracking
    • Mis-configured file/dir permissions

    Get beyond root

    • Map the network (own more hosts)
    • Install rootkit
      - Crypto checksum is the only way to know if it's real
      - Create backdoors
    • Sniff other traffic
      - dsniff, arpredirect, loki, Hunt
      - Countermeasures: encrypt all traffic; switched networks (not a panacea)
    • Clean logs
    • Session hijacking

    Hacking the Network

    • Vulnerabilities
    • Dealing with firewalls

    Vulnerabilities

    • TTY access: 5 to choose from
    • SNMP v2 community strings
    • HTTP (everything is clear-text)
    • TFTP
      - No auth
      - Easy to discern router config files (.cfg)
    • Countermeasures: ACLs, TCP wrappers, encrypt passwords

    Vulnerabilities: routing issues

    • Path integrity
      - Source routing reveals path through the network
      - Routing updates can be spoofed (RIP, IGRP)
    • ARP spoofing: easy with dsniff

    Dealing with firewalls

    • Enumerate with nmap or tcpdump
      - Can show you which ports are filtered (blocked)
    • Some proxies return a banner (Eagle, Raptor)
    • TCP traffic itself may provide a signature
    • Ping the un-pingable: hping
      - Look for ICMP type 13 (admin prohibited)

    Dealing with firewalls (cont.)

    • ACLs may allow scanning if source port is set
      - nmap with -g option
    • Port redirection: fpipe, netcat
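    Both the source-port-88 trick on the Scanning Windows slide and the nmap -g option here rely on an ACL trusting a fixed source port. The signature on the defending side is the inverse: many SYNs from one host, all with the same low "service" source port, fanning out across many destination ports. The following is an added example, not part of the original deck; the log line format and the addresses are constructed.

```python
# Added example (not from the original slides): detect source-port scanning
# (nmap -g / source port 88) in constructed firewall log lines. Real clients
# use ephemeral source ports, so a fixed trusted port hitting many destination
# sockets is the tell.
import re
from collections import defaultdict

SAMPLE_LOG = """
2010-10-17T09:00:01 ALLOW tcp 203.0.113.5:88 -> 10.0.0.4:139 flags=S
2010-10-17T09:00:01 ALLOW tcp 203.0.113.5:88 -> 10.0.0.4:445 flags=S
2010-10-17T09:00:02 ALLOW tcp 203.0.113.5:88 -> 10.0.0.4:3389 flags=S
2010-10-17T09:00:02 ALLOW tcp 203.0.113.5:88 -> 10.0.0.4:1433 flags=S
2010-10-17T09:00:02 ALLOW tcp 203.0.113.5:88 -> 10.0.0.5:445 flags=S
2010-10-17T09:00:03 ALLOW tcp 198.51.100.9:51234 -> 10.0.0.4:445 flags=S
2010-10-17T09:00:03 ALLOW tcp 198.51.100.9:51235 -> 10.0.0.4:139 flags=S
2010-10-17T09:00:04 ALLOW tcp 192.0.2.53:53 -> 10.0.0.4:53 flags=S
"""

LINE_RE = re.compile(
    r"^(\S+) (\w+) (tcp|udp) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) flags=(\S+)$"
)

# Source ports an ACL is likely to trust unconditionally (FTP-data, DNS replies, Kerberos).
TRUSTED_SRC_PORTS = {20, 53, 88}


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, flags) or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, _action, _proto, sip, sport, dip, dport, flags = m.groups()
    return sip, int(sport), dip, int(dport), flags


def detect_source_port_scans(log, min_targets=3):
    """Return {(src_ip, src_port): [(dst_ip, dst_port), ...]} for every source that sends
    pure SYNs from one fixed trusted port to at least min_targets distinct destination sockets."""
    targets = defaultdict(set)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sip, sport, dip, dport, flags = rec
        # A real DNS/Kerberos server answering from port 53/88 sends SYN-ACK, not bare SYN.
        if sport in TRUSTED_SRC_PORTS and "S" in flags and "A" not in flags:
            targets[(sip, sport)].add((dip, dport))
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}
```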

    Questions?