8/8/2019 Hacking Primer
By Intramantra Global Solution Pvt Ltd, Indore
http://intramantra.com
10/17/2010 Nimble Security Group, New Delhi
Hacking Primer
Outline
- Internet footprinting
- Hacking Windows
- Hacking Unix/Linux
- Hacking the network
Internet Footprinting Outline
- Review publicly available information
- Perform network reconnaissance
- Discover landscape
- Determine vulnerable services
Network reconnaissance
- Use traceroute to map the route to the target's servers; the last hops before the target are usually the border router or firewall
  Trout (a Windows traceroute tool)
- Can also query BGP looking-glass tools to look up the target's ASNs and the address blocks they announce
  http://nitrous.digex.net/mae/equinix.html
Landscape discovery
- Ping sweep: find out which hosts are alive
  nmap, fping, gping, SuperScan, etc.
- Port scans: find out which ports are listening
  Don't set up a full connection; a half-open (SYN) scan is enough to tell open from closed
  Netcat (can be run in encrypted mode: cryptcat)
  nmap advanced options:
    Xmas scan sets the FIN, PSH and URG flags at once; non-compliant stacks answer differently
    Source port scanning sets the source port (e.g., 88 to slip past filters that exempt Kerberos on Windows systems)
    Time delays between probes to stay under IDS thresholds
- Banner grab & O/S guess
  telnet, ftp, netcat, nmap
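The following is an added example, not code from the slide deck or its authors. It shows at the socket level what a TCP connect scan (what nmap -sT does) and a banner grab (what `nc host port` shows) actually observe, against constructed listeners started on 127.0.0.1 so it runs offline. The service names, banners and ports are made up for the demo; a half-open SYN scan needs raw sockets and is left to nmap.

```python
"""Connect scan and banner grab against constructed local services.

Added example, not from the slide deck: the listeners, banners and ports are
constructed on 127.0.0.1 so the script runs offline.
"""
import errno
import socket
import threading


def start_banner_listener(banner: bytes) -> socket.socket:
    """Listen on an ephemeral loopback port; send `banner` (possibly empty) to each client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Full three-way handshake per port; returns {port: 'open'|'closed'|'filtered'}.

    'closed' = RST received (host up, nothing listening); 'filtered' = no answer
    at all, which on a real network usually means a firewall dropped the SYN.
    """
    states = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            err = s.connect_ex((host, port))
            if err == 0:
                states[port] = "open"
            elif err == errno.ECONNREFUSED:
                states[port] = "closed"
            else:
                states[port] = "filtered"
    return states


def grab_banner(host: str, port: int, timeout: float = 0.5, nudge: bytes = b"") -> bytes:
    """Connect and read what the service volunteers (SMTP, SSH and FTP speak first).

    Silent services such as HTTP need a `nudge` request before they answer;
    a service that says nothing and hangs up yields b"".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if nudge:
                s.sendall(nudge)
            return s.recv(256)
    except OSError:  # timeout, reset or refused: nothing to grab
        return b""


def demo() -> dict:
    """Start constructed services, scan them and grab banners; returns both results."""
    services = {
        "smtp": start_banner_listener(b"220 mail.example.test ESMTP Sendmail 8.9.3\r\n"),
        "ssh": start_banner_listener(b"SSH-2.0-OpenSSH_7.4\r\n"),
        "silent": start_banner_listener(b""),  # accepts, says nothing, closes
    }
    # Bind-and-release gives a port that is almost certainly closed right now.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    port_of = {name: srv.getsockname()[1] for name, srv in services.items()}
    port_of["closed"] = closed_port
    states = connect_scan("127.0.0.1", port_of.values())
    banners = {name: grab_banner("127.0.0.1", port_of[name]) for name in services}
    return {"states": {name: states[port] for name, port in port_of.items()},
            "banners": banners}


if __name__ == "__main__":
    result = demo()
    for name, state in result["states"].items():
        print(f"{name:7s} {state:8s} {result['banners'].get(name, b'')!r}")
```

The silent listener is the reason banner grabbing needs protocol knowledge: a web server will not speak until you send it a request, so pass `nudge=b"GET / HTTP/1.0\r\n\r\n"` for port 80 style services.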
Hacking Windows
Hacking Windows outline
1. Scan
2. Enumerate
3. Penetrate
4. Escalate
5. Pillage
6. Get interactive
7. Expand influence
Scanning Windows
- Port scan, looking for what is indicative of Windows:
  88 Kerberos
  139 NetBIOS session service
  445 SMB/CIFS
  1433 SQL Server
  3268, 3269 Active Directory global catalog (LDAP, LDAPS)
  3389 Terminal Services
- Trick: scan from source port 88 to reach IPsec-secured systems (the default Windows 2000 IPsec policy exempts Kerberos traffic from filtering)
Enumerating Windows
- Accounts
  Most code runs under an ordinary user account; the kernel and services run as SYSTEM, so escalating to SYSTEM gives complete control of the host
  Accounts are tracked by their SIDs; the RID at the end of the SID identifies the account
  RID 500 is the built-in Administrator (renaming the account does not change its RID)
  Need to escalate to Administrator (or SYSTEM) to have any real power
- Tools
  userdump enumerates users on a host
  sid2user & user2sid translate between account names and SIDs on a host
- SAM: contains usernames, SIDs, RIDs and hashed passwords
  Local accounts are stored in the local SAM; domain accounts are stored in Active Directory (AD)
- Trusts: can exist between AD domains; they allow accounts from one domain to be used in ACLs on another domain
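An added example (not from the slide deck) of the RID logic the slide relies on: parse a SID string into its fields, classify the account from its RID, and convert to and from the binary SID layout stored in the SAM and sent on the wire. It makes the slide's point concrete: an Administrator account renamed to something innocuous still ends in RID 500, which is exactly what user2sid/sid2user-style enumeration looks for. The sample SIDs are constructed; their 21-x-y-z machine/domain identifiers are made up.

```python
"""Parse Windows SIDs and classify accounts by RID.

Added example, not from the slide deck. Sample SIDs are constructed.
"""
import re

# Well-known RIDs (from MS-DTYP). RIDs >= 1000 belong to accounts an administrator created.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt (KDC service account)",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
    519: "Enterprise Admins",
}

_SID_RE = re.compile(r"^S-(\d+)-(0x[0-9A-Fa-f]+|\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> dict:
    """Split 'S-R-IA-SA1-...-SAn' into fields; the last sub-authority is the RID."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(m.group(1))
    authority = int(m.group(2), 0)           # identifier authority, decimal or 0x-hex
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported SID revision or too many sub-authorities")
    domain = "-".join(["S", str(revision), m.group(2)] + [str(s) for s in subs[:-1]])
    return {"revision": revision, "identifier_authority": authority,
            "subauthorities": subs, "domain_sid": domain, "rid": subs[-1]}


def classify(sid: str) -> str:
    """Name the account type from its RID; machine/domain accounts start S-1-5-21."""
    p = parse_sid(sid)
    subs = p["subauthorities"]
    if p["identifier_authority"] == 5 and subs[0] == 21:
        rid = p["rid"]
        if rid in WELL_KNOWN_RIDS:
            return WELL_KNOWN_RIDS[rid]
        return "administrator-created account or group" if rid >= 1000 else "other built-in RID"
    if sid == "S-1-5-18":
        return "LocalSystem"
    return "well-known/built-in principal"


def same_domain(a: str, b: str) -> bool:
    """Two accounts belong to the same machine or domain iff all but the RID match."""
    return parse_sid(a)["domain_sid"] == parse_sid(b)["domain_sid"]


def sid_to_bytes(sid: str) -> bytes:
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority, little-endian sub-authorities."""
    p = parse_sid(sid)
    out = bytes([p["revision"], len(p["subauthorities"])])
    out += p["identifier_authority"].to_bytes(6, "big")
    for sa in p["subauthorities"]:
        out += sa.to_bytes(4, "little")
    return out


def bytes_to_sid(raw: bytes) -> str:
    """Inverse of sid_to_bytes, with the length check a SAM/LDAP parser needs."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    auth_str = f"0x{authority:012X}" if authority >= 2**32 else str(authority)
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(raw[1])]
    return "-".join(["S", str(raw[0]), auth_str] + [str(s) for s in subs])


def demo() -> list:
    """Constructed: 'sysop' is a renamed Administrator; the RID still gives it away."""
    host = "S-1-5-21-1004336348-1177238915-682003330"
    accounts = {"sysop": f"{host}-500", "Guest": f"{host}-501", "bob": f"{host}-1001"}
    return [(name, sid, classify(sid)) for name, sid in accounts.items()]


if __name__ == "__main__":
    for name, sid, kind in demo():
        print(f"{name:6s} {sid}  ->  {kind}")
```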
Enumerating Windows (cont.)
- Need access to ports 135, 139, 445
- Enumerate hosts in a domain
  net view /domain:<domain>
- Find domain controller(s)
  nltest /dsgetdc:<domain> /pdc
  nltest /bdc_query:<domain>
  nbtscan: fast NetBIOS scanner
- Null sessions are an important way to get info
  Run over 445 (or 139) and are not logged by most IDS
  net use \\<host>\ipc$ "" /u:""
  local (from the ResKit) or DumpSec can then enumerate accounts
- Countermeasures: block UDP/137 (and TCP 139/445) at the perimeter; set the RestrictAnonymous registry value
Enumerating Windows (cont.)
- Look for hosts with 2 NICs (dual-homed machines are pivots into other networks)
  getmac from the Win2K resource kit
- Enumerate trusts on a domain controller
  nltest /server:amer /trusted_domains
- Enumerate shares with DumpSec
  Hidden shares have $ at the end
- Enumerate with LDAP
  LDAPminer
Penetrating Windows
- 3 methods
  Guess passwords
  Obtain hashes (e.g., from an Emergency Repair Disk, which carries a backup copy of the SAM)
  Exploit a vulnerable service
- Guessing passwords
  Review vulnerable accounts (password age, lockout status) via DumpSec
  Use the NetBIOS Auditing Tool to guess passwords
Escalating privileges in Windows
- Local exploits that add the current user to Administrators
  getadmin
  getad, getad2
  pipeupadmin
- Shatter attacks (window messages injected into a more privileged GUI process)
  Yield SYSTEM-level privileges
  Work against Windows Server 2003
Pillaging Windows
- Clear logs
  Some IDSs will restart auditing once it has been disabled
- Grab hashes
  Remotely with pwdump3
  Backup SAM: c:\winnt\repair\sam._
- Grab passwords
  Sniff SMB traffic (the challenge/response can be cracked offline)
- Crack passwords
  L0phtCrack, John the Ripper
Getting interactive with Windows
- Copy rootkit over a share
- Hide rootkit on the target server
  Low-traffic area such as winnt\system32\OS2\dll\toolz
  Stream tools into existing files (NTFS alternate data streams)
- Remote shell
  remote.exe (resource kit tool), netcat
- How to fire up the remote listener?
  Trojan: leave a CD in the bathroom titled "pending layoffs"
  Schedule it for remote execution: at scheduler, psexec
Windows Expand influence
- Get passwords
  Keystroke logger that mails the captured keys out stealthily
  FakeGINA intercepts Winlogon and records cleartext passwords
- Plant entries in the registry to run on reboot
- Hide files
  attrib +h
  Stream files (NTFS alternate data streams)
- Tripwire should catch this stuff
Hacking Unix/Linux
Hacking Unix/Linux outline
1. Discover landscape
2. Enumerate systems
3. Attack
   Remote
   Local
4. Get beyond root
Discover landscape
- Goals
  Discover available hosts
  Find all running services
- Methodology
  ICMP and TCP ping scans
  Find listening services with nmap and udp_scan
  Discover paths with ICMP, UDP and TCP traceroutes
- Tools
  nmap
  SuperScan (Windows)
  udp_scan (more reliable than nmap for UDP scanning)
Enumerate systems
- Goal: discover the following
  Users, operating systems, running programs, specific software versions, unprotected files, internal information
- Tools
  OS/application: telnet, ftp, nc, nmap
  Users: finger, rwho, rusers, SMTP (VRFY/EXPN)
  RPC programs: rpcinfo
  NFS shares: showmount
  File retrieval: TFTP
  SNMP: snmpwalk, snmpget
Enumerate services
- Users: finger, SMTP VRFY
- DNS info: dig (zone transfers, reverse lookups)
- RPC services: rpcinfo
- NFS shares: showmount
- Countermeasures: turn off unnecessary services; block IP addresses with router ACLs or TCP wrappers; configure the mailer to refuse VRFY/EXPN
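An added example, not code from the slide deck, covering the "SMTP vrfy" item on this slide and the previous one: both sides of a VRFY enumeration exchange. A constructed toy SMTP server runs on 127.0.0.1 in two configurations, a leaky one that answers 250 for real accounts and 550 for unknown ones, and a hardened one that answers 252 to every VRFY (the behaviour Sendmail's `PrivacyOptions=novrfy` or Postfix's `disable_vrfy_command` produce); the client shows which names each configuration discloses. Host names, account names and banners are constructed.

```python
"""SMTP VRFY user enumeration, client and server, leaky versus hardened.

Added example, not from the slide deck. All names and banners are constructed.
"""
import socket
import threading

GREETING = b"220 mail.example.test ESMTP\r\n"


def start_smtp_server(known_users, leak_vrfy: bool) -> socket.socket:
    """Toy SMTP server that speaks HELO/EHLO, VRFY and QUIT only; returns the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        with conn, conn.makefile("rb") as rd:
            conn.sendall(GREETING)
            for raw in rd:
                verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
                verb = verb.upper()
                if verb in ("HELO", "EHLO"):
                    conn.sendall(b"250 mail.example.test\r\n")
                elif verb == "VRFY":
                    if not leak_vrfy:
                        # Hardened: identical answer for every name, so nothing leaks.
                        conn.sendall(b"252 Cannot VRFY user, but will accept message\r\n")
                    elif arg in known_users:
                        conn.sendall(f"250 {arg} <{arg}@example.test>\r\n".encode())
                    else:
                        conn.sendall(b"550 5.1.1 User unknown\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 Bye\r\n")
                    return
                else:
                    conn.sendall(b"502 Command not implemented\r\n")

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # server socket closed
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def vrfy_enumerate(host: str, port: int, candidates, timeout: float = 2.0) -> dict:
    """Issue VRFY for each candidate name and bucket it by the server's reply code."""
    result = {"confirmed": [], "rejected": [], "not_disclosed": []}
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as rd:
        rd.readline()                               # 220 greeting
        s.sendall(b"HELO scanner.example.test\r\n")
        rd.readline()                               # 250
        for name in candidates:
            s.sendall(f"VRFY {name}\r\n".encode())
            code = rd.readline()[:3]
            if code == b"250":
                result["confirmed"].append(name)        # account exists
            elif code == b"550":
                result["rejected"].append(name)         # account does not exist
            else:
                result["not_disclosed"].append(name)    # 252/502: server will not say
        s.sendall(b"QUIT\r\n")
    return result


def demo() -> dict:
    """Run the same wordlist against a leaky and a hardened constructed server."""
    users = {"root", "postmaster", "dba"}
    candidates = ["root", "alice", "postmaster", "bob"]
    out = {}
    for label, leaky in (("leaky", True), ("hardened", False)):
        srv = start_smtp_server(users, leak_vrfy=leaky)
        out[label] = vrfy_enumerate("127.0.0.1", srv.getsockname()[1], candidates)
        srv.close()
    return out


if __name__ == "__main__":
    for label, buckets in demo().items():
        print(label, buckets)
```

Against the leaky server the wordlist yields a confirmed account list for the brute-force step that follows; against the hardened one every name lands in `not_disclosed`, which is what the countermeasure bullet above buys you.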
Attack remotely
- 3 primary methods
  Exploit a listening service
  Route through a system with 2 or more interfaces
  Get a user to execute it for you (trojans, hostile web site)
- Brute force against a service
  http://packetstormsecurity.nl/Crackers/
  Countermeasures: strong passwords, hide user names
- Buffer-overflow attack
  Overflow the stack with machine-dependent code (assembler); usually yields a shell, which is shovelled back with netcat
  Prime targets: programs that run as root or setuid root
  Countermeasures: disable stack execution, code reviews, limit root and setuid programs
Attack remotely (cont.)
- Buffer overflow example (crash test: 1000 bytes of filler into the VRFY argument)
  echo vrfy `perl -e 'print "a" x 1000'` | nc www.targetsystem.com 25
  Replace the filler with something like this (first bytes only):
  char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08";
- Input validation attacks
  PHF CGI: a newline character lets the attacker append a shell command
  SSI passes user input to the O/S
- Back channels
  X Window System: send the display back to the attacker's IP
  Reverse telnet
Attack remotely (cont.)
- Countermeasures against back channels: get rid of the executables used for them (X clients, telnet, etc.) on servers
- Commonly attacked services
  Sendmail
  NFS
  RPC
  X Window System (sniffing session data and keystrokes)
  ftpd (wu-ftpd)
  DNS
    Guessable query IDs (cache poisoning)
    BIND vulnerabilities
    Countermeasures: restrict zone transfers; block TCP/UDP 53 except to your own name servers; don't use HINFO records
Attack locally
- Buffer overflow
- Setuid programs
- Password guessing/cracking
- Mis-configured file/directory permissions
Get beyond root
- Map the network (own more hosts)
- Install rootkit
  A cryptographic checksum against a known-good baseline is the only way to know whether a binary is real
- Create backdoors
- Sniff other traffic
  dsniff, arpredirect, loki, Hunt
  Countermeasures: encrypt all traffic; switched networks (not a panacea)
- Clean logs
- Session hijacking
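An added example, not code from the slide deck, for the checksum point here and the "Tripwire should catch this stuff" bullet in the Windows section: a SHA-256 baseline of a directory tree compared against a later snapshot, reporting added, removed and modified files. The constructed tree is tampered with the way the deck describes (a trojaned "binary", a planted dotfile, a same-size byte patch that a size or mtime check would miss). The caveat the slide leaves out: take the baseline from known-good media and keep it off the host, because a kernel rootkit can lie to a checker that runs on the compromised box.

```python
"""Cryptographic-checksum baseline and comparison, the Tripwire idea in miniature.

Added example, not from the slide deck. The directory tree is constructed in a
temporary directory; the file names and contents are stand-ins.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> dict:
    """Map every regular file under `root` (dotfiles included) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = sha256_file(full)
    return digests


def compare(old: dict, new: dict) -> dict:
    """Diff two baselines into sorted added/removed/modified path lists."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed tree: baseline it, tamper with it as an intruder would, re-check."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)

        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        passwd = b"root:x:0:0::/root:/bin/sh\n"
        write("bin/ls", b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")   # stand-in for a binary
        write("bin/ps", b"ELF-PS-STANDIN-0000")
        write("etc/passwd", passwd)
        before = baseline(root)

        # Intruder actions from the deck: trojan ls so it hides a directory,
        # plant a hidden tool, remove ps, and patch passwd without changing its size.
        write("bin/ls", b"#!/bin/sh\nexec /usr/bin/ls \"$@\" | grep -v toolz\n")
        write("etc/.toolz", b"sniffer payload")
        os.remove(os.path.join(root, "bin/ps"))
        write("etc/passwd", passwd.replace(b"0:0", b"0:1"))   # same length, one byte differs
        after = baseline(root)
    return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```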
Hacking the Network
- Vulnerabilities
- Dealing with firewalls
Vulnerabilities
- TTY access: five virtual terminal lines (vty 0-4 on a typical Cisco router) to choose from
- SNMP v2 community strings (sent in the clear)
- HTTP management (everything is clear-text)
- TFTP
  No authentication; easy to guess router config file names (.cfg)
- Countermeasures: ACLs, TCP wrappers, encrypt passwords
Vulnerabilities: routing issues
- Path integrity
  Source routing reveals the path through the network
  Routing updates can be spoofed (RIP, IGRP)
- ARP spoofing: easy with dsniff
Dealing with firewalls
- Enumerate with nmap or tcpdump; they show which ports are filtered (blocked) rather than closed
- Some proxies return a banner (Eagle, Raptor)
- The TCP traffic itself may provide a signature (TTL, window size, options)
- Ping the un-pingable: hping
  Look for ICMP type 3 code 13 (communication administratively prohibited); it means an ACL rejected the probe, and the reply's source address is the filtering device
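An added example, not code from the slide deck: building and parsing the ICMP destination-unreachable replies a scanner sees behind a firewall, so that a type 3 / code 13 "administratively prohibited" answer (a filter rejected the probe, and the ICMP source is the filtering device) can be told apart from a type 3 / code 3 "port unreachable" (the host is up and the UDP port is simply closed). The packets are constructed in memory, so no raw sockets are needed; the addresses and ports are made up.

```python
"""Build and parse ICMP unreachable messages to tell a filter from a closed port.

Added example, not from the slide deck. Packets, addresses and ports are constructed.
"""
import socket
import struct

ICMP_MEANINGS = {
    (0, 0): "echo reply (host answers ping)",
    (3, 0): "network unreachable",
    (3, 1): "host unreachable",
    (3, 3): "port unreachable (host up, UDP port closed)",
    (3, 10): "host administratively prohibited (filtered)",
    (3, 13): "communication administratively prohibited (filtered by an ACL)",
    (11, 0): "TTL exceeded in transit (traceroute hop)",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a packet that includes its own checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(src: str, dst: str, icmp_type: int, code: int, quoted: bytes = b"") -> bytes:
    """ICMP message in an IPv4 packet; `quoted` is the offending datagram's header + 8 bytes."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4(src, dst, 1, icmp)


def parse_icmp(packet: bytes) -> dict:
    """Validate both headers and explain what the reply tells the scanner."""
    if len(packet) < 28 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not ICMP")
    if inet_checksum(packet[:ihl]) != 0 or inet_checksum(packet[ihl:]) != 0:
        raise ValueError("checksum mismatch")
    icmp_type, code = packet[ihl], packet[ihl + 1]
    info = {
        "from": socket.inet_ntoa(packet[12:16]),  # for 3/13 this is the filtering device
        "to": socket.inet_ntoa(packet[16:20]),
        "type": icmp_type,
        "code": code,
        "meaning": ICMP_MEANINGS.get((icmp_type, code), "other"),
        "filtered": (icmp_type, code) in ((3, 10), (3, 13)),
    }
    quoted = packet[ihl + 8:]
    if icmp_type in (3, 11) and len(quoted) >= 28:
        # The quoted original datagram says which of our probes triggered the reply.
        qihl = (quoted[0] & 0x0F) * 4
        sport, dport = struct.unpack("!HH", quoted[qihl:qihl + 4])
        info["probe"] = {"dst": socket.inet_ntoa(quoted[16:20]), "proto": quoted[9],
                         "src_port": sport, "dst_port": dport}
    return info


def demo() -> dict:
    """Constructed: a UDP probe to 192.0.2.10:161 (SNMP), answered two different ways."""
    udp_probe = build_ipv4("203.0.113.5", "192.0.2.10", 17,
                           struct.pack("!HHHH", 40000, 161, 8, 0))
    filtered = build_icmp("198.51.100.1", "203.0.113.5", 3, 13, quoted=udp_probe[:28])
    closed = build_icmp("192.0.2.10", "203.0.113.5", 3, 3, quoted=udp_probe[:28])
    return {"filtered": parse_icmp(filtered), "closed": parse_icmp(closed)}


if __name__ == "__main__":
    for label, info in demo().items():
        print(f"{label}: from {info['from']} type {info['type']} code {info['code']}: {info['meaning']}")
```

In the filtered case the reply comes from 198.51.100.1, not from the target, which is how hping-style probing maps the firewall itself; in the closed case the target answers, so it is reachable and the port list for it is meaningful.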
Dealing with firewalls (cont.)
- ACLs may allow scanning if the source port is set (e.g., 53 or 20, which stateless filters often pass)
  nmap with the -g option
- Port redirection
  fpipe, netcat
Questions?