Upload
sujeet-kumar
View
223
Download
0
Embed Size (px)
Citation preview
8/7/2019 How Hacking Takes Place
1/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
How Hackers Attack Networks
This presentation is based on a PowerPoint by security expert Adrian Crenshaw.You can view his original presentation here.
http://homepages.ius.edu/adrian/irongeek/secit.ppthttp://homepages.ius.edu/adrian/irongeek/secit.ppt8/7/2019 How Hacking Takes Place
2/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Common platforms for attacks
Windows 98/Me/XP Home EditionLinux , OpenBSD , Trinux , and other low-costforms of UNIX
http://www.linux.org/http://www.openbsd.org/http://trinux.sourceforge.net/http://trinux.sourceforge.net/http://www.openbsd.org/http://www.linux.org/8/7/2019 How Hacking Takes Place
3/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Local and remote attacks
Local: Attacks performed with physicalaccess to the machine
Remote: Attacks launched over thenetwork
8/7/2019 How Hacking Takes Place
4/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Why worry about local attacks onworkstations?
Hackers can collect more informationabout a network and its users.Hackers can obtain the administratorpassword on a workstation, which can leadto server access.Spyware can be installed to gather more
sensitive information.
8/7/2019 How Hacking Takes Place
5/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Common local attacksGetting admin/root at the local machine
Windows Workstation: Rename or deletec:\winnt\system32\config\SAMLinux: at LILO prompt, type linux s
Cracking local passwordsL0phtcrack (LC)
Removing hard drive to install in another boxExploiting files or commands available upon login
C:\Documents and Settings\All Users\Start Menu\Programs\StartupRegistry commands, such as adding users
8/7/2019 How Hacking Takes Place
6/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Cracking over the network:A four-step program1. Footprinting2. Scanning and enumerating3. Researching4. Exploiting
8/7/2019 How Hacking Takes Place
7/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Footprinting
Finding out what an organization owns:Find the network block.
Ping the network broadcast address.
8/7/2019 How Hacking Takes Place
8/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
What services are running?
What accounts exist?How are things set up?
Scanning and enumerating
8/7/2019 How Hacking Takes Place
9/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Scanning and enumerating:Methods and tools
Port scanning
NmapSniffing
ngrep
SNMPSolarwinds
Null sessionNBTenumNbtdump
8/7/2019 How Hacking Takes Place
10/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Scanning and enumerating:Methods and tools (cont.)
Null sessionNBTenumNbtdump
NetBIOS browsingNetviewLegion
Vulnerabilityscanners
NessusWinfingerprint
LANGuard
8/7/2019 How Hacking Takes Place
11/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Researching
http://www.securityfocus.com/ http://www.networkice.com/advice/Exploits/Portshttp://www.hackingexposed.com
http://www.ntsecurity.net/ http://www.insecure.org/
Researching security sites and hacker sites can reveal
exploits that will work on the systems discovered duringscanning and enumerating.
http://www.securityfocus.com/http://www.networkice.com/advice/Exploits/Portshttp://www.hackingexposed.com/http://www.ntsecurity.net/http://www.insecure.org/http://www.insecure.org/http://www.ntsecurity.net/http://www.hackingexposed.com/http://www.networkice.com/advice/Exploits/Portshttp://www.securityfocus.com/8/7/2019 How Hacking Takes Place
12/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Exploits
Brute force/dictionary attacksSoftware bugs
Bad inputBuffer overflowsSniffing
8/7/2019 How Hacking Takes Place
13/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Countering hackers
Port scanningBlock all ports except those you needBlock ICMP if practicalNT: IPsec; Linux: iptables
Sniffing
Use switched mediaUse encrypted protocolsUse fixed ARP entries
8/7/2019 How Hacking Takes Place
14/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Countering hackers (cont.)
Null sessionsSet the following registry value to 2
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous]
Use IDSSnortBlackICE
8/7/2019 How Hacking Takes Place
15/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Identifying attacks
On Windows, check the event log underSecurity.
On Linux, check in /var/log/.Review IIS logs at
\winnt\system32\LogFiles.Check Apache logs at /var/log/httpd.
8/7/2019 How Hacking Takes Place
16/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Administrative shares:
Make life easier for system admins.Can be exploited if a hacker knows theright passwords.Standard admin shares:
Admin$IPC$C$ (and any other drive in the box)
8/7/2019 How Hacking Takes Place
17/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Control the target
Establish connection with target host.net use \\se-x-x\ipc$ /u:se-x-x\administrator
Use Computer Management in MMC orRegedit to change system settings.Start Telnet session.
at \\ se-x-x 12:08pm net start telnetTurning off file sharing thwarts theseconnections.
8/7/2019 How Hacking Takes Place
18/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Counters to brute force/dictionaryattacks
Use good passwords.No dictionary words
Combination of alpha and numeric charactersAt least eight-character lengthUse account lockouts.
Limit services.If you dont need, it turn it off.
Limit scope.
8/7/2019 How Hacking Takes Place
19/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Buffer overflowCracker sends more data then the buffer can handle, at theend of which is the code he or she wants executed.
Allotted space
on stack Data sent
Code
Stack smashed;
Egg maybe run.
Code
8/7/2019 How Hacking Takes Place
20/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Hacker = Man in the middle
8/7/2019 How Hacking Takes Place
21/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Sniffing on local networks
On Ethernet without a switch, all traffic issent to all computers.Computers with their NIC set topromiscuous mode can see everything thatis sent on the wire.
Common protocols like FTP, HTTP,SMTP, and POP3 are not encrypted, so youcan read the passwords as plain text.
8/7/2019 How Hacking Takes Place
22/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Sniffing: Switched networks
Switches send data only to target hosts.Switched networks are more secure.
Switches speed up the network.
8/7/2019 How Hacking Takes Place
23/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
ARP Spoofing
Hackers can use programs like arpspoof to change the identify of a host on thenetwork and thus receive traffic notintended for them.
8/7/2019 How Hacking Takes Place
24/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
ARP spoofing steps
1. Set your machine to forward packets:Linux: echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 >/proc/sys/net/ipv4/ip_forwardBSD: sysctl -w net.inet.ip.forwarding=1
2. Start arpspoofing (using two terminal windows)arpspoof -t 149.160.x.x 149.160.y.yarpspoof -t 149.160.y.y 149.160.x.x
3. Start sniffingngrep host 149.160.x.x | lessORDsniff | less
8/7/2019 How Hacking Takes Place
25/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Counters to ARP spoofing
Static ARP tablesARPWatch
Platforms: AIX, BSDI, DG-UX, FreeBSD,HP-UX, IRIX, Linux, NetBSD, OpenBSD,SCO, Solaris, SunOS, True64 UNIX, Ultrix,
UNIX
http://online.securityfocus.com/tools/142http://online.securityfocus.com/tools/1428/7/2019 How Hacking Takes Place
26/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
IP spoofing:
Fakes your IP address.Misdirects attention.
Gets packets past filters.Confuses the network.
8/7/2019 How Hacking Takes Place
27/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
DoS
Denial of service attacks make it slow orimpossible for legitimate users to accessresources.
Consume resourcesDrive spaceProcessor time
Consume BandwidthSmurf attack
DDoS
8/7/2019 How Hacking Takes Place
28/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
SYN flooding
Numerous SYN packets are transmitted,thus tying up connections.
Spoofing IP prevents tracing back tosource.
8/7/2019 How Hacking Takes Place
29/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Smurf attack Ping requests are sent to the broadcast address of a Subnet with a spoofed packet pretending to bethe target.All the machines on the network respond bysending replies to the target.Someone on a 56K line can flood a server on aT1 by using a network with a T3 as an amplifier.
Example command:nemesis-icmp -I 8 -S 149.160.26.29 -D149.160.31.255
8/7/2019 How Hacking Takes Place
30/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Distributed denial of serviceUse agents (zombies) on computers connected tothe Internet to flood targets.
Client
Agent Agent Agent Agent Agent
Target
Master Master Master
8/7/2019 How Hacking Takes Place
31/31
2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.
Common DDoS zombie tools:
TrinooTFNStacheldrahtTroj_TrinooShaft
Sniff the network to detect them or useZombieZapper from Razor Team to put themback in their graves.
http://razor.bindview.com/tools/ZombieZapper_form.shtmlhttp://razor.bindview.com/tools/ZombieZapper_form.shtml