How Hacking Takes Place

  • 8/7/2019 How Hacking Takes Place

    2002 TechRepublic, Inc. www.techrepublic.com. All rights reserved.

    How Hackers Attack Networks

    This presentation is based on a PowerPoint by security expert Adrian Crenshaw. You can view his original presentation here: http://homepages.ius.edu/adrian/irongeek/secit.ppt

    Common platforms for attacks

    • Windows 98/Me/XP Home Edition
    • Linux (http://www.linux.org/), OpenBSD (http://www.openbsd.org/), Trinux (http://trinux.sourceforge.net/), and other low-cost forms of UNIX

    Local and remote attacks

    • Local: Attacks performed with physical access to the machine
    • Remote: Attacks launched over the network

    Why worry about local attacks on workstations?

    • Hackers can collect more information about a network and its users.
    • Hackers can obtain the administrator password on a workstation, which can lead to server access.
    • Spyware can be installed to gather more sensitive information.

    Common local attacks

    • Getting admin/root at the local machine
        • Windows Workstation: Rename or delete c:\winnt\system32\config\SAM
        • Linux: at LILO prompt, type linux s
    • Cracking local passwords
        • L0phtcrack (LC)
    • Removing hard drive to install in another box
    • Exploiting files or commands available upon login
        • C:\Documents and Settings\All Users\Start Menu\Programs\Startup
        • Registry commands, such as adding users

    Cracking over the network: A four-step program

    1. Footprinting
    2. Scanning and enumerating
    3. Researching
    4. Exploiting

    Footprinting

    Finding out what an organization owns:

    • Find the network block.
    • Ping the network broadcast address.

    Scanning and enumerating

    • What services are running?
    • What accounts exist?
    • How are things set up?

    Scanning and enumerating: Methods and tools

    • Port scanning
        • Nmap
    • Sniffing
        • ngrep
    • SNMP
        • Solarwinds
    • Null session
        • NBTenum
        • Nbtdump

    Scanning and enumerating: Methods and tools (cont.)

    • Null session
        • NBTenum
        • Nbtdump
    • NetBIOS browsing
        • Netview
        • Legion
    • Vulnerability scanners
        • Nessus
        • Winfingerprint
        • LANGuard

    Researching

    • http://www.securityfocus.com/
    • http://www.networkice.com/advice/Exploits/Ports
    • http://www.hackingexposed.com
    • http://www.ntsecurity.net/
    • http://www.insecure.org/

    Researching security sites and hacker sites can reveal exploits that will work on the systems discovered during scanning and enumerating.

    Exploits

    • Brute force/dictionary attacks
    • Software bugs
        • Bad input
        • Buffer overflows
    • Sniffing

    Countering hackers

    • Port scanning
        • Block all ports except those you need
        • Block ICMP if practical
        • NT: IPsec; Linux: iptables
    • Sniffing
        • Use switched media
        • Use encrypted protocols
        • Use fixed ARP entries

    Countering hackers (cont.)

    • Null sessions
        • Set the following registry value to 2: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous]
    • Use IDS
        • Snort
        • BlackICE

    Identifying attacks

    • On Windows, check the event log under Security.
    • On Linux, check in /var/log/.
    • Review IIS logs at \winnt\system32\LogFiles.
    • Check Apache logs at /var/log/httpd.

    Administrative shares:

    • Make life easier for system admins.
    • Can be exploited if a hacker knows the right passwords.
    • Standard admin shares:
        • Admin$
        • IPC$
        • C$ (and any other drive in the box)

    Control the target

    • Establish connection with target host.
        net use \\se-x-x\ipc$ /u:se-x-x\administrator
    • Use Computer Management in MMC or Regedit to change system settings.
    • Start Telnet session.
        at \\se-x-x 12:08pm net start telnet
    • Turning off file sharing thwarts these connections.

    Counters to brute force/dictionary attacks

    • Use good passwords.
        • No dictionary words
        • Combination of alpha and numeric characters
        • At least eight-character length
    • Use account lockouts.
    • Limit services.
        • If you don't need it, turn it off.
    • Limit scope.
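
    The log review from the "Identifying attacks" slide and the account-lockout counter above can be combined into one check. This is an added example, not part of the original presentation: the sshd log lines are constructed, and the threshold of 3 failures in 5 minutes, the `year` argument and the function name are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in the syslog layout found under /var/log (not real data).
LOG = """\
Aug  7 12:00:01 web1 sshd[811]: Failed password for root from 203.0.113.5 port 40022 ssh2
Aug  7 12:00:04 web1 sshd[811]: Failed password for root from 203.0.113.5 port 40022 ssh2
Aug  7 12:00:09 web1 sshd[815]: Failed password for invalid user admin from 203.0.113.5 port 40031 ssh2
Aug  7 12:01:30 web1 sshd[820]: Failed password for root from 203.0.113.9 port 51200 ssh2
Aug  7 12:02:10 web1 sshd[822]: Failed password for alice from 198.51.100.20 port 33010 ssh2
Aug  7 12:02:15 web1 sshd[822]: Accepted password for alice from 198.51.100.20 port 33010 ssh2
Aug  7 12:40:00 web1 sshd[901]: Failed password for invalid user admin from 203.0.113.9 port 51777 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def lockout_candidates(log_text, max_failures=3, window=timedelta(minutes=5), year=2002):
    """Return {account: [source IPs]} for accounts that reached max_failures
    failed logins inside one sliding window. Syslog omits the year, so it is passed in."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            failures[m.group(2)].append((when, m.group(3)))
    flagged = {}
    for account, events in failures.items():
        events.sort()
        for i in range(len(events) - max_failures + 1):
            # Compare the first and last event of each run of max_failures attempts.
            if events[i + max_failures - 1][0] - events[i][0] <= window:
                flagged[account] = sorted({src for _, src in events})
                break
    return flagged

if __name__ == "__main__":
    for account, sources in lockout_candidates(LOG).items():
        print(f"{account}: lockout threshold reached, sources {sources}")
```

    A single mistyped password followed by a successful login (alice in the sample) stays below the threshold, which is the behaviour an account-lockout policy needs to avoid locking out legitimate users.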

    Buffer overflow

    Cracker sends more data than the buffer can handle, at the end of which is the code he or she wants executed.

    [Figure: the allotted space on the stack compared with the data sent, which ends in code. Stack smashed; egg may be run.]

    Hacker = Man in the middle

    Sniffing on local networks

    • On Ethernet without a switch, all traffic is sent to all computers.
    • Computers with their NIC set to promiscuous mode can see everything that is sent on the wire.
    • Common protocols like FTP, HTTP, SMTP, and POP3 are not encrypted, so you can read the passwords as plain text.

    Sniffing: Switched networks

    • Switches send data only to target hosts.
    • Switched networks are more secure.
    • Switches speed up the network.

    ARP Spoofing

    Hackers can use programs like arpspoof to change the identity of a host on the network and thus receive traffic not intended for them.

    ARP spoofing steps

    1. Set your machine to forward packets:
        Linux: echo 1 > /proc/sys/net/ipv4/ip_forward
        BSD: sysctl -w net.inet.ip.forwarding=1
    2. Start arpspoofing (using two terminal windows):
        arpspoof -t 149.160.x.x 149.160.y.y
        arpspoof -t 149.160.y.y 149.160.x.x
    3. Start sniffing:
        ngrep host 149.160.x.x | less
        OR
        dsniff | less

    Counters to ARP spoofing

    • Static ARP tables
    • ARPWatch (http://online.securityfocus.com/tools/142)
        • Platforms: AIX, BSDI, DG-UX, FreeBSD, HP-UX, IRIX, Linux, NetBSD, OpenBSD, SCO, Solaris, SunOS, Tru64 UNIX, Ultrix, UNIX

    IP spoofing:

    • Fakes your IP address.
    • Misdirects attention.
    • Gets packets past filters.
    • Confuses the network.

    DoS

    Denial of service attacks make it slow or impossible for legitimate users to access resources.

    • Consume resources
        • Drive space
        • Processor time
    • Consume bandwidth
        • Smurf attack
        • DDoS

    SYN flooding

    • Numerous SYN packets are transmitted, thus tying up connections.
    • Spoofing IP prevents tracing back to source.
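
    On the receiving host, tied-up connections show as half-open (SYN_RECV) sockets. This is an added example, not from the original presentation, that counts them per listening port from constructed `netstat -ant` output; the threshold of 4 and the function names are assumptions.

```python
from collections import Counter

# Constructed `netstat -ant` output (Linux layout); addresses are documentation ranges.
NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:41234      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.93:1029      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.14:60001      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.201:3377      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.150:5050     SYN_RECV
tcp        0      0 192.0.2.10:80           192.0.2.77:49152        ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.50:50122        SYN_RECV
tcp        0      0 192.0.2.10:22           192.0.2.50:50100        ESTABLISHED
"""

def half_open_by_port(netstat_text):
    """Return {local_port: (half_open_count, distinct_sources)} for SYN_RECV rows."""
    counts, sources = Counter(), {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[0].startswith("tcp") or fields[5] != "SYN_RECV":
            continue
        port = int(fields[3].rsplit(":", 1)[1])
        counts[port] += 1
        sources.setdefault(port, set()).add(fields[4].rsplit(":", 1)[0])
    return {port: (n, len(sources[port])) for port, n in counts.items()}

def syn_flood_suspects(netstat_text, threshold=4):
    """Ports whose half-open count meets the threshold (assumed value; tune it
    to the listener's backlog). Counting is per port, not per source, because
    spoofed floods rarely repeat a source address."""
    stats = half_open_by_port(netstat_text)
    return sorted(port for port, (n, _) in stats.items() if n >= threshold)

if __name__ == "__main__":
    print(half_open_by_port(NETSTAT), syn_flood_suspects(NETSTAT))
```

    Five half-open sockets from five different sources on port 80 match the spoofed-source pattern the slide describes, which is why blocking individual source addresses does little against it.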

    Smurf attack

    • Ping requests are sent to the broadcast address of a subnet with a spoofed packet pretending to be the target.
    • All the machines on the network respond by sending replies to the target.
    • Someone on a 56K line can flood a server on a T1 by using a network with a T3 as an amplifier.

    Example command: nemesis-icmp -I 8 -S 149.160.26.29 -D 149.160.31.255

    Distributed denial of service

    Use agents (zombies) on computers connected to the Internet to flood targets.

    [Figure: diagram labeled Client, Master (x3), Agent (x5), and Target.]

    Common DDoS zombie tools:

    • Trinoo
    • TFN
    • Stacheldraht
    • Troj_Trinoo
    • Shaft

    Sniff the network to detect them or use ZombieZapper from Razor Team to put them back in their graves: http://razor.bindview.com/tools/ZombieZapper_form.shtml