One day RCFISET seminar, Hacked Revealed: Penetration Profession
WELCOME!
19 January 2006 BS3, Faculty of Engineering, University of Malaya
me, myself and cyberworld
Haris a.k.a Slash
• 5 years of experience in IT (penetration testing, administration, network security)
• Started with Pascal and Win32 programming at the age of 16 at SM Vocational Tawau, Sabah.
• Member of tigerteam.se
• Basically doing underground projects with individuals and private-sector organisations all over the world.
• Two-time champion of the HackingTheBox Capture The Flag competition.
Background
• History of Hacking 101
• From Tiger Teams to Penetration Testing
Information Technology Security
• IT security mechanisms
• Common and uncommon penetration methods
• The basic methodology
• Strategic, operative and tactical
• Discovery (information gathering and scanning)
• Execution (attack, penetration and privilege escalation)
HACKER HISTORY AND PROFILE
Hacker Profiles
Dennis Ritchie and Ken Thompson created the UNIX (time-sharing) operating system at AT&T Bell Labs in 1969.
A few months after the birth of UNIX, Dennis Ritchie created the C programming language.
”In 1971 when I joined the staff of the MIT Artificial Intelligence lab, all of us who helped develop the operating system software [ITS, Incompatible Timesharing System], we called ourselves hackers. We were not breaking any laws, at least not in doing the hacking we were paid to do. We were developing software and we were having fun. Hacking refers to the spirit of fun in which we were developing software. The hacker ethic refers to the feelings of right and wrong, to the ethical ideas this community of people had -- that knowledge should be shared with other people who can benefit from it, and that important resources should be utilized rather than wasted.”
- Richard M. Stallman from “An Interview with Richard Stallman” by David Bennahum, 1996
Richard M. Stallman
Mark Barney (AKA The Midnight Skulker) attempts to set up a community of phone phreakers by putting stickers onto pay phones around the west coast in the US.
However, Mark doesn’t succeed in creating a community. A blind guy named Joe Engressia kick-starts a ”movement” of phreakers ”by mistake”.
Joe Engressia (AKA The Whistler) has the unusual gift of perfect pitch. He can whistle any tone he wants. With it, the blind mathematics student of University of South Florida stumbles onto the 2600Hz cycle and figures out how to make free phone calls during the late 60s… just by whistling into the receiver. Phreakers around the world supposedly called Joe to tune their Blue Boxes.
Joe Engressia is considered ”the father” of phone phreaking. He has legally changed his name to “Joybubbles”.
Joe Engressia
John T. Draper
John Draper (AKA Captain Crunch) figured out how to make free phone calls using a plastic whistle found in a Cap’n Crunch cereal box together with a Blue Box.
John was active during the 70s and taught Steve Wozniak (co-founder of Apple) how to use a Blue Box that Woz built.
John Draper and Steve Wozniak were the primary characters who started the Homebrew Computer Club in the early 70s.
John T. Draper co-founded ShopIP Information Security Solutions in 1999 -- http://shopip.com
Mark Abene (AKA Phiber Optik) is a notorious self-taught hacker. In a sense he’s a symbol for the modern self-taught computer hacker, someone who didn’t learn his/her skills at a university or similar.
Phiber Optik started out with a TRS-80 from Radio Shack somewhere in the early 1980s. He quickly learned programming, got a modem and dialed local BBS’s.
Mark Abene wanted to learn from utilizing the real equipment that was out in the field, not reading a text-book or taking a course. This got him sent to prison for 1 year for breaking into computer and telephone systems, a sentence he served in 1994.
Mark Abene, AKA Phiber Optik
Robert Morris was the son of the chief scientist at the National Computer Security Center – part of the National Security Agency (NSA).
In 1988 he released a worm on the Internet that exploited a Sendmail vulnerability and a fingerd vulnerability. The worm “got out of hand” and thousands of systems were infected and crashed repeatedly.
Although it is not clear whether Robert Morris actually wrote the worm, he was sentenced to 3 years probation and 400 hours community service for releasing it.
Robert Morris
Kevin Mitnick was the first hacker who ended up on FBI’s Most Wanted list.
Mitnick’s story is long and varied. By 1980 he was frequently dialing BBS’s and went under the handle “The Condor”. Kevin learned, just like Phiber Optik, by exploring computer systems. In 1987 he got caught in a system owned by the Santa Cruz Organization (SCO); his lawyer managed to cut the sentence to 3 years probation. However, in 1988 a friend (rightly?) ratted him out for hacking from his box. Mitnick was arrested for breaking into Digital Equipment Corporation (DEC) and stealing some of their source code. He got 1 year in prison. When released in 1989 he started working as an info-gatherer for a PI. Eventually he ended up on the FBI agents’ desks, and Kevin Mitnick decided it was better to run than do time. He managed to stay a fugitive for 2 years until he was arrested and put in jail (without a trial, without bail) for 4 years. Today he runs Defensive Thinking, an information security and pen-test firm.
Kevin Mitnick
Kevin Poulsen is famous for taking over all telephone lines going into KIIS-FM, a radio station in Los Angeles. This ensured that he was the 102nd caller, which won him a Porsche 944 S2.
Kevin admitted breaking into computer systems to get names of undercover businesses operated by the FBI. After serving a 3 year prison sentence he wasn’t allowed to use a computer for another 3 years.
Today, Kevin Poulsen is a journalist and the editorial director of SecurityFocus.com
Kevin Poulsen
tiger team n. [U.S. military jargon] Originally, a team (of sneakers) whose purpose is to penetrate security, and thus test security measures.
sneaker n. An individual hired to break into places in order to test their security; analogous to tiger team.
Today, penetration testing is the formal title of tiger team activity. Because the US military were the first to use ARPANET, they were the first to conduct audits on computer security.
When the Internet was becoming useful to corporations, some businesses saw the same need as the military – security has to be tested in order to be confirmed secure. However, many corporations didn’t see any need for security at all…
MECHANISMS & METHODOLOGY
Ethical Hacking
Several vulnerabilities in each blue bubble!
Security Mechanisms: Authentication; Anti-virus; Perimeter security (firewall); Intrusion Detection System
Non-Security Mechanisms: Software; Human factor; Accessibility, connectivity, availability
Security Mechanisms
Authentication mechanisms and their vulnerabilities:
• Username + password authentication: vulnerable to brute-force, cracking and eavesdropping
• Physical key/card + PIN-code/password: vulnerable if both card and PIN-code are compromised; vulnerable to phishing and/or sniffing
• SSL certificate (on SmartCard or file) + One-Time Passwords: vulnerable if both OTP card and SSL certificate are compromised; vulnerable to phishing
Penetration Methods
Basic pen-test methodology
1. Planning/Strategic
2. Preparation/Operative
3. Execution/Tactical
Basic pen-test methodology
1. Planning (strategic)
• Guidelines
• Information gathering, categorization and analysis
• Premeditation
2. Preparation (operative)
• Enumeration and vulnerability mapping
• Auditing source code
• Exploit research
• Testing and/or writing exploits
3. Execution (tactical)
• No surprises! Penetration should be premeditated!
From NIST SP 800-42
FAKE CRACK DEMONSTRATION
What you will see is 100% fake. It is only a demonstration of how “script-kiddies/intruders” penetrated sco.com AND THEN defaced the website.
• THIS HAS NOT HAPPENED (at least not yet)
PENETRATION METHODOLOGY --- PLANNING (guidelines, kit preparation, info gathering and analysis)
Planning
Law, Federal Regulations and Guidelines
• Cyber law
• Any security policy?
• A list of acceptable testing techniques (e.g. social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.)
• Time when testing is to be conducted (e.g. during business hours or after, etc.)
• Identify a finite period for testing
• IP addresses of the machines from which penetration testing will be conducted, so that administrators can differentiate the legitimate penetration-testing attacks from actual malicious attacks
Planning
Fundamentals
• Is your toolkit complete and in order?
• Should a rootkit be installed once the target is rooted?
• Be prepared and familiar with installing and operating the backdoor (whether it’s a trojan, a rootkit or a modified web application)
• What’s the overall tactic? Absolute stealth, normal, or something in between?
• Any restricted hosts (i.e. hosts, systems, subnets not to be tested)?
• How about wireless?
Hands On – Discovery: Network Mapping / Network Enumeration
• Identify active hosts
• Identify network products (routers, firewalls, load balancers, etc.)
• Identify the subnet range
• Identify the ISP or web hosting company
Try to draw the network diagram and identify the “open or weak” hosts.
Information Technology Security – Preparation stage
Hands On – Discovery: Vulnerability Scanning / Enumeration & Vulnerability Mapping
• Conduct stealthy port scans against the target network
• Identify open ports and listening services
• Identify the dial-in phone number (most telcos have one)
• Grab banners and service versions
• Run a stealthy and well-configured scan using Nessus or Retina against the target system
• Conduct innocent verification tests against any suspected web application vulnerability
If no exploitable vulnerability is found, go back and gather more information, dig deeper (premeditate!).
Information Technology Security – Preparation stage
Discovery
Information Gathering
• Surfing the target’s web site(s), looking for possible security holes (remote file inclusion, arbitrary command execution and SQL injection)
• Target’s operating system(s)
• Search engines
• Usenet (Google Usenet search is good)
• whois databases, notably the net block and other domain names by the same owner
• Mapping key personnel (phone book records, Usenet and forum posts, etc.)
• Peer-to-peer networks
• Zone-H.org and/or other defacement mirrors
Discovery
Mirror environment and exploit testing
• If the vulnerability is a buffer overflow, a format string bug, or similar, set up a lab environment as identical as possible to the target system
• If the vulnerability is a web application bug (or some other script-related bug), the need for a lab environment may vary or be non-existent
• Write an exploit for the vulnerable bug if necessary
• Test your exploit, or any exploit, against your own lab environment before running it against the target system!
Information Technology Security – Preparation stage
Hands On: web application vulnerability
- remote execution -
Information Technology Security – CASE STUDY: bugs finding
DISCOVERY
Information Technology Security – CASE STUDY: bugs finding
Web application vulnerabilities by category
• HTTP offers more vulnerabilities than any other service
• The httpd itself can be vulnerable to buffer overflows, format string bugs, etc.
• CGI or embedded script language vulnerabilities:
  • Arbitrary command execution (input validation error)
  • Remote file inclusion (PHP)
  • SQL injection
  • Arbitrary command execution through SQL injection (MS SQL extended stored procedures - “exec master..xp_cmdshell”)
  • Cross-site scripting (XSS)
Remote execution
Information Technology Security – CASE STUDY: bugs finding
Assume the target is running a CGI script as follows.
Remote execution
And you have found the source and are ready to audit.
Vulnerable code (Perl CGI):

    use strict;
    use warnings;
    use CGI qw(param);

    if ($ENV{'REQUEST_METHOD'} eq "POST") {
        my $uname  = param('uname');
        my $passwd = param('passwd');
        # backticks run the command through /bin/sh with $uname interpolated unfiltered
        my $ret = `print $uname`;
        print "Content-type: text/plain\r\n\r\n";
        print "$ret";
        exit 0;
    }

Vulnerable variable: my $ret = `print $uname`;
The $uname variable doesn’t filter special characters like ; | ` ‘ #
• So it’s like executing...
- original code was: my $ret = `print $uname`;
- what executes: my $ret = `print special_character shell_command`;
- example:
    my $ret = `print ; uname -a`;
    my $ret = `print | cat /etc/passwd`;
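The defensive counterpart of the `print $uname` bug above, as an added example in C (not code from the talk): an allowlist check that rejects the shell metacharacters listed on the slide before a user-supplied name goes anywhere near a shell, with the payloads from the slide shown being refused. The function names and the 32-byte limit are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Characters that break out of a shell command line. The slide lists
 * ; | ` ' # ; the remainder are added for completeness. */
static const char SHELL_META[] = ";|`'#\"$&<>()\\\n ";

/* Blocklist check: returns 1 if 'name' contains no known shell metacharacter.
 * Kept only to contrast with the allowlist below; blocklists miss cases. */
int uname_free_of_meta(const char *name) {
    return strpbrk(name, SHELL_META) == NULL;
}

/* Allowlist check (preferred): a username may contain only [A-Za-z0-9._-]
 * and must be 1..32 bytes long (assumed policy). Returns 1 if acceptable. */
int uname_is_valid(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 32) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened replacement for `print $uname`: the value is never handed to
 * /bin/sh; it is validated and written through a fixed format string.
 * Returns the number of bytes written to 'out', or -1 if rejected. */
int safe_print_uname(const char *name, char *out, size_t outsz) {
    if (!uname_is_valid(name)) return -1;
    int n = snprintf(out, outsz, "%s\n", name);
    if (n < 0 || (size_t)n >= outsz) return -1;   /* refuse truncation */
    return n;
}

int main(void) {
    /* Constructed inputs: one legitimate name, then the slide's payloads. */
    const char *inputs[] = { "alice", "; uname -a", "| cat /etc/passwd", "bob`id`" };
    char buf[64];
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        int rc = safe_print_uname(inputs[i], buf, sizeof buf);
        printf("%-20s -> %s", inputs[i], rc < 0 ? "REJECTED\n" : buf);
    }
    return 0;
}
```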
Hands On: web application vulnerability
- remote file inclusion -
DISCOVERY
Remote file inclusion
Assume the target is running the Nucleus weblog.
Remote file inclusion
Download the source code (if available)
• Get the exact same version - v3.15
• Read the change log
• Again, run your favorite tools or audit the code manually.
Remote file inclusion
Quick and dirty way to find remote file inclusion bugs
Remote file inclusion
Search for open $variables
• Bug finding: globalfunctions.php has an open variable $DIR_LIBS
Remote file inclusion
Information Technology Security – CASE STUDY: bugs finding
Execute and see if it’s really a bug!
Blinding IDS
Signature-based NIDS
• A sniffer that searches each packet for specific strings
• Simple signature-based NIDS: inspects 1 packet at a time, cannot handle content that overlaps packets or fragmented packets
• Advanced signature-based NIDS (Snort): inspects the traffic flow, whether 1 packet, overlapped content or fragmented (packets are reassembled)
• Cons: requires IT security expertise, false positives
“Anomaly detection”-based NIDS
• A good anomaly-detection NIDS uses a signature-based NIDS as its base
• Attempts to identify anomalies in network traffic and in the alerts from the signature-based NIDS
• Cons: requires very good security expertise to operate, too many false positives, easy to evade
Information Technology Security – Preparation stage
Simple Snort rule

    alert tcp !$HOME any -> $HOME any (content:"foo"; msg:"detected foo";)

This rule simply looks for “foo” in any TCP packet on the network not originating from $HOME. If it’s detected, it’ll alert with “detected foo” as the alert message.
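The content match behind that rule, as an added example in C (not code from the talk or from Snort): a byte-wise search for "foo" run once per packet, the way the simple NIDS from the previous slide works, and once over the reassembled flow, the way Snort's stream reassembly works. The sample segments are constructed; the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* One captured TCP segment payload (constructed sample data, not real traffic). */
struct segment { const unsigned char *data; size_t len; };

/* Byte-wise search for 'pat' (patlen bytes) inside buf. Returns 1 on match.
 * Stands in for the content: keyword; a real engine uses a faster matcher. */
int content_match(const unsigned char *buf, size_t buflen, const char *pat, size_t patlen) {
    if (patlen == 0) return 1;
    if (patlen > buflen) return 0;
    for (size_t i = 0; i + patlen <= buflen; i++)
        if (memcmp(buf + i, pat, patlen) == 0) return 1;
    return 0;
}

/* "Simple" NIDS from the slide: inspects one packet at a time.
 * Returns the number of segments that individually contain the pattern. */
int alerts_per_packet(const struct segment *segs, size_t n, const char *pat) {
    int alerts = 0;
    for (size_t i = 0; i < n; i++)
        alerts += content_match(segs[i].data, segs[i].len, pat, strlen(pat));
    return alerts;
}

/* "Advanced" NIDS: reassembles the stream into 'flow' before matching, so a
 * pattern split across two segments is still seen. Returns 1 on match,
 * 0 on no match, -1 if the flow buffer is too small (refused, not truncated). */
int alert_reassembled(const struct segment *segs, size_t n, const char *pat,
                      unsigned char *flow, size_t flowsz) {
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        if (used + segs[i].len > flowsz) return -1;
        memcpy(flow + used, segs[i].data, segs[i].len);
        used += segs[i].len;
    }
    return content_match(flow, used, pat, strlen(pat));
}

/* Constructed sample: the string "foo" arrives split as "fo" + "o bar". */
static const unsigned char SEG_A[] = "GET /x?q=fo";
static const unsigned char SEG_B[] = "o bar HTTP/1.0\r\n";
static const struct segment SPLIT_FLOW[] = {
    { SEG_A, sizeof SEG_A - 1 },
    { SEG_B, sizeof SEG_B - 1 },
};
static const size_t SPLIT_FLOW_N = 2;

int main(void) {
    unsigned char flow[256];
    printf("per-packet alerts: %d\n", alerts_per_packet(SPLIT_FLOW, SPLIT_FLOW_N, "foo"));
    printf("reassembled alert: %d\n",
           alert_reassembled(SPLIT_FLOW, SPLIT_FLOW_N, "foo", flow, sizeof flow));
    return 0;
}
```

Per-packet inspection reports no alert for the split flow while the reassembled check fires, which is exactly the gap the "advanced" NIDS closes; encryption, as the next slides note, defeats both.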
Hiding from a NIDS
• A signature-based NIDS has one single outstanding vulnerability: it can’t defeat strong encryption, or even simple scrambling
• Encryption is like “camouflage” to Snort and the like. However...
• Initial penetration through a buffer overflow or a format string bug is extremely hard to scramble successfully
• Initial penetration through a web application bug is also hard to scramble successfully (although, unlike with buffer overflows, there are possibilities)
Hands On: blinding IDS
- snort -
DISCOVERY
Discovery
Analysis – A simple example
X has scanned one web server owned by an ISP that X wants to penetrate. Let’s assume that this web server holds one web site that is vulnerable to the PHP remote file inclusion “feature” and that it’s exploitable.
X doesn’t know which virtual website has the vulnerability, or even that the server is vulnerable, since the scan didn’t yield anything useful. The ISP’s own website has nothing but static web pages to offer.
If X had made a simple search for clients of the ISP, X could have found the vulnerable website and been able to penetrate the ISP’s web server, despite the fact that no known vulnerabilities were initially discovered.
• It’s all about details!
PENETRATION METHODOLOGY --- Attacks & Executions (writing exploits, sniffing, snooping, keylogging)
Execution
Exploitation & Penetration
• Run exploit code against the target system
• Make sure you’re alone (advanced hacking)
• Immediately download a backdoor that offers strong encryption and place it in an obscure, not-easy-to-find location (advanced hacking)
• Go encrypted and drop the unencrypted exploit shell (advanced hacking)
Execution
Privilege Escalation
• Conduct local discovery, attempt to find the best and easiest way to obtain root access (basic and advanced hacking)
• If initial privilege escalation attempts fail, choose either to continue trying or to see what you can do as an unprivileged user
• If root is obtained, install the backdoor (trojan, rootkit, web application, etc. – of course, only if they allowed it)
Privilege escalation
• Try looking for writeable files
    find / -perm -0002 -user [current_user] -exec file \; > writeable.log
• Try looking for suid files
    find / -perm +4000 -user root -exec file \; > suid.log
  - download them to your local machine/computer
  - identify the suid files’ versions
• MySQL passwords
Basic Buffer Overflow: stack overflow
- hands-on -
Stack Overflow
Vulnerable example code 1:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char **argv, char **envp) {
        char buff[8];                 /* 8-byte stack buffer */
        if (argc < 2) exit(0);
        strcpy(buff, argv[1]);        /* unbounded copy: more than 7 bytes overwrite the stack */
        printf("%s\n", buff);
        return 0;
    }
Stack Overflow
Vulnerable example code 2:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char **argv) {
        char buff[512], *envpoint;
        if ((envpoint = getenv("TEST")) == NULL) {
            printf("No environmental variable TEST.\n");
            return 0;
        }
        strcpy(buff, envpoint);       /* unbounded copy of attacker-controlled environment data */
        printf("The environmental variable TEST holds: %s\n", buff);
        return 0;
    }
Format strings
Vulnerable example code 3:

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[]) {
        char buf[8];
        if (argc < 2) return 0;
        strncpy(buf, argv[1], sizeof(buf));   /* no NUL terminator if argv[1] is 8 bytes or longer */
        printf(argv[1]);                      /* user input used directly as the format string */
        printf("\n");
        return 0;
    }
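The hardened counterparts of example codes 1 to 3, as an added example (not code from the talk): a bounded copy that refuses oversized input instead of truncating or overflowing, and output through a constant format string so argv[1] is only ever data. The function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bounded copy replacing strcpy(buff, argv[1]) and strcpy(buff, envpoint):
 * copies src into dst only if it fits together with its NUL; otherwise
 * leaves dst empty and returns -1. Returns the number of bytes copied. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    size_t len = strlen(src);
    if (dstsz == 0) return -1;
    if (len + 1 > dstsz) { dst[0] = '\0'; return -1; }
    memcpy(dst, src, len + 1);
    return (int)len;
}

/* Hardened example 1: the 8-byte buffer stays, but input longer than
 * 7 bytes is rejected instead of smashing the stack. Returns 0 or 1. */
int show_arg(const char *arg) {
    char buff[8];
    if (copy_bounded(buff, sizeof buff, arg) < 0) {
        fprintf(stderr, "argument too long (max %zu bytes)\n", sizeof buff - 1);
        return 1;
    }
    printf("%s\n", buff);
    return 0;
}

/* Hardened example 2: the same treatment for the TEST environment variable. */
int show_env_test(void) {
    char buff[512];
    const char *envpoint = getenv("TEST");
    if (envpoint == NULL) { printf("No environmental variable TEST.\n"); return 0; }
    if (copy_bounded(buff, sizeof buff, envpoint) < 0) {
        fprintf(stderr, "TEST too long (max %zu bytes)\n", sizeof buff - 1);
        return 1;
    }
    printf("The environmental variable TEST holds: %s\n", buff);
    return 0;
}

/* Hardened example 3: strncpy's missing terminator is avoided by the bounded
 * copy, and argv[1] is printed as an argument of a constant format string,
 * so "%x" or "%n" in the input are printed literally, never interpreted. */
int echo_literal(const char *arg) {
    char buf[8];
    if (copy_bounded(buf, sizeof buf, arg) < 0) return 1;
    printf("%s\n", buf);    /* never printf(arg) */
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s <string>\n", argv[0]); return 1; }
    int rc = show_arg(argv[1]);
    rc |= echo_literal(argv[1]);
    rc |= show_env_test();
    return rc;
}
```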
Basic Buffer Overflow: return to libc
- hands-on -
Execution
Monitoring/Sniffing/Hijacking
• Trojans
• Favorite monitoring tools (ettercap, *sniffer)
• Hijack the connection and watch them on the fly (advanced hacking)
• Install a key logger (Linux and Windows)
• Snoop everything for more results – advanced hacking course
Trojans and Backdoor: hands-on
Sniffing and Keylogging: hands-on
PENETRATION METHODOLOGY --- Reports (records, disclosed advisory, management papers)
END. Thank You
Where do we go from here ...
[email protected] +6012 694 7243