
Hacked Revealed: Penetration Profession


Hacked Revealed is an Ethical Hacking slide presentation presented at RCFISET seminar at Malaya University in 2006.


Page 1: Hacked Revealed: Penetration Profession

One day RCFISET seminar, Hacked Revealed: Penetration Profession

WELCOME!

19 January 2006, BS3, Faculty of Engineering, University of Malaya

Page 2: Hacked Revealed: Penetration Profession


Page 3: Hacked Revealed: Penetration Profession

Haris a.k.a Slash

• 5 years' experience in IT (penetration testing, administration, network security)

• Started with Pascal and Win32 programming at the age of 16 at SM Vocational Tawau, Sabah.

• Member of tigerteam.se

• Basically doing underground projects with individuals and private-sector clients all over the world.

• Two-time champion of the HackingTheBox Capture The Flag competition.

me, myself and cyberworld


Page 4: Hacked Revealed: Penetration Profession

Background

• History of Hacking 101

• From tiger teams to penetration testing

Information Technology Security

• IT Security mechanisms

• Common and uncommon penetration methods

• The basic methodology

• Strategic, operative and tactical

• Discovery (Information gathering and scanning)

• Execution (Attack, penetration and privilege escalation)


Page 5: Hacked Revealed: Penetration Profession

HACKER HISTORY AND PROFILE


Page 6: Hacked Revealed: Penetration Profession

Dennis Ritchie and Ken Thompson created the UNIX (time-sharing) operating system at AT&T Bell Labs in 1969.

A few months after the birth of UNIX, Dennis Ritchie created the C programming language.

Hacker Profiles

Page 7: Hacked Revealed: Penetration Profession

”In 1971 when I joined the staff of the MIT Artificial Intelligence lab, all of us who helped develop the operating system software [ITS, Incompatible Timesharing System], we called ourselves hackers. We were not breaking any laws, at least not in doing the hacking we were paid to do. We were developing software and we were having fun. Hacking refers to the spirit of fun in which we were developing software. The hacker ethic refers to the feelings of right and wrong, to the ethical ideas this community of people had -- that knowledge should be shared with other people who can benefit from it, and that important resources should be utilized rather than wasted.”

- Richard M. Stallman from “An Interview with Richard Stallman” by David Bennahum, 1996

Richard M. Stallman


Page 8: Hacked Revealed: Penetration Profession

Mark Barney (AKA The Midnight Skulker) attempts to set up a community of phone phreakers by putting stickers onto pay phones around the west coast in the US.

However, Mark doesn’t succeed in creating a community. A blind guy named Joe Engressia kick-starts a ”movement” of phreakers ”by mistake”.

Joe Engressia (AKA The Whistler) has the unusual gift of perfect pitch. He can whistle any tone he wants. With it, the blind mathematics student of University of South Florida stumbles onto the 2600Hz cycle and figures out how to make free phone calls during the late 60s… just by whistling into the receiver. Phreakers around the world supposedly called Joe to tune their Blue Boxes.

Joe Engressia is considered ”the father” of phone phreaking. He has legally changed his name to “Joybubbles”.

Joe Engressia


Page 9: Hacked Revealed: Penetration Profession

John T. Draper

John Draper (AKA Captain Crunch) figured out how to make free phone calls using a plastic whistle found in a Cap’n Crunch cereal box together with a Blue Box.

John was active during the 70s and taught Steve Wozniak (co-founder of Apple) how to use a Blue Box that Woz built.

John Draper and Steve Wozniak were the primary characters who started the Homebrew Computer Club in the early 70s.

John T. Draper co-founded ShopIP Information Security Solutions in 1999 -- http://shopip.com


Page 10: Hacked Revealed: Penetration Profession

Mark Abene (AKA Phiber Optik) is a notorious self-taught hacker. In a sense he’s a symbol for the modern self-taught computer hacker, someone who didn’t learn his/her skills at a university or similar.

Phiber Optik started out with a TRS-80 from Radio Shack somewhere in the early 1980s. He quickly learned programming, got a modem and dialed local BBS’s.

Mark Abene wanted to learn from utilizing the real equipment that was out in the field, not reading a text-book or taking a course. This got him sent to prison for 1 year for breaking into computer and telephone systems, a sentence he served in 1994.

Mark Abene, AKA Phiber Optik


Page 11: Hacked Revealed: Penetration Profession

Robert Morris was the son of the chief scientist at the National Computer Security Center – part of the National Security Agency (NSA).

In 1988 he released a worm on the Internet that exploited a Sendmail vulnerability and a fingerd vulnerability. The worm “got out of hand” and thousands of systems were infected and crashed repeatedly.

Although not clear if Robert Morris actually wrote the worm, he got sentenced to 3 years probation and 400 hours community service for releasing the worm.

Robert Morris


Page 12: Hacked Revealed: Penetration Profession

Kevin Mitnick was the first hacker who ended up on FBI’s Most Wanted list.

Mitnick’s story is long and varied. By 1980 he was frequently dialing BBS’s and went under the handle “The Condor”. Kevin learned, just like Phiber Optik, by exploring computer systems. In 1987 he got caught in a system owned by the Santa Cruz Organization (SCO); his lawyer managed to cut the sentence to 3 years probation. However, in 1988 a friend (rightly?) ratted him out for hacking from his box. Mitnick was arrested for breaking into Digital Equipment Corporation (DEC) and stealing some of their source code. He got 1 year in prison. When released in 1989 he started working as an info-gatherer for a PI. Eventually, he ended up on the FBI agents’ desks and Kevin Mitnick decided it was better to run than do time. He managed to stay a fugitive for 2 years until he was arrested and put in jail (without a trial, without bail) for 4 years. Today he runs Defensive Thinking, an information security and pen-test firm.

Kevin Mitnick


Page 13: Hacked Revealed: Penetration Profession

Kevin Poulsen is famous for taking over all telephone lines going into KIIS-FM, a radio station in Los Angeles. This ensured he was the 102nd caller and won him a Porsche 944 S2.

Kevin admitted breaking into computer systems to get names of undercover businesses operated by the FBI. After serving a 3 year prison sentence he wasn’t allowed to use a computer for another 3 years.

Today, Kevin Poulsen is a journalist and the editorial director of SecurityFocus.com

Kevin Poulsen


Page 14: Hacked Revealed: Penetration Profession

tiger team n. [U.S. military jargon] Originally, a team (of sneakers) whose purpose is to penetrate security, and thus test security measures.

sneaker n. An individual hired to break into places in order to test their security; analogous to tiger team.

Today, penetration testing is the formal title of tiger team activity. Because the US military were the first to use ARPANET, they were the first to conduct audits on computer security.

When the Internet was becoming useful to corporations, some businesses saw the same need as the military – security has to be tested in order to be confirmed secure. However, many corporations didn’t see any need for security at all…


Page 15: Hacked Revealed: Penetration Profession

Ethical Hacking

MECHANISMS & METHODOLOGY


Page 16: Hacked Revealed: Penetration Profession

[Diagram: Security Mechanisms vs Non-Security Mechanisms. Several vulnerabilities in each blue bubble!]

Security mechanisms: Authentication; Anti-virus; Perimeter security (firewall); Intrusion Detection System

Non-security mechanisms: Software; Human factor; Accessibility, connectivity, availability


Page 17: Hacked Revealed: Penetration Profession

Security Mechanisms

Authentication mechanisms and their vulnerabilities:

Username + password authentication

• Brute-force

• Cracking

• Eavesdropping

Physical key/card + PIN-code/password

• Vulnerable if both card and PIN-code are compromised

• Vulnerable to phishing and/or sniffing

SSL certificate (on SmartCard or file) + one-time passwords

• Vulnerable if both OTP card and SSL certificate are compromised

• Vulnerable to phishing


Page 18: Hacked Revealed: Penetration Profession

Penetration Methods

Page 19: Hacked Revealed: Penetration Profession

Basic pen-test methodology

1. Planning/Strategic

2. Preparation/Operative

3. Execution/Tactical


Page 20: Hacked Revealed: Penetration Profession

Basic pen-test methodology

1. Planning (strategic)

• Guidelines

• Information gathering, categorization and analysis

• Premeditation

2. Preparations (operative)

• Enumeration and vulnerability mapping

• Auditing source code

• Exploit research

• Testing and/or writing exploits

3. Execution (tactical)

• No surprises! Penetration should be premeditated!

Page 21: Hacked Revealed: Penetration Profession


Page 22: Hacked Revealed: Penetration Profession

From NIST SP 800-42


Page 23: Hacked Revealed: Penetration Profession


Page 24: Hacked Revealed: Penetration Profession

FAKE CRACK DEMONSTRATION

What you will see is 100% fake. It is only a demonstration of how “script-kiddies/intruders” penetrated sco.com and then defaced the website.

• THIS HAS NOT HAPPENED (at least not yet)


Page 25: Hacked Revealed: Penetration Profession

PENETRATION METHODOLOGY

PLANNING (guidelines, kit preparation, info gathering and analysis)

Page 26: Hacked Revealed: Penetration Profession

Planning

Law, Federal Regulations and Guidelines

• Cyber law

• Any security policy?

• A list of acceptable testing techniques (e.g. social engineering, DoS, etc.) and tools (password crackers, network sniffers, etc.)

• Time when testing is to be conducted (e.g. business hours or after, etc.)

• Identify a finite period for testing

• IP addresses of the machines from which penetration testing will be conducted, so that administrators can differentiate legitimate penetration-testing attacks from actual malicious attacks

Page 27: Hacked Revealed: Penetration Profession

Planning

Fundamentals

• Is your toolkit complete and in order?

• Should a rootkit be installed once the target is rooted?

• Be prepared and familiar with installing and operating the backdoor (whether it’s a trojan, a rootkit or a modified web application)

• What’s the overall tactic? Absolute stealth, normal, or something in between?

• Any restricted hosts (i.e., hosts, systems, subnets not to be tested)?

• How about wireless?

Page 28: Hacked Revealed: Penetration Profession

Hands On – Discovery: Network Mapping

Network Enumeration

• Identify active hosts

• Identify network products (routers, firewalls, load balancers, etc.)

• Identify subnet range

• Identify the ISP or web hosting company

Try to draw the network diagram and identify the “open or weak” hosts.

Page 29: Hacked Revealed: Penetration Profession

Information Technology Security – Preparation stage

Hands On – Discovery: Vulnerability Scanning

Enumeration & Vulnerability Mapping

• Conduct stealthy port scans against the target network

• Identify open ports and listening services

• Identify the dial-in phone number (most telcos have one)

• Grab banner versions

• Run a stealthy and well-configured scan using Nessus or Retina against the target system

• Conduct innocent verification tests against any suspected web application vulnerability

If no exploitable vulnerability is found, go back and gather more information, dig deeper (premeditate!).

Page 30: Hacked Revealed: Penetration Profession

Information Technology Security – Preparation stage

Discovery

Information Gathering

• Surfing the target’s web site(s), looking for possible security holes (remote file inclusion, arbitrary command execution and SQL injection)

• Target’s operating system(s)

• Search engines

• Usenet (Google Usenet search is good)

• whois databases, notably the net block and other domain names by the same owner

• Mapping key personnel (phone book records, Usenet and forum posts, etc.)

• Peer-to-peer networks

• Zone-H.org and/or other defacement mirrors

Page 31: Hacked Revealed: Penetration Profession

Discovery: Mirror environment and exploit testing

• If the vulnerability is a buffer overflow, a format string bug, or similar, set up a lab environment as identical as possible to the target system

• If the vulnerability is a web application bug (or some other script-related bug), the need for a lab environment may vary or be non-existent

• Write an exploit for the vulnerable bug if necessary

• Test your own exploits, or any third-party exploit, against your lab environment before running them against the target system!

Information Technology Security – Preparation stage

Page 32: Hacked Revealed: Penetration Profession

Hands On: web application vulnerability – remote execution

Information Technology Security – CASE STUDY: bug finding

DISCOVERY

Page 33: Hacked Revealed: Penetration Profession

Information Technology Security – CASE STUDY: bugs finding

Web application vulnerabilities by category

• HTTP offers more vulnerabilities than any other service

• The httpd itself can be vulnerable to buffer overflows, format string bugs, etc.

• CGI or embedded script language vulnerabilities:

  • Arbitrary command execution (input validation error)

  • Remote file inclusion (PHP)

  • SQL injection

  • Arbitrary command execution through SQL injection (MS SQL extended stored procedures – “exec master..xp_cmdshell”)

  • Cross-site scripting (XSS)


Page 35: Hacked Revealed: Penetration Profession

Information Technology Security – CASE STUDY: bugs finding

Assume the target is running a CGI as follows

Remote execution

Page 36: Hacked Revealed: Penetration Profession

And you have found the source and are ready to audit it

Remote execution

Page 37: Hacked Revealed: Penetration Profession

vulnerable code

#!/usr/bin/perl
use CGI qw(param);

if ($ENV{'REQUEST_METHOD'} eq "POST") {
    my $uname  = param('uname');
    my $passwd = param('passwd');

    # Backticks hand the whole string to /bin/sh; $uname is interpolated unfiltered
    my $ret = `print $uname`;

    print "Content-type: text/plain\r\n\r\n";
    print "$ret";
    exit 0;
}

vulnerable variable: my $ret = `print $uname`;

Remote execution

Page 38: Hacked Revealed: Penetration Profession

The $uname variable doesn’t filter special characters like ; | ` ' #

• So it’s like executing…

- original code was: my $ret = `print $uname`;

- what actually executes: my $ret = `print special_character shell_command`;

- example:

my $ret = `print ; uname -a`;

my $ret = `print | cat /etc/passwd`;

Remote execution
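The same bug and its fix, as an added Python example that is not from the slides (the Perl CGI above is the page's own). It shows the three defensive pieces a reviewer would ask for: an allowlist check on the username, shell quoting for the rare case where a shell is unavoidable, and the list-form subprocess call that never parses its argument as shell syntax. The sample inputs are constructed; echo stands in for the slide's print, which is a shell builtin rather than a program.

```python
import re
import shlex
import subprocess

# Constructed sample inputs, mirroring the slide's "; uname -a" and
# "| cat /etc/passwd" cases: one normal username and two injection attempts.
SAMPLE_INPUTS = ["slash", "slash; uname -a", "slash | cat /etc/passwd"]

# Allowlist: only the characters a username legitimately needs. Every shell
# metacharacter the slide lists (; | ` ' #), and many more, fall outside it.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def is_safe_username(uname: str) -> bool:
    """True only if uname matches the allowlist; anything else is rejected."""
    return USERNAME_RE.fullmatch(uname) is not None


def shell_command_unsafe(uname: str) -> str:
    """The slide's vulnerable pattern: the string /bin/sh would receive from
    `print $uname`. Returned rather than executed, so the injection is visible."""
    return "print " + uname


def shell_command_quoted(uname: str) -> str:
    """If a shell is unavoidable, quote the argument so metacharacters stay literal."""
    return "print " + shlex.quote(uname)


def echo_without_shell(uname: str) -> str:
    """Run an external program with an argument list and shell=False: the
    argument is delivered verbatim and is never parsed as shell syntax."""
    result = subprocess.run(["echo", uname], capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def handle_request(uname: str) -> str:
    """Hardened handler: validate first, then run without a shell."""
    if not is_safe_username(uname):
        raise ValueError("rejected username: characters outside the allowlist")
    return echo_without_shell(uname)


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print("input:      ", repr(sample))
        print("unsafe cmd: ", shell_command_unsafe(sample))
        print("quoted cmd: ", shell_command_quoted(sample))
        try:
            print("handled:    ", handle_request(sample))
        except ValueError as exc:
            print("handled:    ", exc)
```

Validation and the no-shell call are independent layers: even if the allowlist were loosened, the list-form call hands "slash; uname -a" to echo as one literal argument, so nothing after the semicolon ever runs.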

Page 39: Hacked Revealed: Penetration Profession

Hands On: web application vulnerability – remote file inclusion

DISCOVERY

Page 40: Hacked Revealed: Penetration Profession

Assume the target is running the Nucleus weblog

Remote file inclusion

Page 41: Hacked Revealed: Penetration Profession

Download the source code (if available)

• Get the exact same version – v3.15

• Read the change log

• Again, run your favorite tools or audit the code manually.

Remote file inclusion

Page 42: Hacked Revealed: Penetration Profession

Quick and dirty way to find remote file inclusion bugs

Remote file inclusion

Page 43: Hacked Revealed: Penetration Profession

Search for open $variables

• bug finding: globalfunctions.php has an open variable, $DIR_LIBS

Remote file inclusion

Page 44: Hacked Revealed: Penetration Profession

Information Technology Security – CASE STUDY: bugs finding

Execute and see if it’s really a bug!

Remote file inclusion
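The mitigation for the open-variable finding above, as an added Python example that is neither the slides' nor Nucleus's code: a guard that decides whether a request-supplied library name may reach an include. It rejects remote and wrapper URLs (the remote file inclusion case), null bytes, anything outside an allowlist of shipped files, and, as a separate containment check, any path that normalises to a location outside the library directory. LIB_DIR and ALLOWED_LIBS are constructed stand-ins for $DIR_LIBS and the application's real file set.

```python
import os
from urllib.parse import urlsplit

# Constructed stand-ins: where the library files live (the slide's $DIR_LIBS)
# and the exact set of files the application is allowed to include.
LIB_DIR = "/var/www/nucleus/libs"
ALLOWED_LIBS = frozenset({"PLUGIN.php", "ACTIONS.php"})


class IncludeRejected(Exception):
    """Raised for any include name that must not reach include()/require()."""


def safe_include_path(requested: str, base_dir: str = LIB_DIR, allowlist=ALLOWED_LIBS) -> str:
    """Return the absolute path to include, or raise IncludeRejected.

    Check order: remote/wrapper URLs and null bytes first, then the allowlist
    (when one is given), then the containment test, which on its own also stops
    ../ traversal and absolute paths when no allowlist is used.
    """
    # Any URL scheme (http://, ftp://, php://, data:, ...) is a remote or wrapper include.
    if urlsplit(requested).scheme:
        raise IncludeRejected("remote or wrapper URL rejected: %r" % requested)
    # A null byte was historically used to truncate an include path in PHP.
    if "\0" in requested:
        raise IncludeRejected("null byte in include name")
    # Strictest form: only files the application itself ships, by exact name.
    if allowlist is not None and requested not in allowlist:
        raise IncludeRejected("not an allowed library file: %r" % requested)
    # Containment: after normalisation the path must still sit under base_dir.
    base = os.path.normpath(base_dir)
    full = os.path.normpath(os.path.join(base, requested))
    if os.path.commonpath([base, full]) != base:
        raise IncludeRejected("path escapes library directory: %r" % requested)
    return full


def classify(requested: str, allowlist=ALLOWED_LIBS) -> str:
    """Convenience wrapper: 'ok:<path>' or 'rejected:<reason>' for a log line."""
    try:
        return "ok:" + safe_include_path(requested, allowlist=allowlist)
    except IncludeRejected as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    # Constructed request values: one legitimate, the rest the classic RFI/LFI shapes.
    for name in ["PLUGIN.php", "http://203.0.113.9/shell.txt", "php://input",
                 "../../../etc/passwd", "/etc/passwd", "evil.php"]:
        print(classify(name))
```

The allowlist is the real fix for a variable like $DIR_LIBS that should never have been request-controlled at all; the containment check is there so that a deployment which cannot enumerate its files still refuses traversal.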

Page 45: Hacked Revealed: Penetration Profession

Blinding IDS

Signature-based NIDS

• A sniffer that searches each packet for specific strings

• Simple signature-based NIDS: inspects 1 packet at a time, cannot handle packet-overlapped contents or fragmented packets

• Advanced signature-based NIDS (Snort): inspects the traffic flow, whether 1 packet, overlapped contents or fragmented (packets are reassembled)

• Cons: requires IT security expertise, false positives

“Anomaly detection”-based NIDS

• A good anomaly detection NIDS uses a signature-based NIDS as its base

• Attempts to identify anomalies in network traffic and in the alerts from the signature-based NIDS

• Cons: requires very good security expertise to operate, too many false positives, easy to evade

Page 46: Hacked Revealed: Penetration Profession


Page 47: Hacked Revealed: Penetration Profession

Information Technology Security – Preparation stage

alert tcp !$HOME any -> $HOME any (content:"foo"; msg:"detected foo";)

Simple Snort rule

This rule simply looks for “foo” in any TCP packet on the network not originating from $HOME (in Snort’s stock configuration the home network variable is spelled $HOME_NET). If it’s detected, it’ll alert with “detected foo” as the alert message.
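The rule above, exercised by an added Python example that is neither from the slides nor from Snort itself: a minimal parser for the rule header and its content/msg options, a per-packet matcher like the “simple signature-based NIDS” of the Blinding IDS slide, and a flow matcher that reassembles segments in sequence order before searching, which is what lets a Snort-class NIDS catch a string split across packets. The TCP segments and the 10.0.0.0/24 meaning of $HOME are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# The slide's rule, exactly as written on the page.
SIMPLE_RULE = 'alert tcp !$HOME any -> $HOME any (content:"foo"; msg:"detected foo";)'

# Constructed: what $HOME stands for in this example.
HOME_NET_PREFIX = "10.0.0."

# Constructed TCP segments from outside $HOME toward $HOME. The string "foo"
# is split across segments 2 and 3, so no single packet contains it.
SEGMENTS = [
    {"src": "203.0.113.7", "dst": "10.0.0.5", "seq": 1000, "payload": b"GET /index.html?q="},
    {"src": "203.0.113.7", "dst": "10.0.0.5", "seq": 1018, "payload": b"fo"},
    {"src": "203.0.113.7", "dst": "10.0.0.5", "seq": 1020, "payload": b"o HTTP/1.0\r\n"},
]


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)


RULE_HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$'
)
OPTION_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"\s*;')


def parse_rule(text: str) -> Rule:
    """Parse 'action proto src sport -> dst dport (opt:"v"; ...)' into a Rule.
    Only the quoted-string option form used by the slide is supported."""
    m = RULE_HEADER_RE.match(text)
    if not m:
        raise ValueError("unparsable rule header")
    action, proto, src, sport, dst, dport, body = m.groups()
    return Rule(action, proto, src, sport, dst, dport, dict(OPTION_RE.findall(body)))


def header_matches(rule: Rule, seg: dict) -> bool:
    """Apply the $HOME / !$HOME / any address specs of the header to a segment."""
    def side(spec: str, addr: str) -> bool:
        negate = spec.startswith("!")
        var = spec.lstrip("!")
        in_home = addr.startswith(HOME_NET_PREFIX) if var == "$HOME" else True
        return (not in_home) if negate else in_home
    return side(rule.src, seg["src"]) and side(rule.dst, seg["dst"])


def per_packet_alerts(rule: Rule, segments: list) -> list:
    """Simple signature NIDS: inspect each packet in isolation."""
    needle = rule.options["content"].encode()
    return [rule.options["msg"] for s in segments
            if header_matches(rule, s) and needle in s["payload"]]


def reassembled_alerts(rule: Rule, segments: list) -> list:
    """Flow-aware NIDS: rebuild each flow in sequence order, then search it."""
    needle = rule.options["content"].encode()
    flows: dict = {}
    for s in segments:
        if header_matches(rule, s):
            flows.setdefault((s["src"], s["dst"]), []).append(s)
    alerts = []
    for segs in flows.values():
        stream = b"".join(s["payload"] for s in sorted(segs, key=lambda s: s["seq"]))
        if needle in stream:
            alerts.append(rule.options["msg"])
    return alerts


if __name__ == "__main__":
    rule = parse_rule(SIMPLE_RULE)
    print("per-packet :", per_packet_alerts(rule, SEGMENTS))    # misses the split "foo"
    print("reassembled:", reassembled_alerts(rule, SEGMENTS))   # finds it
```

The per-packet matcher is the slide's first NIDS class and the reassembling one its second; the same rule, run the two ways over the same three segments, is the whole difference between the two.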

Page 48: Hacked Revealed: Penetration Profession

Hiding from a NIDS

• A signature-based NIDS has one single outstanding vulnerability: it can’t defeat strong encryption, or even simple scrambling

• Encryption is like “camouflage” to Snort and the like. However…

• Initial penetration through a buffer overflow or a format string bug is extremely hard to scramble successfully

• Initial penetration through a web application bug is also hard to scramble successfully (although, unlike with buffer overflows, there are possibilities)

Page 49: Hacked Revealed: Penetration Profession

Hands On: blinding IDS – snort

DISCOVERY

Page 50: Hacked Revealed: Penetration Profession

Analysis – A simple example

X has scanned one web server owned by an ISP that X wants to penetrate. Let’s assume that this web server holds one web site that is vulnerable to the PHP remote file inclusion “feature” and that it’s exploitable.

X doesn’t know which virtual website has the vulnerability, or even that the server is vulnerable, since the scan didn’t yield anything useful. The ISP’s own website has nothing but static web pages to offer.

If X had made a simple search for clients of the ISP, X could have found the vulnerable website, and been able to penetrate the ISP’s web server even though no known vulnerabilities were initially discovered.

• It’s all about details!

Discovery

Page 51: Hacked Revealed: Penetration Profession

PENETRATION METHODOLOGY

Attacks & Executions (writing exploits, sniffing, snooping, keylogging)

Page 52: Hacked Revealed: Penetration Profession


Page 53: Hacked Revealed: Penetration Profession

Execution: Exploitation & Penetration

• Run exploit code against the target system

• Make sure you’re alone (advanced hacking)

• Immediately download a backdoor that offers strong encryption and place it in an obscure, not-easy-to-find location (advanced hacking)

• Go encrypted and drop the unencrypted exploit shell (advanced hacking)

Page 54: Hacked Revealed: Penetration Profession

Execution

Privilege Escalation

• Conduct local discovery, attempt to find the best and easiest way to obtain root access (basic and advanced hacking)

• If initial privilege escalation attempts fail, choose either to continue trying or to see what you can do as an unprivileged user

• If root is obtained, install the backdoor (trojan, rootkit, web application, etc. – of course, only if it is allowed)

Page 55: Hacked Revealed: Penetration Profession

Privilege escalation

• Try looking for writeable files

  - find / -perm 0002 -user [current_user] -exec file \; > writeable.log

• Try looking for suid files

  - find / -perm +4000 -user root -exec file \; > suid.log

    (the “+4000” any-of-these-bits test is the old GNU find spelling; current GNU find writes it -perm /4000)

  - download them to your local machine/computer

  - identify the suid files’ versions

• MySQL passwords

Page 56: Hacked Revealed: Penetration Profession

Basic Buffer Overflow: stack overflow – hands-on

Page 57: Hacked Revealed: Penetration Profession

Stack Overflow

Vulnerable example code 1:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv, char **envp) {
    char buff[8];

    if (argc < 2) exit(0);

    strcpy(buff, argv[1]);   /* no length check: an argv[1] longer than 7 bytes overruns buff */
    printf("%s\n", buff);
    return 0;
}

Page 58: Hacked Revealed: Penetration Profession

Stack Overflow

Vulnerable example code 2:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    char buff[512], *envpoint;

    if ((envpoint = getenv("TEST")) == NULL) {
        printf("No environmental variable TEST.\n");
        return 0;
    }

    strcpy(buff, envpoint);   /* no length check: a TEST value longer than 511 bytes overruns buff */
    printf("The environmental variable TEST holds: %s\n", buff);
    return 0;
}

Page 59: Hacked Revealed: Penetration Profession

Format strings

Vulnerable example code 3:

#include <stdio.h>
#include <string.h>

int main(int argc, char *argv[]) {
    char buf[8];

    if (argc < 2) return 0;

    strncpy(buf, argv[1], sizeof(buf));   /* bounded copy, but not NUL-terminated if argv[1] is 8 bytes or longer */
    printf(argv[1]);                      /* user input used directly as the format string */
    printf("\n");
    return 0;
}

Page 60: Hacked Revealed: Penetration Profession

Basic Buffer Overflow: return to libc – hands-on

Page 61: Hacked Revealed: Penetration Profession

Execution: Monitoring/Sniffing/Hijacking

• Trojans

• Favorite monitoring tools (ettercap, *sniffer)

• Hijack the connection and watch them on the fly (advanced hacking)

• Install a key logger (Linux and Windows)

• Snoop everything for more results – advanced hacking course

Page 62: Hacked Revealed: Penetration Profession

Trojans and Backdoors: hands-on

Page 63: Hacked Revealed: Penetration Profession

Sniffing and Keylogging: hands-on

Page 64: Hacked Revealed: Penetration Profession

PENETRATION METHODOLOGY

Reports (records, disclosed advisory, management papers)

Page 65: Hacked Revealed: Penetration Profession

END – Thank You

Where do we go from here…

[email protected]

+6012 694 7243