Agenda

1
Agenda

• Internet footprinting
• Windows hacking
• Unix hacking
• Network web hacking

2
Internet footprinting agenda

• Review publicly available information
• Perform network reconnaissance
• Discover landscape
• Determine vulnerable services

3
Review publicly available information

• News Look for recent news
• news.google.com
• SEC filings
• Search for phone numbers, contacts
• Technical info Look for stupid postings
• Router configs
• Admin pages
• Nessus scans
• Netcraft
• Whois/DNS info
• SamSpade
• dig

4
Network reconnaissance

• Use traceroute to find vulnerable servers
• Trout
• Can also query BGP tools
• http//nitrous.digex.net/mae/equinix.html
• Look up ASNs

5
Landscape discovery

• Ping sweep Find out which hosts are alive
• nmap, fping, gping, SuperScan, etc.
• Port scans Find out which ports are listening
• Dont setup a full connection just SYN
• netcat can be run in encrypted mode cryptcat
• Nmap advanced options
• XMAS scan sends all TCP options
• Source port scanning sets source port (e.g., port
  88 to scan Windows systems)
• Time delays
• Banner grab O/S guess
• telnet
• ftp
• netcat
• nmap

6
Windows hacking

• Scan
• Enumerate
• Penetrate
• Escalate
• Pillage
• Get interactive
• Expand influence

7
Windows scanning

• Port scan, looking for whats peculiar to Windows
• 88 Kerberos
• 139 NetBIOS
• 445 SMB/CIFS
• 1433 SQL Server
• 3268, 3269 Active Directory
• 3389 Terminal Services
• Trick Scan from source port 88 to find IPSec
  secured systems

8
Windows enumeration

• Accounts
• USER account used by most code, but escalates to
  SYSTEM to perform kernel-level operations
• System accounts tracked by their SIDs
• RID at end of SID identifies account type
• RID 500 is admin account
• Need to escalate to Administrator to have any
  real power
• Tools
• userdump enumerates users on a host
• Sid2user user2sid translates account names on a
  host
• SAM
• Contains usernames, SIDs, RIDs, hashed passwords
• Local account stored in local SAM
• Domain accounts stored in Active Directory (AD)
• Trusts
• Can exist between AD domains
• Allows accounts from one domain to be used in
  ACLs on another domain

9
Windows enumeration (cont.)

• Need access to ports 135, 139, 445
• Enumerate hosts in a domain
• net view /domainltdomain namegt
• Find domain controller(s)
• nltest /dsgetdcltdomain namegt /pdc
• nltest /bdc_queryltdomain namegt
• nbtstcan fast NetBIOS scanner
• null sessions are an important way to get info
• Runs over 445
• Not logged by most IDS
• net use \\lttargetgt\ipc /u
• local (from ResKit) or Dumpsec can then
  enumerate accounts
• Countermeasures
• Block UDP/137
• Set RestictAnonymous registry value

10
Windows enumeration (cont.)

• Look for hosts with 2 NICs
• getmac from Win2K resource kit
• Enumerate trusts on domain controller
• nltest /serveramer /trusted_domains
• Enumerate shares with DumpSec
• Hidden shares have at the end
• Enumerate with LDAP
• LDAPminer

11
Windows Penetration

• 3 methods
• Guess password
• Obtain hashes
• Emergency Repair Disk
• Exploit a vulnerable service
• Guessing passwords
• Review vulnerable accounts via dumpsec
• Use NetBIOS Auditing Tool to guess passwords

12
Windows Escalation

• Getadmin
• Getad
• Getad2
• pipeupadmin
• Shatter
• Yields system-level privileges
• Works against .NET

13
Windows Pillaging

• Clear logs
• Some IDSs will restart auditing once its been
  disabled
• Grab hashes
• Remotely with pwdump3
• Backup SAM c\winnt\repair\sam._
• Grab passwords
• Sniff SMB traffic
• Crack passwords
• L0phtcrack
• John the Ripper

14
Windows Get Interactive

• Copy rootkit over a share
• Hide rootkit on the target server
• Low traffic area such as winnt\system32\OS2\dll\to
  olz
• Stream tools into files
• Remote shell
• remote.exe (resource kit tool)
• netcat
• How to fire up remote listener?
• trojan
• Leave a CD in the bathroom titled, pending
  layoffs ?
• Schedule it for remote execution
• at scheduler
• psexec

15
Windows Expand influence

• Get passwords
• Keystroke logger with stealth mail
• FakeGINA intercepts Winlogon
• Plant stuff in registry to run on reboot
• Hide files
• attrib h ltdirectorygt
• Stream files
• Tripwire should catch this stuff

16
Unix hacking

• Landscape discovery
• System enumeration
• Remote attack
• Local attack
• Beyond root

17
Unix Landscape Discovery

• Goals
• Discover available hosts
• Find all running services
• Methodology
• ICMP and TCP ping scans
• Find listening services with nmap and udp_scan
• Discover paths with ICMP, UDP, TCP
• Tools
• nmap
• SuperScan (Windows)
• udp_scan (more reliable than nmap for udp
  scanning)

18
Unix System Enumeration

• Goal Discover the following
• Users
• Operating systems
• Running programs
• Specific software versions
• Unprotected files
• Internal information
• Tools
• OS/Application telnet, ftp, nc, nmap
• Users finger, rwho,rusers, SMTP
• RPC programs rpcinfo
• NFS shares showmount
• File retrieval TFTP
• SNMP snmpwalk snmpget

19
Unix Service Enumeration

• Users
• finger
• SMTP vrfy
• DNS info
• Dig
• RPC services
• Rpcinfo
• NFS shares
• Showmount
• Countermeasures
• Turn off un-necessary services
• Block IP addresses with router ACLs or TCP
  wrappers

20
Unix Remote Attack

• 3 primary methods
• Exploit a listening service
• Route through a system with 2 or more interfaces
• Get user to execute it for you
• Trojans
• Hostile web site
• Brute-force against service
• http//packetstormsecurity.nl/Crackers/
• Countermeasure strong passwords, hide user names
• Buffer-overflow attack
• Overflow the stack with machine-dependent code
  (assembler)
• Usually yields a shell shovel it back with
  netcat
• Prime targets programs that run as root or suid
• Countermeasures
• Disable stack execution
• Code reviews
• Limit root and suid programs

21
Unix Remote Attack (cont.)

• Buffer overflow example
• echo vrfy perl e print a x 1000 nc
  www.targetsystem.com 25
• Replace this with something like this
• char shellcode \xeb\xlf\x5e\x89\x76\x08
• Input validation attacks
• PHF CGI newline character
• SSI passes user input to O/S
• Back channels
• X-Windows
• Send display back to attackers IP
• Reverse telnet

22
Unix Remote Attack (cont.)

• Countermeasures against back channels
• Get rid of executables used for this (x-windows,
  telnet, etc.)
• Commonly attacked services
• Sendmail
• NFS
• RPC
• X-windows (sniffing session data)
• ftpd (wu-ftpd)
• DNS
• Guessable query IDs
• BIND vulnerabilities
• Countermeasures
• Restrict zone transfers
• Block TCP/UDP 53
• Dont use HINFO records

23
Unix local attacks

• Buffer overflow
• Setuid programs
• Password guessing/cracking
• Mis-configured file/dir permissions

24
Unix beyond root

• Map the network (own more hosts)
• Install rootkit
• crypto checksum is the only way to know if its
  real
• Create backdoors
• Sniff other traffic
• dsniff
• arpredirect
• loki
• Hunt
• Countermeasures
• Encrypt all traffic
• Switched networks (not a panacaea)
• Clean logs
• Session hijacking

25
Network hacking

• Vulnerabilities
• TTY access 5 to choose from
• SNMP V2 community strings
• HTTP (Everthing is clear-text)
• TFTP
• No auth
• Easy to discern router config files
  ltrouter-namegt.cfg
• Countermeasures
• ACLs
• TCP wrappers
• Encrypt passwords

26
Routing issues

• Path integrity
• Source routing reveals path through the network
• Routing updates can be spoofed (RIP, IGRP)
• ARP spoofing
• Easy with dsniff

27
Firewalls

• Enumerate with nmap or tcpdump
• Can show you which ports are filtered (blocked)
• Some proxies return a banner
• Eagle Raptor
• TCP traffic itself may provide signature
• Ping the un-pingable
• hping
• Look for ICMP type 13 (admin prohibited)

28
Firewalls (cont.)

• ACLs may allow scanning if source port is set
• nmap with -g option
• Port redirection
• fpipe
• netcat

29
Web hacking

• Scanning tools
• whisker
• nikto
• stealth
• www.coolcarts.com