Hacking Exposed - PowerPoint PPT Presentation

Description: igor login: 220- Welcome to the Irish National Information Server FTP site. ... Etrade/Ebay/Yahoo and DNS root servers. Old School attacks. Ping O' Death ... – PowerPoint PPT presentation
Number of Views: 114
Avg rating: 3.0/5.0
Slides: 29
Provided by: sag4

Transcript and Presenter's Notes

1
Hacking Exposed
  • The System Administrators Guild of Ireland
  • www.sage-ie.org

2
Table of Contents
  • Introduction
  • Research
  • Scanning
  • Attacking
  • Summary

3
Introduction
  • Hackers
    • make furniture with an axe. No, really!
    • are good programmers
    • stretch computer systems
    • Do Bad Things
  • Cracker
  • The semantic war is over. Deal with it.

4
Table of Contents
  • Introduction
  • Research
  • Scanning
  • Attacking
  • Summary

5
A Picture with a Pretty Cloud
  (diagram: Hacker -> The Internet -> redirect)

6
Research I
  • Public Records
  • Press Releases
  • Voluntary Disclosures
  • Companies Office Documents
  • Mergers/stakes in other companies
  • Contact Information/phone books
  • HTML source
  • Dumpster diving

7
Research II
  • Network
    • Indirection
    • Spoofing
    • Webcafes
    • Walk-up machines on campus

8
Whois (www.easons.ie)
    donalc@cyclops$ whois 213.190.129.177
    inetnum:  213.190.129.160 - 213.190.129.191
    netname:  B4N
    descr:    B4N, eircom customer assignment
    country:  IE
    tech-c:   DM6861-RIPE
    notify:   ripe@eircom.net

    route:    213.190.128.0/19
    descr:    Eircom Net
    origin:   AS5466
    notify:   networks@eircom.net

    person:   Dan Murphy
    address:  27 Carysfort Avenue
    address:  Blackrock
    address:  Co Dublin
    address:  Ireland

9
DNS I
  • Record Types
    • NS (Name Server)
    • MX (Mail eXchanger: email)
    • A and PTR (Addresses)
    • CNAME (Aliases/nicknames)
    • RP (Responsible Person)
    • LOC (Location: ICBM co-ordinates)
    • HINFO (Host INFO: OS, version, etc.)
    • DNAME (Hierarchical CNAME)
    • WKS (Well-Known Services)

10
DNS II
  • Zone Transfers
    • Give me Everything
    • Use host/dig/nslookup/axfr
    sage-ie.org.              159089  IN  MX     10 mail.heanet.ie.
    sage-ie.org.              169190  IN  NS     ns2.heanet.ie.
    sage-ie.org.              169190  IN  NS     ns.heanet.ie.
    www.sage-ie.org                       CNAME  sage-ie.webhost.heanet.ie
    sage-ie.webhost.heanet.ie             A      193.1.219.86
    lists.sage-ie.org                     CNAME  kilmainham.stdlib.net
    Kilmainham.stdlib.net                 A      65.214.160.134
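The records above are what anyone who is allowed a zone transfer receives, and slide 9 lists the record types (HINFO, RP, LOC, WKS) that tell an outsider far more than a resolver needs. The following script is an added example, not part of the SAGE-IE slides: it parses host/dig-style record lines, counts what the zone publishes per type, and flags the information-leaking types so an administrator can review a zone before deciding whether it may be transferred at all. The sample zone is constructed here from the slide's sage-ie.org output plus two made-up HINFO/RP records; the set of "leaky" types is this example's judgement call.

```python
"""Audit what a DNS zone hands out over AXFR (added example, not from the slides)."""
import re
from collections import defaultdict

# Record types from slide 9 that disclose host or operator details to anyone
# who can pull the zone. Which types count as leaky is an assumption of this example.
LEAKY_TYPES = {"HINFO", "RP", "LOC", "WKS"}

# name [ttl] [IN] type rdata  -- TTL and class are optional, as in the slide's output.
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+)$"
)


def parse_zone(text):
    """Return (name, type, rdata) tuples; names are lower-cased with the trailing dot removed."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and zone-file comments
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue
        name = m.group("name").lower().rstrip(".")
        records.append((name, m.group("type"), m.group("rdata").strip()))
    return records


def audit_zone(text):
    """Summarise the zone: record count, count per type, and the leaky records."""
    records = parse_zone(text)
    by_type = defaultdict(int)
    leaks = []
    for name, rtype, rdata in records:
        by_type[rtype] += 1
        if rtype in LEAKY_TYPES:
            leaks.append((name, rtype, rdata))
    return {"records": len(records), "by_type": dict(by_type), "leaks": leaks}


# Constructed sample: the slide's sage-ie.org records plus two invented
# HINFO/RP lines to show what a zone that leaks looks like.
SAMPLE_ZONE = """\
sage-ie.org. 159089 IN MX 10 mail.heanet.ie.
sage-ie.org. 169190 IN NS ns2.heanet.ie.
sage-ie.org. 169190 IN NS ns.heanet.ie.
www.sage-ie.org CNAME sage-ie.webhost.heanet.ie
sage-ie.webhost.heanet.ie A 193.1.219.86
lists.sage-ie.org CNAME kilmainham.stdlib.net
Kilmainham.stdlib.net A 65.214.160.134
www.sage-ie.org HINFO "PC-Intel" "Linux 2.4"
sage-ie.org. RP hostmaster.example.net. .
"""

if __name__ == "__main__":
    report = audit_zone(SAMPLE_ZONE)
    print(f"{report['records']} records, by type: {report['by_type']}")
    for name, rtype, rdata in report["leaks"]:
        print(f"LEAK {rtype:6} {name}: {rdata}")
```

Run against the output of `dig @ns axfr zone` saved to a file; if the transfer succeeds from a host that is not a secondary, that is the first finding, before any record is even read.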

11
Traceroute
    donalc@cyclops$ traceroute www.cs.tcd.ie
    traceroute to burke.cs.tcd.ie (134.226.32.57), 30 hops max, 40 byte packets
     1  Calpurnia-f0-0-2.hea.net (193.1.219.1)  5 ms  8 ms  9 ms
     2  Mantova-vlan3.hea.net (193.1.198.245)  0 ms  0 ms  0 ms
     3  tcd.site.hea.net (193.1.196.150)  0 ms  1 ms  1 ms
     4  193.1.192.187 (193.1.192.187)  1 ms  1 ms  0 ms
     5  csgate.tcd.ie (134.226.1.254)  1 ms  2 ms  1 ms
     6  burke.cs.tcd.ie (134.226.32.57)  1 ms  1 ms  1 ms

    donalc@cyclops$ traceroute www.ucl.ac.uk
    traceroute to www.ucl.ac.uk (144.82.100.130), 30 hops max, 40 byte packets
     1  Calpurnia-f0-0-2.hea.net (193.1.219.1)  10 ms  5 ms  8 ms
     2  Miranda-g1-0.Dublin.core.hea.net (193.1.196.121)  0 ms  0 ms  0 ms
     3  Phobos-g1-1.CityWest.core.hea.net (193.1.195.129)  1 ms  1 ms  1 ms
     4  dublin-bar.ja.net (146.97.40.133)  1 ms  1 ms  1 ms
     5  po5-0.lond-scr3.ja.net (146.97.35.29)  13 ms  13 ms  13 ms
     6  po6-0.lond-scr.ja.net (146.97.33.9)  13 ms  13 ms  13 ms
     7  po0-0.london-bar1.ja.net (146.97.35.2)  13 ms  13 ms  13 ms
     8  ulcc-gsr.lmn.net.uk (146.97.40.34)  13 ms  13 ms  13 ms

12
Table of Contents
  • Introduction
  • Research
  • Scanning
  • Attacking
  • Summary

13
Intro to Scanning
  • So far, everything we've done is legal.
  • Indirection is key
  • Spoofing
  • Traceability
  • Ping (ICMP and TCP)
  • Fping, nmap, netcat and many more!

14
Nmap output
  (screenshot of nmap output; not reproduced in the transcript)
15
Scan options I
  • Full connect
  • Syn
  • Fin
  • Null
  • Xmas Tree
  • Ack (established)

16
OS Fingerprinting
    cyclops:/home/donalc$ nmap -O www.hea.net

    Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
    Interesting ports on cyclops.heanet.ie (193.1.219.104):
    (The 1547 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp
    22/tcp     open        ssh
    80/tcp     open        http
    113/tcp    open        auth
    443/tcp    open        https
    514/tcp    open        shell
    5432/tcp   open        postgres

    Remote operating system guess: Linux Kernel 2.4.0 - 2.4.17 (X86)
    Uptime 111.198 days (since Wed Dec 18 11:07:20 2002)

    Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
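The scan output above is also the cheapest audit an administrator can run on their own hosts: anything nmap reports as open that is not on the list of services the machine is supposed to offer is a finding. The script below is an added example (not part of the slides) that parses nmap's port table and OS guess from a saved scan and compares the open ports with an expected baseline; the baseline (ssh, http, https) is an assumption made here for illustration, and the sample scan text is the slide's own output.

```python
"""Diff an nmap port listing against the expected service baseline (added example)."""
import re

# One row of nmap's classic "Port State Service" table, e.g. "514/tcp    open   shell".
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\w+)\s+(?P<service>\S+)")
OS_LINE = re.compile(r"^Remote operating system guess:?\s*(?P<os>.+)$", re.MULTILINE)


def parse_nmap_ports(text):
    """Return {(port, proto): (state, service)} for every port row in the scan."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            key = (int(m.group("port")), m.group("proto"))
            ports[key] = (m.group("state"), m.group("service"))
    return ports


def os_guess(text):
    """The OS fingerprint line, or None if nmap did not print one."""
    m = OS_LINE.search(text)
    return m.group("os").strip() if m else None


def unexpected_open_ports(text, baseline):
    """Open ports the scan saw that the baseline does not allow, sorted by port."""
    ports = parse_nmap_ports(text)
    return sorted(k for k, (state, _) in ports.items() if state == "open" and k not in baseline)


def missing_baseline_ports(text, baseline):
    """Baseline services the scan did not see open (service down or filtered)."""
    ports = parse_nmap_ports(text)
    return sorted(k for k in baseline if ports.get(k, ("closed", ""))[0] != "open")


# Scan text reproduced from the slide.
SAMPLE_SCAN = """\
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on cyclops.heanet.ie (193.1.219.104):
(The 1547 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http
113/tcp    open        auth
443/tcp    open        https
514/tcp    open        shell
5432/tcp   open        postgres

Remote operating system guess: Linux Kernel 2.4.0 - 2.4.17 (X86)
Uptime 111.198 days (since Wed Dec 18 11:07:20 2002)

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
"""

# Assumed baseline for this host: only these should answer from the outside.
BASELINE = {(22, "tcp"), (80, "tcp"), (443, "tcp")}

if __name__ == "__main__":
    print("OS guess:", os_guess(SAMPLE_SCAN))
    for port, proto in unexpected_open_ports(SAMPLE_SCAN, BASELINE):
        print(f"unexpected: {port}/{proto} ({parse_nmap_ports(SAMPLE_SCAN)[(port, proto)][1]})")
    for port, proto in missing_baseline_ports(SAMPLE_SCAN, BASELINE):
        print(f"expected but not open: {port}/{proto}")
```

On the slide's host the diff would list ftp, auth, rsh (514/tcp) and postgres as not in the baseline; rsh and an externally reachable database are exactly the kind of thing the later "Exploits & rootkits" slide means by using scan information as an index.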

17
Banner Grabbing
    220 mail.me.ie ESMTP Exim 4.05 Tue, 08 Apr 2003 17:00:40 +0100

    SunOS 5.7

    igor login:

    220- Welcome to the Irish National Information Server FTP site.
    220- All connections are logged; if this is disagreeable, please
    220- disconnect now.
    220-
    220- This is a 2 Terabyte server with Gigabit access to the
    220- HEAnet backbone.
    220-
    220- This is a European mirror. If you are in the USA, please
    220- use a mirror closer to home.
    220-
    220 canyonero.heanet.ie FTP server ready.

18
Nessus
  • Vulnerability scanner
  • Can use nmap automagically
  • Can do non-destructive testing
  • Limited password guessing
  • Many, many options
  • Pretty reports
  • Tweak to do non-standard tests

19
Web vulnerabilities
  • Whisker
  • Nikto
  • SQL insertions
    • xxx DROP DATABASE
  • Cross-site scripting
    • Cookie stealing

20
Sniffing for fun & profit
  • Sniff, and then crack (if necessary)
  • We're all using ssh, right?
  • dsniff
  • L0phtcrack/LC4
  • Crack
  • Capture first 512 bytes of all connections
    • telnet, ftp, email, web
  • Keypress timing

21
Null sessions on Windows
    C:\> net use \\1.2.3.4\IPC$ "" /u:""
    C:\> net view /domain
    Domain
    ------------------------------------------------------
    RLYEH
    ARKHAM
    INNSMOUTH
    LENG
    KADATH

    C:\> net view /domain:rlyeh
    Server Name            Remark
    ------------------------------------------------------
    \\CTHULHU              The Dreamer
    \\SHOGGOTH             The Minion
    \\BYAKHEE              The Steed

    C:\> nltest /dclist:rlyeh
    \\CTHULHU (PDC)
    \\SHOGGOTH

22
Table of Contents
  • Introduction
  • Research
  • Scanning
  • Attacking
  • Summary

23
Goals
  • Poison DNS cache redirect customers
  • Steal domain name sex.com
  • DOS and DDOS (see next slide)
  • Press attacks
  • Commercial attacks
  • Confidence attacks
  • because I can!

24
DOS and DDOS
  • Denial-of-Service attacks
    • Usually single-source
    • Easy to trace and filter
  • Distributed DOS attacks
    • Use layer of compromised machines
    • Many sources
    • Difficult to trace and filter
    • Etrade/Ebay/Yahoo and DNS root servers
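The slide's distinction (single-source is easy to filter, distributed is not) is visible in the simplest per-source count. The script below is an added example, not from the slides: it parses constructed tcpdump-style lines for TCP SYNs, counts them per source address, and reports whether a flood can be dropped with a handful of source filters or is spread across so many hosts that per-source filtering is useless. The thresholds and the log format are assumptions of this example; the addresses are documentation ranges made up here.

```python
"""Classify a SYN flood as single-source or distributed from per-source counts (added example)."""
import re
from collections import Counter

# tcpdump-style line, e.g. "17:00:40.000001 IP 10.0.0.9.40001 > 193.1.219.86.80: Flags [S], ..."
SYN_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[S\]"
)


def syn_sources(log_text):
    """Count SYN segments per source address; non-SYN and non-matching lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SYN_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def classify(log_text, per_source=50, aggregate=200):
    """aggregate: SYNs in the capture above which we call it a flood at all.
    per_source: SYNs from one address above which that address alone is worth filtering."""
    counts = syn_sources(log_text)
    total = sum(counts.values())
    result = {"total": total, "sources": len(counts), "filter": []}
    if total < aggregate:
        result["verdict"] = "normal"
        return result
    heavy = sorted(src for src, n in counts.items() if n >= per_source)
    if heavy:
        result["verdict"] = "single-source"  # a few addresses carry the flood: trace and filter them
        result["filter"] = heavy
    else:
        result["verdict"] = "distributed"    # load is spread thin; no source filter helps
    return result


def make_log(flows):
    """Constructed capture: for each (src, n) emit n SYN lines in tcpdump's text format."""
    lines = []
    for src, n in flows:
        for i in range(n):
            lines.append(f"17:00:40.{i:06d} IP {src}.{40000 + i} > 193.1.219.86.80: "
                         f"Flags [S], seq {i}, win 512, length 0")
    return "\n".join(lines)


# Constructed scenarios (RFC 5737 documentation addresses).
SINGLE = make_log([("10.0.0.9", 300)] + [(f"192.0.2.{i}", 1) for i in range(1, 21)])
DISTRIBUTED = make_log([(f"198.51.100.{i}", 3) for i in range(1, 101)])
QUIET = make_log([("192.0.2.7", 5)])

if __name__ == "__main__":
    for label, log in (("single", SINGLE), ("distributed", DISTRIBUTED), ("quiet", QUIET)):
        r = classify(log)
        print(f"{label:12} {r['verdict']:14} total={r['total']} sources={r['sources']} filter={r['filter']}")
```

In the distributed case the same 300 SYNs arrive three per host from a hundred hosts, so no single address crosses the per-source line and the verdict has to fall back to rate limiting or upstream help, which is the slide's point about why DDoS is hard to trace and filter.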

25
Old School attacks
  • Ping O' Death (Überhuge packets)
  • Smurfing (ping broadcast storms)
  • Fraggling (fragment evil)
  • Teardrop (overlapping IP fragments)
  • SYN flooding
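Two of these attacks, Ping O' Death and Teardrop, are malformed-fragment problems, and the checks a reassembly layer or an IDS applies to catch them are short. The following is an added example, not from the slides: a fragment sanity check that takes each fragment's byte offset, payload length and more-fragments flag and reports an oversize reassembly (Ping O' Death: the datagram would exceed the 16-bit IPv4 total length), overlapping fragments (Teardrop), misaligned offsets, and a set with no final fragment. The fragment sets are constructed here to trigger each finding.

```python
"""Sanity checks on an IPv4 fragment set: Ping O' Death, Teardrop and friends (added example)."""

MAX_TOTAL_LENGTH = 65535          # IPv4 total-length field is 16 bits
IP_HEADER = 20                    # minimum header; assumed here for the size check
MAX_PAYLOAD = MAX_TOTAL_LENGTH - IP_HEADER


def check_fragments(fragments):
    """fragments: iterable of (offset_bytes, payload_length, more_fragments), any order.
    Returns {"span": bytes the reassembled payload would cover, "findings": [...]}."""
    findings = []

    def note(finding):
        if finding not in findings:
            findings.append(finding)

    ordered = sorted(fragments)
    highest_end = 0
    for offset, length, more in ordered:
        if offset % 8 or (more and length % 8):
            note("misaligned")   # offsets are carried in 8-byte units; only the last may be odd-sized
        if offset < highest_end:
            note("overlap")      # Teardrop: this fragment rewrites bytes an earlier one supplied
        if offset + length > MAX_PAYLOAD:
            note("oversize")     # Ping O' Death: total length would exceed 65535
        highest_end = max(highest_end, offset + length)
    if not any(not more for _, _, more in ordered):
        note("incomplete")       # no final fragment: reassembly never finishes, buffer stays allocated
    return {"span": highest_end, "findings": findings}


# Constructed fragment sets.
NORMAL_PING = [(0, 84, False)]
PING_O_DEATH = [(0, 1480, True), (65120, 1480, False)]      # 66600 bytes of payload
TEARDROP = [(0, 32, True), (24, 8, False)]                  # second fragment starts inside the first
NEVER_ENDS = [(0, 1480, True), (1480, 1480, True)]

if __name__ == "__main__":
    for label, frags in (("normal", NORMAL_PING), ("ping o' death", PING_O_DEATH),
                         ("teardrop", TEARDROP), ("never ends", NEVER_ENDS)):
        print(f"{label:14} {check_fragments(frags)}")
```

Modern stacks apply these checks in reassembly; the reason the slide calls them old school is that the checks became standard, not that fragments stopped being a useful place to look when a host starts misbehaving.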

26
Exploits & rootkits
  • Use scan info as an index
  • Dedicated vuln. scanners available
  • Tailored to the OS
  • Lack O' Patch
  • Once you're in
    • Rootkits
    • Replace binaries
    • Run sniffers

27
More damage
  • Clear log files
  • Run zombie services
    • IRC a particular favourite
  • Patch exploited holes
    • Counter-intuitive, but hackers are selfish

28
Summary
  • Evil people are out there
  • They can research you legally
  • They can do Bad Things
  • How can you tell?
  • Next month's SAGE-IE talk on Forensics!
  • Thank you