H4ck1n9 +3chiKW35 - PowerPoint PPT Presentation

Title:

H4ck1n9 +3chiKW35

Description:

Presentation outline: Theory about hackers; Some common attacks (theory); Buffer overflow case study: Buffer overflow in the Microsoft RPC DCOM implementation; Hacking ... (PowerPoint PPT presentation)

Slides: 33
Provided by: security64
Transcript and Presenter's Notes

1
H4ck1n9 3chiKW35 D3m0n5R410N
2
Presentation Outline
  • Theory about Hackers
  • Some Common Attacks (Theory)
  • Buffer Overflow Case Study
  • Buffer Overflow in the Microsoft RPC DCOM implementation
  • Hacking Techniques Demonstration

3
We believe
  • Think like a hacker to stop intrusions into your own network
  • Protect your network before they (the evil hackers) attack the vulnerabilities in your network

4
What is hacking
  • Hacking is exploring the details of programmable systems
  • Stretching the capabilities of computer systems
  • Sharing one's computer expertise
  • It can also mean breaking into computer systems (cracking)

Hackers saw programming as a form of artistic expression, and the computer was the instrument of their art.
5
Difference between Hackers and Crackers
  • HACKER (positive)
    • A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
    • One who programs enthusiastically (even obsessively) or who enjoys programming rather than simply theorizing about programming.
  • CRACKER (negative), who is interested in
    • gaining access to important information that you have. Surely you are a V.I.P. in the computer world and you are being seriously hunted
    • gaining access to your system resources.
    • interrupting your host's efficiency (with no threat of exposure). This may be dangerous if your clients require uninterrupted service from your host
    • forming a base to implement the above goals while attacking another computer. In this case, the logs of the attacked computer will show that the attack was performed from your address
    • checking out the mechanism of attacks against other systems.

6
Hacking History
  • 1969 - Unix hacked together
  • 1971 - Cap'n Crunch phone exploit discovered
  • 1988 - Morris Internet worm crashes 6,000 servers
  • 1994 - 10 million transferred from Citibank accounts
  • 1995 - Kevin Mitnick sentenced to 5 years in jail
  • 2000 - Major websites succumb to DDoS
  • 2000 - 15,700 credit and debit card numbers stolen from Western Union (hacked while the web database was undergoing maintenance)
  • 2001 - Code Red
    • exploited a bug in MS IIS to penetrate and spread
    • probed random IPs for systems running IIS
    • had a trigger time for a denial-of-service attack
    • 2nd wave infected 360,000 servers in 14 hours
    • Code Red 2 had a backdoor installed to allow remote control
  • Nimda - used multiple infection mechanisms: email, shares, web client, IIS
  • 2002 - Slammer worm brings the web to its knees by attacking MS SQL Server
  • 2003 - MS Blast worm exploited the vulnerability in the MS RPC DCOM implementation
  • 2004 - MyDoom worm performs DDoS against the MS and SCO web sites
  • ...

7
Hackers' Motivations
  • Fun
  • Profit
  • Extortion
  • Technical Reputation
  • Scorekeeping
  • Revenge/maliciousness
  • Intellectual Challenges
  • Desire to embarrass
  • Experimentation
  • Self Gratification
  • Problem Solving
  • Exposing System Weakness
  • Want to be Hero of Wild Internet

8
Types of hackers
  • Professional hackers
    • Black Hats: the bad guys
    • White Hats: professional security experts
  • Script kiddies
    • Mostly kids/students
    • Use tools created by black hats
    • To get free stuff
    • To impress their peers
    • To not get caught
  • Underemployed adult hackers
    • Former script kiddies
    • Can't get employment in the field
    • Want recognition in the hacker community
  • Ideological hackers
    • Hack as a mechanism to promote some political or ideological purpose
    • Usually coincide with political events
  • Criminal hackers
    • Real criminals, in it for whatever they can get no matter who it hurts
  • Corporate spies

9
Types of Attacks
  • Internal, like technical attacks
  • External, like social engineering

10
Without Hackers,
  • Programming languages such as C and C++ would not exist
  • Operating systems such as Unix and Linux would not exist
  • Microsoft might not have been developed
  • Basically, no one would be designing new types of software
  • Antivirus companies would not have become billionaires

11
With Hackers that crack,
  • Security is thought of, and efforts are put forward to making information more private
  • Free software is made available because of these people
  • These crackers create jobs for others to stop them
  • Since home users are more vulnerable, with less security, they are an easy target for people to hack into for fun
  • Software developers improve their software

Is hacking healthy for the computer industry?
12
Threats to the Information System
  • Autonomous Agents, Back Doors, Backup Theft, Call
    Forwarding Fakery, Condition Bombs, Covert
    Channels, Cracking, Data Aggregation, Data
    Diddling, Data Theft, Degradation of Service,
    Denial of Service, Dumpster Diving, E-mail
    Overflow, E-Mail Spoofing, Excess Privileges,
    False Updates, Get a Job, Hangup Hooking, Illegal
    Value Insertion, Invalid Values on Calls, Induced
    Stress Failures, Infrastructure Interference,
    Infrastructure Observation, Input Overflow, IP
    Spoofing, Logic Bombs, Login Spoofing,
    Masquerading, MIP Sucking, Network Services
    Attacks, Backup Information, Open Microphone
    Listening, Packet Insertion, Packet Sniffing,
    Password Cracking, Password Guessing, Password
    Sniffing, PABX Bugging, Phracking, Phreaking,
    Ping of Death, Piracy, Process Bypassing,
    Protection Limit Poking, Salami Technique,
    Scanning, Session Hijacking, Shoulder Surfing,
    Social Engineering, Spamming, Sympathetic
    Vibration, Time Bombs, Timing Attacks, Toll Fraud
    Networks, Traffic Analysis, Trap Doors, Trojan
    Horses, Tunneling, Use Bombs, Van Eck Bugging,
    Viruses, Wiretapping, Worms

13
How Hackers can Access Your Network
  • Internet
  • Wireless
  • Modem
  • Door
14
Once inside, the hacker can...
  • Modify logs
    • To cover their tracks
    • To mess with you
  • Steal files
    • Sometimes destroy after stealing
    • A pro would steal and cover their tracks so as to be undetected
  • Modify files
    • To let you know they were there
    • To cause mischief
  • Install back doors
    • So they can get in again
  • Attack other systems

15
Some Common Attacks
16
TCP SYN flood
[Diagram: a client flooding a server with TCP SYNs]
17
Distributed Denial of Service
[Diagram: zombies on innocent computers]
18
Smurf Amplification
[Diagram: zombie -> amplifier network (amp/255.255.255.0) -> victim]
19
Spoofing
[Diagram: spoofing among hosts X, Y and Z: "Mr. Z, is that you?" / "Yes, I'm here!"]
20
Social Engineering
Social engineering is a term used by hackers and crackers to denote unauthorized access by methods other than cracking software.
[Dialogue between the Attacker and Devesh]
  Attacker: Good afternoon. Is this Mr. Devesh?
  Devesh: Yes.
  Attacker: Sorry to disturb you. I understand that you are very busy, but I cannot log into the network.
  Devesh: And what does the computer tell you?
  Attacker: Wrong password.
  Devesh: Are you sure you are using the correct password?
  Attacker: I don't know. I don't remember the password very well.
  Devesh: What is your login name?
  Attacker: Devesh
  Devesh: OK, I'll assign you a new password. Hmm... let it be art25. Got it?
  Attacker: I'll try. Thank you.
21
Passive Sniffing
In Hub Networks
[Diagram: a sniffer on the hub sees the login "devesh" and password "india123" as they pass on the wire]
22
Active Sniffing
[Diagram: a switch with its port-to-MAC table: Port 1 - 000000AAAAAA, Port 2 - 000000BBBBBB, Port 3 - 000000CCCCCC; the hosts with MACs 000000AAAAAA, 000000BBBBBB and 000000CCCCCC hang off ports 1, 2 and 3]
23
How ARP Works
[Diagram: host A (IP -> 192.168.51.35, MAC -> 000000AAAAAA) and host B (IP -> 192.168.51.36, MAC -> 000000BBBBBB). After the ARP exchange, A's internal ARP cache holds 192.168.51.36 -> 000000BBBBBB and B's internal ARP cache holds 192.168.51.35 -> 000000AAAAAA]
24
ARP Cache Poisoning
[Diagram: System A (IP -> 192.168.51.35, MAC -> 000000AAAAAA), System B (IP -> 192.168.51.36, MAC -> 000000BBBBBB) and the Attacker (IP -> 192.168.51.37, MAC -> 000000CCCCCC). The attacker sends A the reply "192.168.51.36 is at 000000CCCCCC" and sends B the reply "192.168.51.35 is at 000000CCCCCC". Afterwards A's internal ARP cache holds 192.168.51.36 -> 000000CCCCCC, B's internal ARP cache holds 192.168.51.35 -> 000000CCCCCC, and the attacker's own cache keeps the real bindings 192.168.51.36 -> 000000BBBBBB and 192.168.51.35 -> 000000AAAAAA]
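As an added example (not from the presentation), a minimal ARP cache watcher in C: it applies the replies a host hears to its cache and flags the rebind that the attacker's "192.168.51.36 is at 000000CCCCCC" reply causes. The table size, verdict codes and the replayed trace are this example's own, not anything from the slides.

```c
#include <stdio.h>
#include <string.h>
#define CACHE_SIZE 16   /* table size chosen for this example */
/* Verdict for one observed ARP reply ("ip is at mac"). */
enum arp_verdict { ARP_LEARNED, ARP_UNCHANGED, ARP_REBIND_ALERT, ARP_CACHE_FULL };

struct arp_entry { char ip[16]; char mac[18]; int used; };
struct arp_cache { struct arp_entry e[CACHE_SIZE]; };

/* Apply one reply to the cache. A reply that tries to move an IP already
 * in the cache to a different MAC is reported and NOT applied: that is the
 * poisoned "192.168.51.36 is at 000000CCCCCC" reply from the slide. */
enum arp_verdict arp_observe(struct arp_cache *c, const char *ip, const char *mac)
{
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (c->e[i].used && strcmp(c->e[i].ip, ip) == 0)
            return strcmp(c->e[i].mac, mac) == 0 ? ARP_UNCHANGED
                                                 : ARP_REBIND_ALERT;
    }
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (!c->e[i].used) {            /* first time we hear about this IP */
            snprintf(c->e[i].ip, sizeof c->e[i].ip, "%s", ip);
            snprintf(c->e[i].mac, sizeof c->e[i].mac, "%s", mac);
            c->e[i].used = 1;
            return ARP_LEARNED;
        }
    }
    return ARP_CACHE_FULL;
}
/* Constructed trace as host A (192.168.51.35) would see it: two honest
 * replies from B, then the attacker's poisoned one. Returns alerts raised. */
int alerts_seen_by_host_a(void)
{
    static const char *trace[][2] = {
        {"192.168.51.36", "000000BBBBBB"},   /* legitimate reply from B */
        {"192.168.51.36", "000000BBBBBB"},   /* refresh, same binding   */
        {"192.168.51.36", "000000CCCCCC"},   /* attacker claims B's IP  */
    };
    struct arp_cache c;
    int alerts = 0;
    memset(&c, 0, sizeof c);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        if (arp_observe(&c, trace[i][0], trace[i][1]) == ARP_REBIND_ALERT) {
            printf("ALERT: %s rebound to %s\n", trace[i][0], trace[i][1]);
            alerts++;
        }
    return alerts;
}
```

A legitimate change (a replaced NIC, a DHCP lease moving to another machine) trips the same check, so treat the verdict as something to verify rather than block on; static ARP entries for critical hosts remove that ambiguity.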
25
Attack Methodology
  • The beginning: the goal. Decide why this system should be attacked.
  • Steps
    • Gather information about the victim hosts
    • Locate the victim hosts with some scanning program
    • Identify the victim host's vulnerability
    • Attack the victim host via this vulnerability
    • Establish backdoors for later access
  • After the break-in, use this victim host to
    • Install a rootkit to cover tracks
    • Run a sniffer to collect user password information
    • Hack or attack other networks
    • Use this victim host's resources to carry out their activities
    • Deface web pages to make a certain assertion

26
Buffer Overflow
  • In general, a buffer overflow attack involves the following steps:
    • stuffing more data into a buffer than it can handle
    • overwriting the return address of a function
    • switching the execution flow to the hacker's code

27
Case Study Buffer Overflow
  • Buffer Overflow Vulnerability in Windows RPC DCOM
    Implementation

28
About the Vulnerability
  • The vulnerability within Microsoft's RPC DCOM implementation was made public on July 16th 2003
  • Attackers can execute the code of their choice with system privilege by exploiting this buffer overflow problem
  • The first version of the exploit was released on July 23, 2003 by XFOCUS (only DoS, by crashing svchost.exe)
  • The second version of the exploit was released on July 25th 2003 by Metasploit (allows spawning and binding a command shell with system privilege on the remote machine)
  • A backdoor trojan was found on the affected machines on 2nd August 2003
  • On August 11th the worm known as MS Blast was discovered, which infected hundreds of thousands of machines within a few hours

29
Reason for the Buffer Overflow
  • The problem is due to an unchecked parameter within a DCOM function:

    HRESULT CoGetInstanceFromFile(
        IN COSERVERINFO *pServerInfo,
        IN CLSID *pClsid,
        IN IUnknown *punkOuter,   // only relevant locally
        IN DWORD dwClsCtx,
        IN DWORD grfMode,
        IN OLECHAR *szName,
        IN DWORD dwCount,
        IN OUT MULTI_QI *pResults );

  • This function is used to create a new object and initialize it from a file
  • The sixth parameter, i.e. szName, is allocated a space of 0x20 (32 bytes) for the file name
  • Input is not checked here.
  • When a larger value is input, anything beyond the 0x20 space overflows, which then allows arbitrary code to be executed with system privilege

    hr = CoGetInstanceFromFile(pServerInfo, NULL, 0, CLSCTX_REMOTE_SERVER, STGM_READWRITE,
                               "C\\1234561111111111111111111111111.doc", 1, qi);
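As an added example, not code from the presentation or from Microsoft, here are the two patterns from the buffer overflow slides side by side in C: the unchecked copy of a caller-supplied file name into a 32-byte (0x20) buffer that the case study describes, and the same copy with the length check that was missing. The buffer size and the long file name are the slide's; the function names and the short name are this example's assumptions.

```c
#include <stdio.h>
#include <string.h>
#define NAME_BUF_SIZE 0x20   /* 32 bytes, the size the slide gives for szName */

/* Vulnerable pattern: no length check, so any name of 32 bytes or more
 * is written past the end of 'buf' into whatever the stack holds next
 * (saved registers, the saved return address). Shown for contrast only;
 * main() and the checks below never call it. */
void copy_name_unchecked(char *buf, const char *name)
{
    strcpy(buf, name);
}

/* Does 'name' (plus its terminating NUL) fit a NAME_BUF_SIZE buffer? */
int name_fits(const char *name)
{
    return strlen(name) + 1 <= NAME_BUF_SIZE;
}

/* How many bytes past the buffer the unchecked copy would write. */
size_t overflow_bytes(const char *name)
{
    size_t needed = strlen(name) + 1;
    return needed > NAME_BUF_SIZE ? needed - NAME_BUF_SIZE : 0;
}

/* Hardened pattern: validate the length against the real buffer size
 * before writing anything. Returns 0 on success, -1 if rejected. */
int copy_name_checked(char *buf, size_t bufsize, const char *name)
{
    size_t len = strlen(name);
    if (len >= bufsize)          /* len bytes plus the NUL must fit */
        return -1;
    memcpy(buf, name, len + 1);
    return 0;
}
int main(void)
{
    char buf[NAME_BUF_SIZE];
    /* File name from the slide's example call; the run of 1s pushes it past 32 bytes. */
    const char *long_name = "C\\1234561111111111111111111111111.doc";
    const char *short_name = "C\\report.doc";   /* constructed, fits */
    const char *names[] = { short_name, long_name };
    for (int i = 0; i < 2; i++)
        printf("%-40s fits=%d overflow=%zu bytes checked_copy=%d\n", names[i],
               name_fits(names[i]), overflow_bytes(names[i]),
               copy_name_checked(buf, sizeof buf, names[i]));
    return 0;
}
```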
30
Steps Performed by the Exploit Code
[Diagram: Attacker 192.168.51.35, Victim 192.168.51.36]
  • The exploit establishes a connection from 192.168.51.35 (port >1024) to TCP port 135 on the victim machine (192.168.51.36:135)
  • The exploit sends the DCE/RPC Bind Request for the file \\victim\c\1234561111111111111111111111.doc to the victim machine (192.168.51.36:135) and uses the buffer overflow to spawn a shell on TCP port 4444
  • The exploit connects from 192.168.51.35 (port >1024) to the shell on the newly opened TCP port 4444 (192.168.51.36:4444) and has system privilege
31
Recently Announced Buffer Overflow Problem in MS
  • MSASN.1 vulnerability could allow remote code execution
  • Abstract Syntax Notation (ASN.1) is a data standard used by many applications and devices in the technology industry to allow the normalization and understanding of data across various platforms
  • MSASN1.dll is widely used by the Windows security subsystem.
  • Announced on Feb 10, 2004 by Microsoft
  • All Microsoft OS platforms are affected
  • Exploit released on Feb 14th
    • But it only crashes the LSASS.exe service and forces the system to reboot
  • The next possible worm will be under development.

32
Thank You