Agenda - PowerPoint PPT Presentation

1 / 29
About This Presentation
Title:

Agenda

Description:

Setuid programs. Password guessing/cracking. Mis-configured file/dir permissions ... Network hacking. Vulnerabilities. TTY access 5 to choose from. SNMP V2 ... – PowerPoint PPT presentation

Number of Views:109
Avg rating:3.0/5.0
Slides: 30
Provided by: mgnys
Category:

less

Transcript and Presenter's Notes

Title: Agenda


1
Agenda
  • Internet footprinting
  • Windows hacking
  • Unix hacking
  • Network web hacking

2
Internet footprinting agenda
  • Review publicly available information
  • Perform network reconnaissance
  • Discover landscape
  • Determine vulnerable services

3
Review publicly available information
  • News Look for recent news
  • news.google.com
  • SEC filings
  • Search for phone numbers, contacts
  • Technical info Look for stupid postings
  • Router configs
  • Admin pages
  • Nessus scans
  • Netcraft
  • Whois/DNS info
  • SamSpade
  • dig

4
Network reconnaissance
  • Use traceroute to find vulnerable servers
  • Trout
  • Can also query BGP tools
  • http//nitrous.digex.net/mae/equinix.html
  • Look up ASNs

5
Landscape discovery
  • Ping sweep Find out which hosts are alive
  • nmap, fping, gping, SuperScan, etc.
  • Port scans Find out which ports are listening
  • Dont setup a full connection just SYN
  • netcat can be run in encrypted mode cryptcat
  • Nmap advanced options
  • XMAS scan sends all TCP options
  • Source port scanning sets source port (e.g., port
    88 to scan Windows systems)
  • Time delays
  • Banner grab O/S guess
  • telnet
  • ftp
  • netcat
  • nmap

6
Windows hacking
  • Scan
  • Enumerate
  • Penetrate
  • Escalate
  • Pillage
  • Get interactive
  • Expand influence

7
Windows scanning
  • Port scan, looking for whats peculiar to Windows
  • 88 Kerberos
  • 139 NetBIOS
  • 445 SMB/CIFS
  • 1433 SQL Server
  • 3268, 3269 Active Directory
  • 3389 Terminal Services
  • Trick Scan from source port 88 to find IPSec
    secured systems

8
Windows enumeration
  • Accounts
  • USER account used by most code, but escalates to
    SYSTEM to perform kernel-level operations
  • System accounts tracked by their SIDs
  • RID at end of SID identifies account type
  • RID 500 is admin account
  • Need to escalate to Administrator to have any
    real power
  • Tools
  • userdump enumerates users on a host
  • Sid2user user2sid translates account names on a
    host
  • SAM
  • Contains usernames, SIDs, RIDs, hashed passwords
  • Local account stored in local SAM
  • Domain accounts stored in Active Directory (AD)
  • Trusts
  • Can exist between AD domains
  • Allows accounts from one domain to be used in
    ACLs on another domain

9
Windows enumeration (cont.)
  • Need access to ports 135, 139, 445
  • Enumerate hosts in a domain
  • net view /domainltdomain namegt
  • Find domain controller(s)
  • nltest /dsgetdcltdomain namegt /pdc
  • nltest /bdc_queryltdomain namegt
  • nbtstcan fast NetBIOS scanner
  • null sessions are an important way to get info
  • Runs over 445
  • Not logged by most IDS
  • net use \\lttargetgt\ipc /u
  • local (from ResKit) or Dumpsec can then
    enumerate accounts
  • Countermeasures
  • Block UDP/137
  • Set RestictAnonymous registry value

10
Windows enumeration (cont.)
  • Look for hosts with 2 NICs
  • getmac from Win2K resource kit
  • Enumerate trusts on domain controller
  • nltest /serveramer /trusted_domains
  • Enumerate shares with DumpSec
  • Hidden shares have at the end
  • Enumerate with LDAP
  • LDAPminer

11
Windows Penetration
  • 3 methods
  • Guess password
  • Obtain hashes
  • Emergency Repair Disk
  • Exploit a vulnerable service
  • Guessing passwords
  • Review vulnerable accounts via dumpsec
  • Use NetBIOS Auditing Tool to guess passwords

12
Windows Escalation
  • Getadmin
  • Getad
  • Getad2
  • pipeupadmin
  • Shatter
  • Yields system-level privileges
  • Works against .NET

13
Windows Pillaging
  • Clear logs
  • Some IDSs will restart auditing once its been
    disabled
  • Grab hashes
  • Remotely with pwdump3
  • Backup SAM c\winnt\repair\sam._
  • Grab passwords
  • Sniff SMB traffic
  • Crack passwords
  • L0phtcrack
  • John the Ripper

14
Windows Get Interactive
  • Copy rootkit over a share
  • Hide rootkit on the target server
  • Low traffic area such as winnt\system32\OS2\dll\to
    olz
  • Stream tools into files
  • Remote shell
  • remote.exe (resource kit tool)
  • netcat
  • How to fire up remote listener?
  • trojan
  • Leave a CD in the bathroom titled, pending
    layoffs ?
  • Schedule it for remote execution
  • at scheduler
  • psexec

15
Windows Expand influence
  • Get passwords
  • Keystroke logger with stealth mail
  • FakeGINA intercepts Winlogon
  • Plant stuff in registry to run on reboot
  • Hide files
  • attrib h ltdirectorygt
  • Stream files
  • Tripwire should catch this stuff

16
Unix hacking
  • Landscape discovery
  • System enumeration
  • Remote attack
  • Local attack
  • Beyond root

17
Unix Landscape Discovery
  • Goals
  • Discover available hosts
  • Find all running services
  • Methodology
  • ICMP and TCP ping scans
  • Find listening services with nmap and udp_scan
  • Discover paths with ICMP, UDP, TCP
  • Tools
  • nmap
  • SuperScan (Windows)
  • udp_scan (more reliable than nmap for udp
    scanning)

18
Unix System Enumeration
  • Goal Discover the following
  • Users
  • Operating systems
  • Running programs
  • Specific software versions
  • Unprotected files
  • Internal information
  • Tools
  • OS/Application telnet, ftp, nc, nmap
  • Users finger, rwho,rusers, SMTP
  • RPC programs rpcinfo
  • NFS shares showmount
  • File retrieval TFTP
  • SNMP snmpwalk snmpget

19
Unix Service Enumeration
  • Users
  • finger
  • SMTP vrfy
  • DNS info
  • Dig
  • RPC services
  • Rpcinfo
  • NFS shares
  • Showmount
  • Countermeasures
  • Turn off un-necessary services
  • Block IP addresses with router ACLs or TCP
    wrappers

20
Unix Remote Attack
  • 3 primary methods
  • Exploit a listening service
  • Route through a system with 2 or more interfaces
  • Get user to execute it for you
  • Trojans
  • Hostile web site
  • Brute-force against service
  • http//packetstormsecurity.nl/Crackers/
  • Countermeasure strong passwords, hide user names
  • Buffer-overflow attack
  • Overflow the stack with machine-dependent code
    (assembler)
  • Usually yields a shell shovel it back with
    netcat
  • Prime targets programs that run as root or suid
  • Countermeasures
  • Disable stack execution
  • Code reviews
  • Limit root and suid programs

21
Unix Remote Attack (cont.)
  • Buffer overflow example
  • echo vrfy perl e print a x 1000 nc
    www.targetsystem.com 25
  • Replace this with something like this
  • char shellcode \xeb\xlf\x5e\x89\x76\x08
  • Input validation attacks
  • PHF CGI newline character
  • SSI passes user input to O/S
  • Back channels
  • X-Windows
  • Send display back to attackers IP
  • Reverse telnet

22
Unix Remote Attack (cont.)
  • Countermeasures against back channels
  • Get rid of executables used for this (x-windows,
    telnet, etc.)
  • Commonly attacked services
  • Sendmail
  • NFS
  • RPC
  • X-windows (sniffing session data)
  • ftpd (wu-ftpd)
  • DNS
  • Guessable query IDs
  • BIND vulnerabilities
  • Countermeasures
  • Restrict zone transfers
  • Block TCP/UDP 53
  • Dont use HINFO records

23
Unix local attacks
  • Buffer overflow
  • Setuid programs
  • Password guessing/cracking
  • Mis-configured file/dir permissions

24
Unix beyond root
  • Map the network (own more hosts)
  • Install rootkit
  • crypto checksum is the only way to know if its
    real
  • Create backdoors
  • Sniff other traffic
  • dsniff
  • arpredirect
  • loki
  • Hunt
  • Countermeasures
  • Encrypt all traffic
  • Switched networks (not a panacaea)
  • Clean logs
  • Session hijacking

25
Network hacking
  • Vulnerabilities
  • TTY access 5 to choose from
  • SNMP V2 community strings
  • HTTP (Everthing is clear-text)
  • TFTP
  • No auth
  • Easy to discern router config files
    ltrouter-namegt.cfg
  • Countermeasures
  • ACLs
  • TCP wrappers
  • Encrypt passwords

26
Routing issues
  • Path integrity
  • Source routing reveals path through the network
  • Routing updates can be spoofed (RIP, IGRP)
  • ARP spoofing
  • Easy with dsniff

27
Firewalls
  • Enumerate with nmap or tcpdump
  • Can show you which ports are filtered (blocked)
  • Some proxies return a banner
  • Eagle Raptor
  • TCP traffic itself may provide signature
  • Ping the un-pingable
  • hping
  • Look for ICMP type 13 (admin prohibited)

28
Firewalls (cont.)
  • ACLs may allow scanning if source port is set
  • nmap with -g option
  • Port redirection
  • fpipe
  • netcat

29
Web hacking
  • Scanning tools
  • whisker
  • nikto
  • stealth
  • www.coolcarts.com
Write a Comment
User Comments (0)
About PowerShow.com