Hacking Primer. Martin G. Nystrom, CISSP-ISSAP, Security Architect, Cisco Systems, Inc. April 2005. 35 slides. © 2003 Cisco Systems, Inc. All rights reserved.
Transcript
Page 1

Hacking Primer

Martin G. Nystrom, CISSP-ISSAP

Security Architect, Cisco Systems, Inc.

April 2005

Page 2

Outline

• Internet footprinting

• Hacking Windows

• Hacking Unix/Linux

• Hacking the network

Page 3

Internet Footprinting


Page 4

Internet Footprinting Outline

• Review publicly available information

• Perform network reconnaissance

• Discover landscape

• Determine vulnerable services

Page 5

Review publicly available information

• News: Look for recent news

news.google.com

SEC filings

Search for phone numbers, contacts

• Technical info: Look for stupid postings

Router configs

Admin pages

Nessus scans

• Netcraft

• Whois/DNS info

SamSpade

dig

Page 6

Network reconnaissance

• Use traceroute to find vulnerable servers

Trout

• Can also query BGP tools

http://nitrous.digex.net/mae/equinix.html

Look up ASNs

Page 7

Landscape discovery

• Ping sweep: Find out which hosts are alive

nmap, fping, gping, SuperScan, etc.

• Port scans: Find out which ports are listening

Don’t set up a full connection – just send a SYN

Netcat

can be run in encrypted mode – cryptcat

nmap advanced options

XMAS scan sends all TCP options

Source port scanning sets source port (e.g., port 88 to scan Windows systems)

Time delays

• Banner grab & O/S guess

telnet

ftp

netcat

nmap

Page 8

Hacking Windows


Page 9

Hacking Windows outline

1. Scan

2. Enumerate

3. Penetrate

4. Escalate

5. Pillage

6. Get interactive

7. Expand influence

Page 10

Scanning Windows

• Port scan, looking for what’s indicative of Windows

88 – Kerberos

139 – NetBIOS

445 – SMB/CIFS

1433 – SQL Server

3268, 3269 – Active Directory

3389 – Terminal Services

• Trick: Scan from source port = 88 to find IPSec secured systems

Page 11

Enumerating Windows

• Accounts

Most code runs under a USER account but escalates to SYSTEM to perform kernel-level operations

System accounts tracked by their SIDs

RID at end of SID identifies account type

RID = 500 is admin account

Need to escalate to Administrator to have any real power

Tools

userdump – enumerates users on a host

sid2user & user2sid translate between account names and SIDs on a host

SAM

Contains usernames, SIDs, RIDs, hashed passwords

Local accounts are stored in the local SAM

Domain accounts stored in Active Directory (AD)

Trusts

Can exist between AD domains

Allows accounts from one domain to be used in ACLs on another domain
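The point that the RID, not the account name, identifies the built-in Administrator is easy to check programmatically. Added example, not from the deck: a SID parser that recovers the RID and flags a renamed RID-500 account; the account names and domain sub-authorities are constructed.

```python
import re

# Constructed sample, not from the deck: (account name, SID) pairs as userdump or
# user2sid would report them. The domain sub-authorities are made up.
SAMPLE_ACCOUNTS = [
    ("sysop",  "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("Guest",  "S-1-5-21-1004336348-1177238915-682003330-501"),
    ("jdoe",   "S-1-5-21-1004336348-1177238915-682003330-1105"),
    ("SYSTEM", "S-1-5-18"),
]

# Well-known RIDs in the S-1-5-21-<domain> range; the deck notes RID 500 is the admin account.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 519: "Enterprise Admins"}

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Return (identifier authority, [sub-authorities]) or raise ValueError on a malformed SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("malformed SID: %r" % sid)
    return int(m.group(1)), [int(x) for x in m.group(2).split("-")[1:]]


def is_sid(text):
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def rid_of(sid):
    """The RID is the last sub-authority of a machine/domain SID (S-1-5-21-...); other SIDs have none."""
    authority, subs = parse_sid(sid)
    if authority != 5 or subs[:1] != [21]:
        return None
    return subs[-1]


def well_known_accounts(accounts):
    """Map each account whose RID is well known to its real role, whatever it was renamed to."""
    return [(name, rid_of(sid), WELL_KNOWN_RIDS[rid_of(sid)])
            for name, sid in accounts if rid_of(sid) in WELL_KNOWN_RIDS]


def renamed_admin(accounts):
    """Names carrying RID 500 that are no longer called Administrator: renaming hides nothing."""
    return [name for name, sid in accounts
            if rid_of(sid) == 500 and name.lower() != "administrator"]
```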

Page 12

Enumerating Windows (cont.)

• Need access to ports 135, 139, 445

• Enumerate hosts in a domain

net view /domain:<domain name>

• Find domain controller(s)

nltest /dsgetdc:<domain name> /pdc

nltest /bdc_query:<domain name>

nbtscan – fast NetBIOS scanner

Null sessions are an important way to get info

Runs over 445

Not logged by most IDS

net use \\<target>\ipc$ "" /u:""

"local" (from ResKit) or DumpSec can then enumerate accounts

Countermeasures

Block UDP/137

Set the RestrictAnonymous registry value

Page 13

Enumerating Windows (cont.)

• Look for hosts with 2 NICs

"getmac" from the Win2K resource kit

• Enumerate trusts on domain controller

nltest /server:amer /trusted_domains

• Enumerate shares with DumpSec

Hidden shares have "$" at the end

• Enumerate with LDAP

LDAPminer

Page 14

Penetrating Windows

• 3 methods

Guess password

Obtain hashes (e.g., from the Emergency Repair Disk)

Exploit a vulnerable service

• Guessing passwords

Review vulnerable accounts via dumpsec

Use NetBIOS Auditing Tool to guess passwords

Page 15

Escalating privileges in Windows

• getadmin

getad

getad2

pipeupadmin

• Shatter

Yields system-level privileges

Works against Windows Server 2003

Page 16

Pillaging Windows

• Clear logs

Some IDSs will restart auditing once it’s been disabled

• Grab hashes

Remotely with pwdump3

Backup SAM: c:\winnt\repair\sam._

• Grab passwords

Sniff SMB traffic

• Crack passwords

L0phtcrack

John the Ripper

Page 17

Getting interactive with Windows

• Copy rootkit over a share

• Hide rootkit on the target server

Low traffic area such as winnt\system32\OS2\dll\toolz

Stream tools into files

• Remote shell

remote.exe (resource kit tool)

netcat

• How to fire up remote listener?

trojan

Leave a CD in the bathroom titled, “pending layoffs”

Schedule it for remote execution

at scheduler

psexec

Page 18

Windows – Expand influence

• Get passwords

Keystroke logger with stealth mail

FakeGINA intercepts Winlogon

• Plant stuff in registry to run on reboot

• Hide files

"attrib +h <directory>"

Stream files

Tripwire should catch this stuff

Page 19

Hacking Unix/Linux


Page 20

Hacking Unix/Linux outline

1. Discover landscape

2. Enumerate systems

3. Attack

– Remote

– Local

4. Get beyond root

Page 21

Discover landscape

• Goals

Discover available hosts

Find all running services

• Methodology

ICMP and TCP ping scans

Find listening services with nmap and udp_scan

Discover paths with ICMP, UDP, TCP

• Tools

nmap

SuperScan (Windows)

udp_scan (more reliable than nmap for udp scanning)

Page 22

Enumerate systems

• Goal: Discover the following…

Users

Operating systems

Running programs

Specific software versions

Unprotected files

Internal information

• Tools

OS/Application: telnet, ftp, nc, nmap

Users: finger, rwho, rusers, SMTP

RPC programs: rpcinfo

NFS shares: showmount

File retrieval: TFTP

SNMP: snmpwalk, snmpget

Page 23

Enumerate services

• Users

finger

SMTP vrfy

• DNS info

dig

• RPC services

rpcinfo

• NFS shares

showmount

• Countermeasures

Turn off unnecessary services

Block IP addresses with router ACLs or TCP wrappers

Page 24

Attack remotely

• 3 primary methods

Exploit a listening service

Route through a system with 2 or more interfaces

Get user to execute it for you

Trojans

Hostile web site

• Brute-force against service

http://packetstormsecurity.nl/Crackers/

Countermeasure: strong passwords, hide user names

• Buffer-overflow attack

Overflow the stack with machine-dependent code (assembler)

Usually yields a shell – shovel it back with netcat

Prime targets: programs that run as root or suid

Countermeasures

Disable stack execution

Code reviews

Limit root and suid programs

Page 25

Attack remotely (cont.)

• Buffer overflow example

echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25

Replace the run of "a" characters with something like this…

char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08…"

• Input validation attacks

PHF CGI – newline character

SSI passes user input to O/S

• Back channels

X-Windows

Send display back to attacker’s IP

Reverse telnet
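Both the VRFY/EXPN user enumeration from the "Enumerate services" slide and the VRFY overflow shown above leave a distinctive trace in SMTP command logs. Added example, not from the deck, run over a constructed log: it flags oversized or binary VRFY/EXPN arguments and clients that issue repeated account probes; the log format and addresses are assumptions.

```python
import re
from collections import Counter

# Constructed SMTP command log, not from the deck: "<client-ip> <command line>" as a mail
# server or IDS might record it. The last two lines mimic the deck's VRFY overflow example.
SAMPLE_LOG = [
    b"10.1.1.5 HELO mail.example.test",
    b"10.1.1.5 VRFY root",
    b"10.1.1.5 VRFY admin",
    b"10.1.1.5 VRFY oracle",
    b"10.1.1.5 EXPN staff",
    b"10.1.1.7 MAIL FROM:<alice@example.test>",
    b"10.1.1.9 VRFY " + b"a" * 1000,
    b"10.1.1.9 VRFY \xeb\x1f\x5e\x89\x76\x08",
]
MAX_PATH = 256       # RFC 5321 4.5.3.1.3: a mailbox path is at most 256 octets
ENUM_THRESHOLD = 3   # VRFY/EXPN probes from one client before we call it enumeration
LINE_RE = re.compile(rb"^(\S+) ([A-Za-z]{4})(?: (.*))?$", re.S)

def parse_line(line):
    """Split a log line into (client, VERB, argument), or None if it is not a command line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, verb, arg = m.groups()
    return client, verb.upper(), arg or b""

def suspicious(arg):
    """Reasons a VRFY/EXPN argument looks like an overflow attempt rather than a lookup."""
    reasons = []
    if len(arg) > MAX_PATH:
        reasons.append("oversized")
    if any(b < 0x20 or b > 0x7E for b in arg):
        reasons.append("non-printable bytes")
    return reasons

def analyze(lines):
    """Return (overflow-style alerts, clients probing accounts with VRFY/EXPN)."""
    alerts, probes = [], Counter()
    for parsed in filter(None, map(parse_line, lines)):
        client, verb, arg = parsed
        if verb not in (b"VRFY", b"EXPN"):
            continue
        probes[client] += 1
        for reason in suspicious(arg):
            alerts.append((client.decode(), verb.decode(), reason))
    enumerators = sorted(c.decode() for c, n in probes.items() if n >= ENUM_THRESHOLD)
    return alerts, enumerators
```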

Page 26

Attack remotely (cont.)

• Countermeasures against back channels

Get rid of executables used for this (x-windows, telnet, etc.)

• Commonly attacked services

Sendmail

NFS

RPC

X-windows (sniffing session data)

ftpd (wu-ftpd)

DNS

Guessable query IDs

BIND vulnerabilities

Countermeasures

Restrict zone transfers

Block TCP/UDP 53

Don’t use HINFO records

Page 27

Attack locally

• Buffer overflow

• Setuid programs

• Password guessing/cracking

• Mis-configured file/dir permissions

Page 28

Get beyond root

• Map the network (own more hosts)

• Install rootkit

A crypto checksum is the only way to know if a binary is genuine

Create backdoors

Sniff other traffic

dsniff

arpredirect

loki

Hunt

Countermeasures

Encrypt all traffic

Switched networks (not a panacea)

Clean logs

Session hijacking

Page 29

Hacking the Network

• Vulnerabilities

• Dealing with firewalls

Page 30

Vulnerabilities

• TTY access – 5 to choose from

• SNMP V2 community strings

• HTTP (Everything is clear-text)

• TFTP

No auth

Easy to discern router config files: "<router-name>.cfg"

• Countermeasures

ACLs

TCP wrappers

Encrypt passwords

Page 31

Vulnerabilities: routing issues

• Path integrity

Source routing reveals path through the network

Routing updates can be spoofed (RIP, IGRP)

• ARP spoofing

Easy with dsniff
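Since switched networks are no panacea, the practical defense against ARP spoofing is to watch IP-to-MAC bindings for changes, as arpwatch does. Added example, not from the deck, over a constructed ARP-reply trace: the addresses are made up, and the gateway flip-flop is what an arpredirect session looks like to the victims.

```python
# Constructed ARP-reply trace, not from the deck: (seconds, sender IP, sender MAC) as seen on
# one segment. Entries at t=30 and t=60 show what an arpredirect/dsniff run looks like to the
# victims: the gateway's IP suddenly answers from a different MAC, then flips back.
SAMPLE_REPLIES = [
    (0,  "192.168.1.1",  "00:11:22:33:44:01"),
    (1,  "192.168.1.20", "00:11:22:33:44:14"),
    (30, "192.168.1.1",  "00:11:22:33:44:EE"),
    (31, "192.168.1.1",  "00:11:22:33:44:ee"),
    (60, "192.168.1.1",  "00:11:22:33:44:01"),
]

def normalize_mac(mac):
    """Canonical lower-case colon form so 00-11-22-33-44-EE, 0011.2233.44ee and
    00:11:22:33:44:ee all compare equal."""
    digits = mac.replace("-", ":").replace(".", "").lower()
    if ":" not in digits:   # Cisco dotted form, now 12 bare hex digits
        digits = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return digits

def watch(replies, pinned=None):
    """Track IP->MAC bindings like arpwatch; return (table, alerts). Pinned entries
    (e.g. the gateway) seed the table and are never overwritten by what the wire says."""
    table = {ip: normalize_mac(m) for ip, m in (pinned or {}).items()}
    pinned_ips = set(table)
    alerts = []
    for ts, ip, mac in replies:
        mac = normalize_mac(mac)
        old = table.get(ip)
        if old is None:
            table[ip] = mac
        elif old != mac:
            alerts.append((ts, ip, old, mac))
            if ip not in pinned_ips:
                table[ip] = mac   # follow the change so the flip back is reported too
    return table, alerts

def flip_flops(alerts):
    """IPs whose MAC changed more than once: the signature of a poisoning session ending."""
    seen = {}
    for _, ip, _, _ in alerts:
        seen[ip] = seen.get(ip, 0) + 1
    return sorted(ip for ip, n in seen.items() if n > 1)
```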

Page 32

Dealing with firewalls

• Enumerate with nmap or tcpdump

Can show you which ports are filtered (blocked)

• Some proxies return a banner

Eagle Raptor

• TCP traffic itself may provide signature

• Ping the un-pingable

hping

Look for ICMP type 13 (admin prohibited)

Page 33

Dealing with firewalls (cont.)

• ACLs may allow scanning if source port is set

nmap with the "-g" option

• Port redirection

fpipe

netcat

Page 34

Questions?
