May 10, 2015
Sembang2 Keselamatan IT (IT Security Chit-Chat)
[email protected]@scan-associates.net
Speaker
• Call me S.K.
• While in UTM:
– Modified virus source code and spread it to Tar College, cracked Virus Buster™ for fun
• After UTM:
– Started up SCAN Associates
– Legally do pen-tests for many agencies
– Document hacking tricks and share them with friends
Publications
• SQL Injection Walkthrough, published on more than a dozen security web sites
• Win32 Buffer Overflow Walkthrough, details the process of buffer overflow
• Thanks from Microsoft™ for finding bugs in their software
• Creating firewall-proof shellcode, presented at Blackhat and soon at the Ruxcon conference
• Winner of the Blackhat Hacking game!
Wat we wanna do today?
• Appetizer has:
– some new terminologies
– a bit of concepts
– a few easy to use tools
• Main course:
– Threat
– Vulnerability
– Exploitation
– A bit of SQL injection
• Dessert:
– demo on some tricks/tools
TOC
Threat
• If there is a computer, there is a threat…
• If there are 2 computers, there are 2 times the threats…
• If there are N computers, there are N × threats…
• The more computers you hafta manage, the more risk there is…
Threat
Threat, seriously…
• Running background services
– Services running all the time
– Allow direct connection from anywhere
– Favorite targets:
• HTTP (port 80)
• FTP (port 21)
• NetBIOS (port 135, 445)
• HTTPS (port 443)
• SSH (port 22), etc.
More threats…
• Mistakes and configuration errors:
– No password
– User name = password
– Write access allowed
– Default Public/Private community string
– Poor access control in proxy server
– Testing server in public network
– Existence of default accounts
Threats from within…
• End-user attacks:
– Email attachments
– Users downloading trojan horses
– File sharing tools like Kazaa
– Not to mention Instant Messaging and IRC
– Unprotected Wi-Fi Access Point
Vulnerability
• Software bug leads to vulnerability, vulnerability leads to system hack
• Thus, software bug is our friend
• Find the bug, you will find the way in
• Fortunately for us, security experts publish new vulnerabilities every day
• Our objective is to find a system with any vulnerability
Vulnerability
Finding vulnerability
• The easy way:
– nessus – general purpose vuln scanner
– nikto – web attack scanner
• The semi-automatic approach:
– nmap – port scanner
– sl – port scanner for windoze
• The free-styler:
– netcat
– your favorite browser
nessus
• General purpose vulnerability scanner
• http://www.nessus.org
• GNU Public License
• Test hundreds of vulnerabilities effortlessly
• Can write your own plug-in using NASL
• Test only, will not let you control the server
Vulnerability - The easy way
nessus client-server
[Diagram: Nessus Client (Unix) and Nessus Client (Windows) connect to the Nessus Server (Unix), which scans the Targets]
nikto
• Web scanner
• http://www.cirt.net/code/nikto.shtml
• Open source (GPL)
• Over 2600 vulnerabilities specific to Web only
• Support HTTPS connection to avoid IDS detection
• Test only, will not let you control the server
Other Tools
• General purpose scanner
– Internet Security Scanner (www.iss.net)
– Eeye’s Retina (www.eeye.com)
• Web Server Scanner
– Stealth HTTP Scan (www.hideaway.net)
– Whisker (www.wiretrip.net/rfp/p/doc.asp/i2/d21.htm)
Port Scanner
• Tells you what type of services are running on a server
• Indirectly tells you the OS too
• nmap
– www.insecure.org/nmap/
– Versatile port scanner for *nix
• sl
– www.foundstone.com
– easy to use port scanner for windoze
Vulnerability - semi-automatic
Favorite targets
• Port 53 – try bind exploit
• Port 21 – try anonymous login, simple passwd or exploits for Pro-Ftp, Wu-ftp, serv-u, etc.
• Port 22 – try simple passwd and x2 exploit
• Port 25 – sendmail exploit for slackware or exchange exploit
• Port 80 – Apache chunked bug, IIS .printer, unicode, ASP chunked, Webdav, Frontpage, etc.
• Port 135, 445 – try netbios sharing with simple passwd or Locator, Dcom, messenger, workstation, Lsass exploits
• Port 443 – SSL-too-open, THCISSLame.c
• Port 1433, 1434 – MS Sql Server Resolution Bug, HelloBug or SA without password
Free styler
• Using netcat to connect to popular services and backdoor ports:
– port 22 review SSH version
– port 1080 might allow you to connect to internal IP
– port 5554 might drop you a shell
• Use your favorite browser to surf around the target web server, look for:
– Hidden info in HTML code
– Web attack via SQL injection, PHP, Perl, etc.
Exploitation
• The process of taking advantage of a vulnerability to either:
– Get a shell (thus, control the victim)
– Retrieve/modify information (source code, files, database)
– Denial of Service (DoS), etc.
• To get an exploit:
– Find/trade from www/irc/friends
– Create it yourself
– Purchase it from Core Impact or CANVAS
Exploitation
Find from Internet
• www.metasploit.com
• Bugtraq Mailing list
• Full Disclosure Mailing list
• http://packetstormsecurity.nl/
• http://www.security.nnov.ru/search/exploits.asp
• #vuln, #badcode, #darknet, #phrack
Creating it yourself
• Read and understand the vulnerability from the advisory:
– www.securitytracker.com
– www.microsoft.com/security
• Might require a different skill set in:
– Perl/PHP/SQL
– Reverse engineering
– C or ASM programming, etc.
metasploit
• www.metasploit.com
• Developed by HD Moore and a few ghettohackers (they won Defcon CTF 3 times in a row)
• Integrates many exploits in one easy to use package
• Supports command line and web interface
• Packed with many useful components for exploit development
• It's free!
Web attack
• Developers are putting more functionality into the Web (port 80)
• There are many types of attacks specific to port 80 alone:
– SQL injection
– Perl and CGI insecurities
– PHP insecurities
– Cross-site scripting (XSS)
Web attack
SQL Injection
• A technique to manipulate data in a way that it will change the original SQL statement
• It could happen in the following manner:
– Program takes your input as a variable
– It appends your input into an SQL statement
– The program then passes the statement to the Database
...SQL Injection
• What if your input is an SQL command?
• By carefully inserting an SQL command as your input, you can change the original SQL statement to something else and make the Database execute your command
• Usual commands to test for SQL injection:
– Type a single quote as input (')
– Type " union select 1" to see if injection is possible
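The pattern the two SQL Injection slides describe, the input appended into the statement and handed to the database, placed beside the parameterised form so the difference is visible on the slides' own test inputs. This is an added example, not code from the talk; the users table, its rows and the probe inputs are constructed here so it runs offline with sqlite3.

```python
import sqlite3

def make_db():
    # Constructed sample table so the example runs offline (not from the slides).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db

def build_vulnerable(name):
    # The slide's pattern: the input is appended straight into the statement text,
    # so the statement the database sees changes with every input.
    return "SELECT id, name FROM users WHERE name = '" + name + "'", ()

def build_safe(name):
    # Parameterised form: the statement text is fixed, the input is bound as data.
    return "SELECT id, name FROM users WHERE name = ?", (name,)

def probe(builder, name):
    """Run one input through a builder and report what the caller observes:
    the statement text, the rows, or the database error that leaks out."""
    db = make_db()
    sql, params = builder(name)
    try:
        return {"sql": sql, "rows": db.execute(sql, params).fetchall(), "error": None}
    except sqlite3.Error as exc:
        # A syntax error on a quote probe is the tell-tale sign the slide refers to.
        return {"sql": sql, "rows": None, "error": type(exc).__name__}

if __name__ == "__main__":
    # Constructed inputs: a normal name and the two test strings from the slide.
    for test_input in ["alice", "'", "' union select 1"]:
        print(repr(test_input))
        print("  vulnerable:", probe(build_vulnerable, test_input))
        print("  safe:      ", probe(build_safe, test_input))
```

With the concatenated statement the quote probes produce a database error, while the parameterised statement simply returns no rows and its text never changes.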
Perl & CGI
• File access problem
• User supplies a variable which in turn is used by Perl/CGI to open a file
• Manipulating this variable may allow you to open any file or even remote execution
PHP
• Just like Perl/CGI, only more powerful (in a sense of hacking)
• Not only may you manipulate a variable to open any file, you can also control it to open any file on the Internet
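For the Perl/CGI and PHP file-open problem on the two slides above, the check a defender puts in front of the open call: the user-supplied value must resolve inside a fixed directory and must not name a remote resource. This is an added example, not code from the talk; base_dir and the sample values are hypothetical.

```python
import os

def resolve_user_file(base_dir, user_value):
    """Return the absolute path to open, or None when the user-supplied value
    would reach outside base_dir or names a remote resource.
    base_dir and user_value are hypothetical inputs, not from the slides."""
    # The PHP case: a URL (or UNC path) in the variable would make the script
    # fetch a file from somewhere on the Internet instead of the local directory.
    if "://" in user_value or user_value.startswith("\\\\"):
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and symlinks, so the comparison is on the final target.
    candidate = os.path.realpath(os.path.join(base, user_value))
    # A '..' sequence or an absolute path resolves outside base_dir: refuse it.
    # commonpath (not a string prefix test) also rejects /var/www/docs2/...
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def classify(base_dir, values):
    """Map each candidate value to 'allowed' or 'rejected', e.g. for logging."""
    return {v: ("allowed" if resolve_user_file(base_dir, v) else "rejected") for v in values}

if __name__ == "__main__":
    # Constructed sample values: the normal case and three manipulated ones.
    samples = ["report.txt", "../../etc/passwd", "/etc/passwd", "http://example.invalid/x"]
    for value, verdict in classify("/var/www/docs", samples).items():
        print(f"{verdict:8} {value}")
```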
XSS
• Allows injection of HTML code (including Javascript/VBScript) into an existing HTML page
• If a user opens the page, your code executes
• Best used in Forums, to steal user cookies
Can we go now?
• Q & A Session
• Thanks