Introduction to Hacking


Published on September 21, 2007

Author: Rajinder


Hacking Primer
Martin G. Nystrom, CISSP-ISSAP
Security Architect, Cisco Systems, Inc.
April 2005
© 2004 Cisco Systems, Inc. All rights reserved.

Outline
- Internet footprinting
- Hacking Windows
- Hacking Unix/Linux
- Hacking the network

Section: Internet Footprinting

Internet Footprinting Outline
- Review publicly available information
- Perform network reconnaissance
- Discover landscape
- Determine vulnerable services

Review publicly available information
- News: look for recent news, SEC filings; search for phone numbers and contacts
- Technical info: look for stupid postings, router configs, admin pages, Nessus scans
- Netcraft
- Whois/DNS info: SamSpade, dig

Network reconnaissance
- Use traceroute to find vulnerable servers (Trout)
- Can also query BGP tools; look up ASNs

Landscape discovery
- Ping sweep: find out which hosts are alive (nmap, fping, gping, SuperScan, etc.)
- Port scans: find out which ports are listening
  - Don't set up a full connection, just SYN
  - Netcat can be run in encrypted mode (cryptcat)
  - nmap advanced options: XMAS scan sends all TCP options; source port scanning sets the source port (e.g., port 88 to scan Windows systems); time delays
- Banner grab and OS guess: telnet, ftp, netcat, nmap

Section: Hacking Windows
Hacking Windows outline
- Scan
- Enumerate
- Penetrate
- Escalate
- Pillage
- Get interactive
- Expand influence

Scanning Windows
- Port scan, looking for what's indicative of Windows:
  - 88: Kerberos
  - 139: NetBIOS
  - 445: SMB/CIFS
  - 1433: SQL Server
  - 3268, 3269: Active Directory
  - 3389: Terminal Services
- Trick: scan from source port 88 to find IPSec-secured systems

Enumerating Windows
- Accounts
  - USER account used by most code, but escalates to SYSTEM to perform kernel-level operations
  - System accounts tracked by their SIDs; the RID at the end of the SID identifies the account type; RID 500 is the admin account
  - Need to escalate to Administrator to have any real power
- Tools
  - userdump: enumerates users on a host
  - sid2user and user2sid: translate account names on a host
- SAM
  - Contains usernames, SIDs, RIDs, hashed passwords
  - Local accounts stored in the local SAM; domain accounts stored in Active Directory (AD)
- Trusts
  - Can exist between AD domains
  - Allow accounts from one domain to be used in ACLs on another domain

Enumerating Windows (cont.)
- Need access to ports 135, 139, 445
- Enumerate hosts in a domain: net view /domain:<domain name>
- Find domain controller(s): nltest /dsgetdc:<domain name> /pdc ; nltest /bdc_query:<domain name>
- nbtscan: fast NetBIOS scanner
- Null sessions are an important way to get info
  - Run over 445
  - Not logged by most IDS
  - net use \\<target>\ipc$ "" /u:""
  - "local" (from the Resource Kit) or DumpSec can then enumerate accounts
- Countermeasures: block UDP/137; set the RestrictAnonymous registry value
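The slide's point that the RID, not the account name, identifies the role is worth checking in practice: renaming Administrator does not hide RID 500 from a sid2user-style lookup. As an added example (not part of the deck), this parser classifies a constructed account listing by RID; the listing, account names and machine SID are made up.

```python
import re

# Constructed account listing (name, SID) as an enumeration tool would return it;
# the machine SID S-1-5-21-1111-2222-3333 is made up for this example. The real
# built-in Administrator has been renamed "sysop" and a decoy "Administrator" added.
SAMPLE_ACCOUNTS = """\
sysop          S-1-5-21-1111-2222-3333-500
Guest          S-1-5-21-1111-2222-3333-501
Administrator  S-1-5-21-1111-2222-3333-1005
svc_backup     S-1-5-21-1111-2222-3333-1006
"""

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest",
                   512: "Domain Admins", 513: "Domain Users"}

def parse_sid(sid):
    """Split a local/domain account SID into ((sub-authorities), rid)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an account SID: {sid}")
    a, b, c, rid = (int(x) for x in m.groups())
    return (a, b, c), rid

def classify(name, sid):
    """Return (name, rid, description); the RID, not the name, tells the role."""
    _, rid = parse_sid(sid)
    if rid in WELL_KNOWN_RIDS:
        desc = WELL_KNOWN_RIDS[rid]
        if rid == 500 and name != "Administrator":
            desc += " (renamed)"          # the built-in admin hiding under another name
    elif rid >= 1000:
        desc = "user-created account"    # RIDs from 1000 upward are handed to new accounts
    else:
        desc = "other well-known RID"
    return name, rid, desc

def audit(listing):
    """Classify every line and check that all SIDs share one machine/domain id."""
    results, domains = [], set()
    for line in listing.splitlines():
        if not line.strip():
            continue
        name, sid = line.split()
        domains.add(parse_sid(sid)[0])
        results.append(classify(name, sid))
    if len(domains) != 1:
        raise ValueError("listing mixes accounts from more than one machine/domain")
    return results
```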
Enumerating Windows (cont.)
- Look for hosts with 2 NICs: getmac from the Win2K Resource Kit
- Enumerate trusts on the domain controller: nltest /server:amer /trusted_domains
- Enumerate shares with DumpSec; hidden shares have "$" at the end
- Enumerate with LDAP: LDAPminer

Penetrating Windows
- 3 methods
  - Guess password
  - Obtain hashes (Emergency Repair Disk)
  - Exploit a vulnerable service
- Guessing passwords
  - Review vulnerable accounts via DumpSec
  - Use NetBIOS Auditing Tool to guess passwords

Escalating privileges in Windows
- getadmin, getad, getad2, pipeupadmin
- Shatter: yields system-level privileges; works against Windows Server 2003

Pillaging Windows
- Clear logs (some IDSs will restart auditing once it has been disabled)
- Grab hashes: remotely with pwdump3; backup SAM at c:\winnt\repair\sam._
- Grab passwords: sniff SMB traffic
- Crack passwords: L0phtcrack, John the Ripper

Getting interactive with Windows
- Copy rootkit over a share
- Hide rootkit on the target server in a low-traffic area such as winnt\system32\OS2\dll\toolz; stream tools into files
- Remote shell: remote.exe (Resource Kit tool), netcat
- How to fire up a remote listener? Trojan; leave a CD in the bathroom titled "pending layoffs"; schedule it for remote execution with the at scheduler; psexec

Windows: expand influence
- Get passwords: keystroke logger with stealth mail; FakeGINA intercepts Winlogon
- Plant stuff in the registry to run on reboot
- Hide files: attrib +h <directory>; stream files
- Tripwire should catch this stuff

Section: Hacking Unix/Linux
Hacking Unix/Linux outline
- Discover landscape
- Enumerate systems
- Attack: remote, local
- Get beyond root

Discover landscape
- Goals: discover available hosts; find all running services
- Methodology: ICMP and TCP ping scans; find listening services with nmap and udp_scan; discover paths with ICMP, UDP, TCP
- Tools: nmap; SuperScan (Windows); udp_scan (more reliable than nmap for UDP scanning)

Enumerate systems
- Goal: discover users, operating systems, running programs, specific software versions, unprotected files, internal information
- Tools
  - OS/application: telnet, ftp, nc, nmap
  - Users: finger, rwho, rusers, SMTP
  - RPC programs: rpcinfo
  - NFS shares: showmount
  - File retrieval: TFTP
  - SNMP: snmpwalk, snmpget

Enumerate services
- Users: finger, SMTP vrfy
- DNS info: dig
- RPC services: rpcinfo
- NFS shares: showmount
- Countermeasures: turn off unnecessary services; block IP addresses with router ACLs or TCP wrappers

Attack remotely
- 3 primary methods
  - Exploit a listening service
  - Route through a system with 2 or more interfaces
  - Get a user to execute it for you: Trojans, hostile web site
- Brute force against a service; countermeasure: strong passwords, hide user names
- Buffer-overflow attack
  - Overflow the stack with machine-dependent code (assembler)
  - Usually yields a shell; shovel it back with netcat
  - Prime targets: programs that run as root or suid
  - Countermeasures: disable stack execution; code reviews; limit root and suid programs

Attack remotely (cont.)
- Buffer overflow example:
    echo "vrfy `perl -e 'print "a" x 1000'`" | nc <target> 25
  Replace the filler with something like this:
    char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08…"
- Input validation attacks: PHF CGI (newline character); SSI passes user input to the OS
- Back channels: X Windows (send display back to attacker's IP); reverse telnet
Attack remotely (cont.)
- Countermeasures against back channels: get rid of executables used for this (X Windows, telnet, etc.)
- Commonly attacked services
  - Sendmail
  - NFS
  - RPC
  - X Windows (sniffing session data)
  - ftpd (wu-ftpd)
  - DNS: guessable query IDs; BIND vulnerabilities
  - DNS countermeasures: restrict zone transfers; block TCP/UDP 53; don't use HINFO records

Attack locally
- Buffer overflow
- Setuid programs
- Password guessing/cracking
- Misconfigured file/directory permissions

Get beyond root
- Map the network (own more hosts)
- Install rootkit: a crypto checksum is the only way to know if a binary is real
- Create backdoors
- Sniff other traffic: dsniff, arpredirect, loki, Hunt
  - Countermeasures: encrypt all traffic; switched networks (not a panacea)
- Clean logs
- Session hijacking

Section: Hacking the Network
- Vulnerabilities
- Dealing with firewalls

Vulnerabilities
- TTY access: 5 to choose from
- SNMP v2 community strings
- HTTP (everything is clear-text)
- TFTP: no auth; easy to discern router config files ("<router-name>.cfg")
- Countermeasures: ACLs; TCP wrappers; encrypt passwords

Vulnerabilities: routing issues
- Path integrity: source routing reveals the path through the network; routing updates can be spoofed (RIP, IGRP)
- ARP spoofing: easy with dsniff

Dealing with firewalls
- Enumerate with nmap or tcpdump: can show you which ports are filtered (blocked)
- Some proxies return a banner (Eagle, Raptor)
- TCP traffic itself may provide a signature
- Ping the un-pingable: hping
- Look for ICMP type 13 (admin prohibited)

Dealing with firewalls (cont.)
- ACLs may allow scanning if the source port is set: nmap with the -g option
- Port redirection: fpipe, netcat

Questions?
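The fixed-source-port trick on the firewall slide above and the bare-SYN and XMAS options from the landscape discovery slide each leave a recognizable pattern in a packet trace. As an added example (not from the deck), this detector flags SYN sweeps, XMAS probes and single-source-port scans over constructed tcpdump-style lines; the line format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a real capture): one normal SSH SYN from
# 10.0.0.5, a bare-SYN sweep plus an XMAS probe from 10.0.0.7, and a scan that
# keeps source port 88 fixed (nmap -g 88 style) from 10.0.0.8.
SAMPLE_LINES = """\
IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [S]
IP 10.0.0.7.40001 > 10.0.0.9.21: Flags [S]
IP 10.0.0.7.40002 > 10.0.0.9.23: Flags [S]
IP 10.0.0.7.40003 > 10.0.0.9.25: Flags [S]
IP 10.0.0.7.40004 > 10.0.0.9.80: Flags [S]
IP 10.0.0.7.40005 > 10.0.0.9.139: Flags [S]
IP 10.0.0.7.40006 > 10.0.0.9.111: Flags [FPU]
IP 10.0.0.8.88 > 10.0.0.9.135: Flags [S]
IP 10.0.0.8.88 > 10.0.0.9.139: Flags [S]
IP 10.0.0.8.88 > 10.0.0.9.445: Flags [S]
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
SYN_SWEEP_THRESHOLD, FIXED_SRC_THRESHOLD = 5, 3   # distinct destination ports

def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for an unparseable line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, flags = m.groups()
    return src, int(sport), dst, int(dport), flags

def analyze(text):
    """Map each suspicious source IP to the list of scan signatures observed."""
    syn_targets = defaultdict(set)   # src -> {(dst, dport)} for bare SYNs
    src_ports = defaultdict(set)     # src -> source ports used for those SYNs
    xmas_sources = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, sport, dst, dport, flags = rec
        if flags == "S":                  # SYN only: half-open probe or handshake start
            syn_targets[src].add((dst, dport))
            src_ports[src].add(sport)
        elif set(flags) == set("FPU"):    # FIN+PSH+URG together: XMAS probe
            xmas_sources.add(src)
    findings = defaultdict(list)
    for src, targets in syn_targets.items():
        dports = {p for _, p in targets}
        if len(dports) >= SYN_SWEEP_THRESHOLD:
            findings[src].append("syn-scan")
        # A normal client uses a fresh ephemeral port per connection; one source
        # port reused across many destination ports is the -g / port-88 trick.
        if len(src_ports[src]) == 1 and len(dports) >= FIXED_SRC_THRESHOLD:
            findings[src].append("fixed-source-port")
    for src in xmas_sources:
        findings[src].append("xmas-probe")
    return dict(findings)
```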
