Cracking Techniques
Onno W. Purbo, Onno@indo.net.id
References
- http://www.rootshell.com
- Front-line Information Security Team, "Techniques Adopted By 'System Crackers' When Attempting To Break Into Corporate or Sensitive Private Networks," [email protected] & http://www.ns2.co.uk
- http://www.antionline.com/archives/documents/advanced/
- http://www.rootshell.com/beta/documentation.html
- http://seclab.cs.ucdavis.edu/papers.html
- http://rhino9.ml.org/textware/
Introduction
Just who is vulnerable anyway?
- Financial institutions and banks
- Internet service providers
- Pharmaceutical companies
- Government and defense agencies
- Contractors to various government agencies
- Multinational corporations
Profile of a typical 'system cracker'
- Usually male, aged 16-25.
- Motivation: to improve their cracking skills, or to use network resources for their own purposes.
- Most are opportunists: they run scanners for system vulnerabilities.
- Usually gain root access; then install a backdoor and patch the host against common remote vulnerabilities.
Networking methodologies adopted by many companies
Internet's purposes
- The hosting of corporate webservers
- E-mail and other global communications via the internet
- To give employees internet access
Network separation
- Firewall
- Application proxies
Understanding vulnerabilities in such networked systems
Understanding vulnerabilities
- The external mailserver must have access to mailservers on the corporate network.
- Aggressive SNMP scanners and community-string brute-force programs can turn a router into a bridge.
The attack
Techniques used to 'cloak' the attacker's location
- Bouncing through previously compromised hosts via telnet or rsh.
- Bouncing through Windows hosts via Wingates.
- Bouncing through hosts using misconfigured proxies.
Network probing and information gathering
- Using nslookup to perform 'ls <domain or network>' requests.
- View the HTML on your webservers to identify any other hosts.
- View the documents on your FTP servers.
- Connect to your mailservers and perform 'expn <user>' requests.
- Finger users on your external hosts.
Identifying trusted network components
- A trusted network component is usually an administrator's machine, or a server that is regarded as secure.
- Start out by checking the NFS exports and access to critical directories: /usr/bin, /etc and /home.
- Exploit a machine using a CGI vulnerability to gain access to /etc/hosts.allow.
Identifying vulnerable network components
- Use Linux programs such as ADMhack, mscan, nmap and many smaller scanners.
- Binaries such as 'ps' and 'netstat' are trojaned to hide scanning processes.
- If routers are present that are SNMP capable, the more advanced crackers will adopt aggressive SNMP scanning techniques to try and 'brute force' the public and private community strings of such devices.
Types of checks performed
- A TCP portscan of a host.
- A dump of RPC services via portmapper.
- A listing of exports present via nfsd.
- A listing of shares via samba / netbios.
- Multiple finger requests to identify default accounts.
- CGI vulnerability scanning.
- Identification of vulnerable versions of server daemons, including Sendmail, IMAP, POP3, RPC status and RPC mountd.
Taking advantage of vulnerable components
- Identify vulnerable network components, then compromise the hosts.
- Upon executing such a program remotely to exploit a vulnerable server daemon, gain root access to your host.
Upon gaining access to vulnerable components
- A 'clean-up' operation of doctoring your host's logs.
- 'Backdooring' service binaries.
- Placing an .rhosts file in /usr/bin to allow remote bin access to the host via rsh & csh.
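A defensive counterpart to the planted .rhosts trick above, as an added example that is not from the slides: walk a filesystem root, report every .rhosts or hosts.equiv trust file, and rate as high risk any file that sits outside its expected location (a home directory for .rhosts, etc/ for hosts.equiv) or that contains the '+' wildcard. The sample tree, paths and host names are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Files that grant passwordless rsh/rlogin trust; the slide's trick is to drop
# one of these outside any home directory so the 'bin' account becomes reachable.
TRUST_FILES = {".rhosts", "hosts.equiv"}

def parse_trust_file(text: str) -> List[Dict[str, str]]:
    """Split .rhosts/hosts.equiv lines into host/user pairs; '+' is a wildcard."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append({"host": parts[0], "user": parts[1] if len(parts) > 1 else ""})
    return entries

def scan_trust_files(root: str) -> List[Dict[str, object]]:
    """Walk root and report every trust file found, rating each finding."""
    root_path = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root_path):
        for name in sorted(f for f in files if f in TRUST_FILES):
            path = Path(dirpath) / name
            rel = path.relative_to(root_path).as_posix()
            entries = parse_trust_file(path.read_text(errors="replace"))
            wildcard = any("+" in (e["host"], e["user"]) for e in entries)
            # .rhosts belongs under a home directory; hosts.equiv belongs in etc/.
            expected = rel.startswith("home/") if name == ".rhosts" else rel == "etc/hosts.equiv"
            risk = "high" if (wildcard or not expected) else "review"
            findings.append({"path": rel, "risk": risk, "wildcard": wildcard, "entries": entries})
    return findings

def build_sample_tree(base: str) -> None:
    """Constructed sample filesystem: legitimate trust files plus one planted in usr/bin."""
    samples = {
        "home/alice/.rhosts": "adminbox.example.internal alice\n",
        "etc/hosts.equiv": "adminbox.example.internal\n",
        "usr/bin/.rhosts": "+ +\n",  # any host, any user: the planted backdoor
    }
    for rel, text in samples.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)

def demo_sample() -> List[Dict[str, object]]:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_trust_files(tmp)

if __name__ == "__main__":
    for f in demo_sample():
        print(f["risk"], f["path"], f["entries"])
```

To audit a live host, call scan_trust_files("/") as root; the three-entry sample is only there so the script runs offline.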
Abusing access & privileges
Downloading sensitive information
- A 'bridge' between the internet and the corporate network.
- Abusing the trust with the external host.
Cracking other trusted hosts and networks
- Install trojans & backdoors, and remove logs.
- Install sniffers on your hosts.
Installing sniffers
- Use 'ethernet sniffer' programs.
- To 'sniff' data flowing across the internal network requires a remote root compromise of an internal host.
- To detect promiscuous network interfaces, use 'cpm': http://www.cert.org/ftp/tools/cpm/
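The detection idea behind cpm on a modern Linux host, as an added example (not cpm itself and not code from the slides): the kernel exposes each interface's flags word in /sys/class/net/<iface>/flags, and a sniffer that opened the interface in promiscuous mode sets the IFF_PROMISC bit (0x100). The sysfs stand-in directory and its flag values are constructed so the script runs offline; a sniffer that captures without promiscuous mode will not set the bit, so this check is a signal, not a proof of absence.

```python
import tempfile
from pathlib import Path
from typing import Dict, List

# Linux interface flag bit for promiscuous mode (IFF_PROMISC in <linux/if.h>).
IFF_PROMISC = 0x100
SYSFS_NET = "/sys/class/net"  # real location on a Linux host

def is_promiscuous(flags_text: str) -> bool:
    """Interpret the hex word stored in /sys/class/net/<iface>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def find_promiscuous(sysfs_net: str = SYSFS_NET) -> List[str]:
    """Return the names of interfaces whose flags carry IFF_PROMISC.

    Interfaces without a readable flags file are skipped, so a missing or
    non-Linux sysfs simply yields an empty list instead of an error.
    """
    found = []
    base = Path(sysfs_net)
    if not base.is_dir():
        return found
    for iface in sorted(p for p in base.iterdir() if p.is_dir()):
        try:
            text = (iface / "flags").read_text()
        except OSError:
            continue
        if is_promiscuous(text):
            found.append(iface.name)
    return found

def build_sample_sysfs(base: str) -> Dict[str, str]:
    """Constructed stand-in for /sys/class/net: eth0 is UP|BROADCAST|PROMISC|MULTICAST."""
    sample = {"eth0": "0x1103\n", "eth1": "0x1003\n", "lo": "0x9\n"}
    for name, flags in sample.items():
        d = Path(base) / name
        d.mkdir(parents=True, exist_ok=True)
        (d / "flags").write_text(flags)
    return sample

def demo_sample() -> List[str]:
    """Build the constructed sysfs tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sysfs(tmp)
        return find_promiscuous(tmp)

if __name__ == "__main__":
    print("promiscuous (sample):", demo_sample())
    print("promiscuous (live):", find_promiscuous())  # empty on non-Linux hosts
```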
Taking down networks
- rm -rf /
- 'Mission critical' routers & servers are always patched and secure.