![Page 1: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/1.jpg)
NATO Security Workshop 11 Dec 2001
1
Hacking Exposed
May 5, 2004
Jan Decrock, Karel Dekyvere
![Page 2: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/2.jpg)
Agenda
• Some reflections
• The attackers process
• Things you must do
![Page 3: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/3.jpg)
What is it about?
• People
• Process
• Technology
In this order!
![Page 4: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/4.jpg)
How it usually goes
![Page 5: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/5.jpg)
Attacker Processes
• Footprinting
• Social Engineering
• Scanning
• Enumeration
• Gaining Access
• Privilege Escalation
• Buffer Overflows
• Shovel a Shell
• Interactive Control
• Camouflaging
• Island Hopping
• Viruses
![Page 6: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/6.jpg)
Footprinting
• Footprinting Defined:
– An attacker’s use of tools and information to create a complete profile of an organization’s security posture – “Casing the joint”
• Tools:
– Google: http://www.google.com
– Netcraft: http://www.netcraft.com
– USENET: http://groups.google.com
– EDGAR: http://www.sec.gov
– DNS servers
– TRACERT
– WHOIS: http://www.arin.net & http://www.samspade.org
![Page 7: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/7.jpg)
Social Engineering
• Social Engineering Defined:
– An attacker’s use of personal interviewing techniques, research skills and/or trickery to discover sensitive information from a target’s employees, partners or customers
• Tools:
– Telephone
– Voice mail
– Email
– USENET
– Temporary employment
![Page 8: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/8.jpg)
Scanning
• Scanning Defined:
– An attacker’s use of tools and information to determine what systems are alive and reachable from the Internet
• Tools:
– fping (ICMP-based)
– nmap (TCP-port-based)
– netcat
– SuperScan / ScanLine
– Typhon II
– LANguard
– Fluxay
– Many (many) more
![Page 9: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/9.jpg)
Enumeration
• Enumeration Defined:
– An attacker’s use of tools and information to determine what services are alive and listening from the Internet
• Tools:
– LANguard, N-Stealth, Fluxay, Nessus
• Countermeasures
– RestrictAnonymous helps (value 1 or 2)?
– Renaming the Administrator account helps?
– Disable unneeded services!
– Enable port filtering
![Page 10: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/10.jpg)
Port Redirection
• Port Redirection Defined:
– The use of tools to take network traffic destined for one port and send it to another host on another port
• Tools:
– FPipe.exe, rinetd(8)
• Countermeasures
– The redirector has to be installed on the target system first: mitigate by keeping that system secure
– Use IPsec or similar to restrict which hosts may communicate with it, from and to
– Inspect packet content!
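What FPipe and rinetd do is small enough to show in full. The Python below is an added example, not code from the deck or from either tool: it listens on one loopback port and splices every incoming connection to another host and port, in both directions. The echo service that stands in for the "other host" is constructed for the demonstration; in an attack it would be an internal server that the firewall does not let the outside reach directly, which is why the packet content, and not just the destination, has to be inspected.

```python
import socket
import threading
from typing import Tuple


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then pass the EOF on to dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_redirector(listen_port: int, target: Tuple[str, int]) -> int:
    """Accept on 127.0.0.1:listen_port (0 = pick a free one) and splice each client
    to `target`, the rinetd / FPipe behaviour. Returns the port actually bound."""
    ln = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ln.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ln.bind(("127.0.0.1", listen_port))
    ln.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = ln.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection(target, timeout=2)
            except OSError:
                client.close()
                continue
            # One thread per direction; each shuts the other side when its own ends.
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return ln.getsockname()[1]


def start_echo_service() -> int:
    """Constructed stand-in for the host behind the redirector: echoes its input."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def send_through(port: int, payload: bytes) -> bytes:
    """Connect to the redirector, send payload, return everything that comes back."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                return out
            out += chunk


if __name__ == "__main__":
    echo_port = start_echo_service()
    fwd_port = start_redirector(0, ("127.0.0.1", echo_port))
    print(f"redirector on {fwd_port} -> echo service on {echo_port}")
    print(send_through(fwd_port, b"hello via the redirector\r\n"))
```

Seen from the target host, every spliced connection originates from the redirector's own address, so host-based rules that trust "internal" sources are exactly what the technique defeats; an IPsec policy that only admits authenticated peers does not have that gap.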
![Page 11: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/11.jpg)
Gaining Access
• Gaining Access Defined:
– An attacker’s use of tools and information to make an attempt to access the target system
• Tools:
– Keystroke loggers
– L0phtCrack
– Password grinders
– Remote shells
– John the Ripper
– GetAdmin, GetAdmin2
– Brutus
– Samdump, Pwdump
• Countermeasures
– Syskey will protect me (offline encryption)?
![Page 12: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/12.jpg)
Are you careful with security?
![Page 13: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/13.jpg)
Privilege Escalation
• Privilege Escalation Defined:
– An attacker’s efforts to elevate his role from ‘user’ to ‘administrator’ by exploiting an operating system or application-specific flaw. Generally exploited from a console session of a non-privileged user.
• Tools:
– GetAdmin, GetAdmin2
– PipeUpAdmin
– DebPloit
– L0phtCrack (LC3/LC4)
– John the Ripper
– Brutus
– Samdump
– Pwdump1, 2, 3, 3e
– LSADump, LSADump2
• Do your users have the ‘Debug programs’ and ‘Log on locally’ rights?
![Page 14: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/14.jpg)
Buffer Overflows
• Buffer Overflows Defined:
– Buffer overflow tools exploit unchecked buffers in specific OSs or applications to cause ‘shellcode’ to run, usually in the context of ‘SYSTEM’, ‘IWAM’ or ‘SQLUSER’ when exploiting Windows 2000, IIS or SQL Server respectively.
• Tools:
– Too many to name….
• Patch management: good idea!
• Wanna know how it works?
![Page 15: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/15.jpg)
Public Enemy #1: The Buffer Overrun
• Attempting to copy more than n bytes into an n-byte buffer
• If you’re lucky you get an access violation (AV), i.e. a crash
• If you’re unlucky you get instability
• If you’re really unlucky the attacker injects code into your application
– And executes it!
– And everyone’s an admin :-(
![Page 16: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/16.jpg)
How Does It Work?
• A stack, just after foo() has called bar(), laid out from the buffer upwards:
– Buffer in bar()
– Return address to foo()
– bar() arguments
• A dangerous buffer, as the attacker prepares it:
– Assembly code (the shellcode)
– Address of its start
• Add ’em together (using a copy function) and the copy runs past bar()’s buffer:
– Your allocated data now holds the assembly code
– The return address now holds the address of the start of that code
– The function arguments are overwritten too
• Gotcha! When bar() returns, execution ‘returns’ into the attacker’s code.
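The slide's diagram can be followed byte for byte. The Python below is an added example, not code from the deck: it models bar()'s frame as the slide draws it (a 16-byte buffer, then the saved frame pointer, then the return address into foo(), little-endian 32-bit), builds the "dangerous buffer" the same way (NOP sled, shellcode, address of the buffer's start), and shows that an unbounded strcpy()-style copy overwrites the return slot while a bounded copy refuses the input. The addresses, the saved frame pointer value and the eight int3 bytes standing in for shellcode are all constructed placeholders; real memory corruption needs a native binary, and this model only shows the layout arithmetic that makes it work.

```python
import struct

BUF_SIZE = 16                    # bar()'s local buffer, the slide's "dangerous buffer"
SAVED_FP = b"\x00\xf8\xff\xbf"   # constructed saved frame pointer value
RET_TO_FOO = 0x08048456          # hypothetical address of the instruction after foo()'s call
BUF_ADDR = 0xBFFFF7C0            # hypothetical address at which the buffer sits on the stack
FAKE_SHELLCODE = b"\xcc" * 8     # constructed: eight int3 breakpoints stand in for real shellcode


def build_frame() -> bytearray:
    """Model of bar()'s frame, low address first:
    [buffer BUF_SIZE][saved frame pointer 4][return address to foo() 4]."""
    return (bytearray(BUF_SIZE)
            + bytearray(SAVED_FP)
            + bytearray(struct.pack("<I", RET_TO_FOO)))


def return_address(frame: bytearray) -> int:
    """The value `ret` will pop: the last four bytes of the frame."""
    return struct.unpack("<I", bytes(frame[-4:]))[0]


def unsafe_copy(frame: bytearray, data: bytes) -> bytearray:
    """strcpy()-style: writes len(data) bytes from the buffer's start with no
    bound, so anything past BUF_SIZE lands on the frame pointer and then on
    the return address. (The model stops at bar()'s frame; a real overrun
    would keep going into the caller's frame.)"""
    if len(data) > len(frame):
        raise ValueError("model only covers bar()'s own frame")
    frame[0:len(data)] = data
    return frame


def safe_copy(frame: bytearray, data: bytes) -> bytearray:
    """Bounded copy: leaves room for the NUL terminator and rejects oversize input."""
    if len(data) >= BUF_SIZE:
        raise ValueError(f"{len(data)} bytes do not fit a {BUF_SIZE}-byte buffer")
    frame[0:len(data)] = data
    frame[len(data)] = 0
    return frame


def build_payload(shellcode: bytes, jump_to: int) -> bytes:
    """'Add 'em together': a NOP sled and the shellcode fill the buffer and the
    saved frame pointer slot exactly, then the address of the buffer's start
    overwrites the return address so `ret` lands on the sled."""
    room = BUF_SIZE + len(SAVED_FP)
    if len(shellcode) > room:
        raise ValueError("shellcode does not fit before the return slot")
    return b"\x90" * (room - len(shellcode)) + shellcode + struct.pack("<I", jump_to)


if __name__ == "__main__":
    payload = build_payload(FAKE_SHELLCODE, BUF_ADDR)
    smashed = unsafe_copy(build_frame(), payload)
    print(f"unsafe copy: ret -> {return_address(smashed):#010x} (buffer start: attacker code)")
    intact = safe_copy(build_frame(), b"hello")
    print(f"safe copy:   ret -> {return_address(intact):#010x} (still foo())")
```

The arithmetic is the whole exploit: the attacker only needs the distance from the buffer to the return slot and a guess at the buffer's address, and the NOP sled is there to make the guess forgiving. The bounded copy does not need to know any of that; it only needs to know its own buffer size, which is the point of the "patch management: good idea!" remark above.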
![Page 17: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/17.jpg)
Code injections
• Insert malicious code in program through user interface
• Usually possible due to lack of input parameter checking
• Most commonly used mechanism to take over websites!
![Page 18: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/18.jpg)
SQL code injection
• Think of a website that allows you to query information; think harder.
• How could the code be built to capture your input?
– Select * from creditcards where username = ‘x’
– Select * from PC_parts where model = ‘x’
• Imagine what happens if your input would be:
– hacker’ or 1=1 (the good)
– hacker’; drop table creditcards (the bad)
– hacker’; xp_cmdshell ‘fdisk.exe’ (the ugly)
• Try this @home, not @work!
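The "@home" version, as an added example that is not part of the deck: Python's built-in SQLite driver against a constructed `creditcards` table with two rows. The vulnerable lookup builds the query by string concatenation exactly as the slide's `where username = 'x'` suggests; the input is written `hacker' or '1'='1` rather than the slide's `hacker' or 1=1` so that the trailing quote the application appends still balances. The parameterised lookup shows the fix. The "bad" case is also tried: SQLite's Python driver refuses to run two statements in one execute() call, so the table survives here, which is a property of this driver, not a defence. Nothing like xp_cmdshell exists in SQLite, so the "ugly" case is not reproduced.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the slide's creditcards table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table creditcards (username text, number text)")
    db.executemany(
        "insert into creditcards values (?, ?)",
        [("alice", "4111-1111-1111-1111"), ("bob", "5500-0000-0000-0004")],
    )
    return db


def lookup_unsafe(db: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The pattern on the slide: the query text is built by concatenation, so a
    quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "select * from creditcards where username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterised: the value travels separately from the SQL text and can
    never be parsed as part of it."""
    return db.execute(
        "select * from creditcards where username = ?", (username,)
    ).fetchall()


def stacked_statement_blocked(db: sqlite3.Connection, username: str) -> bool:
    """'The bad': hacker'; drop table ... needs the driver to accept a second
    statement. sqlite3.execute() does not, so it raises instead of dropping."""
    try:
        lookup_unsafe(db, username)
        return False
    except (sqlite3.Warning, sqlite3.Error):  # "You can only execute one statement at a time."
        return True


if __name__ == "__main__":
    db = make_db()
    print("normal:       ", lookup_unsafe(db, "alice"))
    print("the good:     ", lookup_unsafe(db, "hacker' or '1'='1"))      # every row
    print("parameterised:", lookup_safe(db, "hacker' or '1'='1"))        # no row
    print("the bad blocked by driver:", stacked_statement_blocked(db, "hacker'; drop table creditcards --"))
    print("rows left:", db.execute("select count(*) from creditcards").fetchone()[0])
```

Input checking as the previous slide calls it means the parameterised form, not escaping quotes by hand: the tautology `'1'='1'` contains nothing unusual to filter, and it still returns every card in the table when the value is spliced into the SQL text.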
![Page 19: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/19.jpg)
You want to be in such a situation?
• Then start thinking in terms of security
![Page 20: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/20.jpg)
DEMO?
![Page 21: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/21.jpg)
Shovel a Shell
• Shovel a Shell Defined:
– An attacker’s use of tools to gain a ‘remote command shell’ on a target server.
• Tools:
– Netcat – the attacker’s ‘Swiss army knife’
– PsExec.exe
• Countermeasures
– Limit outbound connections!
– Software restriction policies.
![Page 22: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/22.jpg)
Island Hopping
• Island Hopping Defined:
– Attacker uses a compromised platform to stage an attack on another host
– Attacker repeats the entire ‘attack methodology’ process to expand influence far and wide
• Tools:
– netcat
– TFTP
– FPipe
– SMB Relay
– Hash ‘cramming’
• Did you know: ¼ of all Internet routers contained third-party sniffers
![Page 23: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/23.jpg)
Viruses
• Main sources: Internet, mail, floppy.
• You can protect yourself
• Keep up to date on new viruses (mailing lists, automatic updates, patch management process...)
![Page 24: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/24.jpg)
Why viruses/worms win
• Viruses/worms usually exploit buffer overruns.
• 1 chance in 10^10 to find a buffer overrun by searching blindly.
• Or you reverse engineer announced flaws in the system:
– Download a patch
– Install it on a computer
– Verify the modification to the system/memory allocations
• Write a virus based on the patch information
• Hope that nobody installed the patch
• What are my chances to be successful?
![Page 25: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/25.jpg)
Why viruses/worms should not win
• A virus/worm usually ships 10 to 20 days ‘after’ the patch is released.
• Excuse #1: Good anti-virus software will protect me; somebody is always the first to be infected; what if the worm spreads faster than the pattern file?
• Excuse #2: We have a firewall that blocks all traffic; really, and you have one for all mobile users, one to split your internal network, etc…
• Excuse #3: Only Microsoft writes bogus code, I run on non-MS products; statistics say that every 1000 lines of code has 1 bug (no matter what software or vendor).
![Page 26: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/26.jpg)
How much is enough security?
![Page 27: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/27.jpg)
Thank you for attending, and remember:
People, Process, Technology (PPT)
![Page 28: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/28.jpg)
Know Your Enemy
• Some Good Books:
– Hacking Exposed Windows 2000 by Joel Scambray and Stuart McClure, ISBN: 0072192623
– Windows 2000 Security Handbook by Philip Cox and Tom Sheldon, ISBN: 0072124334
![Page 29: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/29.jpg)
Know Your Enemy
• Web Sites:
– HNC at http://www.hack-net.com
– Attrition at http://www.attrition.org
– Counterpane Systems (home of Bruce Schneier) at http://www.counterpane.com
– Cult of the Dead Cow at http://www.cultdeadcow.com
– Rootshell at http://rootshell.com
– 2600 at http://www.2600.com
– eEye at http://www.eeye.com
– WSD at http://www.w00w00.org
– NTSecurity at http://www.ntsecurity.net
![Page 30: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/30.jpg)
Know Your Enemy
• Web Sites:
– Slashdot at http://www.slashdot.org
– Razor at http://razor.bindview.com
– Rain Forest Puppy at http://www.wiretrip.net/rfp
– Phrack at http://phrack.infonexus.com
– Security Focus at http://www.securityfocus.com . Get on the NTBugTraq mailing list here.
– BlackHat at http://www.blackhat.com/
– Nomad Mobile Research Centre at http://www.nmrc.org/
– Secure I Team at http://www.secureiteam.com
![Page 31: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/31.jpg)
Know Your Enemy
• Events
– RSA Conference http://www.rsaconference.com
– BlackHat http://www.blackhat.com
– DefCon http://www.defcon.org (the largest hacking convention; bring your own 802.11b wireless network card!)
![Page 32: Hacking Exposed](https://reader036.vdocuments.net/reader036/viewer/2022081504/56814876550346895db57fcd/html5/thumbnails/32.jpg)
References
• Hacking Exposed, 4th Edition
• Hacking Windows 2000 Exposed
• Special Ops
• Microsoft Solution for Securing Windows 2000 Server: http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp
• NSA Security Guidelines: http://nsa1.www.conxion.com/