0x4841434b45525a – h4x0r presentation for n00bs

All Your Base Are Belong To Us 0x48 0x41 0x43 0x4B 0x45 0x52 0x5A Or: so, you wanted to be a hacker By Gil Megidish (2004)

Upload: gil-megidish

Post on 17-Jul-2015


TRANSCRIPT

Page 1: 0x4841434b45525a – H4x0r presentation for n00bs

All Your Base Are Belong To Us

0x48 0x41 0x43 0x4B 0x45 0x52 0x5A

Or: so, you wanted to be a hacker

By Gil Megidish (2004)

Page 2: 0x4841434b45525a – H4x0r presentation for n00bs

You think you know hackers?

Page 3: 0x4841434b45525a – H4x0r presentation for n00bs

Hacking, Cracking & Phreaking

• Hacker n. (Jargon File)
  – One who programs enthusiastically and even obsessively.
  – A person who enjoys exploring the details of systems and such.
• Cracker n.
  – One who breaks security on a system.
• Phreaking
  – The pure art of telephony hacking (Captain Crunch)

Page 4: 0x4841434b45525a – H4x0r presentation for n00bs

Cracking

• All software can be cracked: if a program can be written with protection, it can surely exist without one.
• Crackers brag about their accomplishments.
• Types of interesting cracking:
  – Cracking software
  – Cracking into servers
  – Denial of Service (DoS)

Page 5: 0x4841434b45525a – H4x0r presentation for n00bs

Cracking Software

• Software will let you know if you have no permission to continue

• Starting there, it is possible to find the root cause of this limitation

Page 6: 0x4841434b45525a – H4x0r presentation for n00bs

Always Use Protection

Diagram labels: Protection code; Registry; File System; Network; CPU; Devices (plug)

Since it is always possible to crack software, the coders have one thing in mind: make the cracker’s life a living hell.

Introducing: Doc Witness’ OpSecure

Page 7: 0x4841434b45525a – H4x0r presentation for n00bs

Cracking Into Servers

Page 8: 0x4841434b45525a – H4x0r presentation for n00bs

Database Hacking

SELECT * FROM USERS_TABLE WHERE USER=$PARAM

Inexperienced programmers sometimes make the mistake above. No matter how many firewalls are in the middle, you can delete the entire database, or even destroy the machine it is running on.

What if

$PARAM = "userName%01EXEC rm -rf /"

Or

$PARAM = "userName OR 1=1" ?
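
The mistake on this slide next to its fix, as an added example (not from the original presentation): Python with an in-memory SQLite database. The numeric USER key, the NAME column and the sample rows are assumptions, chosen so that the slide's unquoted query is valid SQL.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the slide's USERS_TABLE; the rows are constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE USERS_TABLE (USER INTEGER, NAME TEXT)")
    db.executemany("INSERT INTO USERS_TABLE VALUES (?, ?)",
                   [(1001, "alice"), (1002, "bob"), (1003, "carol")])
    return db

def lookup_concatenated(db, param):
    """The slide's mistake: $PARAM becomes part of the SQL text and is parsed as SQL."""
    sql = "SELECT NAME FROM USERS_TABLE WHERE USER=" + param
    return [name for (name,) in db.execute(sql)]

def lookup_parameterized(db, param):
    """Hardened form: the SQL text is constant and param is bound as a single value."""
    sql = "SELECT NAME FROM USERS_TABLE WHERE USER=?"
    return [name for (name,) in db.execute(sql, (param,))]

def compare(param):
    """Run both lookups on the same input so the difference is visible side by side."""
    db = make_db()
    try:
        return lookup_concatenated(db, param), lookup_parameterized(db, param)
    finally:
        db.close()

if __name__ == "__main__":
    # The second value follows the slide's "OR 1=1" input.
    for param in ("1001", "1001 OR 1=1"):
        print(repr(param), compare(param))
```

With the bound parameter the whole string is compared against the USER column as one value, so the `OR 1=1` never reaches the SQL parser.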

Page 9: 0x4841434b45525a – H4x0r presentation for n00bs

Buffer Overflows

#include <string.h>

void store(char *str) {
    char buffer[16];
    strcpy(buffer, str);  /* copy str into the local buffer */
}

What is wrong with this function??

Page 10: 0x4841434b45525a – H4x0r presentation for n00bs

Call stack overview

void function(char *str) {
    char buffer[16];
    /* ... */
}

Low memory  [ buffer(16) | oldsp(4) | ret(4) | *str(4) ]  High memory

Page 11: 0x4841434b45525a – H4x0r presentation for n00bs

[ buffer(16) | oldsp(4) | ret(4) | *str(4) ]

So, if we call:

store("this is my name, what is your name ?");

What will happen?

Frame contents shown in the diagram after the call: this is my name, what is your

After the function completes, the processor jumps to the address stored in ‘ret’. Right now, this address contains garbage. The process will crash immediately upon function return. Now, why is this interesting?
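
The overwrite described on this slide, modelled in Python so that it can be run without corrupting a real stack; this is an added example, not part of the original presentation. The 0xAA filler, the function names and the 32-bit little-endian reading of ‘ret’ are assumptions; store_checked shows the length check that store() lacks.

```python
# Slide layout, low memory -> high memory: buffer(16) oldsp(4) ret(4) *str(4)
FRAME = (("buffer", 16), ("oldsp", 4), ("ret", 4), ("*str", 4))
FRAME_SIZE = sum(size for _, size in FRAME)   # 28 bytes

def strcpy_model(src: bytes):
    """Model strcpy(buffer, str): write src plus its NUL from offset 0, no length check.

    Returns the named fields after the copy and the count of bytes that went
    past *str, i.e. beyond the part of the stack drawn on the slide.
    """
    data = src + b"\x00"
    frame = bytearray(b"\xaa" * FRAME_SIZE)   # 0xAA = byte the copy never touched
    frame[:min(len(data), FRAME_SIZE)] = data[:FRAME_SIZE]
    fields, off = {}, 0
    for name, size in FRAME:
        fields[name] = bytes(frame[off:off + size])
        off += size
    return fields, max(0, len(data) - FRAME_SIZE)

def clobbered(src: bytes):
    """Fields other than buffer that receive at least one byte of the copy."""
    written, off, hit = len(src) + 1, 0, []
    for name, size in FRAME:
        if name != "buffer" and written > off:
            hit.append(name)
        off += size
    return hit

def ret_address(src: bytes) -> int:
    """Value the CPU would load from ret (assumes 32-bit little-endian, as on x86)."""
    return int.from_bytes(strcpy_model(src)[0]["ret"], "little")

def store_checked(src: bytes):
    """The missing check: refuse anything that does not fit buffer[16] with its NUL."""
    if len(src) + 1 > FRAME[0][1]:
        raise ValueError("input does not fit in buffer[16]")
    return strcpy_model(src)[0]

if __name__ == "__main__":
    name = b"this is my name, what is your name ?"   # the slide's argument
    print(clobbered(name), hex(ret_address(name)))
```

A 16-character input is already too long: its terminating NUL lands in oldsp, which is why the check counts the NUL as well.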

Page 12: 0x4841434b45525a – H4x0r presentation for n00bs

[ buffer(16) | oldsp(4) | ret(4) | *str(4) ]   (diagram label: code)

Scary – if we get ‘ret’ to point to our buffer, we can send arbitrary code to be executed on the remote machine.

Most server hacking is done using this mechanism. So, if everybody knows about it, why does nobody fix the problem once and for all?

Page 13: 0x4841434b45525a – H4x0r presentation for n00bs

pH34R

Page 14: 0x4841434b45525a – H4x0r presentation for n00bs

pH34R

Page 15: 0x4841434b45525a – H4x0r presentation for n00bs

Smurf Attack

Page 16: 0x4841434b45525a – H4x0r presentation for n00bs

ICMP Smurf

Evil sends an ICMP Echo Request to the broadcast address on his network

All servers reply to the request and send an ICMP Echo Reply to the spoofed source

Diagram labels: 64 K (shown five times)

Page 17: 0x4841434b45525a – H4x0r presentation for n00bs

One Last Slide: Root Kits!

• Root Kits are the fastest and easiest way to hide the presence of a cracker.
• How do they work?
  – Replacing ps, so you won’t see them running
  – Replacing ls, so you won’t find the files
  – Replacing cat, so you won’t notice altered configurations
• There are rootkits for Windows as well!
• Open Source projects, such as ChkRoot, find these kits

Page 18: 0x4841434b45525a – H4x0r presentation for n00bs

Links

www.blackhat.com

www.2600.com

www.bugtraq.org

www.securiteam.com

Page 19: 0x4841434b45525a – H4x0r presentation for n00bs
