
Page 1: Hacking Exposed

NATO Security Workshop 11 Dec 2001

1

Hacking Exposed

May 5, 2004

Jan Decrock, Karel Dekyvere

Page 2: Hacking Exposed


Agenda

• Some reflections

• The attacker’s process

• Things you must do

Page 3: Hacking Exposed


What is it about?

• People

• Process

• Technology

In this order!

Page 4: Hacking Exposed


How it usually goes

Page 5: Hacking Exposed


Attacker Processes

• Footprinting

• Social Engineering

• Scanning

• Enumeration

• Gaining Access

• Privilege Escalation

• Buffer Overflows

• Shovel a Shell

• Interactive Control

• Camouflaging

• Island Hopping

• Viruses

Page 6: Hacking Exposed


Footprinting

• Footprinting Defined:

– An attacker’s use of tools and information to create a complete profile of an organization’s security posture – “Casing the joint”

• Tools:

– Google – http://www.google.com
– Netcraft – http://www.netcraft.com
– USENET – http://groups.google.com
– EDGAR – http://www.sec.gov
– DNS servers
– TRACERT
– WHOIS – http://www.arin.net & http://www.samspade.org

Page 7: Hacking Exposed

NATO Security Workshop 11 Dec 2001

7

Social Engineering

• Social Engineering Defined:

– An attacker’s use of personal interviewing techniques, research skills and/or trickery to discover sensitive information from a target’s employees, partners or customers

• Tools:

– Telephone
– Voice Mail
– Email
– USENET
– Temporary Employment

Page 8: Hacking Exposed


Scanning

• Scanning Defined:

– An attacker’s use of tools and information to determine what systems are alive and reachable from the Internet

• Tools:

– fping (ICMP-based)
– nmap (TCP-port-based)
– netcat
– SuperScan / Scanline
– Typhon II
– LANGuard
– Fluxay
– Many (many) more

Page 9: Hacking Exposed


Enumeration

• Enumeration Defined:

– An attacker’s use of tools and information to determine what services are alive and listening from the Internet

• Tools:

– LANGuard, N-Stealth, Fluxay, Nessus

• Countermeasures

– RestrictAnonymous helps (1 or 2)?
– Rename admin helps?
– Disable services!
– Enable port filtering

Page 10: Hacking Exposed


Port Redirection

• Port Redirection Defined:

– The use of tools to take network traffic destined for one port and send it to another host on another port

• Tools:

– FPipe.exe, RINETD(8)

• Countermeasures

– Port redirectors have to get installed on the target system first. Mitigate by staying secure
– Use IPSEC or other means to control which hosts may communicate from/to
– Packet content!

Page 11: Hacking Exposed


Gaining Access

• Gaining Access Defined:

– An attacker’s use of tools and information to make an attempt to access the target system

• Tools:

– Keystroke Loggers
– L0phtcrack
– Password Grinders
– Remote Shells
– John the Ripper
– Getadmin, GetAdmin2
– Brutus
– Samdump, Pwdump

• Countermeasures

– Syskey will protect me (offline encryption)?

Page 12: Hacking Exposed


Are you careful with security?

Page 13: Hacking Exposed


Privilege Escalation

• Privilege Escalation Defined:

– An attacker’s efforts to elevate his role from ‘user’ to ‘administrator’ by exploiting an operating system or application-specific flaw. Generally exploited from a console session of a non-privileged user.

• Tools:

– GetAdmin, GetAdmin2
– PipeUpAdmin
– DebPloit
– L0phtcrack (LC3/LC4)
– John the Ripper
– Brutus
– Samdump
– Pwdump1, 2, 3, 3e
– LSADump, LSADump2

• Your users have ‘debug programs’, ‘logon locally’ right?

Page 14: Hacking Exposed


Buffer Overflows

• Buffer Overflows Defined:

– Buffer Overflow tools exploit unchecked buffers in specific OSs or applications to cause ‘shellcode’ to run (usually in the context of ‘SYSTEM’, ‘IWAM’ or ‘SQLUSER’ if exploiting Windows 2000, IIS or SQL).

• Tools:

– Too many to name….

• Patch management: good idea!

• Wanna know how it works?

Page 15: Hacking Exposed


Public Enemy #1: The Buffer Overrun

• Attempting to copy >n bytes into an n-byte buffer

• If you’re lucky you get an AV (access violation)

• If you’re unlucky you get instability

• If you’re really unlucky the attacker injects code into your application

– And executes it!

– And everyone’s an admin :-(

Page 16: Hacking Exposed


How Does It Work?

[Diagram: a stack just after foo() has called bar(). From the top of the stack down: the buffer in bar(), the return address to foo(), then the bar() arguments.]

[Diagram: a dangerous buffer, made of assembly code followed by the address where that code starts.]

Add ‘em together (using a copy function):

[Diagram: the copy writes past your allocated data, over the return address and the function arguments. Gotcha!]
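Added example, not part of the original slides: a Python model of the stack frame in the diagram above. The frame layout (a 16-byte buffer, a 4-byte saved return address, then bar()'s arguments), the placeholder address 0x08048420 and the helper names are assumptions made for the model. It manipulates a bytearray, not real process memory, so what it shows is only the mechanism: a copy of more than n bytes into the n-byte buffer reaches the saved return address, while a length-checked copy refuses the input and leaves it intact.

```python
# Added example (not from the slides): a toy model of the stack frame drawn on
# slide 16, used to show why copying more than n bytes into an n-byte buffer
# lets the saved return address be overwritten. Nothing here touches real
# process memory; the "frame" is a bytearray laid out like the diagram.

BUF_SIZE = 16          # size of the buffer local to bar()
RET_SIZE = 4           # 32-bit return address, as on the systems the deck discusses
ARG_SIZE = 8           # two 32-bit arguments passed to bar()

OFF_BUF = 0
OFF_RET = OFF_BUF + BUF_SIZE
OFF_ARGS = OFF_RET + RET_SIZE
FRAME_SIZE = OFF_ARGS + ARG_SIZE

RETURN_TO_FOO = 0x08048420   # constructed value standing in for "address in foo()"


def new_frame() -> bytearray:
    """Build a frame as if foo() has just called bar(): buffer, return address, args."""
    frame = bytearray(FRAME_SIZE)
    frame[OFF_RET:OFF_ARGS] = RETURN_TO_FOO.to_bytes(RET_SIZE, "little")
    frame[OFF_ARGS:FRAME_SIZE] = (1).to_bytes(4, "little") + (2).to_bytes(4, "little")
    return frame


def return_address(frame: bytearray) -> int:
    """Read back the saved return address the CPU would use when bar() returns."""
    return int.from_bytes(frame[OFF_RET:OFF_ARGS], "little")


def unchecked_copy(frame: bytearray, data: bytes) -> None:
    """The strcpy-style pattern: every byte of data goes into the buffer, no length check."""
    frame[OFF_BUF:OFF_BUF + len(data)] = data


def bounded_copy(frame: bytearray, data: bytes) -> bool:
    """Hardened form: refuse anything that does not fit in the buffer. True on success."""
    if len(data) > BUF_SIZE:
        return False
    frame[OFF_BUF:OFF_BUF + len(data)] = data
    return True


def demo(data: bytes) -> dict:
    """Run both copies on fresh frames and report whether the return address survived."""
    unsafe = new_frame()
    if len(data) <= FRAME_SIZE:          # keep the model itself inside the bytearray
        unchecked_copy(unsafe, data)
    safe = new_frame()
    accepted = bounded_copy(safe, data)
    return {
        "unchecked_ret": return_address(unsafe),
        "unchecked_ret_overwritten": return_address(unsafe) != RETURN_TO_FOO,
        "bounded_accepted": accepted,
        "bounded_ret": return_address(safe),
    }


if __name__ == "__main__":
    # 12 bytes fit; 20 bytes spill the last 4 over the saved return address.
    for payload in (b"A" * 12, b"A" * 16 + b"\x44\x43\x42\x41"):
        print(len(payload), "bytes:", demo(payload))
```

The second run is the "add 'em together" case from the diagram: the four bytes past the 16-byte buffer land exactly on the saved return address, which is why the length check in bounded_copy is the whole fix.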

Page 17: Hacking Exposed


Code injections

• Insert malicious code in program through user interface

• Usually possible due to lack of input parameter checking

• Most commonly used mechanism to take over websites!

Page 18: Hacking Exposed


SQL code injection

• Think of a website that allows you to query information, think harder.

• How could the code be built to capture your input:

– Select * from creditcards where username = ‘x’
– Select * from PC_parts where model = ‘x’

• Imagine what happens if your input would be:

– hacker’ or 1=1 (the good)
– hacker’ drop table creditcards (the bad)
– hacker’ xp_cmdshell(‘fdisk.exe’) (the ugly)

• Try this @home, not @work !
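An added example, not from the slides: the PC_parts query from this slide written the concatenating way and the parameterised way, run against a constructed in-memory SQLite table. The table contents, the helper names and the tautology input `hacker' or '1'='1` (quoted so that the concatenated statement still parses) are assumptions for this example. Python's sqlite3 module executes one statement per call, so the stacked `drop table` and `xp_cmdshell` inputs on the slide are not reproduced; the point shown is that a bound parameter treats the whole input as a value and can never become SQL.

```python
import sqlite3

# Added example (not from the slides): the PC_parts lookup built the unsafe way
# (string concatenation) and the safe way (a bound parameter), both run against
# a constructed in-memory SQLite table.

SAMPLE_PARTS = [            # constructed sample rows
    ("P4-2000", "CPU", 199),
    ("GF4-Ti4600", "Graphics card", 349),
    ("DDR-256", "Memory", 59),
]


def make_db() -> sqlite3.Connection:
    """Create the PC_parts table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PC_parts (model TEXT, category TEXT, price INTEGER)")
    conn.executemany("INSERT INTO PC_parts VALUES (?, ?, ?)", SAMPLE_PARTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, model: str) -> list:
    """The slide's pattern: user input pasted straight into the SQL text."""
    query = "SELECT * FROM PC_parts WHERE model = '" + model + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, model: str) -> list:
    """Parameterised form: the input is bound as a value, never parsed as SQL."""
    query = "SELECT * FROM PC_parts WHERE model = ?"
    return conn.execute(query, (model,)).fetchall()


def compare(model: str) -> tuple:
    """Return (rows from the vulnerable query, rows from the safe query) for one input."""
    conn = make_db()
    try:
        vulnerable = lookup_vulnerable(conn, model)
    except sqlite3.Error as exc:
        vulnerable = exc      # malformed SQL surfaces as an error: a tell-tale worth logging
    safe = lookup_safe(conn, model)
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    for user_input in ("P4-2000", "hacker' or '1'='1"):
        vulnerable, safe = compare(user_input)
        print(repr(user_input))
        print("  concatenated: ", vulnerable)
        print("  parameterised:", safe)
```

With the tautology input the concatenated query returns every row in the table, while the parameterised query looks for a model literally named `hacker' or '1'='1` and returns nothing.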

Page 19: Hacking Exposed


You want to be in such a situation?

• Then start thinking in terms of security

Page 20: Hacking Exposed


DEMO?

Page 21: Hacking Exposed


Shovel a Shell

• Shovel a Shell Defined:

– An attacker’s use of tools to gain a ‘remote command shell’ on a target server.

• Tools:

– Netcat – The attacker’s ‘swiss army knife’
– PSExec.exe

• Countermeasures

– Limit outbound connections!
– Software restriction policies.
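Added example, not from the slides: one way to act on "Limit outbound connections!" is to alert on servers that initiate Internet connections outside an explicit per-server port allow-list, since a shovelled shell is, from the network's point of view, a server opening a connection it never normally opens. The log format, the server addresses, the allow-list and the sample lines below are all constructed for this example.

```python
import ipaddress
from datetime import datetime

# Added example (not from the slides): a small check for the "limit outbound
# connections" countermeasure. It reads constructed firewall log lines and
# flags monitored servers that open outbound TCP connections to the Internet
# on anything but the few destination ports they are allowed to use.

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Servers that should only ever talk outbound on a known set of destination ports.
SERVER_EGRESS_ALLOW = {
    "10.0.1.10": {80, 443},      # web server: HTTP/HTTPS to update mirrors only
    "10.0.1.20": {25},           # mail relay: SMTP only
    "10.0.1.30": set(),          # SQL server: no Internet egress at all
}

# Constructed log lines: "date time action proto src:port -> dst:port".
SAMPLE_LOG = """\
2004-05-05 10:01:12 ALLOW TCP 10.0.1.10:51200 -> 198.51.100.7:443
2004-05-05 10:01:15 ALLOW TCP 10.0.1.10:51201 -> 10.0.2.5:1433
2004-05-05 10:02:40 ALLOW TCP 10.0.1.30:3110 -> 203.0.113.9:4444
2004-05-05 10:02:41 ALLOW TCP 10.0.1.20:3111 -> 203.0.113.9:25
2004-05-05 10:03:05 ALLOW TCP 192.168.5.44:49152 -> 203.0.113.9:80
2004-05-05 10:03:09 ALLOW TCP 10.0.1.10:51202 -> 203.0.113.9:53
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    date, time, action, proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": datetime.fromisoformat(f"{date} {time}"),
        "action": action, "proto": proto,
        "src": src_ip, "sport": int(src_port),
        "dst": dst_ip, "dport": int(dst_port),
    }


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unexpected_egress(log_text: str) -> list:
    """Return (src, dst, dport) for each server-initiated connection to the Internet
    whose destination port is not on that server's allow-list."""
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["proto"] != "TCP" or is_internal(rec["dst"]):
            continue                   # internal traffic is out of scope for this check
        allowed = SERVER_EGRESS_ALLOW.get(rec["src"])
        if allowed is None:
            continue                   # not one of the monitored servers
        if rec["dport"] not in allowed:
            alerts.append((rec["src"], rec["dst"], rec["dport"]))
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_egress(SAMPLE_LOG):
        print("unexpected outbound connection from server:", alert)
```

On the sample the SQL server's connection to port 4444 and the web server's connection to port 53 are reported; the workstation on 192.168.5.44 is not, because the allow-list only covers servers. The same rule is far more effective as a firewall deny than as an after-the-fact alert, which is the slide's point.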

Page 22: Hacking Exposed


Island Hopping

• Island Hopping Defined:

– Attacker uses compromised platform to stage an attack on another host

– Attacker repeats entire ‘attack methodology’ process to expand influence far and wide

• Tools:

– netcat
– Tftp
– Fpipe
– SMB Relay
– Hash ‘cramming’

• Did you know: ¼ of all Internet routers contained third party sniffers

Page 23: Hacking Exposed


Viruses

• Main Sources: Internet, Mail, Floppy.

• You can protect yourself

• Keep up to date on new viruses (mailing lists, automatic updates, patch management process...)

Page 24: Hacking Exposed


Why viruses/worms win

• Viruses/worms usually exploit buffer overruns.

• 1 chance in 10^10 to find a buffer overrun

• Or you reverse engineer announced flaws in the system.

– Download a patch
– Install on a computer
– Verify modification to system/memory allocs

• Write virus based on patch information

• Hope that nobody installed the patch

• What are my chances of being successful?

Page 25: Hacking Exposed


Why viruses/worms should not win

• Virus/worm usually ships 10 to 20 days ‘after’ the patch is released.

• Excuse #1: Good Anti-virus software will protect me; somebody is always the first to be infected; what if the worm spreads faster than the pattern file?

• Excuse #2: We have a firewall that blocks all traffic; really, and you have one for all mobile users, one to split your internal network, etc…

• Excuse #3: Only Microsoft writes bogus code, I run on non-MS products; statistics say that each 1000 lines of code has 1 bug (no matter what software or vendor).

Page 26: Hacking Exposed


How much is enough security?

Page 27: Hacking Exposed


Thank you for attending and remember,

PPT

Page 28: Hacking Exposed


Know Your Enemy

• Some Good Books:

– Hacking Exposed Windows 2000 by Joel Scambray and Stuart McClure, ISBN: 0072192623
– Windows 2000 Security Handbook by Philip Cox and Tom Sheldon, ISBN: 0072124334

Page 29: Hacking Exposed


Know Your Enemy

• Web Sites:

– HNC at http://www.hack-net.com
– Attrition at http://www.attrition.org
– Counterpane Systems (home of Bruce Schneier) at http://www.counterpane.com
– Cult of the Dead Cow at http://www.cultdeadcow.com
– Rootshell at http://rootshell.com
– 2600 at http://www.2600.com
– EEye at http://www.eeye.com
– WSD at http://www.w00w00.org
– NTSecurity at http://www.ntsecurity.net

Page 30: Hacking Exposed


Know Your Enemy

• Web Sites:

– Slash Dot at http://www.slashdot.org
– Razor at http://razor.bindview.com
– Rainforest Puppy at http://www.wiretrip.net/rfp
– Phrack at http://phrack.infonexus.com
– Security Focus at http://www.securityfocus.com. Get on the NTBugTraq mailing list here.
– BlackHat at http://www.blackhat.com/
– Nomad Mobile Research Centre at http://www.nmrc.org/
– Secure I Team at http://www.secureiteam.com

Page 31: Hacking Exposed


Know Your Enemy

• Events

– RSA Conference http://www.rsaconference.com
– BlackHat http://www.blackhat.com
– DefCon http://www.defcon.org (The Largest Hacking Convention, bring your own 802.11b wireless network card!)

Page 32: Hacking Exposed


References

• Hacking Exposed 4th Edition

• Hacking Windows 2000 Exposed

• Special Ops

• Microsoft Solution for Securing Windows 2000 Server – http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp

• NSA Security Guidelines – http://nsa1.www.conxion.com/