Capture the flag, hacker tools

Hacker Tools, Techniques and Forensics
Tim Schultz

Purpose

"Know your enemy and know yourself; in a hundred battles, you will never be defeated."
Sun Tzu, The Art of War

Understand attacker methods
Detect those methods
Defend against the attacks

Caveats

Tools demonstrated may contain distasteful language!!! If you feel you may be offended, please feel free to leave.
Be careful when using these tools
  None of the tools demonstrated are recommended nor endorsed for usage
  Tools should always be suspect (did you write them? Do you know everything they do?)
  Always get permission before running any tools on the production network!!!!
  If you doubt how easy it is to get into hot water, read http://www.lightlink.com/spacenka/fors/

Attacker Methodology

Reconnaissance
Scanning
Exploitation
Retaining Access
Covering Tracks

Reconnaissance

Online Sources
  Whois, DNS, web site searches, Google, public databases, web-based recon tools
Public Sources
  News articles, magazines, business partner press releases

Reconnaissance Forensics

Very hard to detect if you've been a target
Some things to look for...
  Look for DNS zone transfers
  Web spider activity
  Web site dumps

Scanning: aka "Finding the Door"

Numerous techniques
  Wardialing, wardriving, port scanning, firewalking, vulnerability scanning, OS fingerprinting, network mapping, web/cgi scanning, Windows null sessions
Numerous tools
  THC-Scan, NetStumbler, nmap, firewalk, nessus, cheops, fragrouter, enum

TCP/IP Port Scanning

TCP/IP Communication Basics
  UDP vs TCP
  ICMP (ping)
  IP addresses
  Ports

TCP/IP Port Scanning

TCP/IP Communication Basics
  TCP three-way handshake
    Alice sends a "syn" to Bob to request a connection
    Bob returns a "syn-ack" to Alice saying "sure, here's my info"
    Alice returns a final "ack" saying "here's my info, let's go!"

Nmap Demo

Scanning: Protection & Detection

Turn off unnecessary services and software
Install a firewall to control network connections
Analyze logs for pesky connection attempts (questionable ports, half-open connections)
Set up and review honeypots for activity
Intrusion detection systems can analyze network traffic for unusual patterns (packet fragments, TTL shenanigans, etc.)
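Half-open connections, a "syn" answered by "syn-ack" but never followed by the client's final "ack" from the handshake above, are what the log analysis bullet is looking for. The following is an added example, not part of the original talk; it runs over a constructed packet log and assumes the (time, src, dst, service_port, flags) record layout described in its docstring.

```python
"""Spot SYN-scan style half-open connections in TCP handshake records.

Added example, not from the original slides. PACKETS is a hand-constructed
stand-in for a firewall or IDS packet log; each record is (time, src, dst,
service_port, flags), flags S, SA, A or R in the order the slides describe.
"""
from collections import defaultdict

# Constructed: 10.0.0.5 completes one normal handshake to port 80.
NORMAL = [
    (1.00, "10.0.0.5", "10.0.0.1", 80, "S"),
    (1.01, "10.0.0.1", "10.0.0.5", 80, "SA"),
    (1.02, "10.0.0.5", "10.0.0.1", 80, "A"),
]
# Constructed: 10.0.0.9 sends a SYN to ports 20-30 and never sends the final
# ACK; the server answers SA on port 22 (left half-open) and R on port 23.
PROBES = [(2 + i / 100, "10.0.0.9", "10.0.0.1", p, "S")
          for i, p in enumerate(range(20, 31))]
REPLIES = [(2.20, "10.0.0.1", "10.0.0.9", 22, "SA"),
           (2.21, "10.0.0.1", "10.0.0.9", 23, "R")]
PACKETS = NORMAL + PROBES + REPLIES

def handshake_states(packets):
    """Map (client, server, port) to SYN_SENT, HALF_OPEN, ESTABLISHED or REFUSED."""
    states = {}
    for _time, src, dst, port, flags in packets:
        if flags == "S":                     # client opens: SYN
            states.setdefault((src, dst, port), "SYN_SENT")
        elif flags == "SA":                  # server answers: SYN-ACK
            key = (dst, src, port)
            if states.get(key) == "SYN_SENT":
                states[key] = "HALF_OPEN"
        elif flags == "A":                   # client completes: ACK
            key = (src, dst, port)
            if states.get(key) == "HALF_OPEN":
                states[key] = "ESTABLISHED"
        elif flags == "R":                   # server resets a closed port
            key = (dst, src, port)
            if key in states:
                states[key] = "REFUSED"
    return states

def suspected_scanners(packets, min_ports=5):
    """Clients with at least min_ports distinct unfinished handshakes to one server."""
    unfinished = defaultdict(set)
    for (client, server, port), state in handshake_states(packets).items():
        if state != "ESTABLISHED":
            unfinished[(client, server)].add(port)
    return sorted({client for (client, _server), ports in unfinished.items()
                   if len(ports) >= min_ports})
```

The min_ports threshold is the knob to tune against your own baseline; a client that opens and abandons a handful of connections is normal, a client that leaves dozens unfinished on one host is not.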

Exploitation: aka "Opening the Door"

Network Exploitation
  IP address spoofing, sniffing, session hijacking, DNS poisoning, ARP cache poisoning
System Exploitation
  Buffer overflows, format string attacks, application level attacks, password grinding & cracking

System Exploitation: Buffer Overflows

What is a Buffer Overflow?
  Based on the principle of putting 20 pounds of mud in a 10 pound sack... the mud has to go somewhere!
  Gives the program more data than the programmers planned for via an unchecked input.
  If you put executable code into the unchecked input of a program, you can try to execute that code.

System Exploitation: Buffer Overflows

How can I do a Buffer Overflow?
  Use one already discovered, for which exploit code has already been written.
  Discover one for yourself by cramming input into applications.
  Thousands of exploits, hundreds of payloads... can be a chore!!
  Or......

System Exploitation: Buffer Overflows

Metasploit
  Originally released October 2003
  Ruby-based plug-in architecture (original versions written in Perl)
  Stitches together exploits, payloads and targeting information into a seamless package

Exploitation Demo: Metasploit

System Exploitation: Application Layer Attacks

Unchecked input can produce other unexpected results
  Web servers can be exploited by manipulation of the URL string
  Microsoft realized that if you put "../.." into a URL string, you could do "directory traversal", which allows you to move anywhere in the file system. They fixed it.
  But......

Exploitation Demo: IIS Unicode Exploit
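The traversal behind the IIS Unicode demo gets through when a server decodes the URL leniently and only checks for ".." before decoding. This added example (not from the talk and not IIS code) shows the defensive canonicalization a web server or reverse proxy should apply; the paths in REQUESTS are constructed, and %c0%af is the overlong UTF-8 form of '/' that lenient decoders of that era accepted.

```python
"""Canonicalize a request path before it is mapped onto the file system.

Added example, not from the original slides or from IIS. It applies the two
checks whose absence the slides describe: decode the URL strictly, so an
overlong UTF-8 sequence is rejected instead of being mapped to '/', then
resolve '.' and '..' and refuse any path that climbs above the web root.
"""
from urllib.parse import unquote_to_bytes

def canonical_path(url_path):
    """Return the resolved path under the web root, or None if it must be refused."""
    try:
        # Python's UTF-8 codec is strict: overlong forms such as %c0%af raise here
        decoded = unquote_to_bytes(url_path).decode("utf-8")
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded:                    # NUL would truncate a C-string path
        return None
    decoded = decoded.replace("\\", "/")     # Windows accepts either separator
    resolved = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not resolved:                 # would climb above the web root
                return None
            resolved.pop()
        else:
            resolved.append(segment)
    return "/" + "/".join(resolved)

# Constructed requests mapped to the result expected from canonical_path()
REQUESTS = {
    "/images/./logo.gif": "/images/logo.gif",        # ordinary request
    "/scripts/../../config.ini": None,               # plain '..' above the root
    "/scripts/..%5c..%5cconfig.ini": None,           # percent-encoded backslashes
    "/scripts/..%c0%af..%c0%afconfig.ini": None,     # overlong UTF-8 for '/'
}

if __name__ == "__main__":
    for request, expected in REQUESTS.items():
        result = canonical_path(request)
        status = "ok" if result == expected else "MISMATCH"
        print(f"{request:45} -> {result!r} ({status})")
```

Decode first, then resolve, then compare against the root: doing the ".." check on the still-encoded string is exactly the ordering that let encoded separators slip past.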

Exploitation: Protection & Detection

Patch your system!!!
Remove unused accounts and services
Unusual system crashes
Unusual accounts
Unusual log entries
Know the processes that should be running on your systems
Unusual system activity

Retaining Access: aka "Installing Your Own Door"

Backdoor listeners
  Netcat, tini, miscellaneous trojan horses
Backdoor suites
  SubSeven, Back Orifice, VNC
Rootkits
  User-mode, kernel-mode
  LRK, knark, adore, ...even NT rootkit

Backdoor Demo: SubSeven

Retaining Access: Detection and Forensics

Patch your systems!!!
Antivirus detects many of these
Unusual processes
Unusual files
Unusual configuration changes
  "promisc" mode on network interface
  Unusual scheduled tasks

Sleuthkit Forensics Demo

Covering Tracks: aka "Hiding Your Door"

Log files
  Syslog files, service logs, shell history, accounting logs, Windows security log
Hiding data
  Unusual file names and directories, Windows alternate data streams, cryptography, steganography, "Hydan"
Hiding communications
  Tunneled protocols, sniffing backdoors

Covering Tracks Forensics

Gaps in logs
Corrupt or missing logs
Windows only: scan for files in alternate data streams
Unusual processes and configurations
Analyze network traffic for inappropriate content within the protocol
Unusual changes to files... especially images and executables
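Gaps in logs are easier to find with a small script than by eye. This added example (not part of the talk) runs over a constructed syslog-style sample with ISO 8601 timestamps; the five-minute heartbeat interval is an assumption about the log source and is the parameter to adjust for a real one.

```python
"""Find gaps and backward time steps in a time-ordered log.

Added example, not from the original slides. LOG is a constructed syslog-style
sample whose lines start with an ISO 8601 timestamp; the assumed source emits a
heartbeat line every five minutes, so a longer silence or a timestamp that runs
backwards marks a place where entries may have been deleted or edited.
"""
from datetime import datetime, timedelta

LOG = """\
2024-03-01T02:00:00 host1 monitor[311]: heartbeat ok
2024-03-01T02:05:00 host1 sshd[902]: Accepted publickey for ops from 10.0.0.5
2024-03-01T02:10:00 host1 monitor[311]: heartbeat ok
2024-03-01T03:40:00 host1 monitor[311]: heartbeat ok
2024-03-01T03:35:00 host1 sshd[951]: session closed for user ops
2024-03-01T03:45:00 host1 monitor[311]: heartbeat ok
"""

def parse_entries(log_text):
    """Return (timestamp, line) pairs for every non-empty line, in file order."""
    entries = []
    for line in log_text.splitlines():
        if line.strip():
            stamp, _, _rest = line.partition(" ")
            entries.append((datetime.fromisoformat(stamp), line))
    return entries

def find_gaps(entries, expected=timedelta(minutes=5), slack=2.0):
    """Return (start, end, duration) for each silence longer than slack * expected."""
    gaps = []
    for (t0, _), (t1, _) in zip(entries, entries[1:]):
        if t1 - t0 > expected * slack:
            gaps.append((t0, t1, t1 - t0))
    return gaps

def find_backward_steps(entries):
    """Return (previous, current) timestamps where file order and time disagree."""
    return [(t0, t1) for (t0, _), (t1, _) in zip(entries, entries[1:]) if t1 < t0]

if __name__ == "__main__":
    parsed = parse_entries(LOG)
    for start, end, span in find_gaps(parsed):
        print(f"gap of {span} between {start} and {end}")
    for prev, cur in find_backward_steps(parsed):
        print(f"time runs backwards: {prev} then {cur}")
```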

Questions?