Transcript 1.6 The Hacking Cycle

Internet Security 1 (IntSi1)
1.6 The Hacking Cycle
Prof. Dr. Peter Heinzmann
Prof. Dr. Andreas Steffen
Institute for Internet Technologies and Applications (ITA)
ITA, 26.09.20011 1.6-HackingCycle.pptx 1
The Hacking Cycle
Patch
available
Risk
Vulnerability
widely known
Vulnerabilitiy fixed
(Patch installed)
Vulnerability
detected
Vulnerability
not known
Vulnerability
announced
React fast to reduce
time of high risk
Time
days ...
months
days …
weeks
ITA, 26.09.20011 1.6-HackingCycle.pptx 2
Footprinting (gather target information)
 names, addresses, system types, ...
Fingerprinting (identify topologies & systems)
passive
Sniffing (collect network traffic)
Enumeration (collect access information)
passive
or
active
Scanning (detect systems and services)
active
 network layout, operating systems, services
 addresses, names, information (passwords, ...)
 list of user accounts, share names, …

response from network stack, applications, ...
Gain Access (use passwords, vulnerabilities)
 access to accounts, resources, ...
Escalate privileges (pilfering, vulnerab.)
 admin, root access, ...
Create Backdoors (install programs)
 batch jobs, remote control, services, sniffers, ...
Cover Tracks (clear logs, hide tools)
 read,
 write,
 make unavailable
Information Gathering
Anatomy of a Hack - Details
 no traces (root kits)
ITA, 26.09.20011 1.6-HackingCycle.pptx 4
Internet Security 1 (IntSec1)
1.7 Information Gathering
ITA, 26.09.20011 1.6-HackingCycle.pptx 5
Footprinting
•
Identify locations, domain names, IP address ranges, e-mail
addresses, dial-in phone numbers, systems used, administrator
names, network topology.
•
•
•
Using public information.
Without network connection to the target.
Without physical connection to the target.
ITA, 26.09.20011 1.6-HackingCycle.pptx 6
Information Search
•
General search engines (Google, Yahoo, …)
•
•
•
•
•
•
•
“Who is” service
• Web search
• Blogs, news feeds
Domain Name service (nslookup)
Vulnerability Data Bases
Special “Hacker Sites”
Social Media (Facebook, Google+, LinkedIn, Xing, …)
Chats and Fora
Instant Messaging sessions
ITA, 26.09.20011 1.6-HackingCycle.pptx 7
Social Engineering
•
Describes a non-technical kind of intrusion that relies heavily
on human interaction and often involves tricking other people
to break normal security procedures.
•
•
Probably the most powerful tool
See Kevin D. Mitnick’s book
“The Art of Deception: Controlling the
Human Element of Security”
John Wiley & Sons, October 2002
ITA, 26.09.20011 1.6-HackingCycle.pptx 8
Fingerprinting (Scanning)
•
Network Topology
• Identify network topology with network connection or (physical)
•
•
•
Operating System
• Identify operating system (type, version, patch level) with network
•
•
•
access to the target.
Methods: ping, traceroute (tracert on Windows systems)
Tools: fping, nmap, SuperScan
connection or (physical) access to the target.
Methods: banners, TCP/IP stack fingerprinting, SNMP
Tools: nmap, queso
Services
• Identify services (active hosts and ports) with network connection
•
or (physical access to the target).
Tools: netcat, nmap, LanGuard, SuperScan
ITA, 26.09.20011 1.6-HackingCycle.pptx 9
Banner
> ftp ftp.netscape.com
Trying 207.200.74.26 ...
Connected to ftp.netscape.com.
Escape character is '^]'.
220 ftp29 FTP server (UNIX(r) System V Release 4.0) ready.
SYST
215 UNIX Type: L8 Version: SUNOS
> telnet hpux.u-aizu.ac.jp
Trying 163.143.103.12 ...
Connected to hpux.u-aizu.ac.jp.
Escape character is '^]'.
HP-UX hpux B.10.01 A 9000/715 (ttyp2)
login:
ITA, 26.09.20011 1.6-HackingCycle.pptx 10
TCP/IP-Stack Fingerprinting
•
•
OS use different default parameters
•
•
•
•
•
Initial TTL value, sequence number, window size
ACK value may be SEQ or SEQ+1
“Don’t fragement bit” set
Type of Service
Window size
OS respond specifically to certain probes
• Target should not respond to a FIN probe – Win NT responds with
•
•
FIN/ACK
handling of overlapping IP fragments
ICMP response
•…
ITA, 26.09.20011 1.6-HackingCycle.pptx 11
Rootkits
•
Goal: get root privileges and hide programs
• Hide intruder’s processes (pwdlogger.exe, backdoor.exe, etc…)
• Hide registry keys responsible for starting intruder’s tools after system
•
•
reboot
Sometimes to hide some files (intruder’s tools)
Types
• User-mode
•
•
•
•
Function hooking or patching of commonly used APIs, for example, to
mask a running process or file that resides on a filesystem
Kernel-mode
Adds code or replaces portions of the core operating system, including
both the kernel and associated device drivers.
Bootkits
Hypervisor Level
Hardware/Firmware
ITA, 26.09.20011 1.6-HackingCycle.pptx 12
Internet Security 1 (IntSec1)
1.8 Integrated Tools
ITA, 26.09.20011 1.6-HackingCycle.pptx 13
Nmap Security Scanner
•
•
•
•
•
•
Probably most used
port scanner
Support for different
scanning techniques
Detects operating system
of remote hosts
Many configuration options
- timing
- scanned port range
- scan method
-…
Console tool
Various front ends
for easier handling
ITA, 26.09.20011 1.6-HackingCycle.pptx 14
Tenable Nessus Vulnerability Scanner
ITA, 26.09.20011 1.6-HackingCycle.pptx 15
GFI LanGuard Network Security Scanner
ITA, 26.09.20011 1.6-HackingCycle.pptx 16
Cain Password Recovery Tool
•
•
Cain available from http://www.oxid.it/cain.html
ARP poisoning, SSL/TLS man-in-the-middle attacks
ITA, 26.09.20011 1.6-HackingCycle.pptx 17
Cain – Password Cracking
•
•
Cain available from http://www.oxid.it/cain.html
ARP poisoning, SSL/TLS man-in-the-middle attacks
ITA, 26.09.20011 1.6-HackingCycle.pptx 18
Cain – MAC Address Scanner
ITA, 26.09.20011 1.6-HackingCycle.pptx 19
Cain – ARP Cache Poisoning
ITA, 26.09.20011 1.6-HackingCycle.pptx 20
Cain – Faked TLS Server Certificates
ITA, 26.09.20011 1.6-HackingCycle.pptx 21
Cain – Self-Signed ZKB Certificate
ITA, 26.09.20011 1.6-HackingCycle.pptx 22
Internet Security 1 (IntSec1)
1.9 Cybercrime Convention
ITA, 26.09.20011 1.6-HackingCycle.pptx 23
Cybercrime Convention des Europarats
•
Die “Budapest Convention on Cybercrime” aus dem Jahr 2001
tritt in der Schweiz am 1. Januar 2012 in Kraft.
•
Konsequenzen
• Hacken wird auch dann bestraft, wenn es ohne nachgewiesene
Bereicherungsabsicht erfolgt ist. Das alleinige Eindringen in ein
System kann also bestraft werden.
• Neu macht sich strafbar, wer Passwörter oder ähnliche Daten im
Wissen zugänglich macht, dass diese für das illegale Eindringen
in ein Computersystem verwendet werden sollen.
• Verboten ist auch die Herstellung und Verbreitung von technischen
Mitteln zur Begehung von Computerdelikten (insbesondere
Hackersoftware).
•
Verschärfung des bestehenden Strafrechts!
ITA, 26.09.20011 1.6-HackingCycle.pptx 24