
Network Attacks

6-Oct-2009

What's threatening us?

Lots and lots of these:
- Network attacks
- Worms, viruses, trojans

So few of these...
- Mitigation techniques

2

What types of network attacks are there?

- Reconnaissance attacks
- Access attacks
- Denial-of-service attacks

3

Reconnaissance attacks

- First of all: find what to attack
  - Get as much information as possible on your target
  - Even public information can be useful
- Purpose: identifying weaknesses
- Similar to a thief surveying a neighborhood for vulnerable homes to break into or cars to steal

4

Reconnaissance attacks – hosts and ports

- Usual steps:
  - Perform a ping sweep to determine the active hosts in a network
  - Scan the active hosts for open ports to determine what services are running
  - Open ports often reveal the service's version and the operating system (banners, stack fingerprinting)
  - Vulnerable services can then be exploited
- Port scanners: nmap; nessus (a vulnerability scanner that builds on port scanning)

5

Nmap example 1 – ping sweep

dhcp-132:~ andrei$ sudo nmap -sP 141.85.37.0/24
Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-09 18:12 EEST
Host csr.cs.pub.ro (141.85.37.1) is up (0.00040s latency).
MAC Address: 00:09:6B:89:06:67 (IBM)
Host ns.catc.ro (141.85.37.2) is up (0.00097s latency).
MAC Address: 00:17:31:49:3A:E4 (Asustek Computer)
Host prof.cs.pub.ro (141.85.37.3) is up (0.00043s latency).
MAC Address: 00:09:6B:89:05:24 (IBM)
Host turing.cs.pub.ro (141.85.37.7) is up (0.00089s latency).
MAC Address: 00:50:56:9A:33:46 (VMWare)
Host ns.cs.pub.ro (141.85.37.8) is up (0.00028s latency).
MAC Address: 00:09:6B:89:06:67 (IBM)
Host ef001.cs.pub.ro (141.85.37.9) is up (0.00088s latency).
MAC Address: 00:15:5D:25:14:00 (Microsoft)
Host dnscache.cs.pub.ro (141.85.37.11) is up (0.00047s latency).
MAC Address: 00:09:6B:89:06:67 (IBM)
Host xeno.cs.pub.ro (141.85.37.12) is up (0.00088s latency).
MAC Address: 00:50:56:9A:51:6D (VMWare)
Host nix.cs.pub.ro (141.85.37.13) is up (0.00088s latency).
MAC Address: 00:EE:B1:03:0A:DE (Unknown)
Host neuron.cs.pub.ro (141.85.37.14) is up (0.00085s latency).
MAC Address: 00:1C:C0:36:2B:51 (Intel Corporate)
Host sanctuary.cs.pub.ro (141.85.37.16) is up (0.0011s latency).
(the slide shows only the first part of the output)

Note the MAC addresses: the scan was run from the same Ethernet segment, where Nmap discovers hosts with ARP requests rather than ICMP echo, so hosts that filter ICMP are still found. From a remote network only IP-level probes are possible. In current Nmap releases the ping-sweep option -sP is spelled -sn.

6

Nmap example 2 – SYN scan with OS detection

dhcp-132:~ andrei$ sudo nmap -sS -O 141.85.37.132
Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-09 18:21 EEST
Interesting ports on dhcp-132.cs.pub.ro (141.85.37.132):
Not shown: 996 closed ports
PORT     STATE SERVICE
88/tcp   open  kerberos-sec
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3323/tcp open  unknown
Device type: general purpose
Running: Apple Mac OS X 10.5.X
OS details: Apple Mac OS X 10.5 - 10.5.6 (Leopard) (Darwin 9.0.0 - 9.6.0)

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.16 seconds

The PORT/STATE/SERVICE table is the open-ports listing; the "Device type", "Running" and "OS details" lines are the OS identification produced by TCP/IP stack fingerprinting (-O). SERVICE is only the name registered for that port number in nmap-services, not a detected service; add -sV to actually probe the listeners.

7

How to avoid port scanning?

- Theoretically, you cannot
  - All open ports will be detected
  - How can you hide them, then?
- Answer: port knocking
  - By default, the desired port is closed (filtered by the firewall)
  - A daemon listens for a specific sequence of SYN packets sent to closed ports
  - If the sequence is correct, the desired port is opened for that source and the "knocker" is allowed to connect and send data
  - Of course, the client has to know the "knock" sequence
  - Caveat: a static knock sequence is a shared secret sent in the clear, so anyone sniffing the path can replay it. Knocking hides the service from scanners; it does not replace authentication on the service itself.

8

Port knocking phases (1)

A) The client cannot connect to the application. The client cannot establish a connection to any port.

B) The client attempts connection to a number of ports in a predefined sequence. The client receives no ACKs.

9

Port knocking phases (2)

C) The PK daemon interprets the attempts and carries out a task. For example, it opens a specific port (n).

D) The client can now connect to port n.

10
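
Added example (my code, not from the slides): a simulated port-knocking daemon that tracks the knock sequence per source and "opens" the protected port only after the whole sequence arrived in order and within a time window. The sequence 7000/8000/9000, the 5-second window and port 22 are illustrative assumptions. The sequential_scan helper shows why an ordinary port scan does not stumble into the sequence.

```python
from dataclasses import dataclass


@dataclass
class _Progress:
    index: int = 0          # knocks of the sequence this source has sent, in order
    last_seen: float = 0.0  # timestamp of the last SYN seen from this source


class KnockDaemon:
    """Simulated port-knocking daemon.

    Feed it (timestamp, source_ip, destination_port) for each SYN that hit a
    closed port, the same signal a real daemon extracts from firewall logs or
    a pcap. Sequence, window and protected port are illustrative choices for
    this example, not values from the slides.
    """

    def __init__(self, sequence, protected_port, window=10.0):
        self.sequence = list(sequence)
        self.protected_port = protected_port
        self.window = window          # max seconds allowed between two knocks
        self._progress = {}           # source_ip -> _Progress
        self.allowed = set()          # sources for which the port is "open"

    def syn(self, ts, src, dport):
        """Record one SYN to a closed port. Returns True when src completed the sequence."""
        st = self._progress.setdefault(src, _Progress())
        # Knocks must arrive close together; a stale partial sequence is discarded.
        if st.index and ts - st.last_seen > self.window:
            st.index = 0
        if dport == self.sequence[st.index]:
            st.index += 1
        else:
            # Any wrong port resets progress. A sequential scan therefore never
            # gets in: after sequence[0] it sends sequence[0] + 1, not the next
            # knock (unless the sequence itself is consecutive, so don't do that).
            st.index = 1 if dport == self.sequence[0] else 0
        st.last_seen = ts
        if st.index == len(self.sequence):
            self.allowed.add(src)
            st.index = 0
            return True
        return False

    def connect(self, src, dport):
        """The protected port accepts a connection only from sources that knocked."""
        return dport == self.protected_port and src in self.allowed


def sequential_scan(daemon, src, start=1, stop=10000):
    """What a scanner does: one SYN per port, in order. Returns whether it got in."""
    for port in range(start, stop):
        daemon.syn(float(port), src, port)
    return daemon.connect(src, daemon.protected_port)


if __name__ == "__main__":
    d = KnockDaemon([7000, 8000, 9000], protected_port=22, window=5.0)
    for t, port in ((1.0, 7000), (2.0, 8000), (3.0, 9000)):
        d.syn(t, "10.0.0.5", port)
    print("knocker allowed:", d.connect("10.0.0.5", 22))   # True
    print("scanner allowed:", sequential_scan(d, "10.0.0.9"))  # False
```

A real daemon would add the firewall rule for that source only and remove it again after a timeout; the class above keeps the "open" state in a set so the logic is visible. The reset on a wrong port is what defeats scanners, and the window is what stops a patient attacker from assembling the sequence from knocks observed hours apart.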

Reconnaissance attacks – packet sniffing

- Sniffing random traffic can also provide useful information about the network and its services
- Promiscuous mode sniffing
  - The network card will process traffic that is normally dropped (frames not addressed to its own MAC)
  - The OS has to "agree" with this; not all OSes support it
- Listening:
  - Shared network (no switches): traffic between any two hosts is seen by all (shared segment, hubs)
  - Switched network: traffic is isolated at switch-port level; only broadcasts, multicasts and your own frames arrive, unless the switch is subverted (ARP spoofing, MAC flooding) or a mirror port is configured
- Packet sniffers: wireshark, tcpdump

11

Wireshark

- General-purpose protocol analyzer
- Displays the entire content of packets passing through the network adapter
- Identifies a great range of protocols, from the data link layer to the application layer
- Can follow streams of data based on TCP sequence numbers
- Can define filters and save results
- Can perform VoIP analysis
- Supports 802.11, PPP, ATM, Bluetooth, etc.
- Can decrypt IPsec, WEP and WPA(2) traffic when given the keys (it does not break the encryption)
- Multi-platform

12

Wireshark interface

[Screenshot of the Wireshark window: summary of captured packets (top pane), detailed tree view of encapsulated protocols (middle pane), hex/ASCII view of packets (bottom pane)]

13

Wireshark – DNS query example (Layer 2)

[Screenshot: packet summary; encapsulated protocols; Ethernet header with layer 2 source and destination addresses and the upper-protocol code (EtherType: IP)]

14

Wireshark – DNS query example (Layers 3 and 4)

[Screenshot: IP header with source and destination addresses; UDP header with source and destination ports]

15

Wireshark – DNS query example (Application)

[Screenshot: DNS header flags; one query in the question section]

16

Tcpdump short quiz (1)

- Enter the command for capturing 10 packets:

AndreiMac:~ andrei$ sudo tcpdump -i en1 -c 10
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
20:58:04.947521 IP 192.168.2.102.65193 > 64.236.76.160.http: FP 3351223874:3351224692(818) ack 3791731684 win 65535
20:58:05.048363 IP 192.168.2.102.64948 > cs111.msg.sp1.yahoo.com.mmcc: P 3808254532:3808254567(35) ack 1468375673 win 65535 <nop,nop,timestamp 1041121821 2502504253>
20:58:05.154875 IP 192.168.2.102.64397 > dnscache.cs.pub.ro.domain: 23404+ PTR? 160.76.236.64.in-addr.arpa. (44)
20:58:05.928980 IP dnscache.cs.pub.ro.domain > 192.168.2.102.64397: 23404 NXDomain 0/1/0 (110)
20:58:05.931073 IP 192.168.2.102.60327 > dnscache.cs.pub.ro.domain: 4591+ PTR? 16.217.180.68.in-addr.arpa. (44)
20:58:06.236795 IP dnscache.cs.pub.ro.domain > 192.168.2.102.60327: 4591 1/5/5 (251)
20:58:06.648490 arp who-has 192.168.2.112 tell 192.168.2.103
20:58:06.649205 arp who-has 192.168.2.113 tell 192.168.2.103
20:58:07.239861 IP 192.168.2.102.55585 > dnscache.cs.pub.ro.domain: 9323+ PTR? 112.2.168.192.in-addr.arpa. (44)
20:58:09.053072 IP 192.168.2.102.64948 > cs111.msg.sp1.yahoo.com.mmcc: P 0:35(35) ack 1 win 65535 <nop,nop,timestamp 1041121861 2502504253>
10 packets captured
20 packets received by filter
0 packets dropped by kernel

Look at the PTR? queries: without -n, tcpdump itself reverse-resolves every address it prints (64.236.76.160, 68.180.217.16 and the 192.168.2.112 from the ARP line), which slows the capture and injects DNS traffic of its own into it. Use -n when the capture must be quiet or when the resolver is part of what you are investigating. "capture size 96 bytes" is the default snapshot length of this tcpdump version: only the first 96 bytes of each frame are kept, enough for headers but not for payloads.

17

Tcpdump short quiz (2)

- Enter the command for capturing 10 HTTP requests:

AndreiMac:~ andrei$ sudo tcpdump -i en1 -c 10 dst port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on en1, link-type EN10MB (Ethernet), capture size 96 bytes
21:04:27.331834 IP 192.168.2.102.65285 > f36.ymdb.vip.sp2.yahoo.com.http: S 3835386219:3835386219(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp 1041125640 0,sackOK,eol>
21:04:27.541264 IP 192.168.2.102.65285 > f36.ymdb.vip.sp2.yahoo.com.http: . ack 346088808 win 65535 <nop,nop,timestamp 1041125642 3613110350>
21:04:27.541458 IP 192.168.2.102.65285 > f36.ymdb.vip.sp2.yahoo.com.http: P 0:184(184) ack 1 win 65535 <nop,nop,timestamp 1041125642 3613110350>
21:04:27.796773 IP 192.168.2.102.65250 > 65.55.12.249.http: P 4197506267:4197507391(1124) ack 211762492 win 65535
21:04:27.860367 IP 192.168.2.102.65285 > f36.ymdb.vip.sp2.yahoo.com.http: . ack 2897 win 65535 <nop,nop,timestamp 1041125645 3613110562>
21:04:28.076775 IP 192.168.2.102.65285 > f36.ymdb.vip.sp2.yahoo.com.http: . ack 5793 win 65522 <nop,nop,timestamp 1041125648 3613110879>
21:04:28.232615 IP 192.168.2.102.65250 > 65.55.12.249.http: . ack 4381 win 65535
21:04:28.236517 IP 192.168.2.102.65250 > 65.55.12.249.http: . ack 7301 win 65535
21:04:28.244273 IP 192.168.2.102.65250 > 65.55.12.249.http: . ack 10221 win 65535
21:04:28.260835 IP 192.168.2.102.65285 > f36.ymdb.vip.sp2.yahoo.com.http: . ack 7241 win 65535 <nop,nop,timestamp 1041125649 3613110879>

"dst port 80" matches every packet sent towards a web server, including the SYN and the bare ACKs of the handshake and of the download; only the two "P" (PSH) segments carrying 184 and 1124 bytes actually contain request data. To see the request text itself, capture full packets (-s 0) and print the payload (-A).

18

Tcpdump short quiz (3) – Boss

- Enter the command for capturing to a file all the packets that are not intended for web servers, with numerical address format:

$ tcpdump -ni eth0 -w file.cap not dst port 80

- Enter the command for displaying the captured file:

$ tcpdump -nr file.cap

Add "and not dst port 443" if HTTPS counts as web traffic too. -w stores raw packets, so address resolution only happens when they are printed; -n therefore belongs on the reading command as well, or the replay will trigger the same DNS lookups seen in quiz (1).

19

Reconnaissance attacks – who is running what?

- To sum up: who is providing the information?
  - Ping sweeps determine which hosts are "alive"
  - Port scanning determines which services are running
  - Well-known services run on well-known ports (TCP and UDP)
  - Connecting to an open port with telnet (or netcat) will most likely return a banner informing you of the service running on that port

AndreiMac:~ andrei$ telnet cs.pub.ro 22
Trying 141.85.37.5...
Connected to cs.pub.ro.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 Debian-5

There's your version (and the distribution: "Debian-5" is the Debian package revision).

20

The version issue

- Hiding the service's version is NOT REALLY helpful...
  - Attackers usually try all the exploits they have
  - If your version has a vulnerability, it's still there
- Not all services allow you to modify the banner
  - OpenSSH doesn't allow it by default (clients use the version string for compatibility decisions)
  - You need to edit and recompile the sources or...
  - ... use a commercial version
- Some services allow it and it's quite simple
  - For example, vsftpd's configuration file:

ftpd_banner=....

- Banner hiding is obscurity; patching is the fix. A scanner that matches on version strings may skip you, but any tool that probes the vulnerability itself will not.

21
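
Added example (not from the slides): banner grabbing as a script instead of by hand, with a parser for the SSH identification string. So that it runs offline, a loopback server plays the role of cs.pub.ro:22 and returns the banner from the slide; the names grab_banner, parse_ssh_banner and serve_banner_once are mine.

```python
import socket
import threading

# Banner shown in the slide's telnet session, served by the local stand-in below.
FAKE_BANNER = b"SSH-2.0-OpenSSH_5.1p1 Debian-5\r\n"


def grab_banner(host, port, timeout=3.0, probe=b""):
    """Connect, optionally send a probe, and return the first line the service
    volunteers. SSH, SMTP and FTP speak first; HTTP does not, so pass e.g.
    probe=b"HEAD / HTTP/1.0\\r\\n\\r\\n" for those. A silent service yields ""
    rather than an exception, so "no banner" stays distinct from "unreachable".
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(256)
        except socket.timeout:
            return ""
    return data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")


def parse_ssh_banner(banner):
    """Split an SSH identification string (RFC 4253 section 4.2:
    SSH-protoversion-softwareversion SP comments) into its parts, or None."""
    if not banner.startswith("SSH-"):
        return None
    ident, _, comment = banner.partition(" ")
    parts = ident.split("-", 2)
    if len(parts) != 3:
        return None
    return {"protocol": parts[1], "software": parts[2], "comment": comment}


def serve_banner_once(banner, port=0):
    """Constructed stand-in for cs.pub.ro:22 so the example runs offline: a
    loopback listener that sends `banner` to exactly one client and exits.
    Returns the port it bound (0 = let the OS pick)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = serve_banner_once(FAKE_BANNER)
    banner = grab_banner("127.0.0.1", port)
    print(banner)                  # SSH-2.0-OpenSSH_5.1p1 Debian-5
    print(parse_ssh_banner(banner))
```

Against a real host, replace the loopback port with 22 and the address with the target; the timeout matters, because a port that is open but silent (or a tarpit) would otherwise hang the scan.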

Reconnaissance attacks – "whois" information

- Internet information queries: whois cisco.com

Registrant:
Cisco Technology, Inc.
170 W. Tasman Drive
San Jose, CA 95134
US

Domain Name: CISCO.COM

Administrative Contact:
InfoSec [email protected]
170 West Tasman Drive
San Jose, CA 95134
US
408-527-3842 fax: 408-526-4575

Technical Contact:
Network Services [email protected]
170 W. Tasman Drive
San Jose, CA 95134
US
408-527-9223 fax: 408-526-7373

Record expires on 15-May-2010.
Record created on 14-May-1987.
Database last updated on 9-Oct-2009 00:57:18 EDT.

Domain servers in listed order:
NS1.CISCO.COM 128.107.241.185
NS2.CISCO.COM 64.102.255.44

22

Reconnaissance attacks – DNS information

- Listing mail servers

AndreiMac:~ andrei$ host -t MX cisco.com
cisco.com mail is handled by 25 syd-inbound-a.cisco.com.
cisco.com mail is handled by 10 sj-inbound-a.cisco.com.
cisco.com mail is handled by 10 sj-inbound-b.cisco.com.
cisco.com mail is handled by 10 sj-inbound-c.cisco.com.
cisco.com mail is handled by 10 sj-inbound-d.cisco.com.
cisco.com mail is handled by 10 sj-inbound-e.cisco.com.
cisco.com mail is handled by 10 sj-inbound-f.cisco.com.
cisco.com mail is handled by 15 rtp-mx-01.cisco.com.
cisco.com mail is handled by 20 ams-inbound-a.cisco.com.

- Listing name servers

AndreiMac:~ andrei$ host -t NS cs.pub.ro
cs.pub.ro name server ns.cs.pub.ro.
cs.pub.ro name server pub.pub.ro.

The number before each MX host is its preference; lower is tried first, so the sj-inbound-* hosts (10) are the primary inbound relays and syd-inbound-a (25) the last fallback. A zone transfer (host -l, or dig AXFR) would list every record of the zone at once, which is why name servers should refuse AXFR from arbitrary clients.

23

Access attacks

- Exploit known vulnerabilities
- Target services that (normally) do not offer access to everyone
- This is where password breaking comes into play
- Purpose: to gain access to servers, accounts and confidential data
  - basically: to steal or destroy stuff
- What do you think is the motivation behind:
  - Information theft
  - Destruction of information

24

Types of access attacks

- Password attack – dictionary or brute-force
- Trust exploitation – unauthorized use of privileges, abusing a trust relationship one system has with another
- Port redirection – a compromised system used to attack other targets
  - Must have an intrusion tool installed on the system: a relay that forwards the attacker's connections, so that they appear to originate from the trusted host
- Man-in-the-middle attack
  - The attacker intercepts all communications between peers
  - Purpose: to read traffic and/or to alter it
- Buffer overflow
  - Sending data to a program beyond its allocated buffer
  - Adjacent data (return addresses, pointers) gets overwritten, which lets the attacker redirect execution to code of their choosing

25

Detecting access attacks

- Logs – look for failed logins and repeated attempts
  - Do not allow unlimited failed login attempts => brute-force
- Unusually high network traffic: possible MiTM attack
  - MiTM attacks relay (and may duplicate) data, so the attacker's position shows up as extra traffic and as ARP or DNS anomalies
- High CPU load, program crashes
  - Possible buffer overflow: a failed exploit attempt typically crashes the target process, so crash logs and core dumps are worth monitoring

26
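
Added example (not from the slides): the first detection point above, failed logins, turned into code. brute_force_sources reads OpenSSH "Failed password" lines as they appear in auth.log and reports sources that exceed a threshold inside a sliding window; LockoutPolicy is the server-side rule the second bullet asks for. The log excerpt is constructed, and the year in the timestamps is assumed (syslog omits it).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# "Failed password" line as OpenSSH logs it through syslog (auth.log / secure).
_FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def _ts(text, year=2009):
    # syslog timestamps carry no year; assume one (the deck's date) for the arithmetic
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")


def brute_force_sources(lines, threshold=5, window_s=60):
    """Return {ip: largest burst} for sources with >= threshold failed logins
    inside any window_s-second window. A sliding window rather than a plain
    total, so a slow trickle over a day is not reported the same as a burst."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        m = _FAILED.match(line)
        if not m:
            continue
        t, ip = _ts(m["ts"]), m["ip"]
        q = recent[ip]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(len(q), flagged.get(ip, 0))
    return flagged


class LockoutPolicy:
    """Server-side counterpart of "do not allow unlimited failed login
    attempts": after `threshold` failures a source is refused until `lock_s`
    seconds have passed. Keyed by source IP rather than by user name, so an
    attacker cannot lock legitimate users out simply by guessing their names."""

    def __init__(self, threshold=5, lock_s=900):
        self.threshold, self.lock_s = threshold, lock_s
        self._failures = defaultdict(int)
        self._locked_until = {}

    def allowed(self, ip, now):
        return now >= self._locked_until.get(ip, now)

    def record(self, ip, now, success):
        if success:
            self._failures.pop(ip, None)
            return
        self._failures[ip] += 1
        if self._failures[ip] >= self.threshold:
            self._locked_until[ip] = now + self.lock_s
            self._failures.pop(ip, None)


def sample_auth_log():
    """Constructed auth.log excerpt: a dictionary attack from 10.9.8.7, two
    harmless typos from 141.85.37.50 ninety minutes apart, and one success."""
    lines = ["Oct  6 20:00:00 csr sshd[2101]: Failed password for andrei from 141.85.37.50 port 50001 ssh2"]
    for i, user in enumerate(["root", "invalid user admin", "invalid user test",
                              "root", "invalid user oracle", "root"]):
        lines.append(f"Oct  6 21:00:{2 * i:02d} csr sshd[2234]: Failed password for {user} "
                     f"from 10.9.8.7 port {51234 + i} ssh2")
    lines.append("Oct  6 21:00:30 csr sshd[2240]: Accepted password for andrei from 141.85.37.50 port 50002 ssh2")
    lines.append("Oct  6 21:30:00 csr sshd[2300]: Failed password for andrei from 141.85.37.50 port 50003 ssh2")
    return lines


if __name__ == "__main__":
    print(brute_force_sources(sample_auth_log()))   # {'10.9.8.7': 6}
```

The "invalid user" variants matter: a dictionary attack cycles through account names that do not exist, and a regex that only matches existing users would miss most of it. Distributed attacks that spread a few attempts over many source addresses defeat per-IP thresholds; for those, count failures per target user and per time window across all sources.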

Mitigating access attacks

- The basics: sTr0ng! P4$$w0rdz!
- Strong authentication and encryption make sniffing much less effective
  - Example: one-time passwords (banking)
  - Vital business traffic should be encrypted
  - Network management traffic should be encrypted
- Switched networks isolate traffic
- Port scanning can be detected and stopped by an IPS
- Deactivating ICMP prevents ping sweeps
  - But it makes network troubleshooting more difficult
  - And it only stops ICMP-based sweeps: Nmap's host discovery also sends TCP SYN and ACK probes (and uses ARP on the local segment), so the hosts are found anyway
- Why should network management traffic be encrypted? (Telnet and SNMPv1/v2c carry passwords and community strings in clear text; whoever sniffs them controls the devices.)

27

Denial-of-service attacks

- Send many requests in a short timespan
- Purpose: to overwhelm the target application or computer and prevent it from processing normal requests
- DoS attacks can crash or slow down applications and processes
- DDoS = Distributed Denial of Service
  - Sends many requests from several sources at a time

28

DoS attacks

- DoS attacks rely on the fact that servers must maintain state information
  - That is, servers use memory for each request until it is completed
- Hard to avoid, because servers might not be able to differentiate between legitimate requests and flood requests
- Very simple to conduct; many tools available

29

Identifying DoS (and other attacks)

- Each network MUST have a benchmark (baseline) of:
  - Total bandwidth utilisation
  - Bandwidth usage per protocol
  - Protocols active in the network
  - Hardware load
    - For hosts
    - For network devices
  - All of the above measured for different times of the day
- These statistics can be used to detect anomalies
  - Anomalies can represent attacks

30
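
Added example (not from the slides): a per-hour-of-day baseline of the kind the slide asks for, with anomaly detection against it. The metric is generic (bandwidth in Mbps here, but packets/s or CPU load work the same); the week of samples is constructed, and k = 3 standard deviations with a 5% floor are my choices, not values from the deck.

```python
from collections import defaultdict
from statistics import mean, pstdev


class TrafficBaseline:
    """Per-hour-of-day baseline for one metric (bandwidth, packets/s, CPU load).

    Train on (hour, value) samples from normal operation; a new value is an
    anomaly when it exceeds that hour's mean by k standard deviations. The
    floor on sigma stops a perfectly flat baseline from alarming on a 1%
    wobble. k and the floor are illustrative choices, not values from the deck.
    """

    def __init__(self, k=3.0, min_sigma_ratio=0.05):
        self.k = k
        self.min_sigma_ratio = min_sigma_ratio
        self.stats = {}               # hour -> (mean, population stdev)

    def fit(self, samples):
        by_hour = defaultdict(list)
        for hour, value in samples:
            by_hour[hour].append(value)
        self.stats = {h: (mean(v), pstdev(v)) for h, v in by_hour.items()}
        return self

    def threshold(self, hour):
        mu, sigma = self.stats[hour]
        return mu + self.k * max(sigma, self.min_sigma_ratio * mu)

    def is_anomalous(self, hour, value):
        if hour not in self.stats:    # no baseline for this hour: treat as suspicious
            return True
        return value > self.threshold(hour)


def sample_week():
    """Constructed: seven days of hourly Mbps with a daytime hump and a little
    day-to-day jitter, standing in for a week of SNMP or NetFlow counters."""
    samples = []
    for day in range(7):
        for hour in range(24):
            base = 80 if 8 <= hour < 18 else 15
            samples.append((hour, base + 2 * (day % 3)))
    return samples


if __name__ == "__main__":
    b = TrafficBaseline().fit(sample_week())
    for hour, mbps in ((12, 85), (12, 150), (3, 60)):
        verdict = "ANOMALY" if b.is_anomalous(hour, mbps) else "ok"
        print(f"{hour:02d}:00 {mbps:4d} Mbps -> {verdict}")
```

The point of keying the baseline by hour is visible in the last two lines of the demo: 60 Mbps is unremarkable at noon and a clear anomaly at 03:00, which a single global average would miss. Keep one baseline per protocol as well, since a flood of one protocol can hide inside a normal total.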

DDoS

Handlers = "masters"
Zombies = "slaves"

- Handlers and zombies are compromised hosts
- Once started, much harder to stop than a DoS
  - Why is it harder? (There is no single source to block: the traffic arrives from many addresses, and the attacker is several hops removed from the machines doing the flooding.)

31

Types of DoS attacks (1)

- Ping of death (POD)
  - An ICMP echo request carried in an IP packet larger than 65535 bytes (the maximum the IP length field allows), sent as fragments that only exceed the limit once reassembled
  - Variant: ping fragments that fill the reassembly buffer
  - It used to crash basically everything: Unix, Linux, Windows, Mac, routers and printers, about 10 years ago (1996-1997)!
  - They've all been patched since

32

Types of DoS attacks (2)

- Smurf attack
  - A large number of ICMP echo requests ("smurfs") sent to a network's broadcast address
  - The ICMP packets must be spoofed: the source address is set to the victim's address, so every host on the broadcast network answers the victim instead of the attacker
  - Result:
    - All hosts reply with ICMP echo-reply packets
    - Large networks could cause hundreds of hosts to generate traffic: the attacker's bandwidth is amplified by the number of responding hosts

33

Types of DoS attacks (3)

- How to avoid smurf attacks?
  - Install a trap for the smurfs!!!
  - No, in fact it is much simpler than that
  - Routers must not allow directed broadcasts
- Just to get a hint:

Router(config-if)# no ip directed-broadcast

- And you're done. How simple is that?
  - On Cisco IOS this has been the default since release 12.0, but it is per interface, so check every one. Hosts can additionally ignore broadcast pings (on Linux: net.ipv4.icmp_echo_ignore_broadcasts=1).

34

TCP SYN Flood

- Sending a large number of TCP SYN packets
- Each packet is handled like a connection request
- The server sends back TCP SYN-ACK packets but never receives the final ACK that would complete the three-way handshake (the source addresses are usually spoofed)
- Result: many half-open TCP connections
  - The server's connection backlog becomes saturated
  - The server cannot respond to legitimate requests
- Solution: limit the number of half-open connections (shorter SYN-RECEIVED timeouts, a per-source limit) or, better, SYN cookies, which let the server send the SYN-ACK without storing any state until the ACK arrives

35
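
Added example (not from the slides) covering the reconnaissance patterns from the nmap examples and tcpdump quizzes above (ping sweep, SYN port scan) together with the SYN flood and smurf patterns from the DoS slides: a small analyzer over tcpdump -n text output that reports sources sweeping many hosts, sources probing many ports, targets with many half-open connections, and echo requests aimed at a directed-broadcast address. The line format follows the tcpdump output on the slides; the sample capture, the function names and all thresholds are constructed for this example.

```python
import re
from collections import defaultdict

# "ts IP src.sport > dst.dport: flags ..." as tcpdump 3.x/4.x prints with -n;
# hostnames (no -n) would not parse, one more reason to capture with -n.
_LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")


def _endpoint(ep):
    """'192.168.2.102.65285' -> ('192.168.2.102', 65285); ICMP endpoints have no port."""
    host, _, port = ep.rpartition(".")
    if host.count(".") == 3 and port.isdigit():
        return host, int(port)
    return ep, None


def parse(line):
    """One tcpdump line -> dict, or None for lines not modelled here (arp, IPv6, ...)."""
    m = _LINE.match(line)
    if not m:
        return None
    src, sport = _endpoint(m["src"])
    dst, dport = _endpoint(m["dst"])
    rest = m["rest"]
    if rest.startswith("ICMP "):
        proto, flags = "icmp", rest[5:].split(",")[0]      # e.g. "echo request"
    else:
        proto, flags = "tcp", rest.split()[0]              # "S", ".", "P", "FP", ...
    return {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "flags": flags, "ack": "ack" in rest.split()}


def analyze(lines, sweep_hosts=8, scan_ports=10, flood_half_open=50, broadcasts=()):
    """Flag the reconnaissance and DoS patterns from the slides. Thresholds are
    illustrative; tune them against the baseline of the network being watched."""
    echo_targets = defaultdict(set)   # src -> hosts it sent echo requests to
    syn_targets = defaultdict(set)    # src -> (host, port) pairs it sent bare SYNs to
    pending = {}                      # 4-tuple -> (dst, dport) for SYNs not yet ACKed
    smurf = defaultdict(int)          # broadcast address -> echo requests aimed at it
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        if p["proto"] == "icmp":
            if p["flags"] == "echo request":
                echo_targets[p["src"]].add(p["dst"])
                if p["dst"] in broadcasts:
                    smurf[p["dst"]] += 1
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S" and not p["ack"]:      # bare SYN: scan probe or handshake start
            syn_targets[p["src"]].add((p["dst"], p["dport"]))
            pending[key] = (p["dst"], p["dport"])
        elif p["ack"]:                               # client's ACK: handshake completed
            pending.pop(key, None)
    half_open = defaultdict(set)                     # (dst, dport) -> sources left half-open
    for (src, sport, _, _), target in pending.items():
        half_open[target].add((src, sport))
    return {
        "ping_sweep": sorted(s for s, h in echo_targets.items() if len(h) >= sweep_hosts),
        "port_scan": sorted(s for s, t in syn_targets.items()
                            if len({port for _, port in t}) >= scan_ports),
        "syn_flood": sorted(f"{h}:{p}" for (h, p), srcs in half_open.items()
                            if len(srcs) >= flood_half_open),
        "smurf": dict(smurf),
    }


def sample_capture():
    """Constructed lines in the slides' tcpdump output format (not a real capture)."""
    lines = []
    for i in range(1, 13):        # ping sweep: one host probing twelve neighbours
        lines.append(f"18:12:00.{i:06d} IP 141.85.37.100 > 141.85.37.{i}: "
                     f"ICMP echo request, id 1, seq {i}, length 64")
    for port in range(1, 21):     # SYN scan: twenty ports on one host, nothing completed
        lines.append(f"18:21:00.{port:06d} IP 141.85.37.100.{40000 + port} > 141.85.37.132.{port}: "
                     f"S 1:1(0) win 65535 <mss 1460>")
    lines += [                    # one legitimate connection: SYN, then the client's ACK
        "21:04:27.331834 IP 192.168.2.102.65285 > 64.236.76.160.80: S 3835386219:3835386219(0) win 65535 <mss 1460>",
        "21:04:27.541264 IP 192.168.2.102.65285 > 64.236.76.160.80: . ack 346088808 win 65535",
    ]
    for n in range(60):           # SYN flood: sixty spoofed sources, none ever ACKs
        lines.append(f"21:10:00.{n:06d} IP 10.0.{n}.7.1025 > 141.85.37.5.80: S {n}:{n}(0) win 512")
    for n in range(3):            # smurf: echo requests to the directed broadcast, source = victim
        lines.append(f"21:11:00.{n:06d} IP 198.51.100.9 > 141.85.37.255: ICMP echo request, id 7, seq {n}, length 64")
    return lines


if __name__ == "__main__":
    print(analyze(sample_capture(), broadcasts={"141.85.37.255"}))
```

Run it on real output with `tcpdump -nr file.cap | python3 analyzer.py` after swapping sample_capture() for sys.stdin. The half-open bookkeeping is exactly the state a SYN flood exhausts on the server, which is why the detector, unlike the server, keys it by target and counts distinct sources: one client retrying is not a flood, fifty never-completing sources are.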

Malicious Software

Viruses, worms, trojans and other species.

36

Viruses

- Malicious code attached to legitimate programs or executables
- Require user interaction with the infected file
- When activated, can spread to other files
- Infecting the operating system allows the virus to execute any code, with full administrative privileges
- Viruses spread by:
  - USB sticks
  - Infected downloaded files
  - Network shares
  - E-mail attachments

37

Virus mitigation techniques

- Updated antivirus software
- NAC implementation
  - NAC = Network Access Control
  - NAC: consider endpoint security prior to offering access
  - When a computer connects, it is completely isolated unless it complies with a set of standards:
    - Valid identity
    - Anti-virus system
    - System updates
    - Firewall
    - Other policies

38

Worms

- Worms have the ability to run and replicate by themselves
- Programmed to search for known vulnerabilities
- When found, they are exploited to allow the worm to propagate
- User interaction not required, unlike viruses

[Cartoon: "This worm requires interaction"]

39

Worm mitigation procedure

- Containment
  - Isolate infected parts of the network
  - Contain the worm's spread
- Inoculation
  - Patch all uninfected systems
  - Run a deep scan on uninfected systems
  - Mobile systems are the most likely to introduce worms into the network
- Quarantine
  - Isolate each infected station from the network
- Treatment
  - Patch infected systems, if possible
  - Reinstall completely otherwise
40

[Cartoon: "See? No worms!"]

Example: SQL Slammer worm (January 2003, exploiting the MS02-039 SQL Server resolution-service overflow, for which a patch had been available since July 2002)

41

Trojans

- Malicious code hidden behind a legitimate function or application
- Most do not have an immediate effect, but open backdoors
- Can be designed for specific targets
  - extremely hard to detect

[Diagram: the program executes normally; the trojan code runs in the background]

42

Types of trojans

- Remote access trojans
  - Open certain ports that provide remote access
- Data-sending trojans
  - Gather information from the computer and send it to a specific address
- Proxy trojans
  - Run a proxy server in the background
- Security trojans
  - Stop antivirus and firewall software
- Destructive trojans (rare)
  - Delete or corrup files and programs

43

Hackers

44

Beginnings

- "Phreakers"
  - Started in the 1960s
  - Subscribers exploited telephone company switches using tone generators ("blue boxes") to make long-distance calls
  - Later on, they managed to make their own phone numbers free to call
- "Wardialers"
  - Started in the 1980s, when dial-up modems were introduced
  - Users dialed random numbers in search of modems, then attempted to break the computer's password
  - The "ancestor" of today's ping sweep

45

History fact:

- 1972: John Draper, soon to be known as "Captain Crunch," discovers that the plastic whistle in a box of breakfast cereal reproduces a 2600-hertz tone. With a blue box, the whistle unlocks AT&T's phone network, allowing free calls and manipulation of the network.

[Picture: a "blue box" tone generator]

46

History fact:

- The first worm was created by... Xerox, in 1979.
  - Engineers created a short program that scanned the network for idle processors, intending to provide more efficient computer use.
  - The scanning and replication mechanism is now used by modern destructive worms.

47

The meaning of "hacker"

Positive                          Negative
• Network professional            • Gains unauthorized access
• User of sophisticated tools     • Targets sensitive data
• Internet programming skills     • Attempts to destroy data
• Security tester                 • Restricts network access
                                  • Slows or shuts down services

48

Hacker "flavors"

- White hat
  - Also known as "ethical hacker"
  - Breaks in for non-malicious reasons, i.e. for testing
  - Term for "security consultant"
- Black hat
  - Or "cracker": illegally breaks computer security
  - Steals or compromises data
- Grey hat
  - Middle ground between the above two
- Script kiddie
  - Has little understanding of security
  - Simply uses tools developed by other hackers
- Hacktivist
  - Hacks only to promote a message: ideological, political, etc.

49

Example: Sub7

- The "classic" script-kiddie tool for many years
- Client-server application
- Installs on the victim computer and provides access to:
  - File system
  - Hardware devices
  - Operating system
  - Keylogger
  - Screen capture

50

Example: Project Metasploit

- Project for identifying security vulnerabilities
- Sub-project: Metasploit Framework
  - Tool for developing and executing exploit code on target machines
  - Contains a database of several hundred known exploits for all common operating systems
- Useful for:
  - Penetration testing
  - IDS signature development
  - Exploit research

51

Example: Metasploit
msf > show exploits
windows/misc/hp_ovtrace HP OpenView Operations OVTrace Buffer Overflow
windows/misc/ib_isc_attach_database Borland InterBase isc_attach_database() Buffer Overflow
windows/misc/ib_isc_create_database Borland InterBase isc_create_database() Buffer Overflow
windows/misc/ib_svc_attach Borland InterBase SVC_attach() Buffer Overflow
windows/misc/landesk_aolnsrvr LANDesk Management Suite 8.7 Alert Service Buffer Overflow
windows/misc/mercury_phonebook Mercury/32 <= v4.01b PH Server Module Buffer Overflow
windows/misc/ms07_064_sami Microsoft DirectX DirectShow SAMI Buffer Overflow
windows/misc/netcat110_nt Netcat v1.10 NT Stack Overflow
windows/misc/shixxnote_font ShixxNOTE 6.net Font Field Overflow
windows/misc/tiny_identd_overflow TinyIdentD 2.2 Stack Overflow
windows/misc/windows_rsh Windows RSH daemon Buffer Overflow
windows/mssql/ms02_039_slammer Microsoft SQL Server Resolution Overflow
windows/mssql/ms02_056_hello Microsoft SQL Server Hello Overflow
windows/mysql/mysql_yassl MySQL yaSSL SSL Hello Message Buffer Overflow
windows/nntp/ms05_030_nntp Microsoft Outlook Express NNTP Response Parsing Buffer Overflow
windows/novell/groupwisemessenger_client Novell GroupWise Messenger Client Buffer Overflow
windows/novell/nmap_stor Novell NetMail <= 3.52d NMAP STOR Buffer Overflow
windows/novell/zenworks_desktop_agent Novell ZENworks 6.5 Desktop/Server Management Overflow
windows/pop3/seattlelab_pass Seattle Lab Mail 5.5 POP3 Buffer Overflow
windows/proxy/bluecoat_winproxy_host Blue Coat WinProxy Host Header Overflow
windows/proxy/ccproxy_telnet_ping CCProxy <= v6.2 Telnet Proxy Ping Overflow
windows/proxy/proxypro_http_get Proxy-Pro Professional GateKeeper 4.7 GET Request Overflow
windows/scada/realwin DATAC RealWin SCADA Server Buffer Overflow
windows/sip/aim_triton_cseq AIM Triton 1.0.4 CSeq Buffer Overflow

Just a short list of available exploits for Windows systems.

52

Example: Nessus

- Client-server application
- Vulnerability scanning tool
- Periodic plugin updates
- Ability to scan remote hosts

53

[Screenshot: Nessus report, buffer overflow vulnerability found (iTunes)]

54

Something to laugh about on your way home...


  "Nowadays, security guys break the Mac every single day. Every
single day, they come out with a total exploit, your machine can be
taken over totally. I dare anybody to do that once a month on the
Windows machine."

Bill Gates

55

