Hacking Primer: Martin G. Nystrom, CISSP-ISSAP, Security Architect, Cisco Systems, Inc.

The document provides an overview of hacking techniques for Windows and Unix/Linux systems. It discusses footprinting, reconnaissance, scanning and enumeration steps before covering specific attack methods. It also outlines privilege escalation and maintaining access on compromised systems.

Hacking Primer

Martin G. Nystrom, CISSP-ISSAP
Security Architect, Cisco Systems, Inc.
April 2005

Presentation_ID © 2003 Cisco Systems, Inc. All rights reserved. 1
Outline

• Internet footprinting
• Hacking Windows
• Hacking Unix/Linux
• Hacking the network

Internet Footprinting

Internet Footprinting Outline

• Review publicly available information
• Perform network reconnaissance
• Discover landscape
• Determine vulnerable services
Review publicly available information

• News: look for recent news
    news.google.com
    SEC filings
    Search for phone numbers, contacts
• Technical info: look for stupid postings
    Router configs
    Admin pages
    Nessus scans
• Netcraft
• Whois/DNS info
    SamSpade
    dig
Network reconnaissance

• Use traceroute to find vulnerable servers
    Trout
• Can also query BGP tools
    http://nitrous.digex.net/mae/equinix.html
    Look up ASNs

Landscape discovery

• Ping sweep: find out which hosts are alive
    nmap, fping, gping, SuperScan, etc.
• Port scans: find out which ports are listening
    Don't set up a full connection, just send a SYN (half-open scan)
    Netcat
        Can be run in encrypted mode: cryptcat
    nmap advanced options
        XMAS scan sends all TCP options
        Source port scanning sets the source port (e.g., port 88 to scan Windows systems)
        Time delays
• Banner grab & O/S guess
    telnet
    ftp
    netcat
    nmap

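
The scan techniques above leave a recognisable footprint on the target side: one source touching many ports on one host, or many hosts on one port, mostly with SYNs that never complete a handshake, and, when the source-port trick is used, the same source port on every probe. The following detector is an added example written for this page, not code from the slides; the flow-record format and all addresses are constructed, and the thresholds are arbitrary defaults.

```python
"""Scan detection over connection records (added example, not from the slides).

Flags sources that touch many distinct destination ports on one host
(vertical scan) or many hosts on one port (horizontal sweep), reports how
many of their connections were bare SYNs with no completed handshake (the
half-open scan described above), and notes when the scanner pinned its
source port (the "source port 88" trick).
"""
from collections import defaultdict

# Constructed sample flow records: (src_ip, src_port, dst_ip, dst_port, flags).
# flags "S" = SYN seen, never completed; "SA" = handshake completed.
SAMPLE_FLOWS = (
    # vertical scan of one host from a pinned source port 88, 12 ports, all half-open
    [("10.0.0.5", 88, "10.0.1.20", p, "S")
     for p in (21, 22, 23, 25, 80, 88, 135, 139, 443, 445, 1433, 3389)]
    # horizontal sweep of port 445 across 15 hosts from ephemeral ports
    + [("10.0.0.9", 40000 + i, "10.0.1.%d" % i, 445, "S") for i in range(1, 16)]
    # ordinary client traffic: a few completed handshakes
    + [("10.0.0.7", 51000, "10.0.1.20", 443, "SA"),
       ("10.0.0.7", 51001, "10.0.1.20", 80, "SA"),
       ("10.0.0.7", 51002, "10.0.1.21", 443, "SA")]
)


def detect_scans(flows, port_threshold=10, host_threshold=10):
    """Return one finding per source whose fan-out crosses a threshold."""
    per_src = defaultdict(lambda: {
        "ports_by_host": defaultdict(set),   # dst_ip -> set(dst_port)
        "hosts_by_port": defaultdict(set),   # dst_port -> set(dst_ip)
        "src_ports": set(),
        "half_open": 0,
        "total": 0,
    })
    for src, sport, dst, dport, flags in flows:
        s = per_src[src]
        s["ports_by_host"][dst].add(dport)
        s["hosts_by_port"][dport].add(dst)
        s["src_ports"].add(sport)
        s["total"] += 1
        if flags == "S":
            s["half_open"] += 1

    findings = []
    for src, s in per_src.items():
        vertical = max(len(p) for p in s["ports_by_host"].values())
        horizontal = max(len(h) for h in s["hosts_by_port"].values())
        if vertical < port_threshold and horizontal < host_threshold:
            continue
        # A single source port reused across many probes is the nmap -g signature.
        pinned = None
        if len(s["src_ports"]) == 1:
            pinned = next(iter(s["src_ports"]))
        findings.append({
            "src": src,
            "kind": "vertical" if vertical >= port_threshold else "horizontal",
            "max_ports_on_one_host": vertical,
            "max_hosts_on_one_port": horizontal,
            "pinned_source_port": pinned,
            "half_open_ratio": round(s["half_open"] / s["total"], 2),
        })
    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    for f in detect_scans(SAMPLE_FLOWS):
        print(f)
```

Run against the constructed sample it reports 10.0.0.5 as a vertical scan with a pinned source port of 88 and a half-open ratio of 1.0, and 10.0.0.9 as a horizontal sweep; the client at 10.0.0.7 stays below both thresholds. On real data the half-open ratio is what separates a SYN scan from a busy but legitimate client.
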
Hacking Windows

Hacking Windows outline

1. Scan
2. Enumerate
3. Penetrate
4. Escalate
5. Pillage
6. Get interactive
7. Expand influence

Scanning Windows

• Port scan, looking for what's indicative of Windows
    88 – Kerberos
    139 – NetBIOS
    445 – SMB/CIFS
    1433 – SQL Server
    3268, 3269 – Active Directory
    3389 – Terminal Services
• Trick: scan from source port 88 to find IPSec-secured systems

Enumerating Windows

• Accounts
    USER account used by most code, but escalates to SYSTEM to perform kernel-level operations
    System accounts tracked by their SIDs
        RID at the end of the SID identifies the account type
        RID = 500 is the admin account
    Need to escalate to Administrator to have any real power
    Tools
        userdump – enumerates users on a host
        sid2user & user2sid – translate between account names and SIDs on a host
• SAM
    Contains usernames, SIDs, RIDs, hashed passwords
    Local accounts stored in the local SAM
    Domain accounts stored in Active Directory (AD)
• Trusts
    Can exist between AD domains
    Allow accounts from one domain to be used in ACLs on another domain
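
Because the RID, not the name, identifies the account, renaming the built-in Administrator does not hide it: RID 500 stays RID 500. The same fact helps the defender audit an account export for well-known RIDs that sit behind non-default names. The code below is an added example, not from the slides; the account list and the domain identifier in the SIDs are constructed.

```python
"""SID parsing and built-in account audit (added example, not from the slides).

Windows tracks accounts by SID; the last sub-authority (the RID) identifies
the account, and RID 500 is the built-in Administrator whatever it has been
renamed to. That lets an account export be checked for renamed built-ins.
"""
import re

# Well-known RIDs; 500/501 are the built-in Administrator/Guest accounts.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Split a textual SID into revision, identifier authority, sub-authorities and RID."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % sid)
    parts = sid.split("-")
    subauths = [int(x) for x in parts[3:]]
    return {
        "revision": int(parts[1]),
        "authority": int(parts[2]),
        "subauthorities": subauths,
        "rid": subauths[-1],
    }


def domain_identifier(sid):
    """Everything but the RID: identical for every account in one domain or local SAM."""
    return sid.rsplit("-", 1)[0]


def audit_accounts(accounts):
    """accounts: iterable of (name, sid). Report well-known RIDs hiding behind other names."""
    findings = []
    for name, sid in accounts:
        rid = parse_sid(sid)["rid"]
        builtin = WELL_KNOWN_RIDS.get(rid)
        if builtin and name.lower() != builtin.lower():
            findings.append({"name": name, "sid": sid, "rid": rid, "builtin": builtin})
    return findings


# Constructed sample export; the domain identifier is made up.
SAMPLE_ACCOUNTS = [
    ("ITHelpdesk", "S-1-5-21-1111111111-2222222222-3333333333-500"),  # renamed Administrator
    ("Guest", "S-1-5-21-1111111111-2222222222-3333333333-501"),
    ("jsmith", "S-1-5-21-1111111111-2222222222-3333333333-1105"),
    ("SYSTEM", "S-1-5-18"),  # LocalSystem: no domain part, RID 18
]

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS):
        print("RID %d (%s) is named %s" % (f["rid"], f["builtin"], f["name"]))
```

Group accounts by `domain_identifier()` when the export mixes local SAM and domain accounts, since RID 500 appears once per domain and once per local SAM.
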

Enumerating Windows (cont.)

• Need access to ports 135, 139, 445
• Enumerate hosts in a domain
    net view /domain:<domain name>
• Find domain controller(s)
    nltest /dsgetdc:<domain name> /pdc
    nltest /bdc_query:<domain name>
    nbtscan – fast NetBIOS scanner
• Null sessions are an important way to get info
    Run over 445
    Not logged by most IDS
    net use \\<target>\ipc$ "" /u:""
    "local" (from ResKit) or DumpSec can then enumerate accounts
• Countermeasures
    Block UDP/137
    Set the RestrictAnonymous registry value
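
Null sessions may not be logged by most IDS, but the target host records them: a successful network logon (logon type 3) by the account "ANONYMOUS LOGON", event 540 on Windows 2000/2003 and 4624 on later versions. The detector below, an added example not from the slides, runs over forwarded security events and reports sources that opened anonymous network logons on several hosts. The key=value line format, host names and addresses are constructed.

```python
"""Host-side detection of null-session enumeration (added example, not from the slides).

A null session shows up on the target as a network logon (logon type 3) by
"ANONYMOUS LOGON": event 540 on Windows 2000/2003, 4624 on later versions.
The key=value lines below are a constructed forwarder format, not a real log.
"""
import re

NETWORK_LOGON_EVENTS = {540, 4624}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LOG = """\
2005-04-12T10:01:03 host=FS01 event=540 logon_type=3 user="ANONYMOUS LOGON" domain="NT AUTHORITY" src=10.0.0.5
2005-04-12T10:01:04 host=FS01 event=540 logon_type=3 user="jsmith" domain="CORP" src=10.0.0.7
2005-04-12T10:01:09 host=DC01 event=540 logon_type=3 user="ANONYMOUS LOGON" domain="NT AUTHORITY" src=10.0.0.5
2005-04-12T10:01:10 host=DC01 event=528 logon_type=2 user="admin" domain="CORP" src=-
2005-04-12T10:02:15 host=FS02 event=4624 logon_type=3 user="ANONYMOUS LOGON" domain="NT AUTHORITY" src=10.0.0.5
2005-04-12T10:03:00 host=FS02 event=4624 logon_type=3 user="ANONYMOUS LOGON" domain="NT AUTHORITY" src=10.0.0.9
"""


def parse_line(line):
    """Turn one forwarded event line into a dict; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def null_session_sources(log_text, min_hosts=2):
    """Map source IP -> sorted hosts on which it opened anonymous network logons,
    keeping only sources that touched at least min_hosts distinct hosts."""
    hosts_by_src = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if int(f.get("event", 0)) not in NETWORK_LOGON_EVENTS:
            continue
        if f.get("logon_type") != "3" or f.get("user") != "ANONYMOUS LOGON":
            continue
        hosts_by_src.setdefault(f["src"], set()).add(f["host"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for src, hosts in null_session_sources(SAMPLE_LOG).items():
        print("%s opened null sessions to %s" % (src, ", ".join(hosts)))
```

A single anonymous logon is common background noise from legacy services; a source that walks several hosts in a short window is the enumeration pattern. Setting RestrictAnonymous, as the slide advises, removes most of what such a session can read but does not stop the logon event itself from being recorded, which is what makes this signal durable.
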
Enumerating Windows (cont.)

• Look for hosts with 2 NICs
    "getmac" from the Win2K resource kit
• Enumerate trusts on the domain controller
    nltest /server:amer /trusted_domains
• Enumerate shares with DumpSec
    Hidden shares have "$" at the end
• Enumerate with LDAP
    LDAPminer

Penetrating Windows

• 3 methods
    Guess password
    Obtain hashes
        Emergency Repair Disk
    Exploit a vulnerable service
• Guessing passwords
    Review vulnerable accounts via DumpSec
    Use NetBIOS Auditing Tool to guess passwords

Escalating privileges in Windows

• getadmin
    getad
    getad2
    pipeupadmin
• Shatter
    Yields system-level privileges
    Works against Windows Server 2003

Pillaging Windows

• Clear logs
    Some IDSs will restart auditing once it has been disabled
• Grab hashes
    Remotely with pwdump3
    Backup SAM: c:\winnt\repair\sam._
• Grab passwords
    Sniff SMB traffic
• Crack passwords
    L0phtcrack
    John the Ripper

Getting interactive with Windows

• Copy rootkit over a share
• Hide rootkit on the target server
    Low-traffic area such as winnt\system32\OS2\dll\toolz
    Stream tools into files
• Remote shell
    remote.exe (resource kit tool)
    netcat
• How to fire up the remote listener?
    Trojan
    Leave a CD in the bathroom titled "pending layoffs"
    Schedule it for remote execution
        at scheduler
        psexec

Windows – Expand influence

• Get passwords
    Keystroke logger with stealth mail
    FakeGINA intercepts Winlogon
• Plant stuff in the registry to run on reboot
• Hide files
    "attrib +h <directory>"
    Stream files
    Tripwire should catch this stuff

Hacking Unix/Linux

Hacking Unix/Linux outline

1. Discover landscape
2. Enumerate systems
3. Attack
    – Remote
    – Local
4. Get beyond root

Discover landscape

• Goals
    Discover available hosts
    Find all running services
• Methodology
    ICMP and TCP ping scans
    Find listening services with nmap and udp_scan
    Discover paths with ICMP, UDP, TCP
• Tools
    nmap
    SuperScan (Windows)
    udp_scan (more reliable than nmap for UDP scanning)

Enumerate systems

• Goal: discover the following…
    Users
    Operating systems
    Running programs
    Specific software versions
    Unprotected files
    Internal information
• Tools
    OS/application: telnet, ftp, nc, nmap
    Users: finger, rwho, rusers, SMTP
    RPC programs: rpcinfo
    NFS shares: showmount
    File retrieval: TFTP
    SNMP: snmpwalk, snmpget

Enumerate services

• Users
    finger
    SMTP vrfy
• DNS info
    dig
• RPC services
    rpcinfo
• NFS shares
    showmount
• Countermeasures
    Turn off unnecessary services
    Block IP addresses with router ACLs or TCP wrappers

Attack remotely

• 3 primary methods
    Exploit a listening service
    Route through a system with 2 or more interfaces
    Get a user to execute it for you
        Trojans
        Hostile web site
• Brute force against a service
    http://packetstormsecurity.nl/Crackers/
    Countermeasure: strong passwords, hide user names
• Buffer-overflow attack
    Overflow the stack with machine-dependent code (assembler)
    Usually yields a shell; shovel it back with netcat
    Prime targets: programs that run as root or suid
    Countermeasures
        Disable stack execution
        Code reviews
        Limit root and suid programs

Attack remotely (cont.)

• Buffer overflow example
    echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25
    Replace this with something like this…
    char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08…";
• Input validation attacks
    PHF CGI – newline character
    SSI passes user input to the O/S
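
The VRFY example and the PHF newline bug fail for the same reason: a value from the network reaches a fixed-size buffer or a shell without anyone checking its length or its characters. The following validator is an added example, not code from the slides: it applies a hard length cap, rejects control characters (which is what stops the CGI newline), and then allowlists the characters a mailbox local part may contain, before the value is handed on as an argv list rather than a shell string. The limit, the allowlist and the `/usr/bin/lookup-user` command are assumptions chosen for illustration.

```python
"""Input validation for a network-facing command argument (added example, not from the slides).

Three checks, applied before the value reaches a buffer or a subprocess:
hard length cap (the overlong VRFY argument), no control characters (the
PHF newline), and an allowlist of what the field may contain.
"""
import re

# Constructed limits and allowlist for an SMTP-style mailbox local part.
MAX_ARG_LEN = 256
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")         # includes CR, LF and NUL
LOCAL_PART_RE = re.compile(r"^[A-Za-z0-9._+-]+$")


def validate_untrusted_arg(value, max_len=MAX_ARG_LEN, pattern=LOCAL_PART_RE):
    """Return (ok, reason). Length is checked first so an oversized value is
    rejected before any regex touches it."""
    if len(value) > max_len:
        return False, "too long (%d > %d)" % (len(value), max_len)
    if CONTROL_RE.search(value):
        return False, "control character"
    if not pattern.match(value):
        return False, "character outside allowlist"
    return True, "ok"


def build_lookup_command(value):
    """Only after validation, and as an argv list so no shell ever parses it.
    /usr/bin/lookup-user is a placeholder for whatever the server would run;
    the "--" keeps a value beginning with '-' from being read as an option."""
    ok, reason = validate_untrusted_arg(value)
    if not ok:
        raise ValueError(reason)
    return ["/usr/bin/lookup-user", "--", value]


if __name__ == "__main__":
    for sample in ("bob", "a" * 1000, "bob\nid", "bob;id"):
        print(repr(sample[:12]), validate_untrusted_arg(sample))
```

The order matters in a language with fixed buffers too: in C the length check must come before any copy, since the copy is the overflow.
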

• Back channels
    X-Windows
        Send display back to attacker's IP
    Reverse telnet

Attack remotely (cont.)

• Countermeasures against back channels
    Get rid of executables used for this (X-Windows, telnet, etc.)
• Commonly attacked services
    Sendmail
    NFS
    RPC
    X-Windows (sniffing session data)
    ftpd (wu-ftpd)
    DNS
        Guessable query IDs
        BIND vulnerabilities
        Countermeasures
            Restrict zone transfers
            Block TCP/UDP 53
            Don't use HINFO records
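
Guessable query IDs are something a defender can measure on their own resolver: capture the transaction IDs of outbound queries and check whether they step predictably or are spread across the 16-bit space. The check below is an added example, not from the slides; the two ID sequences are constructed (one counting resolver, one drawing random IDs from a seeded generator) and the thresholds are arbitrary.

```python
"""Checking whether a resolver's DNS query IDs are guessable (added example, not from the slides).

Feed it the transaction IDs seen in a capture of outbound queries from one
resolver. Sequential or constant-step IDs are what made spoofed answers
easy; a healthy resolver draws the 16-bit ID uniformly at random.
"""
import math
import random
from collections import Counter


def id_predictability(ids, id_bits=16):
    """Return step statistics, the empirical entropy of the IDs and a verdict."""
    if len(ids) < 2:
        raise ValueError("need at least two IDs")
    space = 1 << id_bits
    # Step between consecutive IDs, modulo the ID space so wraparound counts as a step too.
    deltas = [(b - a) % space for a, b in zip(ids, ids[1:])]
    step, step_count = Counter(deltas).most_common(1)[0]
    step_fraction = step_count / len(deltas)
    n = len(ids)
    counts = Counter(ids)
    entropy = -sum((c / n) * math.log2(c / n) for c in counts.values())
    # n samples can never show more than log2(n) bits, so compare against that.
    max_entropy = min(id_bits, math.log2(n))
    predictable = step_fraction > 0.5 or entropy < 0.5 * max_entropy
    return {
        "samples": n,
        "most_common_step": step,
        "step_fraction": round(step_fraction, 3),
        "entropy_bits": round(entropy, 2),
        "max_observable_bits": round(max_entropy, 2),
        "verdict": "predictable" if predictable else "looks random",
    }


# Constructed samples: one resolver counts up by one, the other draws random IDs.
SEQUENTIAL_IDS = list(range(4000, 4200))
_rng = random.Random(42)
RANDOM_IDS = [_rng.randrange(1 << 16) for _ in range(200)]

if __name__ == "__main__":
    print("sequential:", id_predictability(SEQUENTIAL_IDS))
    print("random:    ", id_predictability(RANDOM_IDS))
```

Note that the sequential sample has full entropy (every ID is distinct), so an entropy measure alone would pass it; the step test is what catches a counter. Pair the check with the slide's other countermeasures, such as restricting zone transfers with BIND's `allow-transfer`.
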

Attack locally

• Buffer overflow
• Setuid programs
• Password guessing/cracking
• Mis-configured file/directory permissions

Get beyond root

• Map the network (own more hosts)
• Install rootkit
    A crypto checksum is the only way to know if a binary is real
    Create backdoors
    Sniff other traffic
        dsniff
        arpredirect
        loki
        Hunt
    Countermeasures
        Encrypt all traffic
        Switched networks (not a panacea)
    Clean logs
    Session hijacking
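
Both this slide ("crypto checksum is the only way to know if it's real") and the earlier Windows one ("Tripwire should catch this stuff") point at the same control: a stored baseline of file hashes compared against the live tree. The checker below is an added example, not from the slides or from Tripwire; it baselines a directory with SHA-256 and reports added, removed and modified files, and its `demo()` builds a constructed scenario in a temporary directory (a replaced binary, a dropped hidden tool, a removed log). Hidden files are walked like any other; NTFS alternate data streams are not enumerated by `os.walk`, so streamed files on Windows need a stream-aware tool on top of this.

```python
"""Cryptographic checksum baseline for a directory tree (added example, not from the slides).

A rootkit replaces system binaries and hides its tools; a stored SHA-256
baseline catches the replacement, the new file and the cleaned log alike.
Caveat: os.walk does not see NTFS alternate data streams.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path (always '/'-separated) -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):          # hash targets, not links
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare(baseline, current):
    """Return added, removed and modified relative paths, each sorted."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario in a temp dir: one binary altered, one hidden tool dropped, one log removed."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "var", "log"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original ls binary")
        with open(os.path.join(root, "var", "log", "auth.log"), "wb") as f:
            f.write(b"login ok\n")
        baseline = build_baseline(root)

        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls binary")                    # replaced binary
        with open(os.path.join(root, "bin", ".toolz"), "wb") as f:
            f.write(b"hidden dropper")                        # hidden dotfile
        os.remove(os.path.join(root, "var", "log", "auth.log"))  # cleaned log
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as where it is kept: store it (and run the comparison) from read-only or off-host media, since a rootkit that can replace `ls` can also rewrite a baseline file left on the same disk.
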

Hacking the Network

• Vulnerabilities
• Dealing with firewalls

Vulnerabilities

• TTY access (5 to choose from)
• SNMP v2 community strings
• HTTP (everything is clear-text)
• TFTP
    No auth
    Easy to discern router config file names: "<router-name>.cfg"
• Countermeasures
    ACLs
    TCP wrappers
    Encrypt passwords

Vulnerabilities: routing issues

• Path integrity
    Source routing reveals the path through the network
    Routing updates can be spoofed (RIP, IGRP)
• ARP spoofing
    Easy with dsniff

Dealing with firewalls

• Enumerate with nmap or tcpdump
    Can show you which ports are filtered (blocked)
• Some proxies return a banner
    Eagle Raptor
• TCP traffic itself may provide a signature
• Ping the un-pingable
    hping
    Look for ICMP code 13 (admin prohibited)

Dealing with firewalls (cont.)

• ACLs may allow scanning if the source port is set
    nmap with the "-g" option
• Port redirection
    fpipe
    netcat
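
The reason a set source port gets through is an ACL written to let replies back in by source port alone, with no notion of connection state. The evaluator below is an added example, not from the slides or from any Cisco product: it models a small subset of Cisco IOS extended ACL syntax (`permit`/`deny`, `tcp`, `any` or `host A.B.C.D`, numeric `eq` ports, `established`) with first-match semantics and an implicit deny, and puts the weak rule next to the corrected one. Addresses and packets are constructed.

```python
"""Why a source-port permit lets scans through, and the fix (added example, not from the slides).

The weak ACL permits anything whose source port is 53, so a SYN sent with
a pinned source port of 53 passes. The corrected ACL adds "established",
which in IOS matches only segments with ACK or RST set, so bare SYNs are
dropped while genuine replies to earlier queries still return.
"""


def parse_acl_line(line):
    """Parse one line of the supported IOS extended ACL subset into a rule dict."""
    tokens = line.split()
    if tokens[0] == "access-list":          # accept "access-list 101 permit ..." too
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    i = 2
    src, i = _parse_addr(tokens, i)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in tokens[i:]}


def _parse_addr(tokens, i):
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError("only 'any' and 'host X' are supported: %r" % tokens[i])


def _parse_port(tokens, i):
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2     # numeric ports only in this model
    return None, i


def _matches(rule, pkt):
    if rule["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst", "sport", "dport"):
        if rule[key] is not None and rule[key] != pkt[key]:
            return False
    if rule["established"] and not (pkt["flags"] & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl_lines, pkt):
    """First matching line decides; nothing matching means the implicit deny."""
    for rule in map(parse_acl_line, acl_lines):
        if _matches(rule, pkt):
            return rule["action"]
    return "deny"


# Weak: any TCP segment from source port 53 is allowed in, whatever it is.
WEAK_ACL = ["permit tcp any eq 53 any"]
# Corrected: only segments that belong to an existing conversation (ACK or RST set).
FIXED_ACL = ["permit tcp any eq 53 any established"]

# Constructed packets: a probe pinned to source port 53, and a real DNS-over-TCP reply.
SCAN_SYN = {"proto": "tcp", "src": "198.51.100.7", "sport": 53,
            "dst": "10.0.1.20", "dport": 3389, "flags": {"SYN"}}
DNS_REPLY = {"proto": "tcp", "src": "198.51.100.7", "sport": 53,
             "dst": "10.0.1.20", "dport": 41234, "flags": {"ACK", "PSH"}}

if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("fixed", FIXED_ACL)):
        print(name, "scan:", evaluate(acl, SCAN_SYN), "reply:", evaluate(acl, DNS_REPLY))
```

`established` is still a stateless approximation (it trusts the ACK bit); a stateful firewall that tracks the outbound query is the fuller fix, but the example shows why the source-port-only rule is the one that turns the `-g` option into a bypass.
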

Questions?
