Hacking Primer

- Internet footprinting
- Hacking Windows
- Hacking Unix/Linux
- Hacking the network

Internet Footprinting

Internet Footprinting Outline

- Review publicly available information
- Perform network reconnaissance
- Discover landscape
- Determine vulnerable services
Review publicly available information

- News: look for recent news
  - SEC filings
  - Search for phone numbers, contacts
- Technical info: look for stupid postings
  - Router configs
  - Admin pages
  - Nessus scans
- Netcraft
- Whois/DNS info
  - SamSpade
  - dig

Network reconnaissance

- Use traceroute to find vulnerable servers
  - Trout
- Can also query BGP tools
  - Look up ASNs
Landscape discovery

- Ping sweep: find out which hosts are alive
  - nmap, fping, gping, SuperScan, etc.
- Port scans: find out which ports are listening
  - Don't set up a full connection, just send a SYN
  - Netcat
    - Can be run in encrypted mode: cryptcat
  - nmap advanced options
    - XMAS scan sends all TCP options
    - Source port scanning sets the source port (e.g., port 88 to scan Windows systems)
    - Time delays
- Banner grab and OS guess
  - telnet
  - ftp
  - netcat
  - nmap
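A defender's view of the scans listed above, as an added example that is not part of the original primer: the Python below triages a constructed batch of packet summaries for half-open SYN sweeps (many ports probed, handshake never completed), XMAS probes (FIN, PSH and URG set together) and SYNs sent from a service source port such as 88 or 53 to slip past a stateless ACL. The record layout, the thresholds, the `SERVICE_SOURCE_PORTS` set and the addresses are assumptions made for the illustration; a real sensor would feed it flow records from tcpdump or a collector.

```python
"""Port-scan triage over packet summaries (illustration, not part of the primer).
Each record is a constructed (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags)
tuple of the kind tcpdump or a flow collector would export."""
from collections import defaultdict

# Constructed sample: 10.0.0.7 completes a normal handshake to port 80, 10.0.0.5 SYN-sweeps
# twelve ports and sends one XMAS probe, and 10.0.0.9 probes 135 from source port 88.
RECORDS = [
    (100.0, "10.0.0.7", 51000, "192.168.1.10", 80, "S"),
    (100.1, "192.168.1.10", 80, "10.0.0.7", 51000, "SA"),
    (100.2, "10.0.0.7", 51000, "192.168.1.10", 80, "A"),
] + [
    (101.0 + i * 0.01, "10.0.0.5", 40000 + i, "192.168.1.10", port, "S")
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389])
] + [
    (102.0, "10.0.0.5", 40100, "192.168.1.10", 8080, "FPU"),   # XMAS: FIN+PSH+URG together
    (103.0, "10.0.0.9", 88, "192.168.1.10", 135, "S"),        # SYN from a trusted service port
]

SYN_SCAN_THRESHOLD = 10              # distinct ports half-opened by one source inside the window
WINDOW_SECONDS = 5.0
SERVICE_SOURCE_PORTS = {20, 53, 88}  # assumed: ports a stateless ACL might treat as "replies"

def flags_set(flags, wanted):
    """True when every flag letter in `wanted` appears in `flags`."""
    return all(f in flags for f in wanted)

def detect(records):
    """Return {finding_type: sorted list of offending source IPs}."""
    findings = {"syn_scan": set(), "xmas_probe": set(), "service_source_port": set()}
    syns = defaultdict(list)   # src -> [(ts, dst, dport)] bare SYNs seen from that source
    acked = set()              # (src, dst, dport) where the source later sent a plain ACK
    for ts, src, sport, dst, dport, flags in records:
        if flags == "S":
            syns[src].append((ts, dst, dport))
        elif "A" in flags and "S" not in flags:
            acked.add((src, dst, dport))
        if flags_set(flags, "FPU"):
            findings["xmas_probe"].add(src)
        if sport in SERVICE_SOURCE_PORTS and flags == "S":
            findings["service_source_port"].add(src)
    for src, probes in syns.items():
        # Keep only SYNs that never turned into a completed handshake.
        half_open = sorted(p for p in probes if (src, p[1], p[2]) not in acked)
        # Sliding window: how many distinct (dst, port) targets within WINDOW_SECONDS?
        for i, (ts, _, _) in enumerate(half_open):
            targets = {(d, p) for t, d, p in half_open[i:] if t - ts <= WINDOW_SECONDS}
            if len(targets) >= SYN_SCAN_THRESHOLD:
                findings["syn_scan"].add(src)
                break
    return {kind: sorted(srcs) for kind, srcs in findings.items()}

if __name__ == "__main__":
    for kind, sources in detect(RECORDS).items():
        print(f"{kind}: {sources or 'none'}")
```

The service-source-port rule is the one to tune: a legitimate DNS or Kerberos server answers from those ports with SYN-ACKs, never with bare SYNs, which is why the check insists on a lone SYN.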
Hacking Windows

Hacking Windows outline

1. Scan
2. Enumerate
3. Penetrate
4. Escalate
5. Pillage
6. Get interactive
7. Expand influence
Scanning Windows

- Port scan, looking for ports indicative of:
  - 88: Kerberos
  - 139: NetBIOS
  - 445: SMB/CIFS
  - 1433: SQL Server
  - 3268, 3269: Active Directory
  - 3389: Terminal Services
- Trick: scan from source port 88 to find IPSec-secured systems
Enumerating Windows

- Accounts
  - USER account used by most code, but escalates to SYSTEM to perform kernel-level operations
  - System accounts tracked by their SIDs
    - RID at the end of the SID identifies the account type
    - RID = 500 is the admin account
  - Need to escalate to Administrator to have any real power
  - Tools
    - userdump: enumerates users on a host
    - sid2user and user2sid translate account names on a host
  - Account database contains usernames, SIDs, RIDs, hashed passwords
    - Local accounts stored in the local SAM
    - Domain accounts stored in Active Directory (AD)
- Trusts
  - Can exist between AD domains
  - Allows accounts from one domain to be used in ACLs on another domain
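Because the RID, not the name, identifies the built-in Administrator (RID 500), renaming that account hides nothing from sid2user-style lookups. The following is an added example, not code from the primer: a small SID parser plus an audit that flags well-known RIDs whose account has been renamed, which is the defender's way of knowing which of the accounts an enumerator will find first. The `WELL_KNOWN_RIDS` table is a subset of the documented values, and the domain prefix and account names in `SAMPLE` are constructed.

```python
"""Parse Windows SIDs and classify accounts by RID (illustration, not part of the primer)."""
import re

# Well-known relative identifiers: 500-502 are user RIDs, 512/513/519 are domain group RIDs.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+\Z")

def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (identifier_authority, sub_authorities, rid).
    Raises ValueError on malformed input."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    parts = [int(p) for p in sid.split("-")[2:]]
    return parts[0], parts[1:-1], parts[-1]

def is_domain_or_local_account_sid(sid):
    """True for NT-authority SIDs with the 21-<three sub-authorities> machine/domain prefix."""
    authority, subs, _ = parse_sid(sid)
    return authority == 5 and len(subs) == 4 and subs[0] == 21

def audit(accounts):
    """accounts: iterable of (name, sid). Return (name, rid, canonical_name) for every
    account whose RID is well-known but whose name no longer matches it."""
    findings = []
    for name, sid in accounts:
        if not is_domain_or_local_account_sid(sid):
            continue
        _, _, rid = parse_sid(sid)
        canonical = WELL_KNOWN_RIDS.get(rid)
        if canonical and name != canonical:
            findings.append((name, rid, canonical))
    return findings

# Constructed sample with a fictional domain prefix S-1-5-21-1004336348-1177238915-682003330.
SAMPLE = [
    ("hal", "S-1-5-21-1004336348-1177238915-682003330-500"),    # renamed built-in admin
    ("Guest", "S-1-5-21-1004336348-1177238915-682003330-501"),
    ("jsmith", "S-1-5-21-1004336348-1177238915-682003330-1105"),
    ("SYSTEM", "S-1-5-18"),                                      # well-known SID, no domain prefix
]

if __name__ == "__main__":
    for name, rid, canonical in audit(SAMPLE):
        print(f"{name}: RID {rid} is the built-in {canonical} account")
```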
Enumerating Windows (cont.)

- Need access to ports 135, 139, 445
- Enumerate hosts in a domain
  - net view /domain:<domain name>
- Find domain controller(s)
  - nltest /dsgetdc:<domain name> /pdc
  - nltest /bdc_query:<domain name>
- nbtscan: fast NetBIOS scanner
- Null sessions are an important way to get info
  - Runs over 445
  - Not logged by most IDS
  - net use \\<target>\ipc$ "" /u:""
  - "local" (from ResKit) or DumpSec can then enumerate accounts
- Countermeasures
  - Block UDP/137
  - Set the RestrictAnonymous registry value
Enumerating Windows (cont.)

- Look for hosts with 2 NICs
  - "getmac" from the Win2K resource kit
- Enumerate trusts on a domain controller
  - nltest /server:amer /trusted_domains
- Enumerate shares with DumpSec
  - Hidden shares have "$" at the end
- Enumerate with LDAP
  - LDAPminer
Penetrating Windows

- 3 methods
  - Guess password
  - Obtain hashes
    - Emergency Repair Disk
  - Exploit a vulnerable service
- Guessing passwords
  - Review vulnerable accounts via DumpSec
  - Use NetBIOS Auditing Tool to guess passwords
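The null-session enumeration and password-guessing steps above both leave a trail in the Security log once logon auditing is on. As an added example (not the primer's code), the Python below triages a constructed pipe-delimited event export for anonymous network logons (the IPC$ null session) and for bursts of failed logons from one source. The event IDs follow the modern Security log (4624 success, 4625 failure, logon type 3 = network); the export format, the threshold, the window and the addresses are assumptions for the illustration.

```python
"""Windows Security event triage for null sessions and guessing (illustration, not the primer's).
Lines are a constructed export: timestamp|event_id|logon_type|account|source_ip."""
from collections import defaultdict
from datetime import datetime

FAILURE_THRESHOLD = 5   # failed logons from one source inside WINDOW seconds
WINDOW = 60

SAMPLE_LOG = """\
2003-04-12T10:00:00|4624|3|ANONYMOUS LOGON|10.0.0.5
2003-04-12T10:00:03|4625|3|Administrator|10.0.0.5
2003-04-12T10:00:04|4625|3|Administrator|10.0.0.5
2003-04-12T10:00:05|4625|3|backup|10.0.0.5
2003-04-12T10:00:06|4625|3|backup|10.0.0.5
2003-04-12T10:00:07|4625|3|sqlsvc|10.0.0.5
2003-04-12T10:00:08|4625|3|sqlsvc|10.0.0.5
2003-04-12T10:15:00|4625|2|jsmith|10.0.0.7
2003-04-12T10:15:20|4624|2|jsmith|10.0.0.7
"""

def parse(text):
    """Turn the export into (datetime, event_id, logon_type, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split("|")
        events.append((datetime.fromisoformat(ts), int(event_id), int(logon_type), account, source))
    return events

def null_sessions(events):
    """Sources that obtained an anonymous network logon, i.e. a null session."""
    return sorted({src for _, eid, ltype, acct, src in events
                   if eid == 4624 and ltype == 3 and acct == "ANONYMOUS LOGON"})

def guessing_sources(events):
    """{source: sorted accounts tried} for sources with >= FAILURE_THRESHOLD failures
    inside any WINDOW-second span (sliding window over the sorted failures)."""
    failures = defaultdict(list)
    for ts, eid, _, acct, src in events:
        if eid == 4625:
            failures[src].append((ts, acct))
    out = {}
    for src, attempts in failures.items():
        attempts.sort()
        for i in range(len(attempts)):
            start = attempts[i][0]
            tried = [acct for ts, acct in attempts[i:] if (ts - start).total_seconds() <= WINDOW]
            if len(tried) >= FAILURE_THRESHOLD:
                out[src] = sorted(set(tried))
                break
    return out

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("null sessions from:", null_sessions(ev))
    for src, accounts in guessing_sources(ev).items():
        print(f"password guessing from {src}: tried {accounts}")
```

The one-failure entry for 10.0.0.7 is the ordinary typo case and stays below the threshold; the spread of accounts tried from 10.0.0.5 is the signature of a tool walking an enumerated user list.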
Escalating privileges in Windows

- getad
- getad2
- pipeupadmin
  - Yields system-level privileges
  - Works against Windows Server 2003
Pillaging Windows

- Clear logs
  - Some IDSs will restart auditing once it's been
- Grab hashes
  - Remotely with pwdump3
  - Backup SAM: c:\winnt\repair\sam._
- Grab passwords
  - Sniff SMB traffic
- Crack passwords
  - L0phtcrack
  - John the Ripper
Getting interactive with Windows

- Copy rootkit over a share
- Hide rootkit on the target server
  - Low-traffic area such as winnt\system32\OS2\dll\toolz
  - Stream tools into files
- Remote shell
  - remote.exe (resource kit tool)
  - netcat
- How to fire up a remote listener?
  - Trojan
    - Leave a CD in the bathroom titled "pending layoffs"
  - Schedule it for remote execution
    - at scheduler
    - psexec
Windows – Expand influence

- Get passwords
  - Keystroke logger with stealth mail
  - FakeGINA intercepts Winlogon
- Plant stuff in the registry to run on reboot
- Hide files
  - "attrib +h <directory>"
  - Stream files
  - Tripwire should catch this stuff
Hacking Unix/Linux

Hacking Unix/Linux outline

1. Discover landscape
2. Enumerate systems
3. Attack
   - Remote
   - Local
4. Get beyond root
Discover landscape

- Goals
  - Discover available hosts
  - Find all running services
- Methodology
  - ICMP and TCP ping scans
  - Find listening services with nmap and udp_scan
  - Discover paths with ICMP, UDP, TCP
- Tools
  - nmap
  - SuperScan (Windows)
  - udp_scan (more reliable than nmap for UDP scanning)
Enumerate systems

- Goal: discover the following
  - Users
  - Operating systems
  - Running programs
  - Specific software versions
  - Unprotected files
  - Internal information
- Tools
  - OS/application: telnet, ftp, nc, nmap
  - Users: finger, rwho, rusers, SMTP
  - RPC programs: rpcinfo
  - NFS shares: showmount
  - File retrieval: TFTP
  - SNMP: snmpwalk, snmpget
Enumerate services

- Users
  - finger
  - SMTP VRFY
- DNS info
  - dig
- RPC services
  - rpcinfo
- NFS shares
  - showmount
- Countermeasures
  - Turn off unnecessary services
  - Block IP addresses with router ACLs or TCP wrappers
Attack remotely

- 3 primary methods
  - Exploit a listening service
  - Route through a system with 2 or more interfaces
  - Get a user to execute it for you
    - Trojans
    - Hostile web site
- Brute force against a service
  - Countermeasure: strong passwords, hide user names
- Buffer-overflow attack
  - Overflow the stack with machine-dependent code (assembler)
  - Usually yields a shell; shovel it back with netcat
  - Prime targets: programs that run as root or suid
  - Countermeasures
    - Disable stack execution
    - Code reviews
    - Limit root and suid programs
Attack remotely (cont.)

- Buffer overflow example
  - echo "vrfy `perl -e 'print "a" x 1000'`" | nc <target> 25
  - Replace this with something like this...
  - char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08..."
- Input validation attacks
  - PHF CGI: newline character
  - SSI passes user input to the OS
- Back channels
  - X Windows
    - Send display back to attacker's IP
  - Reverse telnet
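The 1000-byte VRFY probe and the PHF newline trick above fail against the same defence: bound the command line before it reaches any fixed-size buffer and reject control characters in the argument. As an added example, not code from the primer, the Python below validates raw SMTP command lines against the RFC 5321 limit of 512 octets (CRLF included) and a printable-only argument grammar. The single-token argument rule, the `InvalidCommand` class and the sample inputs are assumptions for the illustration rather than the behaviour of any particular mail server.

```python
"""Length and character validation for SMTP command lines (illustration, not the primer's code)."""
import re

MAX_COMMAND_LINE = 512   # octets including CRLF, per RFC 5321 section 4.5.3.1.4
# Four-letter verb, optional single printable-ASCII token, CRLF, nothing after it.
COMMAND_RE = re.compile(rb"^([A-Za-z]{4})(?: ([\x21-\x7e]+))?\r\n\Z")

class InvalidCommand(ValueError):
    """Raised for any line the server must refuse rather than interpret."""

def validate_command_line(raw):
    """Return (VERB, argument_or_None) for a well-formed line; raise InvalidCommand otherwise.
    The bound is checked before parsing, so an oversized VRFY never reaches a copy into a
    fixed buffer, and the grammar excludes CR, LF, NUL and every other control byte."""
    if not isinstance(raw, (bytes, bytearray)):
        raise TypeError("command line must be bytes")
    if len(raw) > MAX_COMMAND_LINE:
        raise InvalidCommand(f"line too long: {len(raw)} > {MAX_COMMAND_LINE}")
    m = COMMAND_RE.match(bytes(raw))
    if not m:
        raise InvalidCommand("malformed command line")
    verb = m.group(1).upper().decode("ascii")
    arg = m.group(2)
    return verb, (arg.decode("ascii") if arg is not None else None)

def classify(raw):
    """Wrap the validator so a caller gets ('ok', verb, arg) or ('rejected', reason, None)."""
    try:
        verb, arg = validate_command_line(raw)
        return "ok", verb, arg
    except InvalidCommand as exc:
        return "rejected", str(exc), None

# Constructed inputs: a normal VRFY, the 1000-byte probe, a newline-injection attempt,
# a NUL inside the argument, and a verb with no argument.
SAMPLES = [
    b"VRFY root\r\n",
    b"vrfy " + b"a" * 1000 + b"\r\n",
    b"VRFY root\nid\r\n",
    b"VRFY ro\x00ot\r\n",
    b"NOOP\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:24], "->", classify(sample))
```

Note the `\Z` anchor: with `$`, Python would also accept a line carrying an extra trailing newline after the CRLF, which is exactly the kind of slack an injection relies on.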
Attack remotely (cont.)

- Countermeasures against back channels
  - Get rid of executables used for this (X Windows, telnet, etc.)
- Commonly attacked services
  - Sendmail
  - X Windows (sniffing session data)
  - ftpd (wu-ftpd)
  - DNS
    - Guessable query IDs
    - BIND vulnerabilities
    - Countermeasures
      - Restrict zone transfers
      - Block TCP/UDP 53
      - Don't use HINFO records
Attack locally

- Buffer overflow
- Setuid programs
- Misconfigured files/directories
Get beyond root

- Map the network (own more hosts)
- Install rootkit
  - A cryptographic checksum is the only way to know if a binary is real
- Create backdoors
- Sniff other traffic
  - dsniff
  - arpredirect
  - loki
  - Hunt
  - Countermeasures
    - Encrypt all traffic
    - Switched networks (not a panacea)
- Clean logs
- Session hijacking
Hacking the Network

- Vulnerabilities
- Dealing with firewalls

- TTY access: 5 to choose from
- SNMP v2 community strings
- HTTP (everything is clear-text)
  - No auth
  - Easy to discern router config files "<router-name>.cfg"
- Countermeasures
  - ACLs
  - TCP wrappers
  - Encrypt passwords
Vulnerabilities: routing issues

- Path integrity
  - Source routing reveals the path through the network
  - Routing updates can be spoofed (RIP, IGRP)
- ARP spoofing
  - Easy with dsniff
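The ARP spoofing that dsniff's arpredirect performs is visible on the wire: one MAC starts answering for an IP that was previously bound to another MAC, and usually for more than one IP at once. As an added example (not the primer's code, and not arpwatch's), the Python below applies that arpwatch-style logic to a constructed capture of ARP replies: it learns the IP-to-MAC table, raises a `changed` alert when a binding moves, a `duplicate` alert when one MAC claims several IPs, and names the MAC that did both. The record layout, the addresses and the `suspicious_macs` heuristic are assumptions for the illustration.

```python
"""arpwatch-style detection of ARP spoofing (illustration, not the primer's code).
Records are constructed (timestamp, opcode, sender_ip, sender_mac) tuples; opcode 2 is a reply."""
from collections import defaultdict

# Constructed capture: the gateway .1 is legitimately at aa:..:01; at t=10 a host at
# de:ad:be:ef:00:01 starts answering for .1 and for .20 (a man-in-the-middle between them),
# the real gateway reasserts itself at t=11, and .30 renews normally throughout.
CAPTURE = [
    (1.0, 2, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (2.0, 2, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (3.0, 2, "192.168.1.30", "aa:aa:aa:aa:aa:30"),
    (10.0, 2, "192.168.1.1", "de:ad:be:ef:00:01"),
    (10.5, 2, "192.168.1.20", "de:ad:be:ef:00:01"),
    (11.0, 2, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    (11.5, 2, "192.168.1.1", "de:ad:be:ef:00:01"),
    (20.0, 2, "192.168.1.30", "aa:aa:aa:aa:aa:30"),
]

def analyse(capture, baseline=None):
    """Return (alerts, table). alerts is a list of (timestamp, kind, ip, old_mac, new_mac):
    'changed' when an IP's MAC moves away from the learned one, 'duplicate' when a single
    MAC has answered for more than one IP. baseline may pre-seed the ip -> mac table."""
    table = dict(baseline or {})
    claims = defaultdict(set)      # mac -> IPs it has answered for
    alerts = []
    for ts, opcode, ip, mac in capture:
        if opcode != 2:
            continue
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append((ts, "changed", ip, known, mac))
            table[ip] = mac
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            alerts.append((ts, "duplicate", ip, None, mac))
    return alerts, table

def suspicious_macs(alerts):
    """MACs that both took over an IP and answer for several IPs. The intersection matters:
    the legitimate gateway reasserting itself also produces a 'changed' alert, but it never
    claims a second IP."""
    changed = {new for _, kind, _, _, new in alerts if kind == "changed"}
    duplicates = {mac for _, kind, _, _, mac in alerts if kind == "duplicate"}
    return sorted(changed & duplicates)

if __name__ == "__main__":
    found, _ = analyse(CAPTURE)
    for alert in found:
        print(alert)
    print("likely spoofer:", suspicious_macs(found))
```

Seeding `baseline` from a known-good table (switch CAM export, DHCP leases) removes the learning window in which a spoofer that speaks first would be accepted as the legitimate owner.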
Dealing with firewalls

- Enumerate with nmap or tcpdump
  - Can show you which ports are filtered (blocked)
- Some proxies return a banner
  - Eagle Raptor
- TCP traffic itself may provide a signature
- Ping the un-pingable
  - hping
  - Look for ICMP type 13 (admin prohibited)

Dealing with firewalls (cont.)

- ACLs may allow scanning if the source port is
  - nmap with the "-g" option
- Port redirection
  - fpipe
  - netcat

