Hacking Primer: BY Intramantra Global Solution PVT LTD, Indore
BY
HTTP://INTRAMANTRA.COM
Internet footprinting
Hacking Windows
Hacking Unix/Linux
Hacking the network
Internet Footprinting Outline
Hacking Windows outline
1. Scan
2. Enumerate
3. Penetrate
4. Escalate
5. Pillage
6. Get interactive
7. Expand influence
Scanning Windows
3 methods
Guess password
Obtain hashes
Emergency Repair Disk
Exploit a vulnerable service
Guessing passwords
Review vulnerable accounts via dumpsec
Use NetBIOS Auditing Tool to guess passwords
Escalating privileges in Windows
getadmin
getad
getad2
pipeupadmin
Shatter
Yields system-level privileges
Works against Windows Server 2003
Pillaging Windows
Clear logs
Some IDSs will restart auditing once it has been disabled
Grab hashes
Remotely with pwdump3
Backup SAM: c:\winnt\repair\sam._
Grab passwords
Sniff SMB traffic
Crack passwords
L0phtcrack
John the Ripper
Getting interactive with Windows
Copy rootkit over a share
Hide rootkit on the target server
Low traffic area such as winnt\system32\OS2\dll\toolz
Stream tools into files
Remote shell
remote.exe (resource kit tool)
netcat
How to fire up remote listener?
trojan
Leave a CD in the bathroom titled, “pending layoffs”
Schedule it for remote execution
at scheduler
psexec
Windows – Expand influence
Get passwords
Keystroke logger with stealth mail
FakeGINA intercepts Winlogon
Hacking Unix/Linux outline
1. Discover landscape
2. Enumerate systems
3. Attack
– Remote
– Local
4. Get beyond root
Discover landscape
Goals
Discover available hosts
Find all running services
Methodology
ICMP and TCP ping scans
Find listening services with nmap and udp_scan
Discover paths with ICMP, UDP, TCP
Tools
nmap
SuperScan (Windows)
udp_scan (more reliable than nmap for udp scanning)
Enumerate systems
Goal: Discover the following…
Users
Operating systems
Running programs
Specific software versions
Unprotected files
Internal information
Tools
OS/Application: telnet, ftp, nc, nmap
Users: finger, rwho, rusers, SMTP
RPC programs: rpcinfo
NFS shares: showmount
File retrieval: TFTP
SNMP: snmpwalk snmpget
Enumerate services
Users
finger
SMTP vrfy
DNS info
dig
RPC services
rpcinfo
NFS shares
showmount
Countermeasures
Turn off unnecessary services
Block IP addresses with router ACLs or TCP wrappers
Attack remotely
3 primary methods
Exploit a listening service
Route through a system with 2 or more interfaces
Get user to execute it for you
Trojans
Hostile web site
Brute-force against service
http://packetstormsecurity.nl/Crackers/
Countermeasure: strong passwords, hide user names
Buffer-overflow attack
Overflow the stack with machine-dependent code (assembler)
Usually yields a shell – shovel it back with netcat
Prime targets: programs that run as root or suid
Countermeasures
Disable stack execution
Code reviews
Limit root and suid programs
Attack remotely (cont.)
Buffer overflow example
echo "vrfy `perl -e 'print "a" x 1000'`" | nc www.targetsystem.com 25
Replace this with something like this…
char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08…"
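The probe above is easy to spot on the receiving side: a VRFY argument of 1000 bytes blows through the 512-byte command-line limit of RFC 5321, and a payload that follows it carries bytes no legitimate mailbox name contains. The following detector is an added defender-side example and is not part of the deck; the thresholds, the sample session lines and the `Finding` type are assumptions chosen for illustration.

```python
"""Flag SMTP VRFY/EXPN probes that look like the oversized-argument test shown in the slide."""
import re
from typing import NamedTuple, Optional, Iterable, List

# RFC 5321 caps a command line at 512 bytes including CRLF; longer lines are malformed.
MAX_LINE = 512
# Assumed threshold: no real mailbox or list name needs more than this many bytes.
ARG_THRESHOLD = 256

# SMTP verbs are four letters, optionally followed by whitespace and an argument.
CMD_RE = re.compile(rb"^(?P<verb>[A-Za-z]{4})(?:\s+(?P<arg>.*))?$")


class Finding(NamedTuple):
    verb: str
    arg_len: int
    reason: str


def inspect_smtp_line(line: bytes) -> Optional[Finding]:
    """Return a Finding if a client command line looks like an overflow probe, else None."""
    line = line.rstrip(b"\r\n")
    m = CMD_RE.match(line)
    if not m:
        return None
    verb = m.group("verb").upper().decode("ascii")
    arg = m.group("arg") or b""
    if len(line) > MAX_LINE:
        return Finding(verb, len(arg), "command line exceeds RFC 5321 512-byte limit")
    if verb in ("VRFY", "EXPN"):
        if len(arg) > ARG_THRESHOLD:
            return Finding(verb, len(arg), "oversized VRFY/EXPN argument")
        if any(b < 0x20 or b > 0x7E for b in arg):
            return Finding(verb, len(arg), "non-printable bytes in VRFY/EXPN argument")
    return None


def scan_session(lines: Iterable[bytes]) -> List[Finding]:
    """Run the check over every client line of a captured session and collect the hits."""
    return [f for f in (inspect_smtp_line(l) for l in lines) if f is not None]


# Constructed sample session: the slide's 1000-byte probe beside benign commands.
SAMPLE_LINES = [
    b"HELO mail.example.com\r\n",
    b"VRFY postmaster\r\n",
    b"VRFY " + b"a" * 1000 + b"\r\n",
    b"VRFY user\x00\xff\r\n",
    b"QUIT\r\n",
]

if __name__ == "__main__":
    for finding in scan_session(SAMPLE_LINES):
        print(finding)
```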
Buffer overflow
Setuid programs
Password guessing/cracking
Mis-configured file/dir permissions
Get beyond root
• Vulnerabilities
• Dealing with firewalls
Vulnerabilities
Path integrity
Source routing reveals path through the network
Routing updates can be spoofed (RIP, IGRP)
ARP spoofing
Easy with dsniff
Dealing with firewalls