2004_05_05 Security Summit - Hacking Exposed Final - Copy

Page 1

7/22/2019 2004_05_05 Security Summit - Hacking Exposed Final - Copy

http://slidepdf.com/reader/full/20040505-security-summit-hacking-exposed-final-copy 1/32

NATO Security Workshop 11 Dec 2001

Hacking Exposed

May 5, 2004

Jan Decrock

Karel Dekyvere

Page 2

 Agenda

• Some reflections

• The attacker's process

• Things you must do

Page 3

What is it about?

People

Process

Technology

In this order!

Page 4

How it usually goes

Page 5

Attacker Processes

• Footprinting

• Social Engineering

• Scanning

• Enumeration

• Gaining Access

• Privilege Escalation

• Buffer Overflows

• Shovel a Shell

• Interactive Control

• Camouflaging

• Island Hopping

• Viruses

Page 6

Footprinting

• Footprinting Defined:

 – An attacker's use of tools and information to create a complete profile of an organization's security posture – "Casing the joint"

• Tools:

 – Google – http://www.google.com

 – Netcraft – http://www.netcraft.com

 – USENET – http://groups.google.com

 – EDGAR – http://www.sec.gov

 – DNS servers, TRACERT

 – WHOIS – http://www.arin.net & http://www.samspade.org

Page 7

Social Engineering

• Social Engineering Defined:

 – An attacker's use of personal interviewing techniques, research skills and/or trickery to discover sensitive information from a target's employees, partners or customers

• Tools

 – Telephone

 – Voice mail

 – Email

 – USENET

 – Temporary employment

Page 8

Scanning

• Scanning Defined:

 – An attacker's use of tools and information to determine what systems are alive and reachable from the Internet

• Tools:

 – fping (ICMP-based)

 – nmap (TCP-port-based)

 – netcat

 – SuperScan / Scanline

 – Typhon II

 – LANGuard

 – Fluxay

 – Many (many) more

Page 9

Enumeration

• Enumeration Defined:

 – An attacker's use of tools and information to determine what services are alive and listening from the Internet

• Tools:

 – LANGuard, N-Stealth, Fluxay, Nessus

• Countermeasures

 – RestrictAnonymous helps (1 or 2)? A value of 1 stops null-session listing of accounts and shares but still allows SID-to-name lookups; 2 denies anonymous access altogether and can break down-level clients and trust relationships, so test it before rolling it out

 – Renaming the Administrator account helps? Only marginally: its RID stays 500, so the account can still be identified through its SID

 – Disable unneeded services!

 – Enable port filtering

Page 10

Port Redirection

• Port Redirection Defined:

 – The use of tools to take network traffic destined for one port and send it to another host on another port

• Tools:

 – FPipe.exe, RINETD(8)

• Countermeasures

 – A port redirector has to be installed on the target system first, so keeping the host secure removes the precondition

 – Use IPsec (or similar) to control which hosts may communicate with a system; a redirector hides the real origin of the traffic

 – Inspect packet content, not just port numbers
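What FPipe and rinetd do, as an added Python example that is not from the deck: a redirector that accepts on one port and splices each connection to another host and port. Both ends are constructed loopback services; the "internal" service reports the peer address it saw, which is the redirector's socket, not the original client's, and that is the property the countermeasures above are about.

```python
"""A minimal rinetd/FPipe-style TCP redirector, exercised entirely on loopback."""
import socket
import threading
from typing import Tuple


def _listener() -> Tuple[socket.socket, int]:
    """Bind a listening socket on 127.0.0.1 with an OS-chosen port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s, s.getsockname()[1]


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_redirector(target_host: str, target_port: int) -> Tuple[socket.socket, int]:
    """Accept on a local port and splice each client to target_host:target_port.
    The target sees the redirector's address as the source, never the client's."""
    lst, port = _listener()

    def accept_loop() -> None:
        while True:
            try:
                client, _ = lst.accept()
            except OSError:          # listener closed: stop
                return
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst, port


def start_internal_service() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a service meant to be reachable only internally:
    reads the request to EOF and answers with the peer it saw plus the request."""
    lst, port = _listener()

    def serve() -> None:
        while True:
            try:
                conn, peer = lst.accept()
            except OSError:
                return
            with conn:
                req = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    req += chunk
                try:
                    conn.sendall(b"seen-from %s:%d got %s" % (peer[0].encode(), peer[1], req))
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return lst, port


def demo() -> Tuple[bytes, int, int]:
    """Send one request through the redirector; return (reply, redirector_port, service_port)."""
    svc, svc_port = start_internal_service()
    redir, redir_port = start_redirector("127.0.0.1", svc_port)
    try:
        with socket.create_connection(("127.0.0.1", redir_port), timeout=3) as c:
            c.sendall(b"hello via pivot")
            c.shutdown(socket.SHUT_WR)     # request done; wait for the reply
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply, redir_port, svc_port
    finally:
        redir.close()
        svc.close()


if __name__ == "__main__":
    print(demo()[0].decode())
```

On a real pivot the redirector runs on the compromised host and the internal service sees that host as the source, so an allow-list keyed on source address lets the traffic through; only filtering on the far side of the pivot, or looking at what the packets carry, catches it.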

Page 11

Gaining Access

• Gaining Access Defined:

 – An attacker's use of tools and information to make an attempt to access the target system

• Tools:

 – Keystroke loggers

 – Password grinders

 – Remote shells

 – L0phtcrack

 – John the Ripper

 – Brutus

 – GetAdmin, GetAdmin2

 – Samdump, Pwdump

• Countermeasures

 – Syskey will protect me (offline encryption)? Only against someone who copies the SAM without the system key; that key sits in the SYSTEM hive, and Pwdump-style tools running as SYSTEM read the hashes after the OS has already decrypted them

Page 12

 Are you careful with security?

Page 13

Privilege Escalation

• Privilege Escalation Defined:

 – An attacker's efforts to elevate his role from 'user' to 'administrator' by exploiting an operating system or application-specific flaw. Generally exploited from a console session of a non-privileged user.

• Tools:

 – GetAdmin, GetAdmin2

 – PipeUpAdmin

 – DebPloit

 – L0phtcrack (LC3/LC4)

 – John the Ripper

 – Brutus

 – Samdump

 – Pwdump1, 2, 3, 3e

 – LSADump, LSADump2

• Do your users have the 'Debug programs' or 'Log on locally' rights? 'Debug programs' lets a user attach to processes running as SYSTEM, which is exactly what the Pwdump2/LSADump family relies on.

Page 14

Buffer Overflows

• Buffer Overflows Defined:

 – Buffer overflow tools exploit unchecked buffers in specific OSs or applications to cause 'shellcode' to run, usually in the context of 'SYSTEM', 'IWAM' or 'SQLUSER' when exploiting Windows 2000, IIS or SQL Server.

• Tools:

 – Too many to name...

• Patch management: good idea!

• Wanna know how it works?

Page 15

Public Enemy #1: The Buffer Overrun

• Attempting to copy >n bytes into an n-byte buffer

• If you're lucky you get an AV (an access violation: the process crashes)

• If you're unlucky you get instability

• If you're really unlucky the attacker injects code into your application

 – And executes it!

 – And everyone's an admin :-(

Page 16

How Does It Work?

[Figure: two stack layouts drawn as boxes. Left, "A stack (foo() has just called bar())", from high to low addresses: bar() arguments, return address to foo(), buffer in bar(). Right, "A dangerous buffer": function arguments, return address, your allocated data. The attacker's input is assembly code followed by the address of its start; "add 'em together" and write them in with a copy function, so the copy runs past the buffer and the address lands on the return address.]
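The diagram above as an added Python model, not code from the deck: the frame is a byte array holding the buffer and the saved return address, the payload is the "assembly code" followed by the address of its start, and an unchecked copy is run beside a bounded one. The buffer size, the two addresses and the 0xCC filler standing in for shellcode are assumptions; a real overflow depends on the compiler's frame layout and the platform.

```python
"""Stack-frame model of the slide's diagram: buffer followed by the saved return address."""
import struct
from typing import Callable, Tuple

BUF_SIZE = 16                    # bytes "allocated" for your data (assumed)
RET_SIZE = 8                     # a 64-bit saved return address
FRAME_SIZE = BUF_SIZE + RET_SIZE
GOOD_RET = 0x0000000000401000    # assumed: legitimate return address into foo()
BUFFER_ADDRESS = 0x7FFFFFFFE000  # assumed: where the buffer sits on the stack
NOP = 0x90                       # x86 nop, used as padding ("nop sled")


def new_frame() -> bytearray:
    """A fresh frame as the slide draws it: buffer first, return address after it."""
    frame = bytearray(FRAME_SIZE)
    frame[BUF_SIZE:] = struct.pack("<Q", GOOD_RET)   # little-endian, as on x86
    return frame


def saved_return(frame: bytearray) -> int:
    """Read back the return address slot."""
    return struct.unpack("<Q", bytes(frame[BUF_SIZE:]))[0]


def unchecked_copy(frame: bytearray, data: bytes) -> bool:
    """strcpy()-style: writes len(data) bytes from the start of the buffer with no
    bound check, so anything past BUF_SIZE lands on the saved return address.
    The min() only keeps the model inside its own array; real strcpy keeps going."""
    n = min(len(data), FRAME_SIZE)
    frame[0:n] = data[:n]
    return True


def bounded_copy(frame: bytearray, data: bytes) -> bool:
    """strlcpy()-style: refuse anything that does not fit together with its NUL."""
    if len(data) >= BUF_SIZE:
        return False
    frame[0:len(data)] = data
    frame[len(data)] = 0
    return True


def build_payload(shellcode: bytes, buffer_address: int) -> bytes:
    """'Add 'em together': shellcode padded to fill the buffer, then the address of
    its start, so the overwritten return address jumps back into the buffer."""
    if len(shellcode) > BUF_SIZE:
        raise ValueError("shellcode does not fit the buffer")
    padded = shellcode.ljust(BUF_SIZE, bytes([NOP]))
    return padded + struct.pack("<Q", buffer_address)


def attack(copy_fn: Callable[[bytearray, bytes], bool]) -> Tuple[int, bool]:
    """Run one copy routine against a fresh frame; return (return address, accepted)."""
    frame = new_frame()
    payload = build_payload(b"\xcc" * 4, BUFFER_ADDRESS)   # 0xCC stands in for shellcode
    accepted = copy_fn(frame, payload)
    return saved_return(frame), accepted


if __name__ == "__main__":
    for name, fn in (("unchecked", unchecked_copy), ("bounded", bounded_copy)):
        ret, ok = attack(fn)
        print(f"{name:9s} accepted={ok!s:5s} return address=0x{ret:016x}")
```

With the unchecked copy the return slot now holds BUFFER_ADDRESS, so when the function returns the CPU continues inside the attacker's bytes; with the bounded copy the oversized input is rejected and the return address is untouched, which is the whole difference between "AV" and "everyone's an admin".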

Page 17

Code injections

• Insert malicious code into a program through its user interface

• Usually possible due to lack of input parameter checking

• Most commonly used mechanism to take over websites!

Page 18

SQL code injection

• Think of a website that allows you to query information; think harder.

• How could the code be built to capture your input:

 – Select * from creditcards where username = 'x'

 – Select * from PC_parts where model = 'x'

• Imagine what happens if your input would be:

 – hacker' or 1=1 (the good)

 – hacker' drop table creditcards (the bad)

 – hacker' xp_cmdshell('fdisk.exe') (the ugly)

• Try this @home, not @work!
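The slide's "good" and "bad" inputs run against a constructed in-memory SQLite table, as an added Python example that is not from the deck, with the concatenated query beside its parameterised form. The table contents are made up; the inputs carry a trailing -- comment so the application's closing quote is swallowed, which is the form they need in order to parse; the "ugly" one (xp_cmdshell) is SQL Server specific and is not run.

```python
"""The slide's inputs against an in-memory SQLite table: string-built query vs parameters."""
import sqlite3
from typing import Dict, List, Tuple

# The slide's "good" and "bad" inputs, with a -- comment so the application's
# own closing quote becomes part of a comment instead of a syntax error.
THE_GOOD = "hacker' OR 1=1 --"
THE_BAD = "hacker'; DROP TABLE creditcards --"


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the page's creditcards table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE creditcards (username TEXT, number TEXT)")
    db.executemany("INSERT INTO creditcards VALUES (?, ?)", [
        ("alice", "4111-1111-1111-1111"),
        ("bob",   "5500-0000-0000-0004"),
        ("carol", "3400-0000-0000-009"),
    ])
    db.commit()
    return db


def rows_vulnerable(db: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The query from the slide, built by concatenation: the input becomes SQL."""
    sql = "SELECT * FROM creditcards WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def run_vulnerable_batch(db: sqlite3.Connection, username: str) -> None:
    """Same concatenation, but executed as a batch of statements the way a
    SQL Server driver runs it; this is what lets a second statement through."""
    sql = "SELECT * FROM creditcards WHERE username = '" + username + "'"
    db.executescript(sql)


def rows_safe(db: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Parameterised query: the input is only ever a value, never SQL."""
    return db.execute(
        "SELECT * FROM creditcards WHERE username = ?", (username,)
    ).fetchall()


def table_exists(db: sqlite3.Connection, name: str = "creditcards") -> bool:
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def demo() -> Dict[str, object]:
    """Run each input through both query styles and report what happened."""
    db = make_db()
    result: Dict[str, object] = {
        "normal_lookup": len(rows_vulnerable(db, "alice")),   # 1 row, as intended
        "good_vulnerable": len(rows_vulnerable(db, THE_GOOD)),  # every card
        "good_safe": len(rows_safe(db, THE_GOOD)),              # nothing matches
    }
    rows_safe(db, THE_BAD)                                      # a harmless lookup
    result["bad_safe_table_survives"] = table_exists(db)
    run_vulnerable_batch(db, THE_BAD)                           # the table is gone
    result["bad_batch_table_survives"] = table_exists(db)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

One caveat the numbers show: sqlite3's execute() refuses stacked statements, so the "bad" input only works through executescript(), while SQL Server runs the whole batch by default. That is a property of the driver, not a fix; the concatenated query is just as broken either way, and only the parameterised form keeps the input out of the SQL.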

Page 19

You want to be in such a situation?

• Then start thinking in terms of security

Page 20

DEMO?

Page 21

Shovel a Shell

• Shovel a Shell Defined:

 – An attacker's use of tools to gain a 'remote command shell' on a target server.

• Tools:

 – Netcat – the attacker's 'Swiss army knife'

 – PSExec.exe

• Countermeasures

 – Limit outbound connections! (a shovelled shell is the target connecting out to the attacker)

 – Software restriction policies.

Page 22

Island Hopping

• Island Hopping Defined:

 – Attacker uses a compromised platform to stage an attack on another host

 – Attacker repeats the entire 'attack methodology' process to expand influence far and wide

• Tools:

 – netcat

 – Tftp

 – Fpipe

 – SMB Relay

 – Hash 'cramming'

• Did you know: ¼ of all Internet routers contained third-party sniffers

Page 23

Viruses

• Main sources: Internet, mail, floppy.

• You can protect yourself

• Keep up to date on new viruses (mailing lists, automatic updates, patch management process...)

Page 24

Why viruses/worms win

• Viruses/worms usually exploit buffer overruns.

• Finding a new buffer overrun blind is roughly a 1 chance in 10^10 shot.

• Or you reverse engineer announced flaws in the system:

 – Download a patch

 – Install it on a computer

 – Verify what it modifies in the system/memory allocations

• Write the virus based on the patch information

• Hope that nobody installed the patch

• What are my chances of being successful?

Page 25

Why viruses/worms should not win

• A virus/worm usually ships 10 to 20 days 'after' the patch is released.

• Excuse #1: Good anti-virus software will protect me; somebody is always the first to be infected, and what if the worm spreads faster than the pattern file?

• Excuse #2: We have a firewall that blocks all traffic; really, and you have one for all mobile users, one to split your internal network, etc...

• Excuse #3: Only Microsoft writes bogus code, I run on non-MS products; statistics say that every 1000 lines of code has 1 bug (no matter what software or vendor).

Page 26

How much is enough security? 

Page 27

Thank you for attending

and remember,

PPT (People, Process, Technology)

KYE (Know Your Enemy)

Page 28

Know Your Enemy

• Some Good Books:

 – Hacking Exposed Windows 2000 by Joel Scambray and Stuart McClure, ISBN: 0072192623

 – Windows 2000 Security Handbook by Philip Cox and Tom Sheldon, ISBN: 0072124334

Page 29

Know Your Enemy

• Web Sites:

 – HNC at http://www.hack-net.com

 – Attrition at http://www.attrition.org

 – Counterpane Systems (home of Bruce Schneier) at http://www.counterpane.com

 – Cult of the Dead Cow at http://www.cultdeadcow.com

 – Rootshell at http://rootshell.com

 – 2600 at http://www.2600.com

 – EEye at http://www.eeye.com

 – WSD at http://www.w00w00.org

 – NTSecurity at http://www.ntsecurity.net

Page 30

Know Your Enemy

• Web Sites:

 – Slashdot at http://www.slashdot.org

 – Razor at http://razor.bindview.com

 – Rain Forest Puppy at http://www.wiretrip.net/rfp

 – Phrack at http://phrack.infonexus.com

 – SecurityFocus at http://www.securityfocus.com. Get on the NTBugTraq mailing list here.

 – BlackHat at http://www.blackhat.com/

 – Nomad Mobile Research Centre at http://www.nmrc.org/

 – Secure I Team at http://www.secureiteam.com

Page 31

Know Your Enemy

• Events

 – RSA Conference http://www.rsaconference.com

 – BlackHat http://www.blackhat.com

 – DefCon http://www.defcon.org (the largest hacking convention; bring your own 802.11b wireless network card!)

Page 32

References

• Hacking Exposed, 4th Edition

• Hacking Windows 2000 Exposed

• Special Ops

• Microsoft Solution for Securing Windows 2000 Server: http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp

• NSA Security Guidelines: http://nsa1.www.conxion.com/