2c Introduction to Hacking
Transcript of 2c Introduction to Hacking
-
23 August 2015
Introduction to hacking
-
Summary
Footprinting
Scanning
Enumeration
Attack
-
Footprinting
Footprinting of an organization enables attackers to create a complete profile of an organization's security posture.
Attackers can take an unknown entity and reduce it to a specific range of domain names, network blocks and individual IP addresses of systems directly connected to the Internet.
-
Footprinting
Publicly available information
Company web pages
Privacy or security policies, and technical details indicating the types of security mechanisms in place
Disgruntled employees
Other information of interest
Tool of choice: Maltego
-
Footprinting
Whois & DNS enumeration
Domain-related searches
IP-related searches
-
Footprinting
Network reconnaissance
Traceroute
tcptraceroute
-
Scanning
Scanning is equivalent to knocking on the walls of a building to find all the doors and windows
Attackers can determine which hosts are alive and which ports they are listening on
Tool of choice: nmap
-
Scanning
Determining if the system is alive
One of the most basic steps in mapping out a network is an automated ping sweep over a range of IP addresses and network blocks, to determine which individual devices or systems are alive
-
Scanning
Determining which services are listening
Port scanning is the process of connecting to TCP and UDP ports on the target system to determine which services are running, i.e. which ports are in a LISTENING state
Identifying listening ports is critical: it reveals the running services and, consequently, the vulnerabilities that are reachable from a remote location
-
Scanning
Detecting the operating system
Specific operating system information allows an attacker to map vulnerabilities to services with greater accuracy
There are a number of techniques for performing this work, mainly banner grabbing and stack fingerprinting
-
Enumeration
Enumeration consists of probing the identified services more fully for known weaknesses
Enumeration involves active connections to systems and directed queries. It is therefore more intrusive than simple information gathering (i.e. it is likely to be noticed)
-
Enumeration
Basic banner grabbing
Telnet & netcat
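Added example, not part of the slides: a minimal TCP connect scan with banner grabbing in Python, standing in for what nmap (previous slides) and netcat do here. So that it runs offline, the script starts its own throwaway listeners on 127.0.0.1; the target, the ports and the banner text are constructed for the demo, and the "silent" listener shows what a service that waits for the client to speak first (e.g. HTTP) looks like to a banner grabber.

```python
"""Added example: TCP connect scan plus banner grabbing (what nmap and
nc do), run against throwaway listeners started on localhost so it works
offline. Target, ports and banner text are constructed for the demo."""
import socket
import threading
from typing import Dict, Iterable, Optional


def start_fake_service(banner: bytes) -> int:
    """Constructed target: a listener on 127.0.0.1 that sends BANNER to every
    client and hangs up. Returns the port the OS assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """Pick a port nobody listens on (bind to 0, read it back, close)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def is_open(host: str, port: int, timeout: float = 0.3) -> bool:
    """Connect scan: a completed TCP handshake means a service is LISTENING.
    connect_ex returns 0 on success and an errno (e.g. ECONNREFUSED) otherwise."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def grab_banner(host: str, port: int, timeout: float = 0.5) -> Optional[str]:
    """Connect and read whatever the service volunteers, like `nc host port`.
    Services that wait for the client to speak first (HTTP) yield None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(1024)
    except OSError:                  # refused, reset or timed out
        return None
    text = data.decode("ascii", errors="replace").strip()
    return text or None


def scan(host: str, ports: Iterable[int]) -> Dict[int, Optional[str]]:
    """Map every open port to its banner (None when nothing was sent)."""
    return {p: grab_banner(host, p) for p in ports if is_open(host, p)}


if __name__ == "__main__":
    smtp = start_fake_service(b"220 mail.example.test ESMTP Postfix\r\n")
    silent = start_fake_service(b"")
    for port, banner in scan("127.0.0.1", [smtp, silent, unused_port()]).items():
        print(f"{port}/tcp open  banner={banner!r}")
```

A connect scan completes the handshake, so it shows up in the target's connection logs; the SYN-only scans nmap defaults to as root are quieter but need raw sockets. UDP is not covered: without a reply there is no way to tell "open" from "filtered" on UDP, which is why UDP scans are slow and unreliable.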
-
Enumeration
Enumerating common network services
Service                Port        Command
FTP                    TCP 21      ftp x.x.x.x
SMTP                   TCP 25      telnet x.x.x.x 25
NetBIOS name service   UDP 137     nbtscan -v x.x.x.x
HTTP                   TCP 80      telnet x.x.x.x 80
-
Enumeration
Enumerating common network services (continued)
Service                Port                    Command
NetBIOS/SMB browsing   UDP 137, TCP 139/445    net view /domain
                                               net view /domain:domainname
SMB null session       TCP 139/445             net use \\x.x.x.x\IPC$ "" /u:""
-
Enumeration
Nessus
Vulnerability scanner
Probes services for known vulnerabilities; it only attempts to exploit them when run in unsafe mode (safe checks disabled), and only to confirm their presence
May alert the target
-
Attack
Attacking the software: exploits for known vulnerabilities
Attacking the credentials: password guessing, password cracking
Attacking the network: traffic sniffing, denial of service
-
Attacking the software
Applications and services often suffer from known vulnerabilities
An attacker can take advantage of these vulnerabilities in order to:
Execute code or commands on the remote host
Obtain higher privileges
Render the remote service unusable
-
Attacking the software
Vulnerabilities are tied to specific software versions. Therefore, knowing the exact release of the target software is of critical importance
-
Attacking the software
New vulnerabilities are found and old ones are fixed every day. Exploits for unfixed vulnerabilities (0-days) are particularly valuable, and may have a very short lifespan, depending on how quickly the vulnerability is fixed
-
Attacking the credentials
The likelihood of success depends heavily on the complexity of the password to be guessed and on the dictionary used
Stronger passwords require more time to be found
Larger dictionaries increase both the chance of having success and the computation time
-
Attacking the credentials
Password guessing
The attacker tries to guess a valid password, submitting the words in a dictionary to a login prompt or form
Time-consuming
Generates a lot of traffic on the network
Likely to be noticed
Tool of choice: medusa
-
Attacking the credentials
Password cracking
Starting from a password file obtained from the target (passwords are stored hashed, not in clear text), the attacker tries to recover the passwords in clear text
The attacker hashes each word in a dictionary with the same algorithm and salt the target used and compares the result with the stored hashes
Time-consuming, but it is done offline and cannot be detected on the network
Tool of choice: john the ripper
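Added example, not from the slides: an offline dictionary attack of the kind john the ripper performs, written in Python. The password file format (user:sha256$salt$hex), the three accounts, their hashes and the wordlist are all constructed inside the script (a real /etc/shadow uses crypt(3) formats such as $6$, which john understands). It also shows the two trade-offs the slides mention: a password outside the dictionary is not found, and enlarging the effective dictionary with mangling rules finds more passwords at the cost of more hash computations.

```python
"""Added example: offline dictionary attack against a captured password
file, the job john the ripper does. File format, accounts, hashes and
wordlist are constructed here so the demo is self-contained."""
import hashlib
from typing import Dict, Iterable, List, Tuple


def hash_password(password: str, salt: str) -> str:
    """The target system's (constructed) scheme: sha256(salt || password).
    The attacker has to reproduce it exactly, salt included."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample file; digests are generated so the demo runs stand-alone.
SAMPLE_FILE = "\n".join([
    "# user:algorithm$salt$digest  (constructed sample, not real accounts)",
    "alice:sha256$x7Kq$" + hash_password("sunshine", "x7Kq"),
    "bob:sha256$p0Lm$" + hash_password("Password1", "p0Lm"),
    "carol:sha256$zz19$" + hash_password("T9#vq!r2LpWe", "zz19"),
])

# Constructed wordlist, the kind of list a cracker reads from a file
WORDLIST = ["123456", "password", "sunshine", "letmein", "qwerty"]


def parse_password_file(text: str) -> List[Tuple[str, str, str]]:
    """Parse user:sha256$salt$digest lines into (user, salt, digest) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, spec = line.split(":", 1)
        algo, salt, digest = spec.split("$")
        if algo != "sha256":
            raise ValueError(f"unsupported hash type {algo!r} for {user}")
        entries.append((user, salt, digest))
    return entries


def mangle(word: str, rules: bool) -> List[str]:
    """Candidates derived from one dictionary word. Mangling rules enlarge the
    effective dictionary: more hits, but more hashes to compute."""
    if not rules:
        return [word]
    return [word, word.capitalize(), word + "1", word.capitalize() + "1", word + "!"]


def crack(entries: List[Tuple[str, str, str]], wordlist: Iterable[str],
          rules: bool = True) -> Tuple[Dict[str, str], int]:
    """Hash every candidate with each still-unknown user's salt and compare.
    Returns {user: password} for the hits and the number of hashes computed,
    the cost that grows with the dictionary. Because every entry carries its
    own salt, a candidate must be hashed once per user rather than once."""
    found: Dict[str, str] = {}
    hashes = 0
    for word in wordlist:
        for cand in mangle(word, rules):
            for user, salt, digest in entries:
                if user in found:
                    continue
                hashes += 1
                if hash_password(cand, salt) == digest:
                    found[user] = cand
    return found, hashes


if __name__ == "__main__":
    entries = parse_password_file(SAMPLE_FILE)
    for rules in (False, True):
        found, cost = crack(entries, WORDLIST, rules=rules)
        print(f"rules={rules}: cracked {found} with {cost} hashes")
```

Nothing in this loop touches the network, which is why cracking is invisible to the target's IDS while guessing against a login form is not. The per-user salt is what forces the attacker to re-hash every candidate for every account; unsalted hashes (or a shared salt) would let one hash per candidate serve the whole file.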
-
Attacking the network
Traffic sniffing
Using ARP poisoning or other means, the attacker poses as a man-in-the-middle between two communicating hosts. By doing so, all the traffic exchanged by those two hosts passes through the attacker
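Added example, not from the slides: the defender's side of ARP poisoning. The script builds the Ethernet/ARP frames an attacker sends to become the man-in-the-middle between a gateway and a victim (all hosts, MACs and addresses are constructed) and then runs the simplest useful detection over them: learn the IP-to-MAC binding from ARP replies and alert when a known IP is suddenly claimed by a different MAC. A real detector would take the frames from a capture rather than building them inline.

```python
"""Added example: detecting ARP poisoning, the usual way an attacker becomes
a man-in-the-middle on a LAN. Frames are built inline from constructed hosts,
MACs and addresses; a real detector would read them from a packet capture."""
import struct
from typing import Dict, List, Optional, Tuple

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet + ARP 'is-at' reply, as a real host or a poisoning tool sends it."""
    eth = ETH.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY,
                   mac_bytes(sender_mac), ip_bytes(sender_ip),
                   mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender MAC, sender IP) for an ARP frame, None otherwise."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _, _, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, _ = ARP.unpack_from(frame, ETH.size)
    return op, ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)


def detect_poisoning(frames: List[bytes]) -> List[str]:
    """Learn IP -> MAC from ARP replies and alert when a known IP is claimed by
    a different MAC. The first binding is kept, so repeated poison replies keep
    alerting; a production tool would check against DHCP leases or an inventory
    instead of trusting whoever answered first."""
    table: Dict[str, str] = {}
    alerts: List[str] = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, sha, spa = parsed
        known = table.setdefault(spa, sha)
        if known != sha:
            alerts.append(f"{spa} claimed by {sha}, previously {known}")
    return alerts


# Constructed LAN
GATEWAY_MAC, GATEWAY_IP = "aa:aa:aa:aa:aa:aa", "192.168.1.1"
VICTIM_MAC, VICTIM_IP = "bb:bb:bb:bb:bb:bb", "192.168.1.10"
ATTACKER_MAC = "cc:cc:cc:cc:cc:cc"


def sample_frames() -> List[bytes]:
    """Constructed traffic: two honest replies, an unrelated IPv4 frame, then the
    attacker poisoning both sides so gateway<->victim traffic flows through it."""
    ipv4 = ETH.pack(mac_bytes(GATEWAY_MAC), mac_bytes(VICTIM_MAC), 0x0800) + b"\x45" + b"\x00" * 27
    return [
        arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # honest
        arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # honest
        ipv4,                                                         # not ARP
        arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "gateway is at attacker"
        arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "victim is at attacker"
    ]


if __name__ == "__main__":
    for alert in detect_poisoning(sample_frames()):
        print("ALERT:", alert)
```

Tools such as arpwatch work on exactly this principle; the weak point is the bootstrap, since a detector that starts after the poisoning has begun will learn the attacker's MAC as the legitimate one.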
-
Attacking the network
Denial of service
The attacker generates a volume of network traffic too high for the victim to manage, saturating its resources and preventing it from accepting legitimate connections