2c Introduction to Hacking


  • 23 August 2015

    Introduction to hacking

  • Summary

    Footprinting, Scanning, Enumeration, Attack (the four phases, in that order)

  • Footprinting

    Footprinting of an organization enables attackers to create a complete profile of an organization's security posture.

    Attackers can take an unknown entity and reduce it to a specific range of domain names, network blocks and individual IP addresses of systems directly connected to the Internet

  • Footprinting

    Publicly available information: company web pages; privacy or security policies, and technical details indicating the types of security mechanisms in place; disgruntled employees; other information of interest

    Tool of choice: Maltego

  • Footprinting

    Whois & DNS enumeration: domain-related searches, IP-related searches

  • Footprinting

    Network reconnaissance: traceroute, tcptraceroute (tcptraceroute sends TCP SYN probes instead of ICMP or UDP, so it can map a path through firewalls that drop plain traceroute probes)

  • Scanning

    Scanning is equivalent to knocking on the walls of a building to find all the doors and windows

    Attackers can determine which hosts are alive and which ports they are listening on

    Tool of choice: nmap

  • Scanning

    Determining if the system is alive

    One of the most basic steps in mapping out a network consists in performing an automated ping sweep on a range of IP addresses and network blocks to determine if individual devices or systems are alive

  • Scanning

    Determining which services are listening

    Port scanning is the process of connecting to TCP and UDP ports on the target system to determine what services are running or are in a LISTENING state

    Identifying listening ports is critical to discover the running services and consequently the vulnerabilities present from a remote location

  • Scanning

    Detecting the operating system

    Specific operating system information allows an attacker to map vulnerabilities to services with greater accuracy

    There are a number of techniques for performing this work, mainly banner grabbing and TCP/IP stack fingerprinting (comparing how the target's stack answers crafted probes against a database of known implementations)

  • Enumeration

    Enumeration consists in probing the identified services more fully for known weaknesses

    Enumeration involves active connections to systems and directed queries, so it is more intrusive than passive information gathering (i.e. it is likely to be noticed and logged)

  • Enumeration

    Basic banner grabbing: telnet & netcat

  • Enumeration

    Enumerating common network services

    FTP, TCP port 21: ftp x.x.x.x

    SMTP, TCP port 25: telnet x.x.x.x 25

    NetBIOS name service, UDP port 137: nbtscan -v x.x.x.x

    HTTP, TCP port 80: telnet x.x.x.x 80

  • Enumeration

    Enumerating common network services (continued)

    NetBIOS/SMB browsing (UDP 137/138, TCP 139/445): net view /domain and net view /domain:domainname (list the domains, then the hosts in a domain)

    SMB null session, TCP port 139/445: net use \\x.x.x.x\IPC$ "" /u:"" (anonymous connection to the IPC$ share; on old or misconfigured Windows hosts it allows users, groups and shares to be enumerated)
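The connect scan, banner grab and service identification described in the Scanning and Enumeration slides above, as one added Python example that is not part of the original slides. It stands in for nmap and for the manual ftp/telnet sessions in the table: it starts three constructed loopback listeners with made-up FTP, SMTP and HTTP banners (no real daemon and no remote host is touched), runs a TCP connect() scan over a small port list, grabs each banner, sending a harmless HTTP request when the service waits for the client to speak first, and maps the banners to service names and version strings. The banner-matching rules are assumptions made for this example, not nmap's service-probe database.

```python
import re
import socket
import threading

# Constructed stand-ins for real daemons (banner text is made up). The bool
# says whether the service greets first (FTP/SMTP/SSH do) or waits for the
# client's request (HTTP does).
FAKE_SERVICES = {
    "ftp": (b"220 ProFTPD 1.3.5 Server ready.\r\n", True),
    "smtp": (b"220 mail.example.test ESMTP Postfix\r\n", True),
    "http": (b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.7 (Ubuntu)\r\n\r\n", False),
}


def start_fake_service(banner: bytes, talks_first: bool) -> int:
    """Bind a loopback listener on an ephemeral port, serve `banner`, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    if not talks_first:
                        conn.settimeout(2.0)
                        conn.recv(1024)  # block until the client's request arrives
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def tcp_connect_scan(host: str, ports, timeout: float = 0.5) -> list:
    """TCP connect() scan: a full three-way handshake per port.
    connect_ex() gives 0 for open, ECONNREFUSED (RST) for closed, a timeout for
    filtered. A completed connect is logged by the target, which is why nmap
    prefers a half-open SYN scan when it can use raw sockets."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Read what the service volunteers; if it is silent, send a harmless HTTP
    request and read the reply (the manual 'telnet x.x.x.x 80' step)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
    return data.decode("latin-1", "replace").strip()


# Banner -> (service, product/version). These rules are assumptions made for
# the example, not nmap's nmap-service-probes database.
BANNER_RULES = [
    ("ssh", re.compile(r"^(SSH-\d\.\d-\S+)")),
    ("ftp", re.compile(r"^220 .*?(ProFTPD \S+|vsFTPd \S+|FileZilla Server)", re.I)),
    ("smtp", re.compile(r"^220 \S+ (E?SMTP) ?(\S*)", re.I)),
    ("http", re.compile(r"^HTTP/\d\.\d .*?Server: ([^\r\n]+)", re.S)),
]


def identify(banner: str) -> tuple:
    """Map a banner to (service, version string); ('unknown', '') if nothing matches."""
    for name, rule in BANNER_RULES:
        m = rule.search(banner)
        if m:
            return name, " ".join(g for g in m.groups() if g).strip()
    return "unknown", ""


def demo() -> tuple:
    """Start the constructed services, scan them plus one known-closed port."""
    ports = {n: start_fake_service(b, first) for n, (b, first) in FAKE_SERVICES.items()}
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed = tmp.getsockname()[1]  # take an ephemeral port number...
    tmp.close()                    # ...and release it, so it is now closed
    found = {}
    for port in tcp_connect_scan("127.0.0.1", sorted(ports.values()) + [closed]):
        banner = grab_banner("127.0.0.1", port)
        service, version = identify(banner)
        found[port] = {"service": service, "version": version, "banner": banner}
    return ports, closed, found
```

`demo()` returns the open-port map with the product and version string per port; those version strings are exactly what the "attacking the software" step needs to match a host against known vulnerabilities. Note that the scan itself is the noisy part: every probe completes a handshake and lands in the target's logs, which is what the enumeration slide means by "likely to be noticed".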

  • Enumeration

    Nessus: vulnerability scanner

    Probes services for known vulnerabilities; with safe checks disabled it also runs tests that may crash or disrupt the service, and only to confirm that a vulnerability is present

    May alert the target

  • Attack

    Attacking the software: exploits, known vulnerabilities

    Attacking the credentials: password guessing, password cracking

    Attacking the network: traffic sniffing, denial of service

  • Attacking the software

    Applications and services often suffer from known vulnerabilities

    An attacker may take advantage of these vulnerabilities in order to:

    Execute code or commands on the remote host

    Obtain higher privileges

    Render the remote service unusable

  • Attacking the software

    Vulnerabilities are tied to specific software versions. Therefore, knowing the exact release of the target software is of critical importance

  • Attacking the software

    New vulnerabilities are found and old ones are fixed every day. Exploits for unfixed vulnerabilities (0-days) are particularly valuable, and may have a very short lifespan, depending on how quickly the vulnerability is fixed

  • Attacking the credentials

    Likelihood of success depends heavily on the complexity of the target password and on the dictionary used

    Stronger passwords require more time to be found

    Larger dictionaries increase both the chance of success and the computation time

  • Attacking the credentials

    Password guessing (online): the attacker tries to guess a valid password by submitting the words of a dictionary to a login prompt or form

    Time-consuming; generates a lot of traffic on the network and a failed-login record for every attempt, so it is likely to be noticed

    Tool of choice: medusa
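How a defender notices the online guessing the slide describes, as an added Python example that is not part of the original slides. It runs a sliding-window rule over constructed log lines written in the style of OpenSSH's syslog output (host name, process IDs and addresses are made up; the addresses are from the documentation ranges): a source is flagged once it accumulates a threshold of failed logins inside a short window, and the distinct usernames it tried are reported, because a dictionary run by a tool such as medusa usually cycles through a user list as well. The threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the style of OpenSSH's syslog output. Host,
# PIDs and addresses (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
Aug 23 10:00:01 srv1 sshd[4012]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 23 10:00:02 srv1 sshd[4013]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Aug 23 10:00:02 srv1 sshd[4014]: Failed password for root from 203.0.113.5 port 51236 ssh2
Aug 23 10:00:03 srv1 sshd[4015]: Failed password for root from 203.0.113.5 port 51237 ssh2
Aug 23 10:00:03 srv1 sshd[4016]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
Aug 23 10:00:04 srv1 sshd[4017]: Failed password for invalid user guest from 203.0.113.5 port 51239 ssh2
Aug 23 10:00:10 srv1 sshd[4020]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Aug 23 10:00:15 srv1 sshd[4021]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Aug 23 10:05:00 srv1 sshd[4030]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Aug 23 10:07:00 srv1 sshd[4031]: Failed password for bob from 198.51.100.9 port 40101 ssh2
Aug 23 10:09:00 srv1 sshd[4032]: Failed password for bob from 198.51.100.9 port 40102 ssh2
Aug 23 10:11:00 srv1 sshd[4033]: Failed password for bob from 198.51.100.9 port 40103 ssh2
Aug 23 10:13:00 srv1 sshd[4034]: Failed password for bob from 198.51.100.9 port 40104 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_events(lines):
    """Yield (timestamp, result, user, source_ip) for every sshd password line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; that is fine for the deltas below
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def detect_guessing(lines, window_s: int = 60, threshold: int = 5) -> dict:
    """Sliding-window rule: alert on a source once `threshold` failed logins
    fall inside any `window_s`-second span (both values are assumptions)."""
    recent = defaultdict(deque)   # source ip -> timestamps of its recent failures
    users = defaultdict(set)      # source ip -> distinct usernames it tried
    alerts = {}
    for ts, result, user, ip in parse_auth_events(lines):
        if result != "Failed":
            continue
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first_seen": q[0], "failures_in_window": len(q)}
    for ip in alerts:
        alerts[ip]["users_tried"] = sorted(users[ip])
    return alerts


if __name__ == "__main__":
    for ip, info in detect_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures_in_window']} failures, users tried {info['users_tried']}")
```

With the defaults only 203.0.113.5 (six failures in four seconds across four usernames) is flagged; the slow run from 198.51.100.9, one failure every two minutes, slips under a 60-second window and needs a longer one (`window_s=600`) to be caught, which is the trade-off between catching a patient attacker and false positives from a user who keeps mistyping.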

  • Attacking the credentials

    Password cracking (offline): starting from a stolen password file that holds hashed (not clear-text) passwords, the attacker tries to recover the clear-text passwords

    The attacker hashes each word of a dictionary with the same algorithm (and salt) used by the target and compares the result with the stored hashes; a match reveals the password

    Time-consuming, but it generates no network traffic and so cannot be detected on the network

    Tool of choice: john the ripper
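The offline dictionary attack the slide describes, as an added Python example that is not part of the original slides and not john the ripper's code. It uses a constructed password file whose format (user:salt:PBKDF2-SHA256 hex) and entries are made up for the example, a five-word constructed dictionary, and a handful of word-mangling rules in the spirit of john's rules; the iteration count is deliberately low so the run is instant. It shows why the cost grows with the dictionary and with the number of salted accounts, and why a passphrase outside the dictionary survives.

```python
import hashlib
import hmac
import time

ITERATIONS = 2000  # deliberately low so the demo is instant; real KDFs use far more


def make_entry(user: str, password: str, salt: str) -> str:
    """One line of the constructed password file: user:salt:PBKDF2-SHA256(hex)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"{user}:{salt}:{digest.hex()}"


def parse_password_file(text: str) -> list:
    """Return [(user, salt, digest_bytes), ...] from the constructed format."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            user, salt, digest = line.split(":")
            entries.append((user, salt, bytes.fromhex(digest)))
    return entries


def mangle(word: str):
    """A tiny subset of john-style word-mangling rules: 8 candidates per word."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack(entries: list, wordlist: list) -> tuple:
    """Offline dictionary attack. Returns ({user: password}, hashes_computed).

    Nothing touches the network; the only cost is CPU. Because every account
    has its own salt, a candidate hashed for one user cannot be reused for the
    next, so the work grows with dictionary size times number of accounts.
    """
    cracked, computed = {}, 0
    for user, salt, target in entries:
        for word in wordlist:
            for cand in mangle(word):
                computed += 1
                guess = hashlib.pbkdf2_hmac("sha256", cand.encode(), salt.encode(), ITERATIONS)
                if hmac.compare_digest(guess, target):
                    cracked[user] = cand
                    break
            if user in cracked:
                break
    return cracked, computed


# Constructed inputs: a five-word dictionary and three made-up accounts.
WORDLIST = ["letmein", "password", "winter", "summer", "qwerty"]
PASSWORD_FILE = "\n".join([
    make_entry("alice", "password", "5f2a9c1d3e7b4a60"),                       # verbatim word
    make_entry("bob", "Winter123", "0c4d8e2f6a1b3c5d"),                        # word + rule
    make_entry("carol", "correct-horse-battery-staple", "9a8b7c6d5e4f3a2b"),   # not derivable
])


def demo() -> tuple:
    """Run the attack against the constructed file; returns (cracked, hashes, seconds)."""
    t0 = time.perf_counter()
    cracked, computed = crack(parse_password_file(PASSWORD_FILE), WORDLIST)
    return cracked, computed, time.perf_counter() - t0


if __name__ == "__main__":
    cracked, computed, secs = demo()
    print(f"{computed} hashes in {secs:.3f}s, cracked: {cracked}")
```

alice falls on the ninth hash, bob on the 22nd (his password is a dictionary word with a common suffix, which the rules generate), and carol's 40 candidates all miss. Raising the iteration count or the dictionary size scales the time linearly, which is the "stronger passwords require more time" point of the previous slide made concrete.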

  • Attacking the network

    Traffic sniffing: using ARP poisoning or other means, the attacker poses as a man-in-the-middle between two communicating hosts. By doing so, all the traffic exchanged by those two hosts passes through the attacker
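What an ARP-poisoning man-in-the-middle actually puts on the wire, and how it is spotted, as an added Python example that is not part of the original slides. It builds the two unsolicited ARP replies the attacker sends (the victim is told that the gateway's IP is at the attacker's MAC, the gateway is told the same about the victim's IP), parses them back, and runs an arpwatch-style check that alerts when an IP already bound to one MAC is claimed by another. Addresses are constructed (TEST-NET-1 IPs and made-up MACs); the frames are only built as bytes and never sent, since sending them would need a raw AF_PACKET socket and root on Linux.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet for IPv4 (42 bytes, unpadded)."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack(
        "!HHBBH6s4s6s4s",
        1, 0x0800, 6, 4, op,                                  # htype=Ethernet, ptype=IPv4
        mac_bytes(sender_mac), socket.inet_aton(sender_ip),   # "sender_ip is at sender_mac"
        mac_bytes(target_mac), socket.inet_aton(target_ip),
    )
    return eth + arp


def parse_arp(frame: bytes):
    """Decode a frame into a dict; None if it is not an ARP frame."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "eth_src": mac_str(src), "sender_mac": mac_str(sha),
            "sender_ip": socket.inet_ntoa(spa), "target_mac": mac_str(tha),
            "target_ip": socket.inet_ntoa(tpa)}


def poison_frames(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip) -> list:
    """The two unsolicited replies an ARP-poisoning MITM keeps re-sending: the
    victim is told the gateway's IP lives at the attacker's MAC and the gateway
    is told the same about the victim's IP. Hosts overwrite their ARP cache on
    receipt, so both directions now flow through the attacker, who forwards
    (and reads) them so the connection keeps working."""
    return [
        build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip),
        build_arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip),
    ]


def watch_arp(frames, known=None) -> tuple:
    """arpwatch-style check: alert when an IP already bound to one MAC is
    claimed by a different one. Returns (alerts, final ip->mac table)."""
    table = dict(known or {})
    alerts = []
    for frame in frames:
        p = parse_arp(frame)
        if p is None or p["op"] != ARP_REPLY:
            continue
        old = table.get(p["sender_ip"])
        if old is not None and old != p["sender_mac"]:
            alerts.append((p["sender_ip"], old, p["sender_mac"]))
        table[p["sender_ip"]] = p["sender_mac"]
    return alerts, table


# Constructed addresses: TEST-NET-1 IPs and made-up MACs.
GATEWAY_MAC, GATEWAY_IP = "00:11:22:33:44:55", "192.0.2.1"
VICTIM_MAC, VICTIM_IP = "66:77:88:99:aa:bb", "192.0.2.10"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def demo() -> tuple:
    """Two legitimate replies establish the bindings, then the poison pair arrives."""
    legit = [
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    ]
    poison = poison_frames(ATTACKER_MAC, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP)
    return watch_arp(legit + poison)
```

The detector works only because it remembers earlier bindings: a host that sees the poison reply first has nothing to compare against, which is why a watcher should be seeded from a trusted inventory (the `known` argument) and why static ARP entries or switch-side dynamic ARP inspection are the real fix on the hosts that matter.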

  • Attacking the network

    Denial of service: the attacker generates a volume of network traffic too high for the victim to manage, saturating its resources and preventing it from accepting legitimate connections
