Hacking Information Security - ief.uni-rostock.de · Hacking - Network Security Introduction 0....
Thomas Kemmerich
Hacking - Network Security Introduction, 0. Introduction
BaSoTi 2016 - Tallinn
Hacking Information Security
A practical course in Ethical Hacking
I. Exercise:
• You shall conduct a penetration test for a dedicated WLAN setup for this BaSoTi course
• It is a blackbox test
• Describe all tasks and steps you are doing in any test!
• Develop a form for the report
• What else do you need for the preparation?
—> Make a short presentation of your plan beforehand
Groups of 5 students
02-Scanning - 25 July 2016
II. Exercise:
• Install Kali Linux in a virtual machine (VirtualBox or a similar VM), if not done yet (one installation per group)
• Start aircrack-ng to monitor the air, or use e.g. kismet, to find out the SSID of the target network
• Find out the WPA passphrase to connect to the WLAN
Confirm with me that you connect to the right network!
III. Exercise:
• Scan the network with zenmap and describe what you found
Confirm with me that you connect to the right network!
Ethical Hacking*
Scanning
Ethical Hacking*
Scanning:
* These slides are produced according to the lecture ‘Ethical Hacking!’ by Lasse Øverlier, Høgskolen i Gjøvik
• Scanning: war dialling, war driving
• Network scanning: sweeping, tracing, ports, OS, versions —> vulnerabilities
• ZenMap gives us an overview of the entire network we are connected to.
• amap or Nessus
War Dialling:
• Looking for modems to dial into; more and more obsolete
• May still find closed networks
• War dialers (ref. “War Games”): THC-Scan (THC: The Hackers Choice)
• Defences: Modems needed? Modem policy? Dial-out only!
War Driving:
• Looking for wireless access points
• Many examples, especially in business areas, of finding a lot of open APs (war-walking, war-biking, war-flying, …)
• Accessible up to max. 300 m
• Collecting the ESSIDs (32 chars), the “name of the WLAN”; SSIDs = ESSIDs + BSSIDs (MAC address)
• Methods: active scanning, passive scanning, forcing deauthentication
Active scanning:
• Sending probe packets with ESSID=“Any”
• NetStumbler: tool for collecting information automatically: 802.11 a, b, g; GPS support for direct plotting of ESSIDs on maps
• Including security information: open or encrypted; WEP, WPA, WPA2, …
Passive scanning:
• Sniffing the traffic
• ESSID is included in clear text
• No-one knows that the attacker is listening - no unwanted activity
• KISMET
• aircrack-ng
Passive scanning:
(Figure: map of the wireless Europe on 29.08.2014)
War driving defence:
• Setting the ESSID to a neutral name: “abrakadabra” vs “Special-Bank-of-the-Rich”
• Use WPA2 with AES encryption; avoid WEP or WPA with TKIP
• Use VPNs: IPSec
• Use Intrusion Detection/Prevention Systems (IDS / IPS)
• Physical protection: reduce transmitter power, avoid perimeter networks
Network Scanning:
• Sweeping
• Tracing
• Port scanning
• Identifying OS and applications
• Identifying SW and HW versions
• Identifying vulnerabilities
Network Sweeping:
Identify which hosts are alive within an IP range (“ping sweeps”), e.g. one ICMP echo request per address (brace expansion needed for the range):
# for x in {1..255}; do ping -c 1 -q -a 10.1.1.$x; done
• Tools (choice): nmap, zenmap, Angry IP Scanner, ICMPQuery, ping, hping, netdiscover, unicornscan
nmap -sP 10.22.0.0/24
Scanning:
(Figure: zenmap screenshot)
Size of Scan
Size of networks:
/24 → scanning 256 hosts
/16 → scanning 65,536 hosts
/8 → scanning 16,777,216 hosts
If timeout == 5 s and serial scanning (hosts × 5 s):
/24 → 21 min
/16 → 91 hours
/8 → 970 days...
Tracing
Locating network structure / topology
Additional information identified: routers, subnets, gateways
Tools: traceroute, cheops-ng, zenmap
Traceroute
(Figure: traceroute output)
Traceroute, Layer Four Traceroute (LFT)
Much more flexible than traceroute/tracert.exe
Enables traceroute using: ICMP echo request, TCP, UDP, AS number lookup, IP options, setting the source port
Port Scanning
You identified live hosts:
• Need to identify open ports (UDP and TCP)
• Scan size important again...
- 65536 ports for TCP and
- 65536 ports for UDP
Scanning all ports on all computers: 1 s/port (optimistic guess) → 36 h for one IP address ...and if you have a large network of 100+ computers...
Port Scanning
• Only probe ports that are most commonly used:
20 (FTP data), 21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 67 (BOOTPs), 68 (BOOTPc), 80 (HTTP), 110 (POP3), 135 (NetBIOS), 137 (NetBIOS), 139 (NetBIOS), 143 (IMAP), 443 (HTTPS), 445 (SMB/TCP), 465 (sSMTP), 585 (sIMAP), 587 (SMTP submission), 993 (IMAPS), 995 (sPOP3), ...
• Many scanners / parallel probing
• Speed up the send rate
Port Scanning
Some TCP port scanning types (only a selection):
- Connect
- SYN
- FIN
- Xmas tree
- Null
- TCP ACK
Port Scanning
TCP Header: (figure)
Port Scanning
Connect Scan:
Sets up a complete TCP connection for each port (that answers)
If the port is not open → no response, TCP RESET or ICMP port unreachable is returned
“The polite scan”
Easy to detect, connections are normally logged (with IP addresses)
Port Scanning
SYN Scan:
“Half-open” scan
Closed port: no response | TCP RESET | ICMP port unreachable
Open port: SYN|ACK received
No logs recorded at the server (normally)
Faster, no complete connection setup
Could create a Denial-of-Service (DoS) attack: SYN floods create many half-open connections
Port Scanning
FIN Scan:
Tears down connections
Closed port: TCP RESET
Open port: no response
No logs recorded at the server (normally)
Fast
Firewalls may block the incoming FIN | the response
Port Scanning
XMAS tree Scan:
“Lit up like a Christmas tree”
Closed port: TCP RESET
Open port: no response
May traverse firewalls looking for special flags
Firewalls may block the incoming Xmas probe | the response
Invalid use of flags... the response is not defined
Port Scanning
NULL Scan:
No flags set in the probe
Closed port: TCP RESET
Open port: no response
Firewalls may block the incoming probe | the response
Use of no flags... the response is not defined
Does not work on Windows computers
Port Scanning
ACK Scan:
Probes ports at the filtering device (packet filter device, PFD)
Closed: no response | ICMP port unreachable from the packet filter device
Open: TCP RESET from the server behind the PFD if the ACK reaches the server (= open port in the PFD)
Measures the filtering capability of the PFD (not open/closed ports)
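The flag combinations the scan-type slides describe (NULL, FIN, Xmas, SYN, ACK) are exactly what a defender can look for on the wire. The following Python is added here as an example and is not part of the lecture material: it parses raw TCP headers, classifies each probe by its flag bits, and reports a source that sends such probes to several distinct ports; the sample packets and the threshold of three ports are constructed assumptions.

```python
import struct
from collections import defaultdict

# TCP flag bits in the low six bits of header bytes 12-13 (see the TCP header slide).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations the slides describe as scan probes.
PROBE_TYPES = {
    0: "NULL scan",
    FIN: "FIN scan",
    FIN | PSH | URG: "Xmas scan",
    SYN: "SYN (half-open) or connect scan",
    ACK: "ACK scan",
}

def parse_tcp(header: bytes):
    """Return (src_port, dst_port, flags) from a raw 20-byte TCP header."""
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return src, dst, off_flags & 0x3F  # low six bits carry URG..FIN

def classify(flags: int):
    """Map a flag byte to the probe type, or None for ordinary traffic."""
    return PROBE_TYPES.get(flags)

def detect_scans(packets, threshold=3):
    """packets: iterable of (src_ip, tcp_header_bytes).
    Report sources whose probe-like packets reach >= threshold distinct ports."""
    seen = defaultdict(lambda: defaultdict(set))  # src_ip -> probe type -> ports
    for src_ip, hdr in packets:
        _sport, dport, flags = parse_tcp(hdr)
        kind = classify(flags)
        if kind:
            seen[src_ip][kind].add(dport)
    return {ip: {k: sorted(v) for k, v in kinds.items() if len(v) >= threshold}
            for ip, kinds in seen.items()
            if any(len(v) >= threshold for v in kinds.values())}

def make_header(sport, dport, flags):
    """Constructed sample: build a minimal TCP header with the given flags."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)

# Constructed sample traffic: one NULL-scanning host and one ordinary SYN/ACK exchange.
SAMPLE = [("10.1.1.50", make_header(40000, p, 0)) for p in (22, 80, 443, 445)] + \
         [("10.1.1.7", make_header(51000, 80, SYN)), ("10.1.1.7", make_header(51000, 80, ACK))]

if __name__ == "__main__":
    for ip, kinds in detect_scans(SAMPLE).items():
        for kind, ports in kinds.items():
            print(f"{ip}: {kind} against ports {ports}")
```

The single SYN/ACK pair from 10.1.1.7 is not reported because it touches only one port; the threshold is what separates a normal connection from a sweep across ports.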
IV. Exercise:
• Use nmap to scan the server (x.x.x.x)
• Describe open ports and services
• Can you identify vulnerabilities? If yes, please describe them in the report; if yes —> short presentation
05.08.2016
V. Exercise:
• You get access to the server
• Try to find out as much as you can about the server (30 min)
• Give a short presentation
05.08.2016
VI. Exercise:
• Capture traffic with Wireshark and evaluate the traffic
05.08.2016
Discussion about the procedures and the results:
05.08.2016
Questions?
Feedback!