Penetration Testing

How to Fix A Broken Window

Page 3: Penetration Testing

Outline

• Hacking
• Penetration Testing
• Methodology
• Footprinting
• Scanning
• Enumeration
• Gaining Access
• Escalating Privilege
• Covering Tracks
• Creating Back Doors
• Denial of Service
• BackTrack

Page 4: Penetration Testing

Hacking

Page 5: Penetration Testing

Type of Hacking

• Black Hat
• Grey Hat
• White Hat

Page 6: Penetration Testing

Black Hat vs White Hat

Page 7: Penetration Testing

Black Hat vs White Hat

Pen testers have prior approval from senior management, while hackers approve themselves.

Page 8: Penetration Testing

Black Hat vs White Hat

A pen tester's social engineering attacks are there to raise awareness.

A hacker's social engineering attacks are there to trick the DMV into divulging sensitive information about the whereabouts of an estranged ex-spouse.

Page 9: Penetration Testing

Penetration Testing

Authorized white-hat hacking is known as penetration testing, or pen testing.

“A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker.”

- Wikipedia

Page 10: Penetration Testing

Hacking methodology

An excellent description is printed inside the back cover of the “Hacking Exposed” text by McClure et al. The steps, in order:

Footprinting

Scanning

Enumeration

Gaining Access

Escalating Privilege

Pilfering

Covering Tracks

Creating Back Doors

Denial of Service

Page 11: Penetration Testing

Footprinting

• Find out as much information as possible about the target host.

• Find out the target's IP addresses.

• Find the domain name, administrative contacts and name servers.

• Attempt a DNS zone transfer.

Techniques and tools

Open source search: Google and other search engines, EDGAR

Find domain name, admin contacts, IP addresses, name servers: whois, nslookup, Sam Spade

DNS zone transfer: nslookup, Sam Spade

Page 12: Penetration Testing

Footprinting

Google itself is a very good hacking device.


Page 13: Penetration Testing

Footprinting

Spyfu.com and Keywordspy.com


Page 14: Penetration Testing

Footprinting

www.sec.gov -> EDGAR database


Page 15: Penetration Testing

Footprinting

Steganography


Page 16: Penetration Testing

Reconnaissance

A way of collecting information physically, on site.

Page 17: Penetration Testing

Scanning

Three types of scan:
– Port scan.
– Network scan (live hosts, host names, OS).
– Vulnerability scan.

Techniques and tools

Ping sweep: fping, icmpenum, WS_Ping ProPack, nmap

TCP/UDP port scan: nmap, SuperScan, fscan

OS detection: nmap, queso, siphon

Page 18: Penetration Testing

Scanning

Scanning steps:
– Check for live systems.
– Find open ports.
– Identify services.
– OS fingerprinting (which OS the server runs).
– Vulnerability scan.
– Draw network diagrams of vulnerable hosts.
– Prepare proxies (IP spoofing).


Page 19: Penetration Testing

Enumeration

• Identify valid user accounts or poorly protected resource shares.

• More intrusive probing than the scanning step.

Techniques and tools

List user accounts: null sessions, DumpACL, sid2user, OnSite Admin

List file shares: showmount, NAT, Legion

Identify applications: banner grabbing with telnet or netcat, rpcinfo
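The scanning and enumeration steps above (ping sweep, TCP port scan, banner grabbing with telnet or netcat, service identification) as one worked example. This is added code, not part of the slides or of nmap: it runs a TCP connect() scan and a banner grab against two constructed loopback listeners (one sends a made-up SSH-style banner, one stays silent) plus one closed port, so it runs offline. The listeners, the banner string and the tiny service map are all assumptions made for the demo.

```python
"""Scanning and enumeration against constructed local services.

Added example, not code from the slides. Assumptions: two listeners are
started on 127.0.0.1 on ephemeral ports, one sending a constructed
SSH-style banner and one staying silent, so everything runs offline.
"""
import socket
import threading

SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"  # constructed, not from any real host


def start_listener(banner):
    """Loopback listener: send `banner` on connect, or if it is empty wait
    for the client to speak first and then hang up (a silent service)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by demo()
                return
            with conn:
                try:
                    if banner:
                        conn.sendall(banner)
                    else:
                        conn.recv(64)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def connect_scan(host, ports, timeout=0.3):
    """TCP connect() scan (nmap -sT): a port is open if the handshake completes.
    Doubles as the liveness check when ICMP is filtered and a ping sweep sees nothing."""
    open_ports = []
    for port in ports:
        with socket.socket() as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=0.5, probe=b"\r\n"):
    """Banner grab as the slides do with telnet or netcat: read what the
    service volunteers; if it is silent, send a CRLF to provoke a reply."""
    with socket.socket() as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            try:
                s.sendall(probe)
                data = s.recv(1024)
            except (socket.timeout, OSError):
                data = b""
    return data.decode("latin-1").strip()


def identify_service(banner):
    """Tiny banner-to-service map standing in for nmap's service probes."""
    if banner.startswith("SSH-") and banner.count("-") >= 2:
        return ("ssh", banner.split("-", 2)[2])
    if banner.startswith("220 "):
        return ("smtp-or-ftp", banner[4:])
    return ("unknown", banner)


def enumerate_host(host, ports):
    """Scan, then enumerate: {open_port: (service, version)}."""
    return {p: identify_service(grab_banner(host, p)) for p in connect_scan(host, ports)}


def free_closed_port():
    """Pick a loopback port that is currently closed, to show a refused connect."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan the two constructed listeners plus one closed port; return results."""
    srv_ssh, p_ssh = start_listener(SSH_BANNER)
    srv_silent, p_silent = start_listener(b"")
    p_closed = free_closed_port()
    results = enumerate_host("127.0.0.1", [p_closed, p_ssh, p_silent])
    srv_ssh.close()
    srv_silent.close()
    return results, (p_ssh, p_silent, p_closed)


if __name__ == "__main__":
    results, _ports = demo()
    for port, (service, version) in sorted(results.items()):
        print(f"{port}/tcp open {service} {version}")
```

Run it and it prints one nmap-style line per open port; the closed port is skipped because connect() is refused, and the silent port is reported as open but unidentified. A connect() scan completes the three-way handshake, so the target service sees and may log every probe; against real hosts, stay inside the scope the engagement authorizes.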

Page 20: Penetration Testing

Gaining Access

Based on the information gathered so far, make an informed attempt to access the target.

Techniques and tools

Password eavesdropping: tcpdump/ssldump, L0phtCrack, readsmb

File share brute forcing: NAT, Legion

Password file grab: tftp, pwdump2 (NT)

Buffer overflow: ttdb, bind, IIS .HTR/ISM.DLL

Page 21: Penetration Testing

Escalating Privilege

If only user-level access was obtained in the last step, seek to gain complete control of the system.

Techniques and tools

Password cracking: John the Ripper, L0phtCrack

Known exploits: lc_messages, getadmin, sechole
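Password cracking, as an added example of the technique John the Ripper and L0phtCrack automate (this is not those tools' code): a dictionary attack with a small mangling rule set run against a grabbed password file. The "$salted-sha256$" hash format, the three entries and the wordlist are all constructed for the demo; the real tools implement NT, LM, crypt(3) and many other formats.

```python
"""Dictionary-plus-rules password cracking, the technique behind John the
Ripper and L0phtCrack. Added example, not those tools' code. Assumption: the
password file uses a constructed "$salted-sha256$<salt>$<hex>" format built
here for the demo; the real tools implement NT, LM, crypt(3) and many others.
"""
import hashlib

LEET = str.maketrans("aeio", "4310")  # one substitution rule


def salted_sha256(password, salt):
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_entry(user, password, salt):
    """Build one password-file line in the constructed format."""
    return f"{user}:$salted-sha256${salt}${salted_sha256(password, salt)}"


def parse_entry(line):
    user, rest = line.split(":", 1)
    _, fmt, salt, digest = rest.split("$")
    if fmt != "salted-sha256":
        raise ValueError(f"unsupported hash format: {fmt}")
    return user, salt, digest


def mangle(word):
    """Yield candidates derived from one wordlist entry, a small rule set in
    the spirit of John's default rules: case changes, leet-speak, suffixes."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base in sorted(bases):
        yield base
        for suffix in ("1", "123", "!", "2024", "1!"):
            yield base + suffix


def crack(entries, wordlist):
    """Return ({user: password}, hashes_computed). Each candidate must be
    hashed once per distinct salt, which is why salting slows attacks down
    compared to unsalted formats, where one hash is checked against every user."""
    targets = {}
    for line in entries:
        user, salt, digest = parse_entry(line)
        targets[(salt, digest)] = user
    salts = sorted({salt for salt, _ in targets})
    cracked, hashes = {}, 0
    for word in wordlist:
        for cand in mangle(word):
            for salt in salts:
                hashes += 1
                user = targets.get((salt, salted_sha256(cand, salt)))
                if user and user not in cracked:
                    cracked[user] = cand
    return cracked, hashes


# Constructed password file and wordlist for the demo (not real data).
PASSWORD_FILE = [
    make_entry("alice", "Summer123", "x1"),
    make_entry("bob", "p4ssw0rd!", "y2"),
    make_entry("carol", "Tr0ub4dor&3", "z3"),  # not derivable from the wordlist
]
WORDLIST = ["summer", "password", "welcome", "admin"]

if __name__ == "__main__":
    found, n = crack(PASSWORD_FILE, WORDLIST)
    print(f"{n} hashes computed, {len(found)} of {len(PASSWORD_FILE)} cracked: {found}")
```

Two of the three accounts fall to a four-word list once rules are applied; the third survives because no rule derives it. The hash counter makes the cost of salts visible: every candidate is hashed once per distinct salt, so with unsalted hashes the same run would need a third as many hash operations.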

Page 22: Penetration Testing

Covering Tracks

Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, lest they quickly end the romp.

Techniques and tools

Clear logs: zap, Event Log GUI

Hide tools: rootkits, file streaming

Page 23: Penetration Testing

Creating Back Doors

• Trap doors are laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.

Techniques and tools

Create rogue user accounts: members of wheel, admin

Schedule batch jobs: cron, AT

Infect startup files: rc, startup folder, registry keys

Plant remote control services: netcat, remote.exe, VNC, BO2K, Remote Desktop

Install monitoring mechanisms: keystroke loggers, add account to security admin mail aliases

Replace applications with Trojans: login, fpnwclnt.dll

Page 24: Penetration Testing

Denial of Services

• If an attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.

Techniques and tools

SYN flood: synk4

ICMP techniques: ping of death, smurf

Identical src/dst SYN requests: land, latierra

Overlapping fragment/offset bugs

Out-of-bounds TCP options (OOB)

DDoS: Trinoo, TFN, stacheldraht

Page 25: Penetration Testing

Backtrack

BackTrack is a Linux-based penetration testing arsenal that helps security professionals perform assessments from a native environment dedicated to hacking.

Page 26: Penetration Testing

Question and Answer