Session 1

06/07/22 Security Boot Camp Intro


Transcript of Session 1

Page 1: Session 1

04/10/23

Security Boot Camp Intro

Page 2: Session 1

Why this course

• A few years ago, a few friends who used to be part of a very successful attack and pen-test team wrote a course very similar to this one

• They have now rebuilt a course very similar to the original so that everyone can share the experience and gain a better understanding of the subject matter

Page 3: Session 1

Who is that Fat Man?

What did Mark do:
• The most popular 802.11 IDS
• Invent an IDS collation engine
• Discover several zero-day vulnerabilities
• Coin the term WAP-GAP
• The London Hacker survey
• Contribute to the CEH cert
• Expert witness in a famous dirty-tricks legal action
• etc. etc. etc.

Mark holds the following certifications:
• CISSP and CISM
• Checkpoint CCSA + CCSE
• Cisco CCNA + CSSP
• BA Computing + MBA

Page 4: Session 1

Outline

• Overview of the types of hacking tools and platforms used

• Sites used by hackers

• Building your white-hat hacker toolkit

Page 5: Session 1

Origination of tools

• Tools tend to be freely downloadable from the web

• Many tools shared via IRC

• Pirated commercial tools are also available

• Many available through peer-to-peer programs

• Tools tend to be developed for specific vulnerabilities

Page 6: Session 1

Types of tools

Network and system scanning/mapping

Vulnerability scanning and testing (Nessus, Whisker)

Password crackers (Brutus, LC3)

Encryption tools

Network sniffers

War dialling

Page 7: Session 1

The Unix hacker toolkit

• Nmap – port scanner

• Nessus – port scanner & vulnerability assessment

• Traceroute – with the source-route patch, or LFT

• Hping2 – scanning and tracerouting tool

• Whisker – web vulnerability scanner (Nikto is also based on Whisker)

• Stunnel/SSLPROXY – de-SSL HTTPS (terminate the SSL side locally so plain-HTTP tools can be pointed at an HTTPS service)

• Sniffit – command-line sniffer

• Netcat – raw socket access

• Tcpdump – command line sniffer

• Icmptime

• Juggernaut – TCP session hijacking tool

• Net::SSLeay – SSL module for Perl (used by many tools)

• John the Ripper – Password cracker

• Hunt/Sniper – TCP/IP connection hijacking tool

• nimrod – website enumerator

• Spike archives

• Ethereal – sniffer

• dsniff

Page 8: Session 1

The Windows hacker toolkit

• Brutus – brute-force utility

• Mingsweeper – TCP/IP scanning tool

• Superscan – TCP/IP scanning tool

• MPTraceroute/LFT

• SamSpade – footprinting tool

• NessusWX – Nessus interface

• ISS Scanner / CyberCop

• Netstumbler – wireless LAN scanner

• WinDump – tcpdump for Windows

• ToneLoc – war-dialling tool

• Finger – backdoor tool

• NetBIOS Auditing Tool (NAT)

• Netcat – enumeration tool

• Legion – enumeration tool

• LC3 (L0phtCrack)

Page 9: Session 1

The Windows hacker toolkit cont.

• Cygwin – Unix-like environment for Windows (provides many UNIX command-line tools including shell & compiler)

• ToneLoc – war-dialling tool

• NT Resource Kit – many tools applicable to NT network enumeration and penetration

• NMAP (Win32 port) – available from insecure.org

Page 10: Session 1

Denial Of Service tools

From the Spike package

Land and LaTierra

Smurf & Fraggle

Synk4

Teardrop, newtear, bonk, syndrop

Zombies

Page 11: Session 1

Network Sniffers

tcpdump

Sniffit

dsniff

Observer

Sniffer Pro

Ethereal

Snoop

Page 12: Session 1

Underlying requirements

Certain tools have prerequisites before installation:
• Perl
• SSLeay
• OpenSSL
• Linux variations
• Example: Whisker requires Perl to be installed

Page 14: Session 1

Lab

• Visit the sites used for the hacker toolkit and familiarise yourself with some of the tools available

• Good searches:
– Denial of service
– Backdoor / NetBus / Back Orifice
– http://www.securityfocus.com/ vulnerability section

Time: 30 minutes

Page 15: Session 1

Knoppix 3.7

• Bootable CD

• Boots on most Intel/AMD systems

• Linux 2.x with basic security tools

Also see Trustix, Trinux and Packetmaster on SourceForge

Page 16: Session 1

Lab

• Boot Linux (Trinux, Knoppix or Packetmaster) and have a play

Time: 35 minutes

Page 17: Session 1

A methodology

Page 18: Session 1

A network penetration methodology

Test Objective

To identify insecure protocols or insecure settings of services related to available protocols or services

Page 19: Session 1

Research Phase: Objective and Strategy

• Objective: find out technical information about the target site
– Using external information sources
– Not touching the target servers

• Strategy: review information available from
– DNS
– RIPE
– Netcraft
– Newsgroups (particularly firewall newsgroups)

Page 20: Session 1

Identifying router and firewall

• Identify the Web or Mail server

• Get the next hop before this
– This will probably be the perimeter router or the firewall
– PIX does not appear as a hop (FW-1 & NetScreen do)
– 80% chance it will be NetScreen, PIX or Firewall-1

• To figure out which:
– ICMP (i.e. Address Mask Request)
– Use TCP stack fingerprinting
– Key ports (258, 259 + 263 could be Firewall-1)
– IPSEC

• Exploit vulnerabilities with pre-written tools

Page 21: Session 1

Hacking the servers

– Scan TCP ports

– Scan UDP ports

!!! Only HTTP or HTTPS ports should be visible if it is a web server, etc.

– Run a CGI scanner (e.g. Whisker, Crazymad or Nikto) to look for web server exploits

– Check the scanner results

– Identify exploits
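The two slides above (finding the device one hop in front of the server and checking its key ports, then scanning the server and flagging anything beyond HTTP/HTTPS) can be mechanised. The following is an added example, not code from the course or from any of the tools it lists. It runs offline over constructed traceroute and `nmap -oG` (grepable) output using RFC 5737 documentation addresses; the host names, addresses and the `FW1_KEY_PORTS` set are assumptions taken from the slide's own heuristic (258, 259 and 263 suggest Firewall-1), and the `plan_server_checks` step list is this example's own shape, not the course's.

```python
"""Worked example for the firewall-identification and server-scanning steps.

All input below is constructed sample text (not a real capture); the addresses
are RFC 5737 documentation ranges. Parsing real output is the same, only the
text comes from `traceroute <host>` and `nmap -sS -sU -oG - <host>`.
"""
import re
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed traceroute output towards a hypothetical web server (assumption).
TRACEROUTE_TEXT = """\
traceroute to www.example.test (192.0.2.80), 30 hops max, 60 byte packets
 1  10.0.0.1 (10.0.0.1)  0.412 ms  0.398 ms  0.380 ms
 2  198.51.100.1 (198.51.100.1)  9.120 ms  9.011 ms  8.990 ms
 3  * * *
 4  203.0.113.254 (203.0.113.254)  18.305 ms  18.101 ms  18.055 ms
 5  192.0.2.80 (192.0.2.80)  19.001 ms  18.950 ms  18.890 ms
"""

# Constructed `nmap -oG` output for the next-hop device and the web server (assumption).
NMAP_GREPABLE = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 203.0.113.254 ()\tPorts: 258/open/tcp////, 259/open/tcp////, 263/open/tcp////\tIgnored State: filtered (997)
Host: 192.0.2.80 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 53/open/udp//domain///\tIgnored State: closed (996)
# Nmap done (constructed sample)
"""

# Ports the slide names as indicators of Check Point Firewall-1.
FW1_KEY_PORTS: FrozenSet[int] = frozenset({258, 259, 263})

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")
STAR_RE = re.compile(r"^\s*(\d+)\s+\*")


def parse_hops(text: str) -> List[Tuple[int, Optional[str]]]:
    """Return [(hop_number, ip_or_None)] from traceroute output; None marks a '* * *' hop."""
    hops: List[Tuple[int, Optional[str]]] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), m.group(3)))
            continue
        m = STAR_RE.match(line)
        if m:
            hops.append((int(m.group(1)), None))
    return hops


def next_hop_before(text: str, target_ip: str) -> Optional[str]:
    """IP of the hop immediately before the target: the candidate perimeter router/firewall.

    Returns None if the target is absent or the preceding hop did not answer.
    A PIX that forwards without decrementing TTL never shows up here at all,
    which is itself a hint (see the slide).
    """
    hops = parse_hops(text)
    for i, (_, ip) in enumerate(hops):
        if ip == target_ip:
            return hops[i - 1][1] if i > 0 else None
    return None


def parse_nmap_grepable(text: str) -> Dict[str, Set[Tuple[int, str]]]:
    """Map host IP -> {(port, proto)} for ports reported open in `nmap -oG` output."""
    result: Dict[str, Set[Tuple[int, str]]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports: Set[Tuple[int, str]] = set()
        m = re.search(r"Ports:\s+([^\t]*)", line)  # fields in -oG are tab separated
        if m:
            for entry in m.group(1).split(", "):
                fields = entry.split("/")  # port/state/proto/owner/service/rpc/version
                if len(fields) >= 3 and fields[1] == "open":
                    ports.add((int(fields[0]), fields[2]))
        result[host] = ports
    return result


def guess_firewall(open_ports: Set[Tuple[int, str]]) -> str:
    """Apply the slide's key-port heuristic to the next-hop device."""
    tcp = {port for port, proto in open_ports if proto == "tcp"}
    if tcp & FW1_KEY_PORTS:
        return "Firewall-1"
    # Nothing decisive: fall back to the slide's other checks
    # (ICMP address-mask request, TCP stack fingerprinting).
    return "unknown"


def unexpected_ports(open_ports: Set[Tuple[int, str]],
                     allowed: FrozenSet[int] = frozenset({80, 443})) -> List[Tuple[int, str]]:
    """Everything visible on a web server beyond HTTP/HTTPS over TCP is a finding."""
    return sorted(p for p in open_ports if not (p[1] == "tcp" and p[0] in allowed))


def plan_server_checks(open_ports: Set[Tuple[int, str]]) -> List[str]:
    """Turn the web server's scan result into the slide's next steps."""
    steps: List[str] = []
    extra = unexpected_ports(open_ports)
    if extra:
        steps.append("investigate unexpected ports: "
                     + ", ".join(f"{port}/{proto}" for port, proto in extra))
    if any(proto == "tcp" and port in (80, 443) for port, proto in open_ports):
        steps.append("run a CGI scanner (e.g. nikto -h <host>) against the web service")
    return steps


if __name__ == "__main__":
    target = "192.0.2.80"
    hop = next_hop_before(TRACEROUTE_TEXT, target)
    scan = parse_nmap_grepable(NMAP_GREPABLE)
    print(f"next hop before {target}: {hop} -> {guess_firewall(scan.get(hop, set()))}")
    for step in plan_server_checks(scan[target]):
        print("server:", step)
```

On the constructed sample the next hop is 203.0.113.254, its open 258/259/263 match the slide's Firewall-1 key ports, and the web server shows 22/tcp and 53/udp beyond the expected 80 and 443, so both get listed before the CGI scanner step.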

Page 22: Session 1

Security Boot Camp Intro