Hacking Exposed

Shared by: tao peng, posted 10/15/2009
Slide 1: Hacking Exposed
May 5, 2004
Jan Decrock, Karel Dekyvere
NATO Security Workshop, 11 Dec 2001

Slide 2: Agenda
• Some reflections
• The attacker's process
• Things you must do

Slide 3: What is it about?
• People
• Process
• Technology
In this order!

Slide 4: How it usually goes

Slide 5: Attacker Processes
• Footprinting
• Social Engineering
• Scanning
• Enumeration
• Gaining Access
• Privilege Escalation
• Buffer Overflows
• Shovel a Shell
• Interactive Control
• Camouflaging
• Island Hopping
• Viruses

Slide 6: Footprinting
• Footprinting Defined:
  – An attacker's use of tools and information to create a complete profile of an organization's security posture
  – "Casing the joint"
• Tools:
  – http://www.google.com
  – USENET: http://groups.google.com
  – DNS Servers
  – Netcraft: http://www.netcraft.com
  – EDGAR: http://www.sec.gov
  – TRACERT
  – WHOIS: http://www.arin.net and http://www.samspade.org

Slide 7: Social Engineering
• Social Engineering Defined:
  – An attacker's use of personal interviewing techniques, research skills and/or trickery to discover sensitive information from a target's employees, partners or customers
• Tools:
  – Telephone
  – Voice Mail
  – Email
  – USENET
  – Temporary Employment

Slide 8: Scanning
• Scanning Defined:
  – An attacker's use of tools and information to determine what systems are alive and reachable from the Internet
• Tools:
  – fping (ICMP-based)
  – netcat
  – Typhon II
  – Fluxay
  – nmap (TCP-port-based)
  – SuperScan / Scanline
  – LANGuard
  – Many (many) more

Slide 9: Enumeration
• Enumeration Defined:
  – An attacker's use of tools and information to determine what services are alive and listening from the Internet
• Tools:
  – LANGuard, N-Stealth, Fluxay, Nessus
• Countermeasures
  – RestrictAnonymous helps (1 or 2)?
  – Rename admin helps?
  – Disable services!
  – Enable port filtering

Slide 10: Port Redirection
• Port Redirection Defined:
  – The use of tools to direct network traffic destined for one port and send it to another host on another port
• Tools:
  – FPipe.exe, RINETD(8)
• Countermeasures
  – Port redirection tools have to get installed on the target system. Mitigate by staying secure
  – Use IPSEC or other to allow communications from/to
  – Packet content!

Slide 11: Gaining Access
• Gaining Access Defined:
  – An attacker's use of tools and information to make an attempt to access the target system
• Tools:
  – Keystroke Loggers, Password Grinders, John the Ripper, GetAdmin2, L0phtcrack, Remote Shells, Getadmin, Brutus, Samdump, Pwdump
• Countermeasures
  – Syskey will protect me (offline encryption)?

Slide 12: Are you careful with security?

Slide 13: Privilege Escalation
• Privilege Escalation Defined:
  – An attacker's efforts to elevate his role from 'user' to 'administrator' by exploiting an operating system or application-specific flaw. Generally exploited from a console session of a non-privileged user.
• Tools:
  – GetAdmin, GetAdmin2, DebPloit, John the Ripper, Samdump, LSADump, LSADump2, PipeUpAdmin, L0phtcrack (LC3/LC4), Brutus, Pwdump1,2,3,3e
• Your users have 'debug programs', 'logon locally' right?

Slide 14: Buffer Overflows
• Buffer Overflows Defined:
  – Buffer Overflow tools exploit unchecked buffers in specific OS's or applications to cause 'shellcode' to run (usually in the context of 'SYSTEM', 'IWAM' or 'SQLUSER' if exploiting Windows 2000, IIS or SQL).
• Tools:
  – Too many to name...
• Patch management: good idea!
• Wanna know how it works?

Slide 15: Public Enemy #1: The Buffer Overrun
• Attempting to copy >n bytes into an n-byte buffer
• If you're lucky you get an AV
• If you're unlucky you get instability
• If you're really unlucky the attacker injects code into your application
  – And executes it!
  – And everyone's an admin :-(

Slide 16: How Does It Work?
[Diagram] A Stack (foo() has just called bar()): Buffer in bar() / Return Address to foo() / bar() arguments. A Dangerous buffer: Assembly code / Address of start. Add 'em together (using a copy function): Your allocated data / Return address / Function arguments.

Slide 17: Code injections
• Insert malicious code in program through user interface
• Usually possible due to lack of input parameter checking
• Most commonly used mechanism to take over websites!

Slide 18: SQL code injection
• Think of a website that allows you to query information, think harder.
• How could the code be built to capture your input:
  – Select * from creditcards where username = 'x'
  – Select * from PC_parts where model = 'x'
• Imagine what happens if your input would be:
  – hacker' or 1=1 (the good)
  – hacker' drop table creditcards (the bad)
  – hacker' xp_cmdshell('fdisk.exe') (the ugly)
• Try this @home, not @work!

Slide 19: You want to be in such a situation?
• Then start thinking in terms of security

Slide 20: DEMO?
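The SQL code injection slide above shows the query shape (`Select * from creditcards where username = 'x'`) and the `hacker' or 1=1` input but not why the input changes the result, nor what the fix looks like. The following Python program is an added example written for this page, not code from the deck or its authors: it builds a constructed in-memory SQLite `creditcards` table, runs the slide's query once by pasting the input into the SQL text (the vulnerable form) and once as a parameterized query (the corrected form), and returns both results so they can be compared. The sample rows and the payload variant `hacker' OR 1=1 --` (the trailing comment makes the slide's payload parse cleanly in SQLite) are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the slide's "creditcards" table.
SAMPLE_ROWS = [
    ("alice", "4111-xxxx-xxxx-1111"),
    ("bob", "5500-xxxx-xxxx-0004"),
]

# Constructed variant of the slide's "hacker' or 1=1" input: the trailing
# "--" comments out the closing quote the application appends, so the
# statement stays syntactically valid and the OR clause matches every row.
INJECTED_INPUT = "hacker' OR 1=1 --"


def make_db():
    """Create an in-memory database with the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE creditcards (username TEXT, cardnumber TEXT)")
    conn.executemany("INSERT INTO creditcards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The slide's query with the user input pasted into the SQL text.

    The database cannot tell where the literal ends and the attacker's
    SQL begins, so the input rewrites the WHERE clause.
    """
    sql = "SELECT * FROM creditcards WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Same query, but the input travels as a bound parameter.

    The SQL text is fixed before the value is supplied; whatever the user
    types is compared as one string and never parsed as SQL.
    """
    sql = "SELECT * FROM creditcards WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both query styles with an honest and an injected input."""
    conn = make_db()
    return {
        "vulnerable_honest": lookup_vulnerable(conn, "alice"),
        "vulnerable_injected": lookup_vulnerable(conn, INJECTED_INPUT),
        "safe_honest": lookup_safe(conn, "alice"),
        "safe_injected": lookup_safe(conn, INJECTED_INPUT),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the concatenated query the injected input returns every card in the table; with the parameterized query it returns nothing, because no user is literally named `hacker' OR 1=1 --`. The same binding discipline is what stops the slide's "bad" and "ugly" inputs: once the input is a parameter it cannot terminate the statement or start a new one, regardless of what the database's string concatenation rules allow.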
Slide 21: Shovel a Shell
• Shovel a Shell Defined:
  – An attacker's use of tools to gain a 'remote command shell' on a target server.
• Tools:
  – Netcat – the attacker's 'swiss army knife'
  – PSExec.exe
• Countermeasures
  – Limit outbound connections!
  – Software restriction policies.

Slide 22: Island Hopping
• Island Hopping Defined:
  – Attacker uses compromised platform to stage an attack on another host
  – Attacker repeats entire 'attack methodology' process to expand influence far and wide
• Tools:
  – netcat, Fpipe, Hash 'cramming', Tftp, SMB Relay
• Did you know: ¼ of all Internet routers contained third-party sniffers

Slide 23: Viruses
• Main Sources: Internet, Mail, Floppy.
• You can protect yourself
• Keep up to date on new viruses (mailing lists, automatic updates, patch management process...)

Slide 24: Why viruses/worms win
• Viruses/worms usually exploit buffer overruns.
• 1 chance in 1010 to find a buffer overrun
• Or you reverse engineer announced flaws in the system.
  – Download a patch
  – Install on a computer
  – Verify modification to system/memory allocs
• Write virus based on patch information
• Hope that nobody installed the patch
• What are my chances to be successful?

Slide 25: Why viruses/worms should not win
• Virus/worm usually ships 10 to 20 days 'after' the patch is released.
• Excuse #1: Good anti-virus software will protect me; somebody is always the first to be infected; what if the worm spreads faster than the pattern file.
• Excuse #2: We have a firewall that blocks all traffic; really, and you have one for all mobile users, one to split your internal network, etc...
• Excuse #3: Only Microsoft writes bogus code, I run on non-MS products; statistics say that each 1000 lines of code has 1 bug (no matter what software or vendor).

Slide 26: How much is enough security?

Slide 27: Thank you for attending and remember, PPT

Slide 28: Know Your Enemy
• Some Good Books:
  – Hacking Exposed Windows 2000 by Joel Scambray and Stuart McClure, ISBN: 0072192623
  – Windows 2000 Security Handbook by Philip Cox and Tom Sheldon, ISBN: 0072124334

Slide 29: Know Your Enemy
• Web Sites:
  – HNC at http://www.hack-net.com
  – Attrition at http://www.attrition.org
  – Counterpane Systems (home of Bruce Schneier) at http://www.counterpane.com
  – Cult of the Dead Cow at http://www.cultdeadcow.com
  – Rootshell at http://rootshell.com
  – 2600 at http://www.2600.com
  – EEye at http://www.eeye.com
  – WSD at http://www.w00w00.org
  – NTSecurity at http://www.ntsecurity.net

Slide 30: Know Your Enemy
• Web Sites:
  – Slash Dot at http://www.slashdot.org
  – Razor at http://razor.bindview.com
  – Rainforest Puppy at http://www.wiretrip.net/rfp
  – Phrack at http://phrack.infonexus.com
  – Security Focus at http://www.securityfocus.com. Get on the NTBugTraq mailing list here.
  – BlackHat at http://www.blackhat.com/
  – Nomad Mobile Research Centre at http://www.nmrc.org/
  – Secure I Team at http://www.secureiteam.com

Slide 31: Know Your Enemy
• Events
  – RSA Conference http://www.rsaconference.com
  – BlackHat http://www.blackhat.com
  – DefCon http://www.defcon.org (The Largest Hacking Convention, bring your own 802.11b wireless network card!)

Slide 32: References
• Hacking Exposed 4th Edition
• Hacking Windows 2000 Exposed
• Special Ops
• Microsoft Solution for Securing Windows 2000 Server http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp
• NSA Security Guidelines http://nsa1.www.conxion.com/