Slides - PRA Lab

 davide.ariu@diee.unica.it
P
R
A
Group
Pattern Recognition and
Applications Group
http://prag.diee.unica.it/pra/eng/home
!
>@:=?:>A
•  !%.''2!6')(.2"!6!(6!''(.!
$&$"(&'/"&$&"$&,/(8
•  '(&.+.&!"& )
'
!!!''&""&"')"!:
.)22"
–  !'." $"!!)&0&;".(&60(6&0<&
" .!%.'"0&9
•  '(
!;
6&"0'&6
!(6(8<'(!2' $%.')
"!(!!""9
•  "$"''"!"''&/&!(.&88
"."B
+"'( !"& )
@
*%  !'!&(%!$.#''&
($&.7
–  !!!&" &"$&%.
'(("&22("
–  !!!&" &$&"$&"
,"(&;&
<
./!"&!""&&,;1)<$$!"$(;<
'"0&8
+%  "$&(
!'(&("&8
–  %&&("!.&2"!.!&0
"' $"&(!(%.'( $&2"!$"''"!"
!(&".&& !''( !"& )"555
"."B
+"'( !"& )
A
?
$&!#%!$'
"%$!++
•  %$
$''
•  –  ,$''
–  $
–  !$'
•  $!$$
%$***-
$$$$'%$
$.
(
(
&
(
)
&
:<39;3:=
•  !%'%"%'"!&!'$+&%
!"% ."!&+%'&'&&1
–  &#"&(,"!!&&
–  (#%&"!+'!(
•  *!',,%&&"%'#%
#"'%!&!%'%"
•  "!'%" &+%1
–  "!+(..% –  %*"%5,"##(,"6
–  " !((% !& !"(
&!&
"+">
*"&' !"% (
?
•  %&%'%&+!#""!%&%'#+ ##"&&
&%%+!'&''%"&+!(!%..1
–  *#133-2-%&%2"%3 ##'+%&
–  *#133---2&2+2+37#%&3"3
34
*4'&'2'%2.
•  #!*#133-2-%&%2"%3#'+%'%&&"!"
#%&!(+!& #'%+(.."!%&%
"+">
*"&' !"% (
@
=
02./1.03
(4
%!" #
5
•  ( (% #!! (! +!(&)!
" –  !" #)
–  +
–  )"( *..
•  !("!( ( %+
% "(%!( )+! !! #!( ++ "
–  !! "(% )+
!+)"()( "
(4
%!" #
0/
4
•  March 27, 2012. Cyber attacks on IT systems would become a
criminal offence punishable by at least two years in prison
throughout the EU under a draft law backed by the Civil
Liberties Committee on Tuesday. Possessing or distributing
hacking software and tools would also be an offence, and
companies would be liable for cyber attacks committed for
their benefit.
•  http://www.europarl.europa.eu/news/en/pressroom/content/
20120326IPR41843/html/Hacking-IT-systems-to-become-acriminal-offence
24-13-25
•  &""".!& &#)) ,
–  %& !! "
–  !" !& ))
•  !" /0
•  &'!! !&#"!& &! –  , &" '!" )
–  ,!'" !& •  , ( ( (
•  ! "' !/
0
&6
%!" #
24
"$
•  !!&!! &#))" ! " !
•  ) ,
nmap scanme.nmap.org
&6
%!" #
25
7
13-02-14
'5
$
!"
15
•  open
–  !!$ %
•  closed
–  ! ') !
•  filtered
–  ' ! !!! ('!
•  open|filtered
–  ! •  unfiltered closed|filtered
–  !!"" '5
$
!"
16
7
8:37938;
•  ##$+"#%+ "* "$$#"
# #%+ "#%*"$0
–  $"+*"$ *
##"'
–  " "-'4#1 "'
*"+",5
–  +$" "#%#*"$
–  +*"# #%+*$"--%4#1##
$5
–  "
*<
'#$"%
8=
•  nmap$"##$ "%+--
"# #$2#$ ( "$*$
#$"*%0
– 
– 
– 
– 
– 
*<
%--"#"+%2"
%-- "%"-2"
$+"- "#!**"
# #$ "%"##
# #$#"+"#* "$ "%"
'#$"%
8>
?
*,&)+&*-
•  "–O '–v
!% "(
nmap -O -v scanme.nmap.org
•  "
–  "" "" –  ""--osscan-guess
.
*/
.
+)
*)
68257269
•  *$++#*)#
!#" ))!
•  #)""!!" )
)!")! )#""#*)!
&
–  "#*!$*'")
""
–  ""#!$*)#*#""!"##
)$++!+!# )
"!*+'*3Service Info4
):
&
"#!$
76
•  '*!#" )#"#!!#
!!"##"#!*
–  )!#!#!!")"!*+'*1
•  $!!"")!#""!*+'*
)$++$""""!"'*$
•  #!$*#!")!")#)&
/
–  !!$!"
–  ""##!""
–  """)"#$.##00
):
&
"#!$
77
66
*"
$%
&&%
$"$#
$$
$'
##"
'%
%%"(
(%#
#$%
()
(*
'%
?A9>@9?B
•  TCP SYN Stealth (-sS)
–  %$%#&"* "*(:01:$)!;( &( / " ## $ )*(2 %$&% $%$.)")1)""<
–  $/ .$.$/%"*( /.*%"8 $( )&%)*"
•  TCP Connect (-sT)
–  )")1)""%$$*
–  +" 22 "'.$%$%$) %%$% &( / " ## $ )*(2 %$
/()%# $/D&("'." "$ $
•  UDP (-sU)
–  "&%(* .)6"%)*( )&%$%$.$#)) %
%(*$("
–  "&%(*"*(**(# *.$(0""&%*(##%((%$#$*
%$".("&%(*) &(*
%."%C
-% )*# $%(#+ @C
•  TCP FIN (-sF)
–  $/ %.$&-%%$ "?
–  & #$*7
•  "&%(*&(*6( )&%$%$.$
•  "&%(* .)6 "&-%/ $ $%(*%
•  ( $+7
–  TCP NULL (-sN)
•  )).$)-*%
–  XMAS Scan (-sX)
•  -%$*#&%($#$*?66
%."%C
-% )*# $%(#+ @D
?A
24,13,25
•  & %!*
nmap -p0- -v -A -T4 scanme.nmap.org
  -p 80-85   -p 20,53 !
  -p 0-   -F (le prime 100 più usate)
•  -v •  -A .
!")
&, !")
!/ •  -T[0-5] *-1./)-6. /
%6
$
!"
37
nmap -PN --min-hostgroup 512 -n -p 80 -oG port80Scan%D.gnmap 216.163.128.0/20
•  -PN !
•  -n !& •  --min-hostgroup "!% %!"& !
%623
•  -oG ! &%!%! %%! !+;&
"!%!% !!$%!
•  !! !
%6
$
!"
38
25
68257269
•  #$""*" "
)""#("#(",,
'$
•  "%" "$$)($"0
–  #("'$",,"#$",
")#$
–  ($#+ ##"#
#(",, #%##"
(:
'#$"%
7;
•  $"*#$" "$"
"')"# "$$"$
•  (!("#" "$$"$
")(% "# #$
•  ("*3#1 $#4 ####"
("% ")"( $
(:
'#$"%
85
6:
7926827:
•  *",'3""$4
$"#!*#$ "+*
$"$ "$
•  !*#$ *$ "+"",
#*$#'"* " "$+" "
#*" "$*"003 -–g 4
nmap -sS -v -PN -g 88 172.20.0.14
*;
'#$"%
97
•  # $"1
•  '% # #!*'*
'$##"!**"$00
–  "## •  *##"*%--$ "+"##*##$
–  "## •  $'#
–  •  #$"'"$"*#"+"(*#*
–  $"
•  "$$
*;
'#$"%
98
7<
:<59;5:=
•  $%%- ! !%"%%!,'//'"$
–  ,&!$//$%%!, %"!%'-!$&
7%46%%! &8
–  "$& %&$&!$$&"$
-,$$%"! %, $&*'-
•  $&$'- &%"
!$$%%, %"!%'-!
,'// !!"/! --spoof-mac %
! !"/! --send-eth
!,!>
)!%& !$'
<<
•  ! ! #,%&&!$&,*#,),%!"!
#,! &$$!"$$!/! , %$-/!
–  , /! &!, $&
–  %%!, %$-$.
•  )!- $//&!%!-$$ !%%& !!
&! %,$&,)$%!$%72!$2 8
,%%!%"! –  !! )%
–  !! )%
•  !%3%&$,& !$-
–  )!- "!$&&!,'// !!& ! &"!$ &
!,!>
)!%& !$'
<=
:?
)+#(*#),
•  $&&%
•  $
–  $
!
–  $
–  $
–  '$ !$ %
–  $ ##
-
+-
!
-
+.
)/
$&!#%!$'
#
* M. Howard, D. LeBlanc, Writing Secure Code, Microsoft Press
(
&)
#
•  –  !
–  $
–  %$&
(
&*
$+
7936837:
•  *$,$ -4 *$,$$*5*
,*$&*%&.* &$ %* . $#**"". ,$
•  *!%%$"$%&%**#*%%"$ ) % -$1
–  %&"$',
–  ""' %
–  "". &3%$,$3 %&%
* ;
) %& $'
9<
•  % $)$%',*$&
" %%$..$),$% '" 2%2
–  $,
–  ' 4%*. $&$$ 5
•  %*. $&$$ %*
%.* *. "+ %*
$" %% "$
–  &*) % & #*,&,$* *&%*
–  "$ *&& $#*& "+,'
% "$, * ,%*& * ;
) %& $'
:6
86
%'#$&#%(
•  #**
–  •  #**
–  strcpy ( char * destination, const char * source )
)
(%
Buffer Sorgente
Buffer Destinazione
Locazione 0
Locazione 0
Locazione 1
Locazione 1
Locazione 2
Locazione 2
Locazione 3
Locazione 3
?
Locazione 4
Locazione 5
?
Locazione 6
?
Locazione 7
?
)
(&
&%
68257269
•  ,#!! !"#)
*)!# , )""!
"!)&# !")!)
•  ")#)!*!!)
•  !#)'&) ""&!)
")")!")!/" !!
"$
):
&"#!$
98
•  " ,!# !) !""
")*"8 !$0
–  0$")$"#$
–  0$$,,,$1
)""!"#"
3/+/#14
–  0)"#""# !!,,!$#!
)#$/*!/!"#!!,")
#),
•  #!)&)!$$ •  "" !$*
•  !* !"$!#),
):
&"#!$
99
77
(*%')%(+
Crescita
indirizzi
memoria
,
+,
•  !
–  #
!
•  $ –  #
!
•  –  #
!
•  –  ,
+-
)*
57.46.58
•  #&""#
•  !" 0"" 1&"
!"0* **'!!1
–  "0 **'1
–  "0 **' 1
•  !" **" 0!& #(
&&*1
•  & !" " ! (
** ( " &9
%!" #
8;
•  &&&*&" -
–  !("!""&"!" &#
" 0 "& !!1
–  !("&*"
–  &*"("&*
"
–  "" !*
!" &*"
•  !! ** &#
&**) !! 076/:8"1
&9
%!" #
8<
68
%'#$&#%(
/*
 * Deliberately vulnerable teaching example: copies the caller's string into
 * a 16-byte local array without checking its length.
 *
 * str: NUL-terminated source string; nothing here bounds its length.
 */
void function (char* str){
/* Fixed-size local array; the slide's stack diagram draws it next to the
 * saved frame pointer (sfp) and the return address (ret). */
char buffer[16];
/* strcpy() copies until it meets the source's '\0' and knows nothing about
 * sizeof buffer, so any str longer than 15 characters writes past the array.
 * A bounded form would reject strlen(str) >= sizeof buffer, or use
 * snprintf(buffer, sizeof buffer, "%s", str). */
strcpy(buffer,str);
}
Top dello
stack
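/*
 * Driver for the stack-overflow demonstration: fills a 256-byte array with
 * the character 'A' and passes it to function(), whose local buffer holds
 * only 16 bytes.
 */
void main(){
    char large_string[256];
    int i;

    /* Every one of the 256 bytes is set to 'A'. No terminating '\0' is
     * stored, so the strcpy() in function() finds no end marker inside
     * this array either. */
    for(i=0; i<=255; i++)
        large_string[i] = 'A';

    /* Intentionally oversized argument: the copy runs past the 16-byte
     * buffer in function(). The slide's stack diagram shows the saved frame
     * pointer (sfp) and return address (ret) beside that buffer, which is
     * what the excess bytes land on. */
    function(large_string);
}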
High
memory
addresses
sfp
ret (IP)
Fondo dello
stack
)
buffer
large_string
Low
memory
addresses
(*
•  •  )
)$
&)
7926827:
•  '"#"""#!!'""
"',!!3 '#!!
',#4/"!("'#'
!!(!" '!0
–  ""!"'!',"#"'
3"1'"4
–  '!(!#
"'
•  #"+"*(!"
–  ,##!,,
!#!'$!'!
';
&
"#!$
;7
•  !("#(#
!
•  #!!,,! '"#$&
"#!!"+"/""!#!
#!#&'!""#!$(0
–  '"!$',(""$
"#/#!"!"#!
–  '"#!!'#!""!!
##(")!/#!"'"+"
–  !###!##!
,,")!
';
&
"#!$
;8
8<
:<29;2:=
•  ( ++ " !"& !" 4
# ""&?=5
–  & ( )'!!.!!1
•  ( & ( ) !!" #(
" #&
(! ! ! "!&3!&
–  & ( )'!!.!!1
•  ! !
•  "*!!
–  %/22&! !00&0&26 &*2& !!2:A=A@3:92!2""3*!!3( ()0
&>
%!" #
><
•  ""&(+&"
•  !!"+ ""! ( &!"
•  2BB!/
–  strcpy((""1
–  strncpy'!& •  strncpy(buf, input, sizeof(input)-1) ""((&! !" *1
–  char* gets(char* buffer)
&( !"! &( )
& –  sprintf(char *buffer, const char* format)
&>
%!" #
>=
;@
!
"
13,02,14
•  $*%%$$&
$'%
•  % +
•  &%!+
–  –  ''#%$
$5
# !
56
•  '$ %# +-*!.
•  $$
•  #%$ •  % '
•  !- $%'.
$5
# !
57
28
68057069
•  !#!*!"!'&'('!#
•  !'##&!(!"!#
•  """$!#!
&#$1'"!"")!2
•  $.
–  !##!1""*2
–  $!#!1""*2
–  ##!'##!1*2
':
&"#!$
:<
•  #!*#""# '
!!(
•  !&!(!"!! '""
•  ""(#!*
•  !!"'
•  '"$!#!'!#
$"#""1!#! '"##!3
2/
':
&"#!$
;5
85
9;38:39<
•  )( # #+ (
!!(-"""
* (!0+ " 2
•  # !!
!!"*" ( ("#-
•  " (!"" 5"
!! 6
(=
%
!" #
>9
•  4
1!+ *( !(" "
- #*&*"(""
•  * !!" "-1
–  –  !"- +! –  !
–  –  + 5* #!!( "!
6
•  *!! " !(##* (!5
(-"!,+ !! "(!+ 6
•  !!!! # +
(=
%
!" #
>:
;9
46.35.47
•  ,
•  "((,
–  . –  "!$
•  & &
•  !!% !
&0&("1
-%+-%!/ '
!
%8
$ !"
96
Win2K Rootkit by the team rootkit.com (Version 0.4 alpha)
command      description
ps           show process list
help         this data
buffertest   debug output
hidedir      hide prefixed file or directory
hideproc     hide prefixed processes
debugint     (BSOD)fire int3
sniffkeys    toggle keyboard sniffer
*"(BSOD)" means Blue Screen of Death if a kernel debugger is not present!
*"prefixed" means the process or filename starts with the letters '_root_'.
*"sniffer" means listening or monitoring software.
%8
$ !"
97
65
13*02*14
•  2005
'#%
,.&+3-#100 •  %"$#
%
•  #$$$#
""
%,$#.%-
#5
"
65
#5
"
66
33
!"
!#
"
!
,.'+-',/
0
2,
•  %!
–  –  •  (!)%!
"!&
–  "
–  0
2-
.1
replicazione autonoma
no replicazione
replicazione
Virus
Worm
Dialer
Rootkit
Spyware
Trojan horse
necessita ospite
Keylogger
nessun ospite
dipendenza da ospite
Fonte Roberto Paleari
roberto@security.dico.unimi.it
" "!
#
!
"
"
!