Microsoft PowerPoint - Hacker Demo2.pr\346sentation.pptx
advertisement
Hacker Demo
And then some
The purpose of this Demo
• Is’s a hacker demo
• Is’s offensive IT security
• It’s Exploit Developement, Techniques and
methology
• Whys and hows
• How to apply hacker techniques to IT security
• How to develope skills needed and move on
Security
•
If you
•
You
Secure your Network stop attacks
to
you
FAIL.
Secure your Network gain enough time
active monitoring and surveillance discover
attacks
take Active actions stop
attacks.
to
for your
to
so that you can
to
these
•
•
cannot remember any reasent actions that you have
taken to stop attacks, This is a sure sign that you have FAILed in it self
If you
analysis of how much time your Security
active actions
active monitoring and
surveillance .
An
gives you and how long it takes to take
tells you how
must be
your
A hacker finds a vulnerability
How ???
•
•
•
•
•
•
•
Methodically picking
Fuzzing
Tiped off
Discovering application/system crashes
Own honeypot
Rumors
Application of other hackers papers/ideas
Where and how do we find exploits
Mailing lists like Bugtraq, Security team
Twitter
Milw0rm is no longer maintained
Securiteam has exploits
Security focus has exploits
http://www.exploit-db.com/ rocks (follow on
twitter) maintained by Offensive Security
• Google, vimoe, youtube, irongeek
•
•
•
•
•
•
Frustrations of Exploits
• Exploits never work
– No serious hacker would upload workable exploits
– The Poc’s are not meant for admins, they are for
other hackers (admins are lame, clueless fuc....
– Most of them are purposefully mangled
– All of them needs specific editing
• Get an exploit to work, it works stupid, useless
• NEVER TRUST SHELL CODE (especially if it works)
Code – ”developement of life”
• First written in a higher level language
– C (to simplify things a little)
– Psudo English/ humanly readable
• Then compiled into a binary
– When the application resides on disks, it’s zeros
and ones
– When loaded into memory its kernel instructions
or Assembely
Normal Buffer overflow explaination
void sample_function()
{
char bufferA(50);
char bufferB(16);
Printf(”Where do you live?\n”);
gets(bufferA);
strcpy(bufferB, bufferA);
return;
}
This hack
• Apple Quicktime SEH overflow
– Windows XP SP 0
– Quicktime Player 7.3.0
– Immunity Debugger (Olly Debug could be used)
– Backtrack 4 r1
•
•
•
•
Metasploit Framework
Netcat
Nano (or other editor)
Tcpdump if you are advanced
Code mangelement
• There are many reasons why code gets mangled during
the developement process
• We have overwritten code – the program behaves
strangely
• There might be leftover inputvalidation from processes
still working
• There might be restraints in place from the intented
workings op the program
–
–
–
–
Alphanumeric data/code constraints
UNICODE mangelments
Null character restraints
Forbitten characters
Exploit script inventory
•
•
•
•
•
Qtpoc0.py – exploit to show how SEH functions
Qtpoc1.py – Original exploit (manglement corrected)
Qtpoc2.py – Buffer altered to show EIP overwrite
Qtpoc3.py – pop, pop, ret address
Qtpoc4.py – short jump + nop sledge in place
• Qtpoc5.py – Alpha numerically encoded shell code
Dictionary
• Exploit elements
– Exploit – The part that exploits the vulnerability
– Payload – The part that gives us functionality also
called shellcode or eggs)
– Nop sledge – A funnel over a dard board
– Padding – Filler to meed space requirements
– Encoding – To bypass AV and counter Code mangeling
– The Code nest – Where the shellcode resides
– Eggs – The shellcode or payload
– Egghunter – Functionality to find your eggs
Links and resources
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Web Cast showing how the exploit is developed
http://www.offensive-security.com/videos/offsec-webcast01-video/apple-quicktime-exploit.html
Metasploit Unleashed. Free Course in Metasploit
http://www.offensive-security.com/metasploit-unleashed/Metasploit_Unleashed_Information_Security_Training
Wireshark Certified Network Analyst. Laura Chappel’s books and courses
http://www.wiresharkbook.com/
Blackhat and DefCon Conferences.
http://www.defcon.org and http://www.blackhat .com
Offensive Security Training. Online and Live Training
http://www.offensive-security.com/
Exploit developement collabation examble
http://www.exploit-db.com/winamp-5-58-from-dos-to-code-execution/
Exploit DB
http://www.exploit-db.com
Security Focus Bugtraq
http://www.securityfocus.com/
Securiteam
http://www.securiteam.com/
Metasploit Framework Download
http://www.metasploit.com/framework/download/
Immunity Debugger Download
http://debugger.immunityinc.com/register.html
NetCat Download
http://webscripts.softpedia.com/script/Networking-Tools/Netcat-27515.html
BackTrack Download
http://www.backtrack-linux.org/downloads/
Quicktime Player 7.3.0 Download
http://download.oldapps.com/Quicktime/quicktimeplayer730.exe
Admin
• Kontaktinfo
– Jeg kan kontaktes på kim@bufferzone.dk der er
privatmailen. Jobmail er under heftige ændringer
– Jeg kan findes på Facebook, Twitter og Linkedin
– Mobilnr. 50777101
• Jobmuligheder
– Min sektion har et par ledige stillinger på vej
– http://job-i-forsvaret.dk/civil/ledigestillinger/Pages/stillinger.aspx
Assembely
code
Memory
addreses
Registres
The stack
The actual
content in
Hex
The actual
content in
ASCII
