Hacker 101

Hacker 101: Anatomy of an Attack
Course: CS3511 Web Security
Lecturer: Dr. Simon Foley
Dr. William Fitzgerald
www.williamfitzgerald.net
Security Group,
Department of Computer Science,
University College Cork,
Ireland.
September, 2011
William Fitzgerald, CS3511, Sept. 2011.
1 / 53
Disclaimer
Disclaimer
Objectives
Background
Attack Anatomy
Footprinting
Scanning
Gain Access
Maintain Access
Cover Your Tracks
Summary
William Fitzgerald, or any affiliation associated with him or
his research/teaching, is NOT responsible in any way for
information in this slide-set being used for malicious purposes.
This lecture and its contents are solely about education.
In no circumstances should any person conduct, carry out
and/or try to perform the contained techniques without the
approval of the network and security infrastructure owners.
Hacking/cracking should only be conducted by professional
security analysts.
Overview of this Lecture
Introduction & insight to hacking techniques.
Understand phases of an attack (so they can be
countered!).
Introduction to some auditing and exploitation
technologies.
Importance of security.
What you will not become after this lecture:
Hacker.
Security Expert.
Hacker Classification
Black Hats:
Extraordinary skill set.
Malicious Activities.
aka Cracker.
White Hats:
Ethical Hacker skill set.
Defend against malicious activities.
aka Security Analyst.
Grey Hats:
Offensive & Defensive
Hacker Alphabet
A = 4 or @           B = |3 or 8 or 6     C = (
D = |)               E = 3                F = |=
G = 9 or 6           H = |-|              I = 1
J = j                K = |<               L = |_
M = /\/\ or |\/|     N = /\/ or |\|       O = 0
P = p or |0          Q = &                R = |2
S = 5                T = 7                U = |_|
V = \/               W = \/\/             X = x
Y = % or ’/          Z = z
you’ve been hacked = ’/0u’v3 833|\| h4(k3d
Anatomy of an Attack
Footprinting
Footprinting Objective
Preparatory phase where a hacker seeks to gain as much
information as possible before attacking the target/victim.
Passive Footprinting: googling, job postings, ...
Active Footprinting: social engineering (the act of
manipulating people into performing actions or divulging
confidential information), ...
90% profiling & 10% actually attacking!
Rattle the door knobs.
Footprinting Techniques
Find target external & internal URLs.
Extract DNS information.
Get archive of website.
Perform whois lookup for target details.
Search target for news, press releases, whitepapers.
“People Search” personal information on employees
(e.g. date of birth).
Analyse target infrastructure by looking at job postings.
Mirror site for off-site scanning.
Footprinting Tool-Box
nslookup
Sam Spade
dnsstuff.com
traceroute
whois
metagoofil
burp-suite
Google cache
WayBackMachine
Example 1: Footprint by Profiling Web Archive Data
Gain access to (potentially sensitive) information that is no
longer available on a target Website.
Example tools:
WayBackMachine
Google Cache
Example:
WikiLeaks Offline.
WikiLeaks archived by Google
Important or sensitive information may have been
inadvertently posted and later removed!
WikiLeaks archived by WayBackMachine
Important or sensitive information may have been
inadvertently posted and later removed!
ACC Bank IT job post:
- Oracle 9i and RAC.
- Microsoft platforms.
TSB Bank IT job post:
- Java.
- .net framework.
Development Environment:
Visual Basic, C++, Java, Lotus Notes/Domino, WAP,
HTML, ASP, Cobol, DB/2, SQL, CICS,IMS,DL/1, Oracle,
Sybase.
Hardware Environment:
- IBM mainframes: OS/390, MVS, CICS, IMS, DB/2.
- NT, Cisco Routers, OS/2, X25.
Examine court proceedings.
Usually reveals what an individual did.
Thus, provides an indication of network infrastructure.
Example court proceeding repositories:
www.cybercrime.gov
www.courts.ie
IP addresses, net-blocks.
Name and MX servers.
IT personnel.
domain:   ucc.ie
descr:    University College Cork
admin-c:  JFM1-IEDR
tech-c:   HGO1-IEDR
renewal:  14-September-2010
status:   Active
nserver:  ns.ucc.ie 143.239.1.1
nserver:  nsext2.ucc.ie 143.239.1.25
nserver:  ns1.tcd.ie
nserver:  auth-ns1.ucd.ie
nserver:  ns.isi.edu
nserver:  ns1.surfnet.nl
source:   IEDR
person:   John F. Murphy
nic-hdl:  JFM1-IEDR
source:   IEDR
person:   Henry G. O’Keeffe
nic-hdl:  HGO1-IEDR
source:   IEDR
Registrant:
Browse the World, Ltd
Nassau House, Nassau Street
Dublin 2
Dublin, Leinster Dublin 2
Domain Name: BROWSEIRELAND.COM
Created on: 11-Feb-97
Expires on: 02-Jun-10
Last Updated on: 01-Jun-10
Administrative Contact:
Galligan, Roger roger@iol.ie
Browse the World, Ltd
Nassau House, Nassau Street
Dublin 2
Dublin, Leinster Dublin 2
Tel: 16711111
Fax: -
Technical Contact:
Galligan, Roger roger@iol.ie
DNS query results for a 4c.ucc.ie
Name          Type  TTL    Value
4c.ucc.ie     A     86400  143.239.201.140

DNS query results for mx 4c.ucc.ie
Name          Type  TTL    Value
4c.ucc.ie     MX    86400  20 mail9.ucc.ie.
4c.ucc.ie     MX    86400  20 mail8.ucc.ie.

DNS query results for a mail9.ucc.ie
Name          Type  TTL    Value
mail9.ucc.ie  A     86192  143.239.1.39
Example 6: Footprint by Employee Search
Learn information such as Date of Birth (passwords).
Social engineering.
Blackmail.
Name: John Murphy
Age: 45
Previous Cities: Wheeling IL; Indianapola IA; Pittsburg PA
DOB: Y
Phone: Y
Address: Y
Avg. Income: Y
Avg. Home Value: Y
Relatives: Cameran, Thomas, Marybeth
Knowing a home address may be used to:
Tiger-kidnap.
Stalk.
Force remote administration login (access private data)!
Area Layout.
Open Doors.
Smokers Area.
Example 8: Footprint by Monitoring Targets by IP Cams
Why would one want to control access to a security camera?
Most IP-based cameras have little or no security.
Gain knowledge of what the target has or has not!
Google URL spidering and indexing. For example:
- “Live view - / - AXIS”,
- “indexFrame.html axis”,
- “/home/homeJ.html”.
IMPORTANT: Neither I nor UCC advocate searching for and/or exploiting IP-based cameras. These examples are for
educational purposes only.
Example of “indexFrame.html” unsecured camera search.
Texaco may have secured its IP cameras but the business
across the road has not!
- Could be used to remotely profile ATM cash drop-offs!
Malware uses motion sensors in exploited IP camera to
notify when the owner of the house is away.
Example 9: Footprint with a Criminal and Debt Search
Blackmail.
Bribe.
Metagoofil
Extract metadata of public documents
(pdf,doc,xls,ppt,odp,ods) from target website.
Potential usernames, useful for preparing brute-force attacks
on FTP, POP3, VPN, ...
Extract disclosed PATHs in the metadata
- Guess OS.
- Network names.
- Shared resources.
Extracts MAC address from Microsoft Office documents.
- Guess hardware used.
Software application used and possible system user names.
python metagoofil.py -d 4c.ucc.ie -l 70 -f all -o 4c.html -t ucc
mimetype - application/vnd.ms-powerpoint
paragraph count - 89
title - Ongoing Supply Chain Optimization Research
word count - 453
creator - Christopher
date - 2004-02-10T18:42:06Z
generator - Microsoft PowerPoint
creation date - 2004-01-22T12:46:41Z
mimetype - application/vnd.ms-powerpoint
paragraph count - 41
title - Hybrid Search Techniques for Multiple Sequence Alignment (MSA)
word count - 297
creator - Prestwich
date - 2004-06-10T12:04:40Z
generator - Microsoft PowerPoint
creation date - 2004-06-05T18:55:32Z
Disclosed path (could have been to a network share to exams).
python metagoofil.py -d SANITISED.ucc.ie -l 70 -f all -o SANITISED.html -t ucc
mimetype - application/msword
revision history - Revision #9: Author ’SANITISED’ worked on ’C:\Documents and Settings\SANITISED\My Documents\Lectures\cs607\exams\examCS607summer2003.doc’
revision history - Revision #8: Author ’SANITISED’ worked on ’C:\Documents and Settings\SANITISED\My Documents\Lectures\cs607\exams\examCS607summer2003.doc’
revision history - Revision #7: Author ’SANITISED’ worked on ’C:\Documents and Settings\SANITISED\Application Data\Microsoft\Word\AutoRecovery save of examPlusAnswerscs607summer2003.asd’
revision history - Revision #6: Author ’SANITISED’ worked on ’C:\Documents and Settings\SANITISED\My Documents\Lectures\cs607\exams\examPlusAnswerscs607summer2003.doc’
revision history - Revision #5: Author ’SANITISED’ worked on ’C:\Documents and Settings\SANITISED\My Documents\Lectures\cs607\exams\examPlusAnswerscs607summer2003.doc’
revision history - Revision #4: Author ’SANITISED’ worked on ’C:\Documents and Settings\SANITISED\My Documents\Lectures\cs607\exams\examPlusAnswerscs607summer2003.doc’
language - U.S. English
paragraph count - 6
line count - 25
title - Coliste na hOllscoile, Corcaigh
word count - 533
page count - 1
creator - SANITISED
date - 2003-10-07T12:48:00Z
character count - 3039
generator - Microsoft Word 9.0
last saved by - SANITISED
creation date - 2003-10-07T12:40:00Z
template - Normal.dot
Garda information leakage.
python metagoofil.py -d garda.ie -l 100 -f pdf -o g2010.html -t g2010
Total results for pdf: 97
Total authors found (potential users):
Author(Don)Don
Author()Don
Author(Don)
Author()
QuarkXPress\252: AdobePS 8.5.1
Paul
Author(Alan Morgan)
Author(Gary Wade)
Author(G5)
Gary Wade
Author(s0755559)
Author()David Barry
Author(prepress)
Author(garda)
QuarkXPress(R) 7.3
Who is Alan Morgan?
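The defensive counterpart of Example 10 is to inspect and strip author metadata before documents are published. The Python script below is an added example (not from the lecture or from metagoofil) that does this for an Office Open XML (.docx) package, whose docProps/core.xml part carries the creator and last-modified-by fields; it builds a small sample package in memory, so the usernames and title inside it are constructed.

```python
"""Read and scrub the core properties of a .docx package.

Added example; the package built by build_sample_docx() is constructed
for the demo and contains only the parts needed to show the metadata.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict

CORE_PATH = "docProps/core.xml"
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Fields that footprinting tools harvest as candidate usernames.
SENSITIVE = ["dc:creator", "cp:lastModifiedBy"]


def build_sample_docx(creator: str, last_modified_by: str) -> bytes:
    """Construct a minimal .docx-like package with core properties (sample data)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        '<dc:title>examCS607summer2003</dc:title>'
        f'<dc:creator>{creator}</dc:creator>'
        f'<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>'
        '<cp:revision>9</cp:revision>'
        '</cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr(CORE_PATH, core)
    return buf.getvalue()


def _prefixed(tag: str) -> str:
    """Turn ElementTree's '{uri}local' into the 'prefix:local' form used above."""
    uri, local = tag[1:].split("}", 1)
    prefix = next(p for p, u in NS.items() if u == uri)
    return f"{prefix}:{local}"


def read_metadata(docx_bytes: bytes) -> Dict[str, str]:
    """Return the core properties as a tag -> text map (what a harvester sees)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read(CORE_PATH))
    return {_prefixed(child.tag): (child.text or "") for child in root}


def scrub_docx(docx_bytes: bytes) -> bytes:
    """Rewrite the package with the SENSITIVE core-property fields emptied."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        root = ET.fromstring(src.read(CORE_PATH))
        for tag in SENSITIVE:
            for el in root.findall(tag, NS):
                el.text = ""
        # Copy every other part untouched; only core.xml is re-serialised.
        for item in src.infolist():
            if item.filename == CORE_PATH:
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            else:
                data = src.read(item.filename)
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx("jbloggs", "exams-admin")  # constructed usernames
    print("before:", read_metadata(original))
    print("after: ", read_metadata(scrub_docx(original)))
```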
Garda Review, Volume 31 No. 10, Yearbook 2003.
Scanning
Scanning Objective
Detection of live systems (specific IP addresses).
Operating systems.
Service discovery.
...
Ping Sweep.
TCP/UDP Port Scan.
Fingerprint OS Detection.
Banner Grab.
...
nmap: Network and Service Mapper.
Banner Grab via telnet or netcat.
Nessus: Network Vulnerability Scanner, seeks bugs in software.
fping, hping.
GFI LANGuard.
...
nmap 4c.ucc.ie lists possibly insecure services.
2010-09-21 14:51 IST
Interesting ports on 4c.ucc.ie (143.239.201.140):
Not shown: 987 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
901/tcp  open  samba-swat
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
8080/tcp open  http-proxy
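The open-port list above is the attacker's view of the host; the defender's use of the same nmap output is to diff it against what the host is supposed to expose. The Python script below is an added example (not from the lecture or from nmap): it parses the PORT/STATE/SERVICE table re-typed from the slide and flags every open service that an assumed exposure policy for an Internet-facing web/mail host does not permit. The ALLOWED and NEVER_EXPOSE sets are assumptions made for the illustration.

```python
"""Compare an nmap port table against an exposure policy.

Added example; SAMPLE_NMAP is the slide's scan re-typed as a constant and
the policy sets are hypothetical.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the nmap output shown on the slide.
SAMPLE_NMAP = """\
Interesting ports on 4c.ucc.ie (143.239.201.140):
Not shown: 987 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
445/tcp  open  microsoft-ds
901/tcp  open  samba-swat
993/tcp  open  imaps
995/tcp  open  pop3s
3306/tcp open  mysql
8080/tcp open  http-proxy
"""

# Assumed policy: the only port/protocol pairs this host may expose to the Internet.
ALLOWED = {(22, "tcp"), (25, "tcp"), (80, "tcp"), (443, "tcp"),
           (993, "tcp"), (995, "tcp")}

# Assumed policy: services that must never be reachable from the Internet.
NEVER_EXPOSE = {"netbios-ssn", "microsoft-ds", "samba-swat", "mysql"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, proto, state, service) for every port line in the table."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def audit(text: str) -> Dict[str, List[str]]:
    """Classify each open port as allowed, unexpected (not in policy) or forbidden."""
    report = {"allowed": [], "unexpected": [], "forbidden": []}
    for port, proto, state, service in parse_nmap(text):
        if state != "open":
            continue
        label = f"{port}/{proto} {service}"
        if service in NEVER_EXPOSE:
            report["forbidden"].append(label)
        elif (port, proto) in ALLOWED:
            report["allowed"].append(label)
        else:
            report["unexpected"].append(label)
    return report


if __name__ == "__main__":
    for category, items in audit(SAMPLE_NMAP).items():
        print(f"{category:10s} {items}")
```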
Example 2: Scan with Banner Grabbing
Discovery of Web server type (including version) and hosting OS.
telnet www.cs.ucc.ie 80
Trying 143.239.211.230...
Connected to csweb.ucc.ie.
Escape character is ’^]’.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 22 Sep 2010 08:43:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.8
Connection: close
Content-Type: text/html
telnet 4c.ucc.ie 80
Trying 143.239.201.140...
Connected to 4c.ucc.ie.
Escape character is ’^]’.
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 22 Sep 2010 08:41:56 GMT
Server: Apache/2.2.11 (Fedora)
Last-Modified: Mon, 09 Aug 2010 18:29:18 GMT
ETag: "354822-7a-48d6831c5bb80"
Accept-Ranges: bytes
Content-Length: 122
Connection: close
Content-Type: text/html; charset=UTF-8
http://uptime.netcraft.com
OS     Server                  Last changed  IP address       Netblock Owner
Linux  Apache/2.2.11 (Fedora)  21-Sep-2010   143.239.201.140  Campus Network
Example 4: Scan with Nikto Web Scanner
Web scanner.
Checks for 6100 potentially dangerous files/CGIs.
Checks for outdated versions of over 1000 servers.
...
---------------------------------------------------------------------------
+ Target IP:       143.239.211.230
+ Target Hostname: www.cs.ucc.ie
+ Target Port:     80
+ Start Time:      2010-09-22 13:51:28
---------------------------------------------------------------------------
+ Server: Apache
+ Retrieved x-powered-by header: PHP/5.2.8
+ robots.txt contains 12 entries which should be manually viewed.
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with ’Forbidden’ for
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /index.php/\"><script><script>alert(document.cookie)</script><: eZ publish v3 and prior allow Cros
+ OSVDB-3233: /mailman/listinfo: Mailman was found on the server.
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitiv
+ OSVDB-3092: /demo/: This may be interesting...
+ OSVDB-3092: /downloads/: This might be interesting...
+ OSVDB-3092: /ideas/: This might be interesting...
+ OSVDB-3092: /new/: This might be interesting...
+ OSVDB-3092: /stats/: This might be interesting...
+ OSVDB-3092: : This might be interesting... possibly a system shell found.
+ OSVDB-3093: /squirrelmail/src/read_body.php: This might be interesting... has been seen in web log
+ OSVDB-3233: /cgi-bin/printenv: Apache 2.0 default script is executable and gives server environmen
+ OSVDB-3233: /cgi-bin/test-cgi: Apache 2.0 default script is executable and reveals system informat
+ OSVDB-3233: /test.php: PHP is installed, and a test script which runs phpinfo() was found. This gi
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /jsp-examples/: Apache Java Server Pages documentation.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6417 items checked: 1 error(s) and 26 item(s) reported on remote host
+ End Time:        2010-09-22 13:52:02 (34 seconds)
---------------------------------------------------------------------------
DOCUMENT_ROOT="/www/docs"
GATEWAY_INTERFACE="CGI/1.1"
HTTP_ACCEPT="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
HTTP_ACCEPT_CHARSET="ISO-8859-1,utf-8;q=0.7,*;q=0.7"
HTTP_ACCEPT_ENCODING="gzip,deflate"
HTTP_ACCEPT_LANGUAGE="en-us,en;q=0.5"
HTTP_CACHE_CONTROL="max-age=259200"
HTTP_CONNECTION="keep-alive"
HTTP_HOST="www.cs.ucc.ie"
HTTP_VIA="1.1 nemo.ucc.ie:80 (squid/2.7.STABLE7)"
PATH="/usr/local/texlive/2010/bin/x86_64-linux:/usr/local/texlive/2010/bin/x86_64-linux:/usr/local/b
QUERY_STRING=""
REMOTE_ADDR="143.239.75.235"
REMOTE_PORT="50242"
REQUEST_METHOD="GET"
REQUEST_URI="/cgi-bin/printenv"
SCRIPT_FILENAME="/usr/local/httpd-2.0.61/cgi-bin/printenv"
SCRIPT_NAME="/cgi-bin/printenv"
SERVER_ADDR="143.239.211.230"
SERVER_ADMIN="webmaster@cs.ucc.ie"
SERVER_NAME="www.cs.ucc.ie"
SERVER_PORT="80"
SERVER_PROTOCOL="HTTP/1.0"
SERVER_SIGNATURE=""
SERVER_SOFTWARE="Apache"
---------------------------------------------------------------------------
+ Target IP:       143.239.201.140
+ Target Hostname: 4c.ucc.ie
+ Target Port:     80
+ Start Time:      2010-09-22 13:36:25
---------------------------------------------------------------------------
+ Server: Apache/2.2.11 (Fedora)
+ robots.txt retrieved but it does not contain any ’disallow’ entries (which is odd).
+ ETag header found on server, inode: 3491874, size: 122, mtime: 0x48d6831c5bb80
+ Apache/2.2.11 appears to be outdated (current is at least Apache/2.2.16). Apache 1.3.42 and 2.0.63
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with ’Forbidden’ for
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Retrieved x-powered-by header: PHP/5.2.9
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ /cgi-bin/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including oth
+ OSVDB-3268: /downloads/: Directory indexing found.
+ OSVDB-3092: /downloads/: This might be interesting...
+ OSVDB-3092: /info/: This might be interesting...
+ OSVDB-3268: /software/: Directory indexing found.
+ OSVDB-3092: /web/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3093: /webmail/src/read_body.php: This might be interesting... has been seen in web logs fro
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /bb/: This might be interesting... potential country code (Barbados)
+ /webmail/src/configtest.php: Squirrelmail configuration test may reveal version and system info.
+ 6417 items checked: 1 error(s) and 23 item(s) reported on remote host
+ End Time:        2010-09-22 13:36:53 (28 seconds)
---------------------------------------------------------------------------
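The banner-grab slide and this Nikto report show three leaks from one 4c.ucc.ie response: a Server header carrying a version, the TRACE method being allowed, and an old-style Apache ETag that Nikto decodes into inode, size and mtime. The Python script below is an added example (not from the lecture, Nikto or Apache) that audits a captured response for exactly these; its sample re-types the HEAD reply from the banner-grab slide and adds a constructed Allow header carrying the method list Nikto reported.

```python
"""Audit one captured HTTP response for server information leakage.

Added example; SAMPLE_RESPONSE is the slide's banner-grab reply with an
Allow header added (constructed) so the TRACE check has something to see.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 22 Sep 2010 08:41:56 GMT\r\n"
    "Server: Apache/2.2.11 (Fedora)\r\n"
    "Last-Modified: Mon, 09 Aug 2010 18:29:18 GMT\r\n"
    "ETag: \"354822-7a-48d6831c5bb80\"\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 122\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"   # constructed, from the Nikto finding
    "Connection: close\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Apache's default FileETag (INode MTime Size) yields "inode-size-mtime" in hex.
APACHE_ETAG = re.compile(r'^"?([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)"?$')


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values, ignoring the status line and body."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def decode_apache_etag(etag: str) -> Optional[Tuple[int, int, int]]:
    """Return (inode, size, mtime) if the ETag has Apache's three-field form."""
    m = APACHE_ETAG.match(etag.strip())
    if not m:
        return None
    inode, size, mtime = (int(field, 16) for field in m.groups())
    return inode, size, mtime


def audit_response(raw: str) -> List[str]:
    """Return human-readable findings for the leaks the lecture's scans exposed."""
    h = parse_headers(raw)
    findings = []
    server = h.get("server", "")
    if re.search(r"/\d", server):            # "Apache" is fine, "Apache/2.2.11" is not
        findings.append(f"Server header discloses version: {server}")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By discloses platform: {h['x-powered-by']}")
    allowed = {m.strip().upper() for m in h.get("allow", "").split(",") if m.strip()}
    if "TRACE" in allowed:
        findings.append("TRACE method is allowed (cross-site tracing risk)")
    decoded = decode_apache_etag(h.get("etag", ""))
    if decoded:
        inode, size, mtime = decoded
        findings.append(f"ETag leaks inode {inode}, size {size}, mtime 0x{mtime:x}")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("-", finding)
```

On Apache the directives ServerTokens Prod, FileETag MTime Size (or None) and TraceEnable off remove each of the flagged leaks.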
http://4c.ucc.ie/info provided access to a (non-public) file
containing the 4C staff phone and office directory.
This information could have been more sensitive!
4C Web server recording client IP and client browser type.
http://4c.ucc.ie/examples/jsp/snp/snoop.jsp
Request Information
JSP Request Method: GET
Request URI: /examples/jsp/snp/snoop.jsp
Request Protocol: HTTP/1.0
Servlet path: /jsp/snp/snoop.jsp
Path info: null
Query string: null
Content length: 0
Content type: null
Server name: 4c.ucc.ie
Server port: 80
Remote user: null
Remote address: 143.239.75.235
Remote host: 143.239.75.235
Authorization scheme: null
Locale: en_US
The browser you are using is Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.22) Gecko/20110905 Ubuntu/10.10 (maverick) Firefox/3.6.22
Note: the browser type can be spoofed, for example with the Mozilla add-on:
http://chrispederick.com/work/user-agent-switcher/
Vulnerability scanner.
Configuration auditing.
Asset profiling.
Sensitive data discovery.
Vulnerability analysis of your security posture.
Discovered Web server vulnerabilities; one may now try to exploit them.
Discovered Web camera Web server vulnerabilities.
Sometimes you don’t have to perform the scan yourself!
Vulnerability found on port ftp (21/tcp)
It was possible to disable the remote FTP server by connecting to it
about 3000 times, with one connection at a time.
Exploit The System
Gaining Access Objective
Penetration phase.
Previous steps provide enough information to make an
attempt to gain access.
Gain access/exploit over LAN, Internet, physical.
...
Direct use of ready made exploits.
Malware.
Password eavesdropping.
File share brute force.
Password file grab.
Buffer Overflows.
...
Metasploit: platform for developing, testing, and using exploit code.
Wireshark: Wired & Wireless Sniffer.
pwdump2.
l0phtcrack.
...
Direct use of pre-made exploits from hacker repositories.
Metasploit is a penetration testing framework.
Verify patch installations.
An example:
Choose exploit.
Choose exploit target system.
Choose payload.
Execute payload.
System exploited.
Back door.
Install trapdoors to get back into the system.
Trojans.
RAT’s.
Rootkits.
Privilege Escalation.
Rogue user accounts.
Install remote services: rootkits, RATs etc.
Install monitoring mechanisms: keyloggers.
Replace applications with custom trojans.
Spyware.
Patch the system.
Maintaining Access Tool-Box
PsExec.
Remoexec.
Back Orifice.
Spytech.
Ghostkeylogger.
Winzapper.
Porgenic Mail Construction Kit (PMT).
Reverse HTTP server shell.
Loki ICMP tunnelling.
Spector.
Example 1: Maintain Access with Malware Frameworks
Terabitvm and VirusJPS
Necro
Example 2: Maintain Access with Homemade Malware
A binder is a program that takes two executable files and
combines them into one.
Example 3: Maintain Access with Keylogger
Physical Keylogger.
Covering Your Tracks
Covering Tracks Objectives
Hide from legitimate Administrators.
Covering Tracks Techniques
Steganography
- Hide (encrypt) source code, criminal instructions.
- Hidden partition.
Clear logs: history, events, recent documents, etc.
Rootkits: hide processes, etc.
Example 1: Cover Tracks with Steganography
Steganography applications conceal information in other,
seemingly innocent media.
Steganography works by replacing bits of useless or unused
data in regular computer files (such as graphics, sound,
text, HTML, network traffic) with bits of different, invisible
information.
This hidden information can be plain text, cipher text, or
images.
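As an added example (not from the lecture slides), the following Python script implements the bit replacement just described: it writes a message into the least-significant bit of each pixel of a constructed 32x32 grayscale gradient that stands in for an image file, extracts it back, and measures how little the cover changed. The cover, the message and all function names are my own assumptions. The point for a defender is the last two functions: no pixel moves by more than one grey level, which is why hidden content is invisible to the eye and why detection relies on statistical analysis of the LSB plane rather than visual inspection.

```python
"""LSB steganography demo: embed text in pixel least-significant bits, extract it,
and measure how little the cover image changes. Educational, added example."""

# Constructed 32x32 8-bit grayscale gradient standing in for a real image file.
WIDTH, HEIGHT = 32, 32
COVER = bytes((x * 7 + y * 3) % 256 for y in range(HEIGHT) for x in range(WIDTH))
MESSAGE = b"Payment was received."          # constructed sample message

HEADER_BITS = 32  # message length is stored first as a 32-bit big-endian integer


def capacity_bytes(cover: bytes) -> int:
    """Message bytes that fit: one bit per pixel, minus the length header."""
    return (len(cover) - HEADER_BITS) // 8


def _to_bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _read_bytes(img: bytes, first_pixel: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs of 8*count consecutive pixels."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (img[first_pixel + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def embed(cover: bytes, message: bytes) -> bytes:
    """Return a copy of cover whose pixel LSBs carry len(message) || message."""
    if len(message) > capacity_bytes(cover):
        raise ValueError(f"{len(message)} bytes exceed capacity of {capacity_bytes(cover)}")
    payload = len(message).to_bytes(4, "big") + message
    stego = bytearray(cover)
    for idx, bit in enumerate(_to_bits(payload)):
        stego[idx] = (stego[idx] & 0xFE) | bit   # overwrite bit 0 only
    return bytes(stego)


def plausible_header(img: bytes) -> bool:
    """Cheap sanity check: does the decoded length header fit inside the image?
    A cover with no embedding usually decodes to a nonsensical length."""
    length = int.from_bytes(_read_bytes(img, 0, 4), "big")
    return HEADER_BITS + length * 8 <= len(img)


def extract(stego: bytes) -> bytes:
    """Recover the message; refuse headers that point past the end of the image."""
    if not plausible_header(stego):
        raise ValueError("length header exceeds image size; no valid embedding found")
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, HEADER_BITS, length)


def max_pixel_delta(cover: bytes, stego: bytes) -> int:
    """Largest change to any single pixel; pure LSB replacement gives at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def changed_pixel_count(cover: bytes, stego: bytes) -> int:
    """How many pixels differ at all (at most one per embedded bit)."""
    return sum(1 for a, b in zip(cover, stego) if a != b)


if __name__ == "__main__":
    stego_img = embed(COVER, MESSAGE)
    print("recovered:", extract(stego_img))
    print("max pixel delta:", max_pixel_delta(COVER, stego_img),
          "| pixels changed:", changed_pixel_count(COVER, stego_img),
          "of", len(COVER))
```

The length header is what lets extraction stop in the right place; without it a tool would have to guess the message boundary. Real tools such as steghide add compression, encryption and pseudo-random pixel selection on top of this idea, which is also what makes the LSB plane look noise-like to a detector.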
steghide.
Hidden message (stego.txt):
Payment was received.
The source code for the Stuxnet worm can be found at rapidshare.com
File name is 5tuxn3t2010.rar
Password is Iran
steghide embed -cf zebras.jpg -ef stego.txt
steghide extract -sf zebras.jpg
Invisible Secrets.
Example 2: Cover Tracks by Erasing Logs
Windows OS.
Linux OS.
SRM(1)
NAME
srm - secure remove (secure_deletion toolkit)
SYNOPSIS
srm [-d] [-f] [-l] [-l] [-r] [-v] [-z] files
DESCRIPTION
srm is designed to delete data on mediums in a secure manner which can not be
recovered by thiefs, law enforcement or other threats. The wipe algorythm is based
on the paper "Secure Deletion of Data from Magnetic and Solid-State Memory" presented
at the 6th Usenix Security Symposium by Peter Gutmann, one of the leading civilian
cryptographers.
Some erasers leave a log of the logs they wiped!
Disable logging when gaining access and enable it afterwards.
Rootkits.
# Apply to target system as follows:
C:\>auditpol \\192.168.1.7 /disable
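From the defender's side, the techniques on the Maintaining Access Techniques slide (rogue user accounts, installing remote services) and the ones here (disabling auditing, clearing the event log) leave traces in the Windows Security log before logging stops; a policy change such as the auditpol command above is, where audit-policy-change auditing is itself enabled, typically recorded as event 4719 before it takes effect. The following Python triage script is an added example and not part of the lecture. The CSV export format and the eight sample rows are constructed; the event IDs 1102 (audit log cleared), 4719 (system audit policy changed), 4720 (user account created) and 4732 (member added to a security-enabled local group) are the standard Windows Security event IDs for those actions. It flags those events, looks for an unexplained quiet window in an otherwise busy log, and correlates which account both tampered with auditing and created persistence.

```python
"""Triage a Windows Security-log export for audit tampering and persistence.
Added defender-side example; the log format and rows are constructed."""
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export (timestamp,event_id,account,detail); not from any real host.
SAMPLE_LOG = """\
2011-09-12T08:00:05,4624,alice,Logon type 2
2011-09-12T08:03:10,4624,bob,Logon type 3
2011-09-12T08:04:00,4719,bob,System audit policy was changed
2011-09-12T10:31:45,4719,bob,System audit policy was changed
2011-09-12T10:32:01,4720,bob,New account svc_backup2 created
2011-09-12T10:32:20,4732,bob,svc_backup2 added to Administrators
2011-09-12T10:33:00,1102,bob,The audit log was cleared
2011-09-12T10:40:00,4624,alice,Logon type 2
"""

# Standard Windows Security event IDs for the two phases being detected.
TAMPER_EVENTS = {1102: "audit log cleared", 4719: "system audit policy changed"}
PERSISTENCE_EVENTS = {4720: "user account created",
                      4732: "member added to security-enabled local group"}


def parse_log(text: str) -> list:
    """Parse the constructed CSV export into dicts sorted by time."""
    rows = []
    for ts, event_id, account, detail in csv.reader(StringIO(text)):
        rows.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                     "account": account, "detail": detail})
    rows.sort(key=lambda r: r["time"])
    return rows


def flag_events(rows: list) -> list:
    """(time, event_id, description, account) for every event of interest, in order."""
    labels = {**TAMPER_EVENTS, **PERSISTENCE_EVENTS}
    return [(r["time"], r["event_id"], labels[r["event_id"]], r["account"])
            for r in rows if r["event_id"] in labels]


def find_silence_gaps(rows: list, max_gap: timedelta = timedelta(hours=1)) -> list:
    """Windows where a normally chatty log went quiet: auditing may have been
    disabled (the attacker's 'disable logging, re-enable afterwards' pattern)."""
    return [(prev["time"], cur["time"]) for prev, cur in zip(rows, rows[1:])
            if cur["time"] - prev["time"] > max_gap]


def correlated_actors(rows: list) -> set:
    """Accounts that both tampered with auditing and created persistence."""
    tamper = {r["account"] for r in rows if r["event_id"] in TAMPER_EVENTS}
    persist = {r["account"] for r in rows if r["event_id"] in PERSISTENCE_EVENTS}
    return tamper & persist


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for when, eid, what, who in flag_events(events):
        print(f"{when:%H:%M:%S} {eid} {who}: {what}")
    for start, end in find_silence_gaps(events):
        print(f"quiet window {start:%H:%M:%S} -> {end:%H:%M:%S}: check whether auditing was off")
    print("accounts to investigate:", correlated_actors(events))
```

A quiet window on its own is weak evidence (the host may simply have been idle), which is why the script pairs it with the explicit 4719/1102 events and with the account correlation; in practice these checks run against a central log collector, since an attacker who clears the local Security log cannot also clear copies that were already forwarded.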
Example 3: Cover Tracks with Hidden Processes
A rootkit is software that enables continued privileged
access to a computer, while actively hiding its presence
from administrators by subverting standard operating
system functionality or other applications.
Summary
Anatomy of an attack.
Malware Frameworks.
Pentesting Frameworks.
Final Note:
- This lecture is for educational purposes ONLY.
A One Stop Shop Pentest Tool
BackTrack categorises its tools, for example:
Information Gathering, Vulnerability Assessment, Exploitation Tools, Privilege Escalation, Maintaining Access,
Reverse Engineering, RFID Tools, Stress testing, Forensics, Reporting Tools, Services and Miscellaneous
Words of Wisdom!