The Fundamentals of Hacking: An Overview

The Fundamentals of Hacking:
An 0\/3r\/!3vv
Jen Johnson
Miria Grunick
Five Phases of an Attack
• Phase 1: Reconnaissance
• Phase 2: Scanning
• Phase 3: Gaining Access
• Phase 4: Maintaining Access
• Phase 5: Covering Tracks and Hiding
Phase 1: Reconnaissance
• Takes place before the attack.
• Investigate the target using publicly
available information
• Types: Low-Technology Reconnaissance,
Searching the Web, Whois Databases,
Using the DNS, and General Purpose Tools
Low-Technology Reconnaissance
• Social Engineering: An attacker calls the
target organization and fools an employee
into revealing sensitive information. Often,
the attacker calls and pretends to be a
new employee, customer, system
administrator, or business partner.
• Physical Break-In: Physically breaking into
the building to try to gain access to the
network from the inside. This is often
accomplished by walking into the building
with a group of employees or being hired
as an employee or temp.
• Dumpster Diving: Going through an
organization’s discarded documents to find
sensitive information. Often, employees
will throw out papers that reveal critical
information (e.g., old Post-It® notes with
user IDs and passwords).
Searching the Web
• Organization’s Web Site: Can reveal
important information, such as the
employees’ contact information, clues
about the corporate culture and language,
business partners, recent mergers and
acquisitions, and what technologies the
organization uses.
• Search Engines: Can reveal information
about the company’s history, current
events, future plans, financial status,
business partners, technologies in use.
• Usenet: Employees may submit questions
to technical newsgroups that reveal
information about the particular products
that the organization uses.
Whois Databases
• Whois databases contain information about the assignment of Internet addresses, domain names, registrars, and individual contacts.
• First, find out who the registrar is. The Internet Network Information Center (InterNIC) whois database system lists the registrars of websites based on the organization’s name or domain name for sites with the .net, .org or .com extensions. The InterNIC whois database is available online at: www.internic.net/whois.html
• If you are researching an organization without the .com, .net, or .org extensions (e.g., international websites), try the Allwhois site at: www.allwhois.com/home.html
• Once you have the registrar’s name, you can go to the registrar’s site and get more information, such as names and numbers of administrators, email and postal addresses, registration dates, and the addresses of the organization’s DNS servers.
American Registry for Internet
Numbers (ARIN)
• Contains all IP addresses assigned to a particular organization. Search by company or domain names.
• For North American, South American, Caribbean, and sub-Saharan African organizations: www.arin.net/whois/arinwhois.html
• For European organizations: www.ripe.net
• For Asian organizations: www.apnic.net
Domain Name System (DNS)
• DNS – a world-wide hierarchical database that stores information about domain names and IP addresses. This database is searched to get information about a given domain name, most commonly the corresponding IP address.
• Once an attacker knows one of the DNS servers, the attacker can begin interrogating the name servers.
DNS
• To interrogate DNS servers, first invoke a
nslookup program on any UNIX or
Windows NT/2000 environment by typing
nslookup at the command prompt.
• Try to do a zone transfer. In a zone
transfer, the nslookup program asks the
DNS server to transmit all information it
has about a given domain.
• To do a zone transfer, nslookup must be instructed to use the target’s DNS server, using the command server [target_DNS_server]
• Next, specify to search for any type of DNS record by typing set type=any
• Initiate the zone transfer by typing ls -d [target_domain]
• Output can give useful information, such as system names, IP addresses of the systems, and sometimes even operating system types.
• More information about nslookup: www.zoneedit.com/doc/nslookup.html
General Reconnaissance Tools
• Sam Spade (freeware available at www.samspade.org/ssw/)
• Many reconnaissance tools in one: ping,
whois, IP block whois, nslookup, dig, DNS
zone transfer, traceroute, finger, SMTP
VRFY, Web browser.
• Other general-purpose reconnaissance
tools: CyberKit, NetScan Tools, iNetTools
Web-Based Reconnaissance Tools
• Research and Attack portals: sites that allow a user to enter the target site and research or initiate an attack against the target (via denial-of-service attacks or vulnerability scans).
• Difference between Web-based tools and general reconnaissance tools: now the traffic comes from the Web server, not the attacker machine. Thus, the attacker can remain more anonymous.
• Examples:
www.network-tools.com
privacy.net/analyze
Phase 2: Scanning
The premise of scanning is to probe as
many ports as possible, keeping track of
open and useful ports that would be
receptive to hacking.
Scanners send multiple packets over a
communication medium then listen and
record each response.
The following are techniques for
inspecting ports and protocols.
War Dialing
• War Dialing: Dialing large pools of telephone numbers in an effort to find unprotected modems. Done with an automated tool, such as THC-Scan 2.0, available at: www.thc.org/releases.php.
• This tool will return a list of all of the modems discovered in the range of the phone numbers it was given.
• The hacker can then check all of the modems and see if any have no passwords, allowing them access to the network.
FIN Probe
• A FIN packet (or any packet without an ACK or SYN flag) is sent to an open port and one waits for a response.
• The correct RFC 793 behavior is to not respond. Many broken implementations (e.g., MS Windows) send a RESET back.
Network Mapping
• A hacker first tries to determine which
addresses have active hosts by pinging all
possible addresses in the network.
• Once a hacker knows which hosts are
alive, he or she will try to determine the
network topology. This is done by a
method called tracerouting.
• Tracerouting: Send a series of packets with different Time-To-Live (TTL) values in the IP header and check the source address of the Time Exceeded message returned.
• Example: Send a packet with a TTL of 1. The Time Exceeded message will have the source address of the first router. Now send a packet with a TTL of 2. The Time Exceeded message returned will have the source address of the second router, and so on.
• Windows 2000/NT and UNIX have tools that do this for us
– Windows 2000/NT: tracert
– UNIX: traceroute
• Another network mapping tool: Cheops (available at: www.marko.net/cheops). This tool does the ping sweep and traceroute and draws a picture of the topology of the network.
How Cheops Works
• Sequentially send ARP messages to every IP address in the range.
• Traceroute to every IP address that responds to the ARP message.
Scanning Involves 3 Steps
• Locating Nodes
• Performing Service Discoveries
• Testing Services for Known Security Holes
TCP Port Scanning
• Most basic form of scanning. Attempts to
open a full TCP port connection to
determine if that port is active.
• This method leaves an easier-to-spot trail than partial open scanning.
Stealth Port Scanning
• All the operating systems now honor the
tradition of permitting only the super-user
to open the ports numbered 0 to
1023. These standard ports are assigned
to services by the IANA (Internet Assigned
Numbers Authority, www.iana.org).
• Attempts to open a port in the range of
0..1023 by an unprivileged user program
will fail. A user program can open any
unallocated port higher than 1023.
• On Unix, the text file named /etc/services (on Windows 2000 the file named %windir%\system32\drivers\etc\services) lists these service names and the ports they use. Here are a few lines extracted from this file:

  echo       7/tcp           Echo
  ftp-data   20/udp          File Transfer (default)
  ftp        21/tcp          File Transfer (control)
  ssh        22/tcp          SSH Remote Login Protocol
  telnet     23/tcp          Telnet
  domain     53/udp          Domain Name Server
  www-http   80/tcp          WWW HTTP

  Non Standard Ports
  wins       1512/tcp        Microsoft Windows Internet Name Service
  Radius     1812/udp        RaDIUS authentication protocol
  yahoo      5010            Yahoo! Messenger
  X11        6000-6063/tcp   X Window System
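The services file above has a simple line format (name, port/protocol, optional aliases, optional comment). The following parser is an added example written for this page, not code from the original slides: it reads a constructed sample in that layout, looks services up by port, and separates the IANA well-known range (0..1023, bindable only by the superuser) from the non-standard ports. The sample text and the helper names are the example's own.

```python
import re
from typing import NamedTuple

class ServiceEntry(NamedTuple):
    name: str
    port: int
    proto: str
    aliases: tuple
    comment: str

# Constructed sample text in /etc/services layout (not copied from any host);
# the rows mirror the ones quoted above, plus a few aliases and comments.
SAMPLE_SERVICES = """\
# Network services, Internet style
echo        7/tcp
ftp-data    20/tcp
ftp         21/tcp
ssh         22/tcp              # SSH Remote Login Protocol
telnet      23/tcp
domain      53/udp
www-http    80/tcp    http      # WorldWideWeb HTTP
wins        1512/tcp            # Microsoft Windows Internet Name Service
radius      1812/udp
x11         6000/tcp  x11-0     # X Window System
"""

# name  port/proto  [alias ...]  [# comment]
LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\s*((?:\S+\s*)*?)\s*(?:#\s*(.*))?$")

def parse_services(text):
    """Parse services-file text into ServiceEntry records, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # malformed line: skip it rather than abort, as the C library does
        name, port, proto, alias_blob, comment = m.groups()
        entries.append(ServiceEntry(name, int(port), proto,
                                    tuple(alias_blob.split()), (comment or "").strip()))
    return entries

def lookup(entries, port, proto):
    """Return the service name registered for port/proto, or None when unlisted."""
    for e in entries:
        if e.port == port and e.proto == proto:
            return e.name
    return None

def is_privileged(port):
    """Ports 0..1023 are the IANA well-known range that only the superuser may bind."""
    return 0 <= port <= 1023

def unprivileged_services(entries):
    """Names of listed services above 1023 (the 'Non Standard Ports' rows above)."""
    return [e.name for e in entries if not is_privileged(e.port)]

if __name__ == "__main__":
    for e in parse_services(SAMPLE_SERVICES):
        print(f"{e.name:10} {e.port:>5}/{e.proto}  privileged={is_privileged(e.port)}")
```

Pointing `parse_services` at the contents of a real /etc/services gives the same records, which makes it a convenient base for checking an open-port list against the names a host expects to serve.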
Stealth Scanning Includes Some/All
of the Following
• Setting individual flags (ACK, FIN, RST, .. )
• NULL flags set
• All flags set
• Bypassing filters, firewalls, routers
• Appearing as casual network traffic
• Varied packet dispersal rates
Fragmented Packets
• The scanner splits the TCP header
into several IP fragments. This
bypasses some packet filter firewalls
because they cannot see a complete
TCP header that can match their filter
rules.
• Some packet filters and firewalls do queue all IP fragments (e.g., the CONFIG_IP_ALWAYS_DEFRAG option in Linux enables it in the kernel), but many networks cannot afford the performance loss caused by the queuing.
TCP Fragmenting
• TCP fragmenting is not a scan
method so to speak, although it
employs a method to obscure
scanning implementations by splitting
the TCP header into smaller
fragments.
• A minimally allowable fragmented TCP header must contain a destination and source port in the first packet (8 octets, 64 bits), typically the initialized flags in the next, allowing the remote host to reassemble the packet upon arrival.
• The actual reassembly is established
through an IPM (internet protocol module)
that identifies the fragmented packets by
the field equivalent values of:
– source
– destination
– protocol
– identification
Using TCP Fragmenting: FragRouter
• Program which fragments TCP packets
– 35 different ways to fragment
• Called a router because it is a software
implementation of a router – data from
other programs is sent through the
FragRouter
• FragRouter fragments the packets and
then forwards the packets to their
destination
SYN Scanning
• Also called half-open scanning, as TCP
connection is not completed.
• A SYN packet is sent and the target host
responds with a SYN+ACK, indicating the
port is listening
• RST indicates a non-listener
• The server process is never informed by
the TCP layer because the connection did
not complete.
A demonstration of this technique
is necessary to show a half open
transaction:
client -> SYN
server -> SYN|ACK
client -> RST
• This example has shown the target
port was open, since the server
responded with SYN|ACK flags.
• The RST bit is kernel oriented, that is,
the client need not send another
packet with this bit, since the kernel's
TCP/IP stack code automates this.
Inversely, a closed port will respond
with RST|ACK.
client -> SYN
server -> RST|ACK
This combination of flags is indicative of a non-listening port.
FIN Scanning
• The typical TCP scan attempts to open
connections (at least part way). Another
technique sends erroneous packets at a
port, expecting that open listening ports
will send back different error messages
than closed ports.
• The scanner sends a FIN packet, which should close a connection that is open. Closed ports reply to a FIN packet with a RST. Open ports, on the other hand, ignore the packet in question.
• If no service is listening at the target port, the operating system will generate an error message.
• If a service is listening, the operating system will silently drop the incoming packet. Therefore, silence indicates the presence of a service at the port.
This is the negotiation for open/closed port recognition:
client -> FIN
server -> (no reply)
• No reply from the server is indicative of an open port. The server's operating system silently dropped the incoming FIN packet to the service running on that port.
RST Reply
• Opposing this is the RST reply by the
server upon a closed port reached.
• Since, no service is bound on that port,
issuing a FIN invokes a reset (RST)
response from the server.
client -> FIN
server -> RST
• Other techniques that have been used
consist of XMAS scans where all flags in
the TCP packet are set, or NULL scans
where none of the bits are set. However,
different operating systems respond
differently to these scans, and it becomes
important to identify the OS and even its
version and patch level.
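From the defender's side, the half-open (SYN) and FIN/NULL/Xmas techniques described above all leave a recognisable pattern in traffic toward a host: SYNs that are never followed by an ACK from the same source, and packets whose flag combinations no normal TCP stack sends. The detector below is an added example for this page (not the slides' own code) that runs over a constructed list of packet records; the field names, thresholds and sample addresses are the example's own assumptions.

```python
from collections import defaultdict

NULL_PROBE = frozenset()
FIN_PROBE = frozenset({"FIN"})
XMAS_PROBE = frozenset({"FIN", "URG", "PSH"})

def classify_flags(flags):
    """Map a packet's TCP flag set to the probe type used by the scans above."""
    f = frozenset(flags)
    if f == NULL_PROBE:
        return "null-probe"
    if f == FIN_PROBE:
        return "fin-probe"
    if f == XMAS_PROBE:
        return "xmas-probe"
    if f == {"SYN"}:
        return "syn"
    if "ACK" in f and "SYN" not in f and "RST" not in f:
        return "ack"          # third handshake step, or a later data segment
    if "RST" in f:
        return "reset"
    return "other"

def summarize_sources(packets, port_threshold=5):
    """Per-source summary of inbound TCP packets seen at the monitored hosts.

    A SYN whose source never follows up with an ACK to the same host/port is
    counted as half-open; NULL/FIN/Xmas packets are counted as flag probes.
    A source is flagged when it sends any flag probe or touches at least
    port_threshold distinct (host, port) pairs.
    """
    pending = set()                 # (src, dst, dport) SYNs awaiting an ACK
    probes = defaultdict(int)       # src -> flag probes seen
    ports = defaultdict(set)        # src -> {(dst, dport)}
    for p in packets:
        kind = classify_flags(p["flags"])
        key = (p["src"], p["dst"], p["dport"])
        ports[p["src"]].add((p["dst"], p["dport"]))
        if kind == "syn":
            pending.add(key)
        elif kind == "ack":
            pending.discard(key)    # handshake completed: a real connection
        elif kind.endswith("-probe"):
            probes[p["src"]] += 1
    half_open = defaultdict(int)
    for src, _, _ in pending:
        half_open[src] += 1
    return {
        src: {
            "half_open": half_open[src],
            "flag_probes": probes[src],
            "distinct_ports": len(ports[src]),
            "alert": probes[src] > 0 or len(ports[src]) >= port_threshold,
        }
        for src in ports
    }

# Constructed sample records (not a real capture): packets arriving at the
# monitored host 10.0.0.7 from a normal client and from a scanning host.
SAMPLE_PACKETS = [
    # legitimate client: full handshake, then data
    {"src": "198.51.100.9", "dst": "10.0.0.7", "dport": 443, "flags": {"SYN"}},
    {"src": "198.51.100.9", "dst": "10.0.0.7", "dport": 443, "flags": {"ACK"}},
    {"src": "198.51.100.9", "dst": "10.0.0.7", "dport": 443, "flags": {"PSH", "ACK"}},
    # half-open sweep: SYN to many ports, then RST instead of completing
    *[{"src": "203.0.113.5", "dst": "10.0.0.7", "dport": d, "flags": {"SYN"}}
      for d in (21, 22, 23, 25, 80, 443)],
    *[{"src": "203.0.113.5", "dst": "10.0.0.7", "dport": d, "flags": {"RST"}}
      for d in (21, 22, 23, 25, 80, 443)],
    # NULL, FIN and Xmas probes against one further port
    {"src": "203.0.113.5", "dst": "10.0.0.7", "dport": 8080, "flags": set()},
    {"src": "203.0.113.5", "dst": "10.0.0.7", "dport": 8080, "flags": {"FIN"}},
    {"src": "203.0.113.5", "dst": "10.0.0.7", "dport": 8080, "flags": {"FIN", "URG", "PSH"}},
]

if __name__ == "__main__":
    for src, info in summarize_sources(SAMPLE_PACKETS).items():
        print(src, info)
```

The threshold and the "any flag probe" rule are deliberately simple; on a real link the same bookkeeping is usually kept per time window, since a slow scan spread over hours is exactly what the "varied packet dispersal rates" bullet above is meant to defeat.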
Reverse Ident Scanning
• This technique involves sending a request to the ident/auth daemon, usually on port 113, to query the service for the owner of the running process.
• The main reason behind this is to find
daemons running as root, this result would
entice an intruder to find a vulnerable
overflow and instigate other suspicious
activities involving this port.
• Alternatively, a daemon running as user
nobody (httpd) may not be as attractive to
a user because of limited access
privileges.
• identd could release miscellaneous private
information such as:
– user info
– entities
– objects
– processes
FTP Bounce
Background
• FTP session consists of two connections between the client and the server.
• The high port server connection is enabled by the client that allows the FTP server to send data to the client.
• When the client wants to transfer data to or from the server, it issues a PORT command. The PORT command instructs the server to open a data connection which is used to transfer the data.
Problem
• An outside attacker can use the FTP
server to open connections which appear
to originate from the server. This could be
used to bypass the access control
restrictions.
How To Use FTP Bounce
Attacks
Port Scanning
• An attacker can run the attack from a third-party FTP server acting as a stage for the scan. The victim site sees the scan as coming from the FTP server rather than the true source (the FTP client).
• When the victim site is on the same subnet as the FTP server, or when it does not filter traffic from the FTP server, the attacker can use the server machine as the source of the port scan rather than the client machine.
Bypassing Basic Packet Filtering
Devices
• An attacker may bypass a firewall in
certain network configurations.
– Example; a site has its anonymous FTP server
behind a firewall. Using the technique above,
an attacker determines that an internal web
server at that site is available on port 8080, a
port normally blocked by a firewall.
• By connecting to the public FTP server at the site, the attacker initiates a further connection between the FTP server and an arbitrary port on a non-public machine at that site (for instance the internal web server at port 8080).
• As a result, the attacker establishes a
connection to a machine that would
otherwise be protected by the firewall.
Bypassing Dynamic Packet Filtering
Devices
• Example
– victim site houses all of its systems behind a firewall
that uses dynamic packet filters
– person at victim site browses web pages and
downloads a Java applet constructed by attacker.
– Java applet then opens an outbound FTP connection
to attacker's machine.
– applet then issues an FTP PORT command,
instructing server machine to open a connection to
some otherwise protected system behind the victim
firewall.
• Dynamic packet filtering firewall examines
outbound packets to determine if any
action is required on its part.
• It notes the PORT command and allows an
incoming connection from the remote web
server to the telnet port on the victim
machine.
• This connection was allowed in this case
because the PORT command was issued
by the client.
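Every variant of FTP bounce above relies on the server accepting a PORT command that names a host other than the client that sent it (or a privileged port on that host). The usual server-side mitigation is to validate the PORT argument against the control connection. The code below is an added example for this page, not the slides' or any FTP server's own code: it parses the RFC 959 "h1,h2,h3,h4,p1,p2" form and refuses data connections to any other host or to ports below 1024. The function names and the sample addresses are the example's own.

```python
import ipaddress

class PortCommandError(ValueError):
    """Raised when a PORT argument is malformed or points somewhere it should not."""

def parse_port_argument(arg):
    """Decode the RFC 959 'h1,h2,h3,h4,p1,p2' form into (IPv4Address, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise PortCommandError("PORT needs exactly six comma-separated numbers")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise PortCommandError("PORT fields must be decimal integers") from None
    if any(n < 0 or n > 255 for n in nums):
        raise PortCommandError("PORT fields must be in 0..255")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return host, port

def validate_port_command(control_peer, arg, min_port=1024):
    """Accept a PORT only if it targets the control-connection peer on an unprivileged port.

    Refusing any other host is what stops the server being used as a bounce
    point; refusing ports below 1024 stops it being aimed at other services
    on the client itself.
    """
    host, port = parse_port_argument(arg)
    if host != ipaddress.IPv4Address(control_peer):
        raise PortCommandError(f"PORT host {host} differs from control peer {control_peer}")
    if port < min_port:
        raise PortCommandError(f"PORT {port} is a privileged port")
    return host, port

def accept_port_command(control_peer, arg):
    """Boolean wrapper: True when the server may open the requested data connection."""
    try:
        validate_port_command(control_peer, arg)
        return True
    except PortCommandError:
        return False

if __name__ == "__main__":
    # Constructed cases: a client at 198.51.100.7 asking for its own port 1025,
    # then asking the server to connect to a third host's port 8080 instead.
    print(accept_port_command("198.51.100.7", "198,51,100,7,4,1"))
    print(accept_port_command("198.51.100.7", "10,0,0,5,31,144"))
```

Servers that must support third-party transfers (FXP) need a deliberate exception list rather than dropping the host check entirely; the same comparison against the control peer also applies to the EPRT command in servers that offer it.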
Scanning Packages Available
Commercially
• CyberCop
• JAKAL
• NetRecon
• NMap
CyberCop
• Intrusion detection system that safeguards
corporate assets by performing real-time
surveillance of network traffic. The
CyberCop system protects networks from
external and internal attacks by providing
a "high tech burglar alarm" capable of
alerting companies when the security of
their networks is breached by
unauthorized intruders.
JAKAL
• Developed on UNIX to test UNIX hosts.
Jakal is interesting because of its
possibilities: it is designed for stealth and
to go through most firewalls. Usually it
doesn't leave any trace of its activity,
except for some messages (SYN|ACK).
NetRecon
• Scans multiple operating systems,
including UNIX, Linux, Windows 2000,
Windows NT, Windows 95/98 and
NetWare.
• Scans using many Windows NT/2000
network protocols such as TCP/IP,
IPX/SPX, and NetBEUI.
Nmap
• Most popular scanner to date
• Free utility for network exploration or security auditing.
Designed to rapidly scan large networks. Uses raw IP
packets to determine what hosts are available on the
network, what services (application name and version)
those hosts are offering, what operating systems (and
OS versions) they are running, what type of packet
filters/firewalls are in use.
• http://www.insecure.org/nmap/idlescan.html
Scan Types Supported by Nmap
Type of Scan      Command-Line Option   Summary of Characteristics
TCP Connect       -sT                   Completes the 3-way handshake with each scanned port.
TCP SYN           -sS                   Only sends the initial SYN and awaits the SYN-ACK response.
TCP FIN           -sF                   Sends a TCP FIN to each port. Reset indicates port is closed.
TCP Xmas Tree     -sX                   Sends packet with the FIN, URG and PUSH code bits set. Reset indicates port is closed.
Null              -sN                   Sends packets with no code bits set. Reset indicates port is closed.
TCP ACK           -sA                   Sends packet with the ACK code bit set to each target port.
Window            -sW                   Similar to ACK, but focuses on TCP Window size to determine if ports are
FTP Bounce        -b                    Bounces a TCP scan off of an FTP server, obscuring the originator of the scan.
UDP Scanning      -sU                   Sends a UDP packet to target ports to determine if a UDP service is listening.
Ping              -sP                   Sends ICMP echo request packets to every machine on target network.
RPC Scanning      -sR                   Scans RPC services using all discovered open TCP/UDP ports on the target to send RPC Null commands.
Determining Firewall Filter Rules
• One disadvantage of Nmap – it cannot differentiate what is open on an end machine and what is being firewalled.
• It is also important to determine what ports are available through the firewall or router. One tool that can do this is Firewalk (available: www.packetfactory.net/projects/firewalk/firewalk-5.0.tgz)
• Firewalk can determine which types of packets are permitted through and which ports are accessible through the firewall.
• Note: Firewalk is only useful for packet-filtering devices, not proxy-based firewalls.
How Firewalk Works
• Determines the number of hops between the tool and the firewall
• Sends UDP and TCP packets with TTL one greater than the hop count to the filtering device.
– If ICMP Time Exceeded message is returned, the port is available through the firewall
– If ICMP Port Unreachable message or nothing is returned, the port is most likely being filtered by the firewall.
• Unlike Nmap, Firewalk can determine what kind
of packets are allowed through the firewall for
each specific port and which ports allow new
connections.
Vulnerability Scanning
• Use an automated tool that checks for common configuration errors, default configuration errors, and well-known system vulnerabilities.
• Generally made up of multiple parts:
vulnerability database, user configuration
tool, scanning engine, knowledge base of
current active scan, and results repository
and report generation tool.
Vulnerability Scanner: Nessus
• The most popular of the vulnerability
scanners. (Available: www.nessus.com)
• Also allows the user to write their own vulnerability checks and include them in the tool.
• Has a variety of plug-ins, such as checking
for vulnerabilities that allow a shell to be
gained remotely and checking to see if the
target system already has backdoor tools
installed.
Port, Socket & Service Vulnerability
Penetrations
Once a breach has been uncovered during
the discovery phase, different vulnerability
penetrations are used to take advantage
and possibly gain control of computers,
servers and internetworking equipment.
More on exploiting these vulnerabilities in Phase 3.
Operating System Fingerprinting
with Nmap
TCP ISN Sampling
• The idea here is to find patterns in the
initial sequence numbers chosen by TCP
implementations when responding to a
connection request.
• Categorized into groups such as traditional
64K, random increments and true random,
(Linux 2.0)
Don’t Fragment Bit
• Trend of operating systems to set the IP
“Don’t Fragment” bit on some of the
packets they send.
• By paying attention to this bit, one can
glean information on the target OS.
TCP Initial Window
• Simply involves checking the window size
on returned packets.
• Gives quite a lot of information since some
operating systems can be uniquely
identified by the window alone.
TCP Option
• Excellent means of gaining access to
leaked information.
• Can discover if a host is implementing
them by sending a query with an option
set: target shows support of the option by
setting it on the reply.
• Can stuff many options on one packet to
test everything at once.
SYN Flood Resistance
• If too many forged SYN packets are sent to some operating systems, they will stop accepting new connections.
• Many operating systems can only handle 8 packets.
• By sending 8 forged packets to an open port and then trying to establish a connection, you can learn about the operating system used.
• This is easier to detect on the target side than other methods, however.
Summary of tools (Name, Purpose, Platform, Where to get it, Comments)

Name: Whois database
Purpose: Gives the registrar’s name when given a company’s name or domain name
Where to get it: (For .com, .net, .org) www.internic.net/whois.html; (For other domains) www.allwhois.com/home.html
Comments: Web-based database

Name: IP Address Lookup
Purpose: Gives all IP addresses assigned to an organization or domain name
Where to get it: (North and South America, Caribbean, sub-Saharan Africa) www.arin.net/whois/arinwhois.html; (Europe) www.ripe.net; (Asia) www.apnic.net
Comments: Web-based database

Name: DNS Lookup
Purpose: Gives DNS information about a corresponding IP address
Platform: Windows, Linux
Where to get it: Built into Windows and Linux (nslookup)
Comments: More information: www.zoneedit.com/doc/nslookup.html

Name: Sam Spade
Purpose: Ping, Whois, IP block lookup, DNS lookup, dig, zone transfer, traceroute, finger, SMTP verify, web browser
Platform: Windows
Where to get it: www.samspade.org/ssw/
Comments: Note that all of the operations can be traced back to the system running the program

Name: Web-Based Tools
Purpose: Traceroute, lookup, ping, DNS lookup, DNS records, email validation
Where to get it: www.network-tools.com/; privacy.net/analyze
Comments: Web based, so it can’t be traced back to you

Name: THC-Scan 2.0
Purpose: War dialer
Platform: Windows
Where to get it: www.thc.org/releases.php
Comments: Lots of other useful tools on this site

Name: Cheops
Purpose: Pingsweep, traceroute, draws a visual representation of the network
Platform: Linux
Where to get it: www.marko.net/cheops
Comments: First need to download glib10-1.0.6-6.i386.rpm and gtk+10-1.0.6-6.i386.rpm (available at rpmfind.net/linux/RPM/redhat/6.2/i386)

Name: Traceroute
Purpose: Determine network topology
Platform: Windows, Linux
Where to get it: Built into Windows and Linux
Comments: Windows command: tracert [IP addr.]; Linux command: traceroute [IP addr.]

Name: Nmap
Purpose: Port scanner and network mapper
Platform: Windows, Linux
Where to get it: www.insecure.org/nmap/idlescan.html

Name: Firewalk
Purpose: Able to determine if ports are available through a firewall or router
Platform: Linux
Where to get it: www.packetfactory.net/projects/firewalk/firewalk-5.0.tgz
Comments: Only for packet-filtering firewalls. Need to download the 3 libraries, libnet and libpcap from the site, and libdnet (for Fedora 2 from rpmfind.net/linux/rpm2html/search.php?query=libdnet)

Name: Nessus
Purpose: Vulnerability scanner
Platform: Windows, Linux
Where to get it: www.nessus.com
Comments: Can test multiple hosts at the same time. Allows the user to write plug-ins

Name: Stack Based Buffer Overflow Attack
Purpose: Using stack overflow to get a target machine to execute code
Platform: Windows, Linux
Where to get it: packetstormsecurity.org/docs/hack/Smashstack.txt
Comments: Text document explaining the process

Name: Pwdump
Purpose: Extracts hashed
Platform: Windows
Where to get it: packetstormsecurity.org/Crackers/N
Pre-Phase 3
Understanding Filters, Firewalls
and the IDS
Packet Filter
• First line of defense.
• Checks each packet against a policy or
rule before routing it to the destined node
or network destination.
• Most reject SYN/ACK, ICMP, and incoming
UDP packets that initiate inward security.
Example
• Cisco Series Access Router
• If router is configured to pass a particular
protocol, external hosts can use that
protocol to establish a direct connection to
internal hosts.
• The router will produce an audit log with
features to generate alarms when hostile
behavior is detected.
Enhanced Version: Stateful Filter
• Provides same functionality as previous version, but also keeps track of state information, such as TCP sequence numbers.
• Uses the analysis of data within the lowest levels of the protocol stack to compare the current session to previous ones for the purpose of detecting suspicious activity.
• Uses specific rules determined by the user.
Downside
• Does not recognize specific applications,
therefore, is unable to apply dissimilar
rules to different applications.
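The difference between the packet filter and the stateful filter above comes down to one table: the stateful filter remembers which connections were opened from the inside and admits inbound packets only as replies to those, or as new sessions to services it explicitly publishes. The model below is an added example for this page, not the slides' own code: a small stateful filter run over a constructed packet sequence. As the comment states, it tracks five-tuples only and leaves out the TCP sequence-number checking the text mentions; the addresses, rule format and helper names are the example's own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                       # "tcp" or "udp"
    flags: frozenset = frozenset()   # TCP flags; empty for UDP

class StatefulFilter:
    """Toy stateful packet filter.

    Outbound traffic creates a state entry; inbound traffic is admitted only
    when it matches an existing entry (a reply) or an explicit inbound rule
    for a published service, and in the latter case only if it is a
    connection opener (no ACK), so an unsolicited SYN/ACK or UDP datagram
    is dropped. Sequence-number tracking is omitted (assumption for brevity).
    """

    def __init__(self, internal_net, inbound_rules=()):
        self.internal = ip_network(internal_net)
        self.inbound_rules = set(inbound_rules)   # {(dst_ip, dport, proto)}
        self.table = set()                         # {(src, sport, dst, dport, proto)}

    def handle(self, p):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        closing = bool(p.flags & {"RST", "FIN"})
        if ip_address(p.src) in self.internal:          # outbound: always allowed, tracked
            if closing:
                self.table.discard(key)
            else:
                self.table.add(key)
            return "allow"
        if reverse in self.table:                        # reply to a session we opened
            if closing:
                self.table.discard(reverse)
            return "allow"
        if (p.dst, p.dport, p.proto) in self.inbound_rules and "ACK" not in p.flags:
            self.table.add(reverse)                      # new session to a published service
            return "allow"
        return "drop"

def run_filter(fw, packets):
    """Apply the filter to packets in order and return the list of verdicts."""
    return [fw.handle(p) for p in packets]

def tcp(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, "tcp", frozenset(flags))

def udp(src, sport, dst, dport):
    return Packet(src, sport, dst, dport, "udp")

# Constructed traffic sample: internal net 10.0.0.0/24, published web server 10.0.0.80.
SAMPLE_TRAFFIC = [
    tcp("10.0.0.5", 40000, "93.184.216.34", 443, "SYN"),         # internal client opens HTTPS
    tcp("93.184.216.34", 443, "10.0.0.5", 40000, "SYN", "ACK"),  # matching reply
    tcp("203.0.113.9", 443, "10.0.0.5", 40001, "SYN", "ACK"),    # unsolicited SYN/ACK
    tcp("203.0.113.9", 5555, "10.0.0.80", 80, "SYN"),            # new session to public web server
    tcp("203.0.113.9", 5555, "10.0.0.80", 80, "ACK"),            # continues that session
    tcp("203.0.113.9", 5555, "10.0.0.80", 22, "SYN"),            # SSH is not published
    udp("203.0.113.53", 53, "10.0.0.5", 3000),                   # unsolicited inbound UDP
    udp("10.0.0.5", 3000, "203.0.113.53", 53),                   # internal DNS query out
    udp("203.0.113.53", 53, "10.0.0.5", 3000),                   # its answer
]
EXPECTED = ["allow", "allow", "drop", "allow", "allow", "drop", "drop", "allow", "allow"]

if __name__ == "__main__":
    fw = StatefulFilter("10.0.0.0/24", inbound_rules=[("10.0.0.80", 80, "tcp")])
    for p, v in zip(SAMPLE_TRAFFIC, run_filter(fw, SAMPLE_TRAFFIC)):
        print(f"{v:5}  {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto} {sorted(p.flags)}")
```

A stateless filter has no `table`, so it must either accept every inbound SYN/ACK (to let replies through) or reject them all (breaking outbound connections); the state table is what lets the filter do neither. The "Downside" above still applies: nothing here looks inside the payload, so an attack carried over an allowed port 80 session passes unexamined.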
Proxy Firewall
• Simple server with dual NICs that has routing or packet forwarding deactivated, utilizing a proxy server daemon instead.
• Gateway is a term used as a synonym for
proxy server.
• Gathers all internet requests, forwards
them to internet servers, receives
responses and forwards them to the
original requestor within the company.
Enhanced Version: Application Proxy Gateway
• Contains integrated modules that check
every request and response.
• Example:
– An FTP stream may only be allowed to
download data.
Application Gateways look at data on the
application layer of the protocol stack and
serve as proxies for outside users.
Thus, outside users never really have a direct
connection to anything beyond the proxy
gateway.
Implementing a Backdoor Method
4 Actions Take Place
• Seizing a virtual connection; this involves
hijacking a remote telnet session, a VPN
tunnel or a secure-ID session.
• Planting an insider; User, engineer or
socially engineered (swindled) person.
– Can also spoof an employee with an e-mail with a remote access Trojan attached.
• Manipulating an internal vulnerability;
attacks on demilitarized zones, such as
E-mail, domain name resolution, telnet or
FTP.
• Manipulating an external vulnerability;
involves penetrating through external mail
server, HTTP server daemon and/or telnet
service on an external boundary gateway.
Intrusion Detection System
Scanning Intrusion Detection Systems
• Detects statistical anomalies. Measures a "baseline" of such stats as CPU utilization, disk activity, user logins, file activity, and so forth. Then, the system can trigger when there is a deviation from this baseline.
• Can detect the anomalies without having to understand the underlying cause behind them.
Signature Recognition
• The majority of commercial products are based upon examining the traffic looking for well-known patterns of attack.
• Classic example is to examine every packet on the wire for the pattern "/cgi-bin/phf?", which might indicate somebody attempting to access this vulnerable CGI script on a web server.
How does a NIDS match signatures
with incoming traffic?
• 1. Protocol stack verification: A number of intrusions, such as "Ping-O-Death" and "TCP Stealth Scanning", use violations of the underlying IP, TCP, UDP, and ICMP protocols in order to attack the machine. A simple verification system can flag invalid packets. This can include valid, but suspicious, behavior such as severely fragmented IP packets.
• 2. Application protocol verification: A number of intrusions use invalid protocol behavior, such as "WinNuke", which uses invalid NetBIOS protocol, or DNS cache poisoning, which has a valid, but unusual, signature. In order to effectively detect these intrusions, a NIDS must reimplement a wide variety of application-layer protocols in order to detect suspicious or invalid behavior.
• 3. Creating new loggable events: A NIDS can be used to extend the auditing capabilities of your network management software. For example, a NIDS can simply log all the application layer protocols used on a machine. Downstream event log systems (WinNT Event, UNIX syslog, SNMP TRAPS, etc.) can then correlate these extended events with other events on the network.
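The two detection styles described above, a statistical baseline that fires on deviation and signature recognition that fires on a known pattern such as "/cgi-bin/phf?", fit in a few dozen lines. The code below is an added example for this page, not the slides' own code or any IDS product's: it matches a small signature table against constructed HTTP request lines and learns a mean/standard-deviation baseline from constructed CPU samples. The signature names, the second (traversal) pattern, the sample data and the 3-sigma threshold are the example's own assumptions.

```python
import re
import statistics

# Constructed signature table. "/cgi-bin/phf?" is the pattern named in the
# text; the second entry is an illustrative pattern added for this example.
SIGNATURES = {
    "phf-cgi-probe": re.compile(r"/cgi-bin/phf\?"),
    "directory-traversal": re.compile(r"(?:\.\./){2,}"),
}

def match_signatures(request_lines):
    """Return (line_number, signature_name) for every request line that matches."""
    hits = []
    for n, line in enumerate(request_lines, start=1):
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((n, name))
    return hits

class Baseline:
    """Statistical anomaly detector: learn the mean and standard deviation of a
    metric during a quiet period, then flag samples further than k standard
    deviations from the mean, without needing to know why they moved."""

    def __init__(self, samples, k=3.0):
        if len(samples) < 2:
            raise ValueError("need at least two samples to estimate spread")
        self.mean = statistics.mean(samples)
        self.stdev = statistics.stdev(samples)
        self.k = k

    def is_anomalous(self, value):
        return abs(value - self.mean) > self.k * self.stdev

    def anomalies(self, values):
        """Indices of the samples that fall outside the learned band."""
        return [i for i, v in enumerate(values) if self.is_anomalous(v)]

# Constructed sample request lines (not from a real server log).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/phf?Qname=test HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
    "GET /../../../private/config HTTP/1.0",
]
# Constructed CPU-utilisation samples (percent) from a quiet period, then new readings.
CPU_BASELINE = [20, 22, 19, 21, 20, 23, 18, 21]
CPU_NEW = [21, 24, 26, 19, 14]

if __name__ == "__main__":
    print("signature hits:", match_signatures(SAMPLE_REQUESTS))
    b = Baseline(CPU_BASELINE)
    print(f"baseline mean={b.mean:.2f} stdev={b.stdev:.2f}")
    print("anomalous sample indices:", b.anomalies(CPU_NEW))
```

The two detectors fail in opposite ways, which is why products combine them: the signature matcher cannot see an attack it has no pattern for, and the baseline cannot say what caused a deviation, only that one occurred.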
Other countermeasures besides
IDS
• Firewalls: These are to protect from
external attacks; most intrusions are
committed by employees inside the
firewall, and it should therefore be
considered a last line of defense.
Authentication
• Scanners should be run that automate the
finding of open accounts.
• One should enforce automatically strict
policies for passwords (7 character
minimum, including numbers, dual-case,
and punctuation) using crack or built in
policy checkers (WinNT native, add-on for
UNIX).
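The password policy stated above (7-character minimum, digits, dual case, punctuation, checked with crack or a built-in policy checker) can be enforced at the point a password is set. The checker below is an added example for this page, not the slides' own code or crack's: it reports every rule a candidate breaks and, as a crude stand-in for a cracker's dictionary pass, rejects candidates whose core is a word in a small constructed wordlist after case folding and stripping leading or trailing digits and punctuation. The wordlist, function names and the stripping rule are the example's own assumptions.

```python
import string

MIN_LENGTH = 7   # the minimum stated in the text

# Constructed mini wordlist standing in for a cracker's dictionary.
WORDLIST = {"password", "welcome", "letmein", "qwerty", "summer"}

def base_word(password):
    """Lowercase and strip leading/trailing digits and punctuation: a crude
    imitation of the mangling rules a cracking tool applies to its wordlist."""
    return password.lower().strip(string.digits + string.punctuation)

def policy_violations(password):
    """Return the list of rules the candidate breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("not dual-case")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    if base_word(password) in WORDLIST:
        problems.append("dictionary word")
    return problems

def audit(accounts):
    """accounts: {user: candidate password}. Returns {user: violations} for failures only."""
    return {user: v for user, pw in accounts.items() if (v := policy_violations(pw))}

if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    sample = {"alice": "Tr0ub4dor&3", "bob": "password1", "carol": "Welcome1!", "dave": "aB1!"}
    for user, problems in audit(sample).items():
        print(user, "->", ", ".join(problems))
```

Running the audit at password-change time means the weak choices never reach the password file, which removes the window in which an offline cracker could recover them.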
Virtual Private Networks
• Create secure connections over the Internet for remote access.
• VPNs actually decrease corporate security. While the pipe itself is secure (authenticated, encrypted), either end of the pipe is wide open.
• A home machine compromised with a backdoor rootkit allows a hacker to subvert the VPN connection, allowing full, undetectable access to the other side of the firewall.
IDS Setup Locations
• Network Hosts: Although network
intrusion detection systems have
traditionally been used as probes, they
can also be placed on hosts.
• Network perimeter: IDS is most effective
on the network perimeter, such as on both
sides of the firewall, near the dial-up
server, and on links to partner networks.
These links tend to be low-bandwidth (T1
speeds) such that an IDS can keep up
with the traffic.
• Servers are often placed on their own network,
connected to switches. The problem these
servers have, though, is that IDS systems
cannot keep up with high-volume traffic.
• Server Farms: For extremely important servers,
you may be able to install dedicated IDS
systems that monitor just the individual server's
link. Also, application servers tend to have lower
traffic than file servers, so they are better
targets for IDS systems.
Phase 3
Penetration
Stack Based Overflow Attack
• Overwrite the return pointer stored in the stack by overflowing the stack. When the return pointer is copied into the IP, the IP tries to fetch the data of the new address that was pushed into the return pointer by overflowing the stack.
• Example: Overflow the stack with a series of ‘A’s. When the value of the return pointer is copied into the IP, the IP will fetch the instruction from the all-‘A’ address (address 41414141h).
• Important to overflow buffer with
meaningful information
– i.e. – machine language code containing
commands we want executed
• Difficult to overwrite return pointer to hit
exactly at beginning of code
– Place a bunch of NOP or NOP equivalents
(called a NOP sled) at beginning of code.
– When overwriting return pointer, have to aim
to overwrite to a range of values rather than a
specific value.
• Once the stack is smashed, there are many things an attacker can do. Most likely, the attacker will try to create a back door to the target system.
• Creating a backdoor with Inetd: Add a line to the /etc/inetd.conf file, which will spawn a command shell each time anyone tries to connect to a port defined by the attacker. Run this line in the stack to get a command shell to open on a given port:
/bin/sh -c “echo [port #] stream tcp nopwait root /bin/sh sh -I” >> /etc/inetd.conf; killall -HUP inetd
• Creating a backdoor with TFTP and
Netcat: Get the target to execute the
TFTP client. Load the Netcat program onto
the target system. Configure Netcat to
push a command shell from the target
machine to the attacker’s machine.
• A good document on Stack Based Buffer
Overflow Attacks: “Smashing the Stack for
Fun and Profit” by Aleph One, available at:
packetstormsecurity.org/docs/hack/
smashstack.txt
Password Attacks
• Two kinds: Password Guessing and Password Cracking
• Password Guessing: Attempt to guess the password for a particular user ID. This process is rarely successful, time consuming, and generates a lot of network traffic. Also, some accounts are locked out after a set number of unsuccessful guesses. Many password-guessing tools can be found at Packet Storm’s site: packetstormsecurity.org
• Password Cracking: Steal the file with the encrypted passwords and use a password cracking program to recover the original passwords.
• Stealing the file: Windows – use a Pwdump program (packetstormsecurity.nl/Crackers/NT/), or sniff them from the network (more on sniffing later). UNIX – gain root-level access and steal the /etc/shadow or /etc/secure file if shadow passwords are used, otherwise steal the /etc/passwd file.
• Password Cracking Software:
• Windows: L0phtCrack (available:
www.atstake.com/products/lc/ ) This tool
includes other options, such as a sniffer
and a pwdump program
• UNIX: John the Ripper (available:
www.openwall.com/john/ )
Web Application Attacks
• Can still be conducted, even if the target site uses SSL.
• Types: Account Harvesting, Undermining Session Tracking Mechanisms, SQL Piggybacking
• Account Harvesting: Works for applications that have different error messages for an incorrect user ID and an incorrect password. By looking at the error messages, the attacker can determine valid user ID’s, sometimes even passwords.
• Here, although the web pages look identical for each type of error, notice that the URL has changed, giving any hackers a hint about incorrect user ID’s vs. incorrect passwords.
Undermining Web Application
Session Tracking
• Three ways Session ID’s are implemented: URL session tracking, hidden form elements, and cookies.
• The attacker will first log in to the site multiple times to see how the session ID’s are generated.
• To change a session ID in a URL, simply type a different user’s session ID (or a generated one) over the original user’s ID in the URL.
• To change the session ID in a site with
hidden form elements, view the source of
the page, modify the ID number and
reload it into the browser.
• To edit the session ID in a site that uses cookies, use a program called Achilles (available: www.mavensecurity.com/achilles). Achilles is a web proxy that intercepts the per-session cookies and allows the attacker to modify them.
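The defensive side of the two weaknesses just described, as an added example that is not part of the original slides: a login check that leaks which half of the credential was wrong (the account-harvesting case) beside one that answers every failure the same way, and a predictable session ID beside a server-side session table whose IDs are random and unforgeable. The user table, the salt and the passwords are constructed sample data; a real deployment would store a per-user salt and use a slow password hash.

```python
"""Defensive counterparts to account harvesting and session-ID tampering.
Added example, not from the slides; the user table, salt and passwords
below are constructed sample data."""
import hashlib
import hmac
import secrets

_SALT = b"constructed-demo-salt"          # real systems keep a per-user salt


def _hash(password):
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


# Constructed user table: user ID -> password hash.
USERS = {"alice": _hash("correct horse")}
_DUMMY_HASH = _hash("placeholder")        # compared against for unknown users


def login_leaky(user, password):
    """Weak: distinct messages tell the attacker which user IDs exist."""
    if user not in USERS:
        return False, "unknown user ID"
    if USERS[user] != _hash(password):
        return False, "incorrect password"
    return True, "ok"


def login_uniform(user, password):
    """Hardened: one message for every failure, and the hash comparison is
    performed even for unknown users so the timing does not differ either."""
    stored = USERS.get(user, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password)) and user in USERS
    return ok, ("ok" if ok else "invalid user ID or password")


def predictable_session_id(user, counter):
    """Weak: the kind of ID the slides warn about, one another user can derive."""
    return "%s-%d" % (user, counter)


class SessionStore:
    """Server-side session table. IDs are random (256 bits), carry no user
    information, and any ID the server did not issue maps to nobody."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def destroy(self, sid):
        self._sessions.pop(sid, None)
```

The same uniform message must also apply to the URL and the page contents, since the slide above shows that a redirect URL can leak what the error page hides; and an ID typed over in the URL or edited in a hidden field simply fails `lookup`, because nothing about the user is encoded in it.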
SQL Piggybacking
• Extending an application’s SQL statement
to extract or update information that the
attacker is not authorized to access.
• Rainforest Puppy has a paper about SQL
Piggybacking: “How I Hacked
Packetstorm” (available:
www.opennet.ru/base/cgi/22.txt.html )
• Begin by exploring how the Web
application interacts with the database.
• The attacker may extend the SQL query
– Example: instead of
SELECT * FROM account WHERE (userid='10001' and number='11111111111')
the attacker uses
SELECT * FROM account WHERE (userid='10001' and number='11111111111' or userid='10002')
to get information on 10002.
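The account query from the example above, run both ways against an in-memory SQLite table, as an added example that is not part of the original slides. The table, its two rows and the account numbers are constructed sample data. The vulnerable lookup builds the statement by string formatting, so the closing quote in the input ends the literal and the rest of the input extends the WHERE clause exactly as on the slide; the safe lookup binds the same input as a parameter and returns nothing.

```python
"""The slides' account query with and without SQL piggybacking protection.
Added example, not from the slides; the in-memory table and its two rows
are constructed sample data."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (userid TEXT, number TEXT, balance INTEGER)")
    db.executemany("INSERT INTO account VALUES (?, ?, ?)", [
        ("10001", "11111111111", 500),
        ("10002", "22222222222", 9000),
    ])
    return db


def lookup_vulnerable(db, userid, number):
    """Builds the statement by string formatting: the quote inside the input
    closes the literal and whatever follows becomes part of the WHERE clause."""
    sql = ("SELECT userid, balance FROM account "
           "WHERE (userid='%s' and number='%s')" % (userid, number))
    return db.execute(sql).fetchall()


def lookup_safe(db, userid, number):
    """Same query with bound parameters: the driver passes the input as data,
    so a quote or an 'or' inside it can never extend the statement."""
    sql = "SELECT userid, balance FROM account WHERE (userid=? and number=?)"
    return db.execute(sql, (userid, number)).fetchall()


# Account-number input that turns the query into the slides' extended form:
# ... and number='11111111111' or userid='10002')
PIGGYBACK = "11111111111' or userid='10002"
```

Parameter binding is the fix for every database API; escaping quotes by hand is the fragile alternative, and restricting the database account the application uses limits what an extended statement can reach.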
Sniffing
• Sniffer: Gathers packets from the local
network and allows the user to view the
data being transmitted.
• Two ways of sniffing: Passive (network
built with a hub) and Active (network built
with a switch)
Passive Sniffing
• Passively listens and collects packets.
• Snort (available: www.snort.org) – A good passive sniffer that can be used as an IDS. Can sift through the network and look for attack signatures.
• Sniffit (available: reptile.rug.ac.be/~coder/sniffit/sniffit.html) – has an interactive mode that shows all active sessions and allows the attacker to see all keystrokes of the victim.
• Dsniff – one of the more versatile sniffing
tools. It is several programs in one, but is
most known as a sniffer. It can interpret a
number of different protocols, like FTP,
HTTP, AIM, ICQ, Napster, Microsoft SQL,
etc. Available:
www.monkey.org/~dugsong/dsniff
Active Sniffing
• Need to fool the switch into sending the packets to the system with the sniffer.
• Different methods: MAC Flooding and Spoofing ARP Messages
• MAC Flooding: Send a flood of traffic with random MAC addresses until the switch’s memory is full. Some switches will then forward packets to all links on the switch (done with the Dsniff program Macof).
Spoofing ARP Messages:
• Arpspoof, a Dsniff feature, allows attackers to
change the ARP traffic on local networks.
– Attacker configures his or her system to forward any
traffic it receives to the router.
– Arpspoof program is activated, which sends fake ARP
replies
– Fake ARP replies change the target’s ARP table.
– Any traffic from the target machine is sent to the
attacker’s machine before being transferred to the
local network.
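A defender’s counterpart to the ARP-spoofing sequence above, as an added example that is not part of the original slides: a small watcher that consumes ARP replies and alerts when an IP address changes its MAC, disagrees with a static table kept by the administrator, or when one MAC answers for several IPs (the attacker keeps its own address while impersonating the router, which is why step one above has the attacker forwarding traffic on). The reply lines and the static table are constructed sample data.

```python
"""Watch ARP replies for the poisoning pattern arpspoof produces.
Added example, not from the slides; the replies below are constructed
sample data in 'IP is-at MAC' form and KNOWN_HOSTS is an assumed static
table maintained by the administrator."""
from collections import defaultdict

# Constructed sample: a gateway, a workstation, the attacker's own host, and
# then a forged reply that rebinds the gateway's IP to the attacker's MAC.
SAMPLE_REPLIES = [
    "10.0.0.1 is-at 00:11:22:33:44:01",
    "10.0.0.5 is-at 00:11:22:33:44:05",
    "10.0.0.9 is-at 00:AA:BB:CC:DD:EE",
    "10.0.0.1 is-at 00:aa:bb:cc:dd:ee",
]

KNOWN_HOSTS = {"10.0.0.1": "00:11:22:33:44:01"}   # what the gateway must be


def parse_arp_reply(line):
    """Parse one sample line into (ip, mac); the MAC is normalised to lower case."""
    parts = line.split()
    if len(parts) != 3 or parts[1] != "is-at":
        raise ValueError("not an ARP reply: %r" % line)
    return parts[0], parts[2].lower()


class ArpWatch:
    def __init__(self, known=None):
        self.known = dict(known or {})   # ip -> expected mac
        self.seen = {}                   # ip -> last mac observed
        self.alerts = []

    def observe(self, ip, mac):
        """Record one reply and return the alerts it produced (possibly none)."""
        new = []
        expected = self.known.get(ip)
        if expected is not None and mac != expected:
            new.append(("STATIC_MISMATCH", ip, expected, mac))
        previous = self.seen.get(ip)
        if previous is not None and previous != mac:
            new.append(("MAC_CHANGED", ip, previous, mac))
        self.seen[ip] = mac
        self.alerts.extend(new)
        return new

    def duplicate_macs(self):
        """MACs that currently answer for more than one IP (typical of a
        poisoner that keeps its own IP while impersonating the gateway)."""
        by_mac = defaultdict(list)
        for ip, mac in self.seen.items():
            by_mac[mac].append(ip)
        return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}


def run(lines, known=KNOWN_HOSTS):
    watch = ArpWatch(known)
    for line in lines:
        watch.observe(*parse_arp_reply(line))
    return watch
```

This is the logic behind tools such as arpwatch; in production the replies come from a capture on the segment, and the static table should at least cover the default gateway, since that is the address arpspoof has to claim.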
Spoofing ARP Messages
Other Methods of Redirecting
Traffic
• Spoofing DNS:
– DNSspoof, a Dsniff feature, allows attackers to send
the target machine false DNS information, making the
victim access the attacker’s machine when they
intend to access a different system.
• The attacker starts the dnsspoof program and waits for the
target to send a DNS query for a specific host.
• Once the query is received, the attacker then sends a false
DNS response.
• When the target tries to access the intended host, the
system is now accessing the attacker’s machine.
Spoofing DNS
• Sniffing HTTPS:
– Attacker runs the webmitm feature of Dsniff together with DNS spoofing
– All HTTP and HTTPS traffic is proxied by webmitm
– Target connects to attacker’s machine and SSL
connection is established.
– Attacker’s system establishes a SSL connection with
the server the target is attempting to access.
– Webmitm acts as proxy with two connections
• From the target’s system to the attacker’s machine
• From the attacker’s machine to the actual server the target
was trying to reach
– Note: the target receives attacker’s certificate, not the
certificate of the server the target is trying to reach.
Sniffing HTTPS
• The user will receive a warning that the
certificate is not signed by a trusted
Certificate Authority. Webmitm will then
display the contents of the SSL session on
the attacker’s screen.
• Sniffing SSH: This is done in a similar
manner as sniffing HTTPS, except the
sshmitm (another Dsniff feature) is used
instead of the webmitm feature. Note:
Sshmitm only allows for sniffing of SSH
protocol version 1.
Is your machine running a sniffer?
• Detecting the process that does the sniffing is difficult, because the name of that process can be disguised as something innocent.
• The reliable way to detect the sniffer is to check whether the network interface is in promiscuous mode. If the network interface is in promiscuous mode, it listens for all packets on the network and not only for packets destined to that machine.
• One way to check is to run: ifconfig -a. This will list the available network interfaces and show all the information about them. The word PROMISC means that the interface is in promiscuous mode.
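The ifconfig check above, automated, as an added example that is not part of the original slides. The ifconfig text is constructed and deliberately mixes the classic flag-word layout with the newer flags=N<...> layout so one parser handles both; the second function decodes the raw flags word Linux exposes in /sys/class/net/<iface>/flags, where IFF_PROMISC is bit 0x100, which is useful when ifconfig itself cannot be trusted.

```python
"""Report interfaces whose flags include PROMISC, from ifconfig -a output
or from the sysfs flags word. Added example, not from the slides; the
ifconfig output below is constructed sample data."""
import re

SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
eth1: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
"""

IFF_PROMISC = 0x100                                   # Linux if.h flag bit
_IFACE_LINE = re.compile(r"^([A-Za-z0-9_.@-]+):?\s")  # line starting an interface block
_PROMISC = re.compile(r"\bPROMISC\b")


def promiscuous_interfaces(text):
    """Return the sorted names of interfaces whose flag list contains PROMISC."""
    found = set()
    current = None
    for line in text.splitlines():
        if line and not line[0].isspace():        # a new interface block starts
            m = _IFACE_LINE.match(line)
            current = m.group(1) if m else None
        if current and _PROMISC.search(line):
            found.add(current)
    return sorted(found)


def flags_word_is_promisc(flags_text):
    """Decode the hex flags word read from /sys/class/net/<iface>/flags."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)
```

As the rootkit section later notes, a trojaned ifconfig simply omits the PROMISC flag, so the sysfs word (or a known-good ifconfig run from read-only media) is the more trustworthy input; a sniffer bound to a raw socket also shows up as a process holding a packet socket, which is a second, independent check.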
How to avoid packet sniffers
altogether
• Active hubs only send packets to the
intended machines. This can disable the
sniffer since it will not receive packets not
intended for that specific machine. Cisco,
HP and 3Com have such active hubs.
Detecting other sniffers on the
network
• Detecting other sniffers on other machines is very difficult, but detecting whether a Linux machine is doing the sniffing is possible.
• This can be done by exploiting a weakness in the TCP/IP stack implementation of Linux.
• When Linux is in promiscuous mode, it will answer to TCP/IP packets sent to its IP address even if the MAC address on that packet is wrong.
• Therefore, sending TCP/IP packets to all the IP addresses on the subnet, where the MAC address contains wrong information, will tell you which machines are Linux machines in promiscuous mode.
IP Address Spoofing
• Used to disguise the IP address of a system.
• Three ways an IP address can be spoofed: changing the IP address, undermining UNIX r-commands, and spoofing with source routing.
• Changing the IP address: The attacker can either reconfigure the whole system to have a different IP address or use a tool (Nmap or Dsniff) to change the source address of outgoing packets. Limitation: the attacker cannot receive any responses.
• Undermining UNIX r-Commands:
– Attacker finds two computers with a trust
relationship
• Send a bunch of TCP SYN packets to target and
see how the initial sequence numbers change
• A DoS attack is sent to other system
• Attacker initializes a connection with target
system, using the IP address of the other system
• Target system sends TCP SYN and ACK packets to
other system, which is dead
• Attacker estimates initial sequence number of
other system and sends TCP ACK packet back
– If initial sequence numbers match, attacker has
successfully gained one-way access to the target.
Undermining UNIX r-Commands
• Spoofing with Source Routing: The
attacker creates packets that have system
A’s source address, with the attacker’s
address in the source route. The attacker
sends the packet to system B. Any replies
are sent to the attacker’s machine. Note
that the attacker does not forward them to
system A because the connection would
be reset.
Session Hijacking
• A combination of sniffing and spoofing that
allows an attacker to steal the session from the
user, given that after the initial authentication
the session is not encrypted. The attacker’s
system lies somewhere on the route between
the two communicating machines (A and B). The
attacker observes the traffic, monitoring the TCP
sequence numbers. The attacker can then send
spoofed packets with system A’s IP address as
the source so that system B will obey the
commands.
• Problem: When the attacker sends system B packets with system A’s IP address, system A will notice that the TCP sequence numbers are out of order and send ACK packets to resynchronize the numbers. This continual retransmission of ACK packets is known as an ACK storm.
• Most hijacking tools cannot cope with the ACK storm and the connection will be dropped.
• Tool: Hunt (available: www.packetstormsecurity.org/sniffers/hunt )
• Hunt uses ARP spoofing to prevent the connection from being dropped.
• Unlike other tools, Hunt can also resynchronize the connection. It does this by sending a message to system A saying: msg from root: power failure – try to type 88 characters (where 88 is the number of characters that the attacker typed during the hijacking), which will increment the sequence number of system A’s TCP stack to where it should be.
• Two new ARP spoof messages are then sent, restoring the correct MAC addresses.
Netcat – The Networking Swiss
Army Knife
• Used for multiple purposes, Netcat basically moves data over any TCP or UDP port. It can either act as a client or a listener. Available: www.atstake.com/research/tools/network_utilities
• For File Transfers: Set up a Netcat client on the source system and a Netcat listener on the destination system. The source system initiates a connection and pushes the file to the destination system.
• For Port Scanning: Netcat will connect
with every port and display a list of open
ports.
• For Making Connections to Open Ports:
Use Netcat in client mode to connect to
open ports and see what the listening
service sends back. Better to use than
Telnet because it is easier to force Netcat
to drop a connection, Netcat can make
UDP connections, and Netcat only returns
the pure data from the open ports, not
any other data like environment variables.
Denial-of-Service (DoS) Attacks
• Used to prevent access by legitimate
users.
• Two options: Stop services and exhaust
resources. This can be done either
remotely or locally.
Stopping Local Services
• Must have an account on the local system.
• Three methods: Process Killing, System
Reconfiguration, and Process Crashing
• Process Killing: When an attacker has root
privileges, he or she can simply kill the
local processes.
• System Reconfiguration: An attacker with
root privileges can reconfigure the system
so that it does not offer certain services or
filters on the machine.
• Process Crashing: Crashing processes by
exploiting vulnerabilities in the system (i.e.
– use stack based buffer overflow with a
local process, causing the process to
crash).
Locally Exhausting Resources
• Running a program from an account on
the target system that grabs the system
resources.
• Three methods: Filling up the process
table, filling up the file system, and
sending outbound traffic that fills up the
communication link.
• Filling up the process table: Running a recursive program that forks processes in an attempt to fill up the process table so no other users can run processes.
• Filling up the file system: Continuously writing data to the file system, preventing other users from writing files.
• Sending outbound traffic that fills up the communication link: Running a program that sends large amounts of bogus network traffic, consuming the processor and bandwidth.
Remotely Stopping Services
• Send a malformed packet. Different
platforms may be susceptible to different
types of malformed packets.
• These packets have structures that the
TCP/IP stacks cannot anticipate, causing
the system to crash.
• Malformed packet suites available at:
www.packetstormsecurity.org/DoS
Remotely Exhausting Resources
• Accomplished by a packet flood
• Three common ways: SYN flood, Smurf
attacks, and Distributed Denial of Service
Attacks (DDoS)
• SYN Flood: Overwhelm the target machine
with SYN packets. This fills the connection
queue so that no new connections can be
made on the target machine.
• Smurf Attacks: Repeatedly sends a ping to a
broadcast IP address of a network that can
receive and respond to directed broadcast
messages (called a smurf amplifier), with the
target machine as the source of the ping. The
target’s bandwidth is filled with these packets.
Tools: Smurf (ICMP), Fraggle (UDP), and
Papasmurf (ICMP and UDP) (available:
www.packetstormsecurity.org/new-exploits/ ).
List of Smurf Amplifiers: www.netscan.org
• DDoS Attacks: Attacker takes over victim
machines (called Zombies) and installs software
that waits for commands from the attacker. The
attacker can then tell the zombies to start a DoS
attack on the target. Tool: TFN2K (available:
www.packetstormsecurity.nl/groups/mixter/
index2.html ) This tool allows the attacker to
choose which type of packet to use in the DDoS
attack. It also allows IP spoofing,
communication via Echo Reply packets, and
running a single command simultaneously on all
zombies.
Phase 4:
Maintaining Access
Backdoor Kits
• Active: Used by an intruder at any time
that they wish.
• Passive: Set to trigger themselves
according to a predetermined time or
system event.
Backdoor Kit Selection
• This is dependent upon the type of network security in place.
• Two basic architectural categories:
– Packet filter
– Proxy firewall
Trojan Horses
• A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves.
• Used to plant a hole or backdoor in a system’s security.
• Trojans spread due to the technological necessity to use ports; lower ports are used by Trojans that steal passwords while higher ports are used by remote-access Trojans that can be reached over the Internet, network, VPN or dial-up access.
Trojan Horse Backdoor Tools
Back Orifice
Back Orifice
Remote Administration
System which allows an
intruder to control a
computer across a TCP/IP
connection using a simple
console or GUI application.
Gives its user more control
of the target computer than
the person at the actual
keyboard has.
Back Orifice Server Functionality
• Get detailed system information, including:
– current user
– cpu type
– windows version
– memory usage
– mounted disks and information for those drives
– screensaver password
– passwords cached by the user
Controls and Abilities
• File system control: Copy, rename, delete, view, and search files and directories. File compression and decompression.
• Process control: List, kill, and spawn processes.
• Registry control: List, create, delete and set keys and values in the registry.
• Multimedia control
Play wav files, capture screen shots, and
capture video or still frames from any
video input device (like a Quickcam).
• Network control
View all accessible network resources, all
incoming and outgoing connections, list,
create and delete network connections,
list all exported resources and their
passwords, create and delete exports.
• Packet redirection: Redirect any incoming TCP or UDP port to any other address & port.
• Application redirection: Spawn most console applications (such as command.com) on any TCP port, allowing control of applications via a telnet session.
• HTTP server: Upload and download files on any port using a www client such as Netscape.
• Integrated packet sniffer
Monitor network packets, logging any plaintext
passwords that pass.
• Plugin interface
Write your own plugins and execute the native
code of your choice in BO's hidden system
process.
NetCat
• A simple Unix utility which reads and
writes data across network connections,
using TCP or UDP protocol.
• Designed to be a reliable back-end tool
that can be used directly or easily driven
by other programs and scripts.
• Part of the Red Hat Power Tools collection
and comes standard on SuSE Linux,
Debian Linux, NetBSD and OpenBSD
distributions.
It provides access to the following
main features:
• Outbound or inbound connections, TCP or UDP, to or from any ports
• Full DNS forward/reverse checking, with appropriate warnings
• Ability to use any local source port
• Ability to use any locally-configured network source address
• Built-in port-scanning capabilities, with randomizer
• Built-in loose source-routing capability
• Can read command line arguments from standard input
• Slow-send mode, one line every N seconds
• Hex dump of transmitted and received data
• Optional ability to let another program service established connections
• Optional telnet-options responder
Port-Scanning
• Netcat accepts its commands with options first, then the target host, and everything thereafter is interpreted as port names or numbers, or ranges of ports in M-N syntax.
• For each range of ports specified, scanning is normally done downward within that range.
• If the -r switch is used, scanning hops randomly around within that range and reports open ports as it finds them.
Traditional Root Kits
Root Kits
• Used by an intruder to prevent his/her detection on the system he/she has compromised.
• Generally contains network sniffers, log-cleaning scripts, and trojaned replacements of core system utilities such as ps, netstat, ifconfig, and killall.
• Installs a backdoor remote-access daemon, such as a modified version of telnetd or sshd. These will often run on a different port than the one that these daemons listen on by default.
• Most rootkits also come with modified system binaries that replace the existing ones on the target system.
/bin/login Replacement
• When logging onto a UNIX machine, the
/bin/login program runs.
• Used to gather and check user ID and
password
• The Rootkit replaces the /bin/login with a
modified version that includes a backdoor
password.
Detecting Backdoors: Example
• System Administrator runs the /bin/login
routine through strings.
• Strings: a UNIX program that shows all
sequences of consecutive characters in a file.
• If an unfamiliar sequence is found, it may
be a backdoor.
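The check the slide describes, written out as an added example that is not part of the original slides: a minimal strings extractor (same four-character minimum as the strings utility) and a comparison against a known-good copy of the binary, so that only unfamiliar sequences are reported instead of the whole list. The two byte blobs stand in for a clean and a trojaned /bin/login; they are constructed, not real binaries, and the extra string in the trojaned copy is a placeholder.

```python
"""Extract printable strings from a binary and report those absent from a
trusted baseline. Added example, not from the slides; the two byte blobs are
constructed stand-ins for a clean and a trojaned /bin/login."""
import re


def strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, in file order
    (the default minimum of 4 matches the strings(1) utility)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def unfamiliar_strings(candidate, baseline):
    """Strings present in the candidate but absent from the trusted baseline."""
    return sorted(set(strings(candidate)) - set(strings(baseline)))


# Constructed stand-ins: an ELF-like header, the prompts a login program
# carries, a byte table, and (in the trojaned copy) one extra string that
# plays the role of the embedded backdoor password.
CLEAN_LOGIN = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"login: \x00Password: \x00/etc/passwd\x00Login incorrect\x00"
    + bytes(range(256))
)
TROJANED_LOGIN = CLEAN_LOGIN.replace(
    b"Login incorrect\x00", b"Login incorrect\x00constructed_bd_pw\x00"
)


def check_login_binary(candidate=TROJANED_LOGIN, baseline=CLEAN_LOGIN):
    """Return the strings the candidate carries that the baseline does not."""
    return unfamiliar_strings(candidate, baseline)
```

The baseline has to come from somewhere the intruder could not reach, such as the distribution package or a hash recorded at install time; on a compromised host the strings binary itself may have been replaced, which is why the rootkit section that follows recommends checking from outside the running system where possible.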
Sniffers
• Are used to gather passwords for other
systems and listen to traffic for sensitive
information.
• Rootkits set the promiscuous mode on the target machine's network interface card, enabling the sniffer to listen to a variable-sized network.
Hidden Sniffers
• Ifconfig shows information such as IP addresses, network mask and MAC addresses.
• By running ifconfig, one can detect a sniffer by looking for the PROMISC flag.
• A rootkit therefore installs a trojaned ifconfig that omits the PROMISC flag, which prevents the System Administrator from detecting the rootkit’s sniffer.
Kernel-Level Rootkit
• The most severe threat to system security that can be caused by a rootkit comes from those that deploy LKM (Loadable Kernel Module) trojans.
• LKMs are a mechanism for adding functionality to an operating-system kernel without requiring a kernel recompilation.
• Kernel rootkits do not replace system binaries; they subvert them through the kernel.
Subverting the kernel
• There are two ways that a rootkit can subvert
the kernel to perform actions on behalf of an
intruder:
• Loading a kernel module
• The Linux kernel (and many other operating systems) can
load kernel modules at runtime. This allows an intruder to
insert a module that overrides kernel syscalls in order to
return incorrect values
• Writing to /dev/kmem
• By writing to /dev/kmem it is possible to overwrite the kernel
at runtime, and thus perform any arbitrary modification.
Atypical Methods to Subvert the
Kernel
• Adore-ng by Stealth employs the Virtual
FileSystem layer of the kernel. This works
by replacing the existing handler routines
for providing directory listings of the /proc
and the / filesystems, and registering its
own routines instead. Userspace programs
use the /proc filesystem to obtain
information on running processes. In this
way both processes and files can be
hidden.
Detecting Kernel Rootkits
• To get a list of kernel modules, two
standard methods can be used:
• bash$ lsmod
• bash$ cat /proc/modules
• Unfortunately, being a kernel module, an
LKM rootkit can easily defeat such efforts
by a variety of methods.
Programs
• This is a non-exhaustive list of programs that
are useful for the detection of kernel
modifications in a running system.
• kern_check.c (PGP signature: kern_check.c.asc) is a small command-line utility (for Linux 2.2.x, 2.4.x) that will compare your System.map against your kernel’s syscall table and warn about any inconsistencies.
• In case of compilation failure, you may want to make
sure that your kernel headers are found using:
• bash$ gcc -O2 -Wall -I/usr/src/mykernel/include -o
kern_check kern_check.c
CheckIDT
• CheckIDT is a utility that can be used to list the Interrupt Descriptor Table and save the current state to check its integrity later on. Currently there is no published real rootkit that uses the IDT, only proof-of-concept code.
Check-ps
• Utility that can detect hidden processes if
the killscan option is used. It will only
work if there are processes that are
hidden by the rootkit. It will not detect a
rootkit that is lying dormant, waiting for
someone who uses a backdoor provided
by the rootkit.
Phase 5
Covering Tracks and Hiding
Altering Event Logs
• Deleting specific events from the log files to avoid detection.
• In Windows NT/2000: Could just delete
the log files, but that would look
suspicious. Instead, there are tools that
can be used to change the log files, like
WinZapper (available: ntsecurity.nu/
toolbox/winzapper ).
• In UNIX:
– Check the syslogd file configuration to see where
log files are kept
– Since log file is written in ASCII, attacker can use any
text editor to change contents.
– To alter the accounting files (utmp, wtmp, and
lastlog), attacker must use a tool that can read and
edit the special binary format the files are saved in
(tools available at: www.antiserver.it/Unix/LogWipers/ ).
– UNIX shell history files contain a list of all of
commands entered into the command line (may be
edited with a text editor).
Creating Hidden Files and
Directories
• In UNIX: Begin the file name with a period. The ls command will not display files whose name begins with a period (“.”). Also, name the file either “. ” or “.. ” (a period or two periods followed by a space) so that the user mistakes it for the current or parent directory.
• In Windows NT/2000: Right click the file,
and view the properties. Check the box
that says hidden. Another method is to
add a stream to a file that already exists
by using the cp program in the Windows
NT Resource Kit: C:\>cp stuff.txt
notepad.exe:data Thus, the stuff.txt
file is tacked on to the end of the
notepad.exe file.
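A scanner for the UNIX hiding tricks described above, as an added example that is not part of the original slides: it walks a directory tree and reports names that imitate “.” or “..” with added whitespace, names with leading or trailing whitespace, and dotfiles (which are normal in a home directory but suspicious in places such as /tmp or /dev, so point it at those). Rather than touching the real file system it builds and scans a constructed temporary tree.

```python
"""Scan a directory tree for hidden-file naming tricks. Added example, not
from the slides; build_sample_tree() creates a constructed temporary tree
containing the tricks, and cleanup() removes it."""
import os
import shutil
import tempfile


def suspicious_name(name):
    """Return a reason if the name looks like a hiding trick, else None."""
    if name in (".", ".."):
        return None                    # the genuine directory entries
    stripped = name.strip()
    if stripped in (".", "..") and stripped != name:
        return "imitates '.' or '..' with whitespace"
    if stripped != name:
        return "leading or trailing whitespace"
    if name.startswith("."):
        return "dotfile"
    return None


def scan(root):
    """Walk root and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reason = suspicious_name(name)
            if reason:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed tree: one normal file plus the three tricks."""
    root = tempfile.mkdtemp(prefix="hiddenscan-")
    tmp = os.path.join(root, "tmp")
    os.mkdir(tmp)
    open(os.path.join(tmp, "report.txt"), "w").close()
    os.mkdir(os.path.join(tmp, ". "))                    # '.' plus a trailing space
    os.mkdir(os.path.join(tmp, ".. "))                   # '..' plus a trailing space
    open(os.path.join(tmp, ".. ", "tool"), "w").close()  # content tucked inside it
    open(os.path.join(tmp, ".cache"), "w").close()
    return root


def cleanup(root):
    shutil.rmtree(root)
```

On a real system `ls -la` with a quoting option (or `find /tmp -name '.*'`) shows the same names; the scanner is only a way to run the check over many directories at once and keep the output short.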
Covert Channels
• Disguised communication methods that an
attacker uses to connect to a system with
a backdoor across a network. The client
must be on the attacker’s machine and the
server must be on the target machine.
• Methods: Tunneling, Using the TCP and IP
Headers to Carry Data
Tunneling
• Allowing one protocol to be carried over
another
• Tools: Loki (available: www.phrack.com)
and Reverse WWW Shell (available:
www.thc.org/releases )
• Loki: can provide shell access over ICMP,
making the connection difficult to detect.
Client puts commands in ICMP packets
and sends them to servers, which decode
the packets. In the network, this just looks
like a bunch of ICMP packets: Ping, Ping
Response, Ping, Ping Response, etc. Note:
will not show up on a port scan.
• Reverse WWW Shell: provides shell access
over HTTP
– Attacker must get Reverse WWW Shell server
on target machine
• Server goes to the client, pulls commands,
executes them, and pushes the results
• Attacker is able to pull a command shell
– From the network perspective, it appears that
the target is just surfing the Web
– Useless when the user must authenticate to
access the internet.
Using the TCP and IP Headers to
Carry Data
• Store data in unused fields of protocol headers.
• Tool: Covert_TCP (available: www.firstmonday.dk/issues/issue2_5/rowland )
• Covert_TCP enters data into the IP identification, TCP sequence number, and the TCP acknowledgement number. The program can be either client or server and the attacker can specify which data field should be used to transmit the information.
Tool Summary (Name – Purpose; Platform; Where to get it; Comments)
• Whois database – Purpose: gives the registrar’s name when given a company’s name or domain name. Where to get it: (for .com, .net, .org) www.internic.net/whois.html; (for other domains) www.allwhois.com/home.html. Comments: web-based database.
• IP Address Lookup – Purpose: gives all IP addresses assigned to an organization or domain name. Where to get it: (North and South America, Caribbean, sub-Saharan Africa) www.arin.net/whois/arinwhois.html; (Europe) www.ripe.net; (Asia) www.apnic.net. Comments: web-based database.
• DNS Lookup – Purpose: gives DNS information about a corresponding IP address. Platform: built into Windows and Linux (nslookup). Comments: more information at www.zoneedit.com/doc/nslookup.html.
• Sam Spade – Purpose: ping, whois, IP block lookup, DNS lookup, dig, zone transfer, traceroute, finger, SMTP verify, web browser. Platform: Windows. Where to get it: www.samspade.org/ssw/. Comments: note that all of the operations can be traced back to the system running the program.
• Web-Based Tools – Purpose: traceroute, lookup, ping, DNS lookup, DNS records, email validation. Where to get it: www.network-tools.com/; privacy.net/analyze. Comments: web based, so it can’t be traced back to you.
• THC-Scan 2.0 – Purpose: war dialer. Platform: Windows. Where to get it: www.thc.org/releases.php.
• Cheops – Purpose: pingsweep, traceroute, draws a visual representation of the network. Platform: Linux. Where to get it: www.marko.net/cheops; rpmfind.net/linux/RPM/redhat/6.2/i386. Comments: lots of other useful tools on this site.
• Traceroute – Purpose: determine network topology. Platform: Windows, Linux. Where to get it: built into Windows and Linux. Windows command: tracert [IP addr.]; Linux command: traceroute [IP addr.]
• Nmap – Purpose: port scanner and network mapper. Platform: Windows, Linux. Where to get it: www.insecure.org/nmap/idlescan.html.
• Firewalk – Purpose: able to determine if ports are available through a firewall or router. Platform: Linux. Where to get it: www.packetfactory.net/projects/firewalk/firewalk-5.0.tgz. Comments: only for packet-filtering firewalls. Need to download the 3 libraries: libnet and libpcap from the site, and libdnet (for Fedora 2 from rpmfind.net/linux/rpm2html/search.php?query=libdnet).
• Nessus – Purpose: vulnerability scanner. Platform: Windows, Linux. Where to get it: www.nessus.com. Comments: can test multiple hosts at the same time; allows the user to write plug-ins.
• Stack Based Buffer Overflow Attack – Purpose: using stack overflow to get a target machine to execute code. Platform: Windows, Linux. Where to get it: packetstormsecurity.org/docs/hack/smashstack.txt. Comments: text document explaining the process.
• Pwdump – Purpose: extracts hashed passwords from a remote Windows system. Platform: Windows. Where to get it: packetstormsecurity.org/Crackers/NT/.
• @stake LC 5 (formerly L0phtCrack) – Purpose: password cracker, sniffer, pwdump. Platform: Windows. Where to get it: www.atstake.com/products/lc/. Comments: no longer free, but there is a free trial.
• John the Ripper – Purpose: password cracker. Platform: Windows, Linux. Where to get it: www.openwall.com/john/.
• Achilles – Purpose: acts as a proxy so web traffic can be modified. Platform: Windows. Where to get it: www.mavensecurity.com/achilles. Comments: can be used to edit per-session cookies.
• Snort – Purpose: packet sniffer. Platform: Windows, Linux. Where to get it: www.snort.org. Comments: also a network-based Intrusion Detection System.
• tcpdump – Purpose: packet sniffer. Platform: Linux. Where to get it: www.tcpdump.org.
• Sniffit – Purpose: packet sniffer. Platform: Linux. Where to get it: reptile.rug.ac.be/~coder/sniffit/sniffit.html. Comments: able to monitor network traffic in real time.
• Dsniff – Purpose: packet sniffer. Platform: Linux. Where to get it: www.monkey.org/~dugsong/dsniff. Comments: can handle more protocols than other sniffers.
• SQL Piggybacking – Purpose: extending an SQL statement to extract or update information. Where to get it: www.opennet.ru/base/cgi/22.txt.html. Comments: text document explaining the process.
• Hunt – Purpose: session hijacking tool. Platform: Linux. Where to get it: www.packetstormsecurity.org/sniffers/hunt/. Comments: allows the attacker to return the session after use.
• Netcat – Purpose: file transfer, port scanning, making connections to open ports, and much more. Platform: Windows, Linux. Where to get it: www.atstake.com/research/tools/network_utilities/. Comments: known as the Network Swiss Army Knife.
• Malformed packet suites – Purpose: may make a system crash. Platform: Windows, Linux. Where to get it: www.packetstormsecurity.org/DoS/. Comments: malformed packet suites are specific to the target machine.
• Papasmurf – Purpose: floods a target’s bandwidth. Platform: Windows, Linux. Where to get it: www.packetstormsecurity.org/new-exploits/. Comments: Smurf amplifiers at www.netscan.org.
• Tribe Flood Network 2000 (TFN2K) – Purpose: controls remote machines for a DDoS attack. Platform: Windows, Linux. Where to get it: www.packetstormsecurity.nl/groups/mixter/index2.html.
• WinZapper – Purpose: alters Windows log files. Platform: Windows. Where to get it: www.ntsecurity.nu/toolbox/winzapper. Comments: clears selected events from the Security Log.
• Wipe, Zap – Purpose: alters Linux log files. Platform: Linux. Where to get it: www.antiserver.it/Unix/Log-Wipers/. Comments: clears specific WTMP and UTMP log files, as well as others.
• Loki2 – Purpose: provides shell access over ICMP. Platform: Linux. Where to get it: www.phrack.org/show.php?p=51&a=6.
• Reverse WWW Shell – Purpose: provides shell access over HTTP. Platform: Linux. Where to get it: www.thc.org/releases.
• Covert_TCP – Purpose: transmit data through TCP headers. Platform: Linux. Where to get it: www.firstmonday.dk/issues/issue2_5/rowland/. Comments: source code.
Other General Resources: There are a number of sites that are directories of hacking tools. Here are just a few:
• www.insecure.org/tools.html
• fux0r.phathookups.com/tools/
• www.packetstormsecurity.com/releases/
• www.predator-hunter.com/mvaughan/personal/compsec.htm
• www.hackingexposed.com/tools/tools.html