Security & Ethical Hacking

Luke Arntson
Central Washington University
Winter 2007
Presentation #1 – “Script-Kiddie” Tools & Tricks
Introduction

Ethical Hacking

Knowledge is Power

To Teach is to Defend

Hacking is frowned upon
About Me

I have been interested in computer security for around six years.
First encounter in the wild with viruses was the IRC .vbs auto-scripts.
Went to Defcon 14 during the Summer 2006 to learn and enjoy, came back with some new knowledge.
Presentation Overview

Presentation #1 will be an introduction to tools and tricks used by “script-kiddies”, or those new to the hacker community.
Many people may have seen or used the following tools and tricks, but most moderate to advanced users frown upon them.
Presentation Overview

NetBios Hacking – Connect, view, share

IP Scanning – Angry IP Scanner

Cain – Excellent script-kiddie tool

Sub7/Netbus – Remote Admin Tools

PuTTy/Token2 – Tools of the trade
Windows NetBios Hacking

This is one of the most basic file access tricks known to Windows.
Not necessarily hacking, but beginners call it such.
Can be used with a samba brute-force password guesser.
Connect, View…

First we must confirm that file sharing has been enabled. We do so by opening our Command-Prompt and running nbtstat.

C:\>nbtstat.exe -a 192.168.1.101

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
SOMBA          <00>  UNIQUE      Registered
CALIMINE       <00>  GROUP       Registered
SOMBA          <20>  UNIQUE      Registered
CALIMINE       <1E>  GROUP       Registered

MAC Address = C0-FF-33-0B-33-50

We find the <20> we’re looking for, which indicates file sharing has indeed been enabled.
Connect, View…

Now let us view what directories are actually being shared.

C:\>net view \\192.168.1.101
Shared resources at \\192.168.1.101

Base Station

Share name   Type   Used as   Comment
-------------------------------------------------------------------------------
C$           Disk
IPC$
The command completed successfully.

Bingo, C:\ was shared to the world through the file sharing. We now have our target.
… Share!

Finally we are going to map a network drive to our newly found net share.

C:\>net use x: \\192.168.1.101\C$
The command completed successfully.

Now check My Computer and you will see the newly acquired remote C: drive.
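The three steps above (nbtstat to check for the File Server service, net view to list shares, net use to map one) can be turned into a quick audit of a machine you administer. The Python below is an added example, not part of the original presentation: it parses nbtstat and net view output modelled on the slides (the sample text is constructed here, and the IPC$ share type is filled in as "IPC") and reports whether file sharing is enabled and which disk shares are exposed. The suffix meanings it relies on are the standard NetBIOS ones: <00> UNIQUE is the workstation name, <00> GROUP the workgroup, <20> UNIQUE the File Server service.

```python
import re

# Constructed sample output, modelled on the nbtstat -a listing in the slides
# (not captured from a real machine).
NBTSTAT_OUTPUT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
SOMBA          <00>  UNIQUE      Registered
CALIMINE       <00>  GROUP       Registered
SOMBA          <20>  UNIQUE      Registered
CALIMINE       <1E>  GROUP       Registered

MAC Address = C0-FF-33-0B-33-50
"""

# Constructed sample net view output; the IPC$ share type is filled in as "IPC".
NET_VIEW_OUTPUT = """\
Shared resources at \\\\192.168.1.101

Base Station

Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
C$          Disk
IPC$        IPC
The command completed successfully.
"""

# One name-table row: NAME <hh> UNIQUE|GROUP Status
NAME_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.MULTILINE)
MAC_LINE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")
# One share row: NAME Disk|IPC|Print ...
SHARE_ROW = re.compile(r"^(\S+)\s+(Disk|IPC|Print)\b", re.MULTILINE)


def parse_nbtstat(text):
    """Return (rows, mac). Each row is (name, suffix, kind, status)."""
    rows = [(m.group(1), m.group(2).upper(), m.group(3), m.group(4))
            for m in NAME_ROW.finditer(text)]
    m = MAC_LINE.search(text)
    return rows, (m.group(1).upper() if m else None)


def parse_net_view(text):
    """Return [(share_name, share_type)] from a net view listing."""
    return [(m.group(1), m.group(2)) for m in SHARE_ROW.finditer(text)]


def audit_host(nbtstat_text, net_view_text):
    """Summarise what the two listings reveal about a host.

    <00> UNIQUE is the workstation name, <00> GROUP the workgroup/domain and
    <20> UNIQUE the File Server service, i.e. the host accepts SMB connections.
    """
    rows, mac = parse_nbtstat(nbtstat_text)
    host = next((n for n, s, k, _ in rows if s == "00" and k == "UNIQUE"), None)
    workgroup = next((n for n, s, k, _ in rows if s == "00" and k == "GROUP"), None)
    sharing = any(s == "20" and k == "UNIQUE" for _, s, k, _ in rows)
    findings = []
    if sharing:
        findings.append("file sharing enabled (<20> UNIQUE registered)")
        for share, kind in parse_net_view(net_view_text):
            if kind == "Disk":
                note = " (administrative share, whole volume)" if share.endswith("$") else ""
                findings.append(f"disk share exposed: {share}{note}")
    return {"host": host, "workgroup": workgroup, "mac": mac,
            "file_sharing": sharing, "findings": findings}


if __name__ == "__main__":
    result = audit_host(NBTSTAT_OUTPUT, NET_VIEW_OUTPUT)
    print(f"{result['host']} ({result['workgroup']}, {result['mac']})")
    for line in result["findings"]:
        print("  -", line)
```

Run it against the real output of nbtstat -a and net view for your own hosts; a host with no <20> entry produces no findings, which is the state the protection slide that follows asks for.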
NetBios Hacking Protection

Disable file sharing!
Use a firewall such as ZoneAlarm when you are not sharing files.
Password protect your shares.
Use a hardware firewall such as a router with built-in firewall.
This is an old hack, but it still can compromise an entire system.
IP Scanning

Finding vulnerable targets in the wild.
Angry IP Scanner – http://www.angryziber.com/ipscan/
Viruses and bots use IP sweepers, so ISPs will flag this activity.
IP Scanning is very common among exploit-seeking viruses.
Finding Appropriate IP Range

First we must find a range to search. This could be any combination of IP ranges such as 192.168.*.*
Next we must determine what we are searching for.
Finally, we decide what tools to use. For now, we will stick to Angry IP Scanner.
Searching for HTTP

Let's find some HTTP servers!
In Angry IP Scanner, set IP range and change Ports to [x] Scan Port: port 80
Begin scan…
After scan has completed, to only sort out which IPs have port 80 open, go to Utils>Delete From List>Closed Ports
Our list is complete.
What We Often Find

Generally we will find routers and modems. Often if they are default, they also have default passwords (for another day).
Sometimes we stumble upon websites, personal projects, etc.
This is VERY dangerous as you could be scanning a computer which is illegal to access…
Prevention from IP scans?

If you’re on the internet, you have an IP. IP scanners will give an ALIVE message.
Firewalls are VITAL if you are directly connected to the internet (ZoneAlarm, etc.)
HTTP access to routers should be turned off unless absolutely necessary. If enabled, ensure passwords are hard to guess/break.
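The IP Scanning slide notes that ISPs flag sweep activity, and the prevention slide recommends a firewall. What the flagging looks like from the firewall side is a single source touching many distinct hosts on the same port in a short time, which is exactly the port-80 sweep described above. The Python below is an added example, not from the presentation or from Angry IP Scanner: it parses constructed firewall log lines in a simple syslog-like shape (the format is an assumption; adapt the regex to your device) and reports any (source, port) pair that reaches at least min_hosts distinct destinations within a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed log lines, not from a real device: 203.0.113.5 walks twelve
    hosts on port 80 within eleven seconds, while 198.51.100.7 is an ordinary
    client making repeated connections to one web server."""
    lines = []
    for i in range(12):
        lines.append(f"2007-01-15T10:00:{i:02d} DROP TCP 203.0.113.5:4{i:04d} -> 192.168.1.{10 + i}:80")
    for i in range(12):
        lines.append(f"2007-01-15T10:00:{i:02d} ACCEPT TCP 198.51.100.7:5{i:04d} -> 192.168.1.50:80")
    return lines


# Assumed line shape: <ISO timestamp> <ACCEPT|DROP> TCP <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(\S+) (ACCEPT|DROP) TCP (\d{1,3}(?:\.\d{1,3}){3}):\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(3), m.group(4), int(m.group(5))


def detect_sweeps(lines, window_seconds=60, min_hosts=8):
    """Report (source, port) pairs that reach at least min_hosts distinct
    destinations on that port inside any window_seconds interval.
    The widest qualifying window per pair is reported once."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    by_source = defaultdict(list)            # (src, port) -> [(ts, dst)] in time order
    for ts, src, dst, port in events:
        by_source[(src, port)].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, port), hits in by_source.items():
        best = None
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it fits within window_seconds
            while hits[end][0] - hits[start][0] > window:
                start += 1
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_hosts and (best is None or len(targets) > best["hosts"]):
                best = {"source": src, "port": port, "hosts": len(targets),
                        "first_seen": hits[start][0].isoformat(),
                        "last_seen": hits[end][0].isoformat()}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_sweeps(build_sample_log()):
        print(f"sweep from {a['source']} on port {a['port']}: {a['hosts']} hosts "
              f"between {a['first_seen']} and {a['last_seen']}")
```

The benign client never trips the rule because it only ever reaches one destination, however many connections it makes; the threshold and window are the knobs to tune against your own traffic before relying on the alert.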
Cain & Abel :-D

Cain is a very, very evil script-kiddie tool.
We can spoof, crack, trace, inject, sniff, poison, and a few other things.
This program is dangerous in the wrong hands because it works very well.
Arp Poisoning

Cain currently only arp poisons through ethernet cards.

Broad overview of how to get it to run.

First, enable the sniffer and retrieve list of potential victim IPs.
Next, click the IP you want to add and press the + sign.
At this point, you should have two IPs in a network, the source and the destination IPs. Click the source IP on the left, and the destination IP on the left, in this case 192.168.0.2 and 192.168.0.1.
Watch the packets come in, and capture EVERYTHING the IP is sending and receiving via ARP poisoning.
Creative & Powerful Tool

Cain is creative, powerful, and has a huge damage potential in the wrong hands.
Keep those firewalls up! ARP Poisoning can be prevented by firewalling your connection.
Be aware of malicious users on your network, watching for that little Cain program to pop up on their screen.
Sub7/NetBus

Remote Admin Tools, or RAT for short, are essentially total control over a computer.
RAT tools are servers designed to take complete control without the user’s notice.
Sub7 is a well known black-hat RAT used to take over computers without the need for a “server” broadcast.
NetBus is also well known, but is a bit noisier and often leaves more traces.
Many other RATs out there.
Sub7 Configure

First, the hacker configures Sub7 with a configuration exe. This produces a new server with the desired options.
Options can include IRC control, broadcast of infection, methods of install, ways to stick server, etc.
Sub7 can also be password protected to prevent other hackers access to the victim.
Our Sub7 Server

For now we know the victim will be able to broadcast via port 4000 (radmin port)
We want to ensure server sticks.
We want a password to prevent other uninvited guests.
Only install the minimum, IRC, ICQ, AIM is extra so disable it.
Send Our Victim The Exe

This part is difficult to pull off, hackers have many ways to social engineer victims to do this part.
User must execute server.exe
Once executed, server is automatically launched and we are ready to take control.
Client Side RAT Control

We now have total control of our victim machine, so lets view their hard drive.
Eject their cd-rom.
Ok, enough of this, lets let them know we have taken over with a friendly error.
Finally, using Sub7’s fun little Matrix mode, let us remind them that reality is a mere fictional state of mind.
Prevention of RATs

Do not execute anything you do not trust!
Always turn on showing file extensions (Windows defaults them off?!?)
Be aware of strange activity. RATs do not need to broadcast to take over, they can use other methods such as AIM messages, IRC bot commands, and other various client messages.
Advanced RATs will be covered in a later presentation.
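The "show file extensions" advice matters because, with extensions hidden, a server that was renamed to server.jpg.exe is displayed as server.jpg and the victim on the previous slides double-clicks it as a picture. The Python below is an added example, not from the presentation or from Sub7: it reproduces that display rule and flags names whose real extension is an executable or script type, especially when a data-file extension has been stacked in front of it. The extension lists are an assumption for illustration (a small set of Windows program and script types, .vbs included) and are not exhaustive.

```python
import os

# Assumed list of extensions Windows runs as programs or scripts (not exhaustive);
# .vbs is the type the presenter met in the IRC auto-script days.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta"}
# Assumed list of extensions people read as harmless data
DATA_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".mp3", ".zip"}


def classify_attachment(filename):
    """Return (is_executable, displayed_name, reason).

    displayed_name is what Explorer shows with "Hide extensions for known file
    types" on: the final extension is dropped, so server.jpg.exe appears as
    server.jpg and setup.exe appears as setup.
    """
    base, ext = os.path.splitext(filename)
    ext = ext.lower()
    displayed = base if ext else filename
    if ext not in EXECUTABLE_EXTS:
        return False, displayed, "not an executable type"
    inner_ext = os.path.splitext(base)[1].lower()
    if inner_ext in DATA_EXTS:
        return True, displayed, f"executable disguised as {inner_ext} via double extension"
    return True, displayed, f"executable ({ext})"


def screen_attachments(names):
    """Return [(name, is_executable, displayed_name, reason)] for the names to block or warn on."""
    results = [(n, *classify_attachment(n)) for n in names]
    return [r for r in results if r[1]]


if __name__ == "__main__":
    # Constructed sample file names
    for name, _, shown, why in screen_attachments(["holiday.jpg", "server.jpg.exe", "run.vbs"]):
        print(f"{name!r} is shown as {shown!r}: {why}")
```

The same check belongs wherever files arrive from untrusted people, whether an IM transfer, an IRC DCC send or a mail attachment, since those are the delivery paths the slides list.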
PuTTy/Token 2

Excellent text based ssh/telnet/ftp/raw TTY clients.
Learn how to use these as they become vital later in a hacker's life.
Token 2 has excellent proxy abilities, so read up on how to use Socks-5 and SSH.
Begin learning about potential tunneling via SSH and PuTTy.
Conclusion

Keep safe! Just because I teach this does not mean it is legit stuff. Play around on test boxes, use VMWare, give your roomie a scare but not your college professor!
I would like to continue this as long as I have an audience. I learn as everyone else learns.
Ideas include advanced scanning and penetration, wireless hacking, root kit exploration, shell/exploit writing, web defacing/hacking, virus exploration/writing, maybe some old school hardware hacks (red/blue/beige boxes, credit card readers), and whatever else people want to hear about.
Questions?
Thank you for your time! If you have any
questions feel free to email me
arntsonl@cwu.edu