Hacking Techniques
Attackers
Hackers
Spies
Terrorists
Insider
Prof. Crimminaly
Vandals
Objectives
Challange, Status
Political Gain
Financial Gain
Damage
01./02.02.2007 linuxdays.lu 2007 4
Hacking Techniques
Script Kiddies
Hackers
Geek
Stupid Users
Automated Scripts / Viruses / Botnet / Spam
01./02.02.2007 linuxdays.lu 2007 5
Hacking Techniques
- High profile targets:
-- Banks
-- Military
-- Universities
-- Telecom / internet Provide
--Private PC’s / Enduser
-- Botnet
-- Spam
-- Homebanking Data
01./02.02.2007 linuxdays.lu 2007 6
Hacking Techniques
Most often Security problems:
(Source: CSI/FBI Computer Crime and Security Survey)
Virus
Insider
theft Laptop
Deial of Service
Unauthorised
WLAN
Hacking
01./02.02.2007 linuxdays.lu 2007 7
Hacking Techniques
➤Network based System Hacking
➤Web Server Hacking
➤Physically enter the Target Building
➤WLAN (Wireless LAN) Hacking
➤War Dialling
➤Sniffing
➤Social Engineering
➤Viruses
01./02.02.2007 linuxdays.lu 2007 8
Exercise:
-- physical access = root rights --
1. Interupt the bootloader by pressing >> e <<
2. Select the kernel line and press >> e <<
3. add >> init=/bin/bash << to the kernel line
4. kernel /vmlinuz-2.6.8 root=/dev/hda4 ro init=/bin/bash
5. Press >> Enter <<
6. Press >> b << to boot
7. mount –o remount,rw /dev/hda4
8. passwd hamm ( password: test123)
9. passwd (password: test123)
10.sync
11.mount –o remount,ro /dev/hda4
12.shutdown –rn now
13.Login as user hamm & launch vmware; start all VM from top down
01./02.02.2007 linuxdays.lu 2007 9
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
01./02.02.2007 linuxdays.lu 2007 10
Footprinting
-- Information Gathering --
➤ visit targets’ websites
➤ review HTML Code, JavaScript and Comments & robots.txt
➤ search for passwords, hidden directories, contact names
➤ Dumpster Diving
Quotation Bill Gates in: Susan Lammers; Programmers at Work
Tempus Books; Reissue Edition, 1989
„No, the best way to prepare is to write programs, and to study
great programs that other people have written. In my case, I went
to the garbage cans at the Computer Science Centre and I fished
out listings of their operating system.“
01./02.02.2007 linuxdays.lu 2007 11
Footprinting
-- Information Gathering --
➤ whois request at the Network Information Centre
-- receive information about IP address ranges
-- Names and EMail addresses of responsibles
whois -h whois.dns.lu linuxdays.lu
domainname: linuxdays.lu
nserver: arthur.tudor.lu
nserver: dorado.tudor.lu
org-name: Centre de Recherche Public Henri Tudor
adm-email: pierre.plumer@crpht.lu
tec-name: Xavier Detro
tec-email: xavier.detro@tudor.lu
Important whois domains:
- RIPE (Europe & N-Africa) - APNIC (Asia Pacific)
- ARIN (N-America & S-Africa) - LACNIC (Latin America)
01./02.02.2007 linuxdays.lu 2007 12
Footprinting
-- Exercise Information Gathering --
➤ DNS Lookup
-- use nslookup tools to receive informations about DNS-
& EMAIL Server, looking for names like Oracle, TestLinux, ....
-- try a zone transfer
➤ Footprinting by DNS: nslookup(1); host(1); dig(1);
# nslookup
> server 192.168.22.22
> www.mumm.lu
> set type=mx
> mumm.lu
> set type=any
> mumm.lu
> ls –d mumm.lu # try zone transfer
> exit
# dig @192.168.22.22 mumm.lu axfr # Zonetransfer
01./02.02.2007 linuxdays.lu 2007 13
Footprinting
-- Information Gathering --
➤whois tools:
-- Sam Spade www.samspade.org
-- Smart Whois www.tamos.com
-- Netscan www.netscantools.com
-- GTWhois www.geektools.com
-- http://www.all-nettools.com/toolbox
➤DNS must reads:
-- RFC 1912 Common DNS Errors
-- RFC 2182 Secondary DNS Servers
-- RFC 2219 Use of DNS Aliases
01./02.02.2007 linuxdays.lu 2007 14
Footprinting
-- Information Gathering --
➤ footprinting @ google
➤ news group articles of employees @<targetdomain>
➤ search business partners link:<targetdomain>
➤ site:<targetdomain> intitle:index.of
➤ site:<targetdomain> error | warning
➤ site:<targetdomain> login | logon
➤ site:<targetdomain> username | userid
➤ site:<targetdomain> password
➤ site:<targetdomain> admin | administrator
➤ site:<targetdomain> inurl:backup | inurl:bak
➤ site:<targetdomain> intranet
01./02.02.2007 linuxdays.lu 2007 15
Google Hacking
-- Introduction --
The Beginnings:
www.theregister.co.uk/2001/11/28/the_google_attack_engine/
Link points to a Switch of a .gov Network
Google not 'hackers' best friend‘ -- ww.vnunet.com/News/1127162
Index.of +banques +filetype:xls
Johnny (I hack stuff) Long
‘Google Hacking for Penetration Testers’
Google Hacking Database http://johnny.ihackstuff.com
12.03.2006 Chicago Tribune
http://www.heise.de/newsticker/meldung/70752
2600 CIA Agents discovered via Search Engine
01./02.02.2007 linuxdays.lu 2007 16
Google Hacking
-- Introduction --
What to know:
Advanced Operands:
site:<domainname>
inurl:<path>
filetype:<xls|doc|pdf|mdb|ppt|rtf|…….>
intitle:<keyword>
intext:<keyword>
…… Google as an ‘
Anonymous Proxy’
Google Cache
&strip=1
01./02.02.2007 linuxdays.lu 2007 17
Google Hacking
-- Introduction --
What to know:
The Power of combining Advanced Operands:
site:heise.de –site:www.heise.de
-- shows all websites NOT from the official Webserver
-- maps nre hostnames without contacting target network
-- wap.heise.de, chat.heise.de, www.tb.heise.de, …
Offline Analysis of the search result:
-- www.sensepost.com/research_misc.html
-- SOAP Google API
01./02.02.2007 linuxdays.lu 2007 18
Google Hacking
-- Introduction --
What to find:
The Google Hacking Database (johnny.ihackstuff.com):
-- Directory Listings à Hidden/Private Files
intitle:index.of ‘parent directory’
intitle:index.of.admin
intitle:index.of inurl:admin
intitle:index.of ws_ftp.log
-- Error Messages of Scripts
‘Fatal error: call to undefined function’
–reply –the –next
‘Warning: Failed opening’ include_path
-- Search for vulnerable Scripts
inurl:guestbook/guestbooklist.asp
‘Post Date’ ‘From Country’
-- Search for Backups
filetype:bak inurl:php.bak
filetype:bak inurl:php.bak
-- Search for:
--- Printers; --- Webcams; --- Intranet Sites;
--- Network Tools Ntop, MRTG; --- Databases
01./02.02.2007 linuxdays.lu 2007 19
Google Hacking
-- Exercise --
Livecycle of a Google Hack:
1. Security Problem deicovered on online product;
2. Analyse online product
3. Find typical string
4. Create a google request
5. Find vulnerable websites
Examples:
-- inurl:php.bak mysql_connect mysql_select_db
-- ext:pwd inurl:(service | authors | administrators | users)
"# -FrontPage-“
-- "index of/" "ws_ftp.ini" "parent directory“
-- !Host=*.* intext:enc_UserPassword=* ext:pcf
-- "admin account info" filetype:log
-- enable password | secret "current configuration“
-intext:the
01./02.02.2007 linuxdays.lu 2007 20
Preparation
anonymity doesn’t exist
➤ break systems in different countries / time zones
➤ install network multipurpose tools like netcat or backdoors
➤ hop from host to host to get anonymity
01./02.02.2007 linuxdays.lu 2007 21
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
01./02.02.2007 linuxdays.lu 2007 22
Scanning
-- Goals --
➤ mapping of the target network
➤ use system tools like traceroute & ping
➤ Visual Tools: NeoTrace (Visual Trace) & Visual Route
➤ finding the range of IP addresses
➤ discerning the subnet mask
➤ identify network devices like firewalls & routers
➤ identify servers
➤ mapping of the reachable services
➤ detecting `live` hosts on target network
➤ discovering services / listening ports / portscan; nmap;
➤ identifying operating system & services
➤ identify application behind services & patch level
01./02.02.2007 linuxdays.lu 2007 23
Scanning
-- Network Mapping --
Nmap: find living hosts
$ su –
# ns_mumm
# cat /etc/resolve.conf
# nmap –sL www.mumm.lu/27 # List Scan
(only do nslookup for the IP rage)
# nmap –-packet_trace –sP www.mumm.lu/27 # ICMP/TCP
(send ICMP Echo Request and ACK to Port 80
if RST is received à host is alive / unfiltered )
# nmap –n –P0 –sU –g 53 –p 53 –T polite www.mumm.lu/27
( UDP Scans are alomost NOT usefully; -g 53 = sourceport
-P0 = don’t PingScan first; -T polite = scan speed)
-sF, -sX, -sN, –sA, # not usable
FIN-, XMAS-, Null-, ACK- Scan # today
01./02.02.2007 linuxdays.lu 2007 24
Scanning
-- Port Scanning --
Nmap: port scan (connect scan)
# nmap –n –sT –P0 –p 80 192.168.22.21,22,24
# nmap –n –sT –P0 –p 110 192.168.22.21,22,24
SYN
SYN/ACK
ACK
SYN
RST/ACK
RST/ACK
Port open
Port closed
01./02.02.2007 linuxdays.lu 2007 25
Scanning
-- Port Scanning --
Nmap: port scan (stealth scan)
# nmap –n –sS –P0 –p 80 192.168.22.21,22,24
# nmap –n –sS –P0 –p 110 192.168.22.21,22,24
SYN
SYN/ACK
RST
SYN
RST/ACK
Port open
Port closed
01./02.02.2007 linuxdays.lu 2007 26
Scanning
-- Port Scanning --
Nmap: port scan
# nmap –n –sT –P0 –p 20-25,80,443 192.168.22.21,22,24
# nmap –n –sS –P0 –p 20-25,80,443 192.168.22.21,22,24
Techniques to stay anonymous:
silent scan:
# nmap –n –sT –P0 –T sneaky –p 20-25,80 192.168.22.22
fragmentation scan
# nmap –n –P0 –f –p 20-25,80 192.168.22.22
decoy scan
# nmap –n -P0 –D 1.1.1.1,2.2.2.2,ME,3.3.3.3 –p 80 <host>
01./02.02.2007 linuxdays.lu 2007 27
Scanning
-- Exercise --
Scan the MUMM.LU network:
01./02.02.2007 linuxdays.lu 2007 28
Advanced Scanning
-- IP-ID Idle Scan --
Exercise: Who the hell is scanning you?
target perform:
# tcpdump –n –i eth0 host 192.168.4.<your IP Address>
attacker perform: (idle_scan)
01./02.02.2007 linuxdays.lu 2007 29
Advanced Scanning
-- IP-ID Idle Scan --
- based on IP-ID prediction
- example with hping2 –SA –p 80 –c 5 <switch ip>
- all packets have Fragment-ID Number
- every new packet increases the IP ID Number
- by most systems IP ID + 1
- this is exploitable
- by monitoring the IP ID value of a host
- you know how many packets he sends
- this could be abused for zombie port scanning
01./02.02.2007 linuxdays.lu 2007 30
Advanced Scanning
-- IP-ID Idle Scan --
Step 1: A) send SYN/ACK to Zombie
B) investigate the answer IPID
C) repeate A) and B) multiple times, verify quality of Zombie
IP-ID Probe -> SYN/ACK
Response -> RST; IPID=3
IP-ID Probe -> SYN/ACK Zombie
Response -> RST; IPID=4
IP-ID Probe -> SYN/ACK
Response -> RST; IPID=5
IP-ID Probe -> SYN/ACK
Response -> RST; IPID=2
01./02.02.2007 linuxdays.lu 2007 31
Advanced Scanning
-- IP-ID Idle Scan --
Step 2: A) Send SYN to target BUT spoof the Source IP Adress,
claim to be the Zombie
B) open port: Target send SYN/ACK to Zombie
C) open port: Zombie send RST and increase IPID to Target
SYN;
Port=80;
SRC IP = <zombie>
SYN/ACK
Zombie
Target
RST; IPID=6
01./02.02.2007 linuxdays.lu 2007 32
Advanced Scanning
-- IP-ID Idle Scan --
Step 2: A) Send SYN to target BUT spoof the Source IP Adress,
claim to be the Zombie
B) close port: Target simply send a RST to the Zombie
SYN;
Port=80;
SRC IP = <zombie>
RST
Zombie
Target
01./02.02.2007 linuxdays.lu 2007 33
Advanced Scanning
-- IP-ID Idle Scan --
Step 3: A) send SYN/ACK to Zombie
B) investigate the answer IPID
If IPID = 6 à port was close
If IPID = 7 à port was open
IP-ID Probe -> SYN/ACK
Response -> RST; IPID=7
Zombie
01./02.02.2007 linuxdays.lu 2007 34
Advanced Scanning
-- IP-ID Idle Scan --
IP ID Idle Scan with nmap
# nmap –n –P0 –p20-25,80,443 –sI <zombie> <target>
# nmap –n –P0 –p20-25,80,443 –sI 10.10.10.10 10.10.11.11
01./02.02.2007 linuxdays.lu 2007 35
Scanning
-- Identifying Services --
Banner Grabbing & Version Mapping:
- What services are bound to the port:
-- identifying service / protocoll;
-- identifying Server-Software;
-- identifying Version Number;
-- identifying additional Modules etc.
automatic approach
# nmap –n –p 20-25,80,443 –sV 192.168.22.22,25
# nmap –n –p 20-25,80,443 –oM scan1 192.168.22.22,25
# amap –B –i scan1
# amap –i scan1
01./02.02.2007 linuxdays.lu 2007 36
Scanning
-- Identifying Services --
Banner Grabbing & Version Mapping:
manual approach with Netcat
# nc 192.168.22.22 22
# nc 192.168.22.22 80
HEAD / HTTP/1.0
# nc 192.168.22.21 21
# nc 192.168.22.21 80
HEAD / HTTP/1.0
OS Detection
# nmap –O 192.168.22.22,25
# xprobe2 192.168.22.22
# xprobe2 –p tcp:443:open 192.168.22.22
01./02.02.2007 linuxdays.lu 2007 37
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
01./02.02.2007 linuxdays.lu 2007 38
Gaining Access
-- Where are we now --
At this point we know (without doing something illegal at all):
-- Targets business (products, partners, emplyees)
-- overview of the network topology
-- overview of live servers and open ports
-- services in use, server-software, version numbers
How to proceed:
-- is there a known vulnerability
-- do we know a vulnerability
-- known configuration problems
-- default passwords
prepare attack
-- research on internet for known security holes
-- default passwords; common misconfigurations
-- setup a test environment to practice the attack
-- ideal: fire one single attack
01./02.02.2007 linuxdays.lu 2007 39
Gaining Access
-- prepare attack --
01./02.02.2007 linuxdays.lu 2007 40
Gaining Access
-- prepare attack --
01./02.02.2007 linuxdays.lu 2007 41
Gaining Access
-- prepare attack --
01./02.02.2007 linuxdays.lu 2007 42
Gaining Access
-- prepare attack --


Go to >>>>>2