NATO Security Workshop 11 Dec 2001
1
Hacking Exposed
May 5, 2004
Jan DecrockKarel Dekyvere
NATO Security Workshop 11 Dec 2001
2
Agenda
• Some reflections
• The attackers process
• Things you must do
NATO Security Workshop 11 Dec 2001
3
What is it about?
P
P
T
eople
rocess
echnology
In this order!
NATO Security Workshop 11 Dec 2001
4
How it usually goes
NATO Security Workshop 11 Dec 2001
5
Attacker Processes
• Footprinting
• Social Engineering
• Scanning
• Enumeration
• Gaining Access
• Privilege Escalation
• Buffer Overflows
• Shovel a Shell• Interactive
Control• Camouflaging• Island Hopping
• Viruses
NATO Security Workshop 11 Dec 2001
6
Footprinting• Footprinting Defined:
– An attacker’s use of tools and information to create a complete profile of an organization’s security posture – “Casing the joint”
• Tools:
http://www.google.com Netcraft – http://www.netcraft.com
USENET http://groups.google.com
EDGAR - http://www.sec.gov
DNS Servers TRACERT
WHOIS – http://www.arin.net & http://www.samspade.org
NATO Security Workshop 11 Dec 2001
7
• Social Engineering Defined:– An attacker’s use of personal interviewing
techniques, research skills and/or trickery to discover sensitive information from a target’s employees, partners or customers
• Tools– Telephone– Voice Mail– Email– USENET– Temporary Employment
Social Engineering
NATO Security Workshop 11 Dec 2001
8
Scanning
• Scanning Defined:– An attacker’s use of tools and information to
determine what systems are alive and reachable from the Internet
• Tools:
fping (ICMP-based) nmap (TCP-port-based)
netcat SuperScan / Scanline
Typhon II LANGuard
Fluxay Many (many) more
NATO Security Workshop 11 Dec 2001
9
Enumeration• Enumeration Defined:
– An attacker’s use of tools and information to determine what services are alive and listening from the Internet
• Tools:– LANGuard, N-Stealth, Fluxay, Nessus
• Countermeasures– Restrictanonymous helps (1 or 2)? – Rename admin helps?– Disable services!– Enable port filtering
NATO Security Workshop 11 Dec 2001
10
Port Redirection
• Port Redirection Defined:– The use of tools to direct network traffic destined for
one port and send it to another host on another port
• Tools:– FPipe.exe, RINETD(8)
• Countermeasures– Port have to get installed on the target system.
Mitigate by staying secure– Use IPSEC or other to allow communications
from/to– Packet content!
NATO Security Workshop 11 Dec 2001
11
Gaining Access
• Gaining Access Defined:– An attacker’s use of tools and information to make an
attempt to access the target system• Tools:
• Countermeasures– Syskey will protect me (offline encryption)?
Keystroke Loggers L0phtcrack
Password Grinders Remote Shells
John the Ripper Getadmin
GetAdmin2 Brutus
Samdump Pwdump
NATO Security Workshop 11 Dec 2001
12
Are you careful with security?
NATO Security Workshop 11 Dec 2001
13
Privilege Escalation• Privilege Escalation Defined:
– An attacker’s efforts to elevate his role from ‘user’ to ‘administrator’ by exploiting an operating system or application-specific flaw. Generally exploited from a console session of a non-privileged user.
• Tools:
• Your users have ‘debug programs’, ‘logon locally’ right?
GetAdmin, GetAdmin2 PipeUpAdmin
DebPloit L0phtcrack (LC3/LC4)
John the Ripper Brutus
Samdump Pwdump1,2,3,3e
LSADump, LSADump2
NATO Security Workshop 11 Dec 2001
14
Buffer Overflows• Buffer Overflows Defined:
– Buffer Overflow tools exploit un-checked buffers in specific OS’s or applications to cause ‘shellcode’ to run (usually in the context of ‘SYSTEM’, ‘IWAM’ or ‘SQLUSER’ if exploiting Windows 2000, IIS or SQL.
• Tools:– Too many to name….
• Patch management: good idea!
• Wanna know how it works?
NATO Security Workshop 11 Dec 2001
15
Public Enemy #1: The Buffer Overrun
• Attempting to copy >n bytes into an n-byte buffer
• If you’re lucky you get an AV• If you’re unlucky you get instability• If you’re really unlucky the attacker injects
code into your application–And executes it!–And everyone’s an admin :-(
NATO Security Workshop 11 Dec 2001
16
How Does It Work?
Buffer in bar()Buffer in bar() ReturnReturnAddress to foo()Address to foo()
bar()bar()argumentsarguments
A Stack (foo() has just called bar())
A Dangerous buffer
Assembly codeAssembly code Address of startAddress of start
Add ‘em together (using a copy function)
Your allocated Your allocated datadata
ReturnReturnaddressaddress
FunctionFunctionargumentsarguments
Gotcha!
Gotcha!
NATO Security Workshop 11 Dec 2001
17
Code injections
• Insert malicious code in program through user interface
• Usually possible due to lack of input parameter checking
• Most commonly used mechanism to take over websites!
NATO Security Workshop 11 Dec 2001
18
SQL code injection• Think of a website that allows you to query information,
think harder.
• How could the code be build to capture your input:
– Select * from creditcards where username = ‘x’– Select * from PC_parts where model = ‘x’
• Imagine what happens if your input would be:– hacker’ or 1=1 (the good)– hacker’ drop table creditcards (the bad)– hacker’ xp_cmdshell(‘fdisk.exe’) (the ugly)
• Try this @home, not @work !
NATO Security Workshop 11 Dec 2001
19
You want to be in such a situation?
• Then start thinking in terms of security
NATO Security Workshop 11 Dec 2001
20
DEMO?
NATO Security Workshop 11 Dec 2001
21
Shovel a Shell
• Shovel a Shell Defined:– An attacker’s use of tools to gain a ‘remote
command shell’ on a target server.
• Tools:– Netcat – The attackers ‘swiss army knife’– PSExec.exe
• Countermeasures– Limit outbound connections!– Software restriction policies.
NATO Security Workshop 11 Dec 2001
22
Island Hopping• Island Hopping Defined:
– Attacker uses compromised platform to stage an attack on another host
– Attacker repeats entire ‘attack methodology’ process to expand influence far and wide
• Tools:
• Did you know: ¼ of all Internet routers contained third party sniffers
netcat Tftp
Fpipe SMB Relay
Hash ‘cramming’
NATO Security Workshop 11 Dec 2001
23
Viruses
• Main Sources: Internet, Mail, Floppy.
• You can protect yourself
• Keep upto date of new virusses (mailing lists, automatic updates, Patch management process...)
NATO Security Workshop 11 Dec 2001
24
Why viruses/worms win• Viruses/worms usually exploit buffer overruns. • 1 change in 1010 to find a buffer overrun
• Or you reverse engineer announced flaws in the system. – Download a patch– Install on a computer– Verify modification to system/memory allocs
• Write virus based on patch information• Hope that nobody installed to patch
• What are my changes to be successful?
NATO Security Workshop 11 Dec 2001
25
Why viruses/worms should not win
• Virus/worm usually ships 10 to 20 days ‘after’ the patch is released.
• Excuse #1: Good Anti-virus software will protect me; somebody is always the first to be infected; what if the worm spreads faster than the pattern file.
• Excuse #2: We have a firewall that blocks all traffic; really, and you have one for all mobile users, one to split your internal network, etc…
• Excuse #3: Only Microsoft writes bogus code, I run on non-MS products; statistics say that each 1000 lines of code has 1bug (no matter what software or vendor).
NATO Security Workshop 11 Dec 2001
26
How much is enough security?
NATO Security Workshop 11 Dec 2001
27
Thank you for attendingand remember,
PPT
NATO Security Workshop 11 Dec 2001
28
Know Your Enemy
• Some Good Books:– Hacking Exposed Windows 2000 by Joel
Scambray and Stuart McClure, ISBN: 0072192623– Windows 2000 Security Handbook by Philip Cox
and Tom Sheldon, ISBN: 0072124334
NATO Security Workshop 11 Dec 2001
29
Know Your Enemy
• Web Sites:– HNC at http://www.hack-net.com – Attrition at http://www.attrition.org– Counterpane Systems (home of Bruce Schneier) at
http://www.counterpane.com– Cult of the Dead Cow at http://www.cultdeadcow.com – Rootshell at http://rootshell.com – 2600 at http://www.2600.com – EEye at http://www.eeye.com– WSD at http://www.w00w00.org– NTSecurity at http://www.ntsecurity.net
NATO Security Workshop 11 Dec 2001
30
Know Your Enemy
• Web Sites:– Slash Dot at http://www.slashdot.org– Razor at http://razor.bindview.com – Rainforest Puppy at http://www.wiretrip.net/rfp– Phrack at http://phrack.infonexus.com – Security Focus at http://www.securityfocus.com . Get
on the NTBugTraq mailing list here.– BlackHat at http://www.blackhat.com/– Nomad Mobile Research Centre at
http://www.nmrc.org/– Secure I Team at http://www.secureiteam.com
NATO Security Workshop 11 Dec 2001
31
Know Your Enemy
• Events– RSA Conference http://www.rsaconference.com – BlackHat http:///www.blackhat.com – DefCon http://www.defcon.org (The Largest
Hacking Convention, bring your own 802.11b wireless network card!)
NATO Security Workshop 11 Dec 2001
32
References
• Hacking Exposed 4th Edition• Hacking Windows 2000 Exposed• Special Ops• Microsoft Solution for Securing Windows
2000 Serverhttp://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp
• NSA Security Guidelineshttp://nsa1.www.conxion.com/