
ROAD TO EXPLOITATION

Dr. Andy Wu

BCIS 4630 Fundamentals of IT Security

2

Overview

• Network Scanning
  – Host discovery
  – OS fingerprinting
  – Service discovery

• Network mapping/Host discovery
  – DNS zone transfer

• Enumeration
  – Null session
  – User account info

3

Hacking Process

4

Early Stages of Hacking

• In this lab, we’ll introduce a few tools that are used in the early stages of hacking.
• The aims are to:
  – Obtain some ideas about a network’s topology;
  – Locate potential targets;
  – Find out what OSes and services are running;
  – Look up user accounts, lock-out threshold, password policies;
  – Etc.
• These pave the road for the next stage of attacking targets.

5

Reconnaissance

• Reconnaissance
  – The act of locating targets and developing the methods necessary to attack those targets successfully.
  – May be extremely flexible and creative.
• Reconnaissance is not by definition illegal.
  – Many reconnaissance techniques are completely legal.

6

Footprinting

• The act of uncovering and collecting as much information as possible about a target network.
  – Domain name
  – IP address blocks
  – Organization websites
  – Company directory
  – Background info
  – News articles
  – Press releases
  – Etc.

7

Information Gathering

• Search for company’s information in major search engines, e.g., Google, Google Maps, Bing.
• Using web data extractors, e.g., webextractor.com.
• Website scraping, e.g., binarypool.com.
• People search websites, e.g., pipl.com.
• Social media sites.
• Reports filed with SEC.

8

Website Copier

• Tools are available to copy an entire website for later analysis, e.g.,
  – httrack.com
  – surfoffline.com
  – pagenest.com
  – keepni.com

• Archive.org provides archived versions of websites.

9

Social Engineering

• Social engineering works, for the most part, because people have the innate tendency to help and to avoid confrontation.

• The success or failure of social engineering depends on the ability of hackers to manipulate human psychology, contacts, and physical workstations.

10

Dumpster Diving

• Dumpster diving is often the mother lode of sensitive information as well as actual hardware and software.
• Hackers look specifically for sales receipts and paperwork that contain personal data or credit card information.
  – Shredded documents can lead to data leaks.
  – Drafts of letters are routinely left whole in the trash.
  – Company directory sheets, catalog lists, unused or misprinted labels, and policy manuals.

11

WHOIS Lookup

• WHOIS databases contain personal information of domain owners.

• They are maintained by regional Internet registries:
  – AfriNIC (Africa)
  – ARIN (America)
  – APNIC (Asia Pacific)
  – LACNIC (Latin America)
  – RIPE NCC (Europe)

• tools.whois.net

12

DNS Records

• Domain name service database of a network contains important information about the network hosts, e.g.,
  – A – Host
  – MX – Mail server
  – NS – Name server
  – Cname – Canonical names (aliases)
  – SOA – Authority of domain

13

DNS-Based Reconnaissance

• DNS Lookup
  – Tools help Internet users discover the DNS names of target computers.
  – There are Web sites that provide DNS lookup tools.
• DNS Zone Transfer
  – Zone transfer is a DNS feature that lets a DNS server update its database with the list in another DNS server.
  – An incorrectly configured DNS server may allow any Internet user to perform a zone transfer.
  – nslookup

14

Network Reconnaissance

• Network scanning is a technique that discovers live hosts in the network.

• Port scanning allows you to find:
  – IP addresses and open ports of live hosts
  – Operating systems and system architecture
  – Services running on hosts

15

Host Discovery

• ping
  – Helps to verify whether a host is active.
  – Command is available for all platforms.
  – Part of ICMP and uses echo request and echo reply messages.
• ping sweep
  – Is used to determine the live hosts from a range of IP addresses by sending ICMP echo requests to multiple hosts.

16

Host Discovery

• traceroute (tracert on Windows)
  – A packet from a host makes numerous “hops” before it reaches the destination.
  – Command can track all of the intermediate nodes.
  – Uses the TTL field in the header to work.
• Nmap (Zenmap)
  – Zenmap is the GUI front end of nmap.
  – Use the nmap host discovery switch to perform scanning for live hosts.

17

Nmap

• www.insecure.org
• A versatile tool whose functionalities include:
  – Host discovery
  – OS fingerprinting
  – Service discovery

18

Fyodor

19

Nmap Switches

• Basic syntax: nmap [port range] [switch(es)] <target IP address>
• Nmap switches are case-sensitive!
• By default, if no other switches are given, Nmap performs host discovery and then performs a SYN port scan.

20

Nmap Host Discovery

• To obtain a quick list of live hosts on the network without scanning for open ports on each, use the -sP (ping scan) switch.
• The syntax is: nmap -sP <network ID>/mask
  – Replace <network ID> with the real network ID. It may be in the FQDN or resolved IP format.
  – Use the CIDR notation for the mask.

21

Banner Grabbing

• Banner grabbing uses Telnet to connect to a port on the remote target and observes the response coming back from it.
• Different protocols (services) have distinctive responses that can be used to verify the existence of those services on the target.
  – Attacker may be fooled by a honeypot or port emulator.
• Response may contain OS or service information that may be used to determine the OS running on the target.

22

“Self-Scanner”

• netstat
  – Allows all the Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and IP connections on a computer to be viewed.
  – Also helps to locate
    • IP address of computers
    • IP addresses of the hosts connected to the computers
    • Port of the host to which a computer is connected

23

OS Fingerprinting

• OS fingerprinting is the method to determine the operating system running on a remote target system.
• Passive OS fingerprinting uses sniffers to capture packets and analyze them for OS information.
  – For example, Windows and Linux systems pad the ping packets differently. By looking in the data portion for the padding characters, the attacker can guess the type of OS.
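As an added illustration of the padding heuristic on this slide (this code is not part of the original deck), the Python below reads the data portion of an ICMP echo message and compares it with the two default patterns: the Windows ping payload repeats the letters a to w, while Linux (iputils) ping writes a timestamp followed by bytes whose value equals their offset. Both sample packets are constructed here, and the 16-byte timestamp width is an assumption about 64-bit Linux hosts.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
WIN_PATTERN = b"abcdefghijklmnopqrstuvw"  # Windows ping repeats the letters a..w


def icmp_payload(icmp: bytes) -> bytes:
    """Return the data portion of an ICMP echo message (everything after the 8-byte header)."""
    if len(icmp) < 8:
        raise ValueError("ICMP message too short")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY) or code != 0:
        raise ValueError("not an ICMP echo request/reply")
    return icmp[8:]


def guess_os_from_echo(icmp: bytes) -> str:
    """Guess the sender's OS family from the ping padding; 'unknown' if neither pattern matches."""
    data = icmp_payload(icmp)
    if not data:
        return "unknown"
    # Windows: payload byte i is letter number (i mod 23) of a..w, 32 bytes by default.
    if all(data[i] == WIN_PATTERN[i % len(WIN_PATTERN)] for i in range(len(data))):
        return "windows"
    # Linux iputils: payload byte i equals i, except that the leading bytes carry a
    # timestamp (assumed 16 bytes on 64-bit hosts), so only offsets from 16 onward are compared.
    if len(data) > 16 and all(data[i] == (i & 0xFF) for i in range(16, len(data))):
        return "linux"
    return "unknown"


def make_echo_request(data: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Build a constructed ICMP echo request; the checksum is left zero because it is not checked here."""
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + data


# Constructed sample packets (not captured traffic) mimicking the two default payloads.
WINDOWS_SAMPLE = make_echo_request(bytes(WIN_PATTERN[i % 23] for i in range(32)))
LINUX_SAMPLE = make_echo_request(b"\x00" * 16 + bytes(range(16, 56)))

if __name__ == "__main__":
    for name, pkt in (("windows", WINDOWS_SAMPLE), ("linux", LINUX_SAMPLE)):
        print(name, "->", guess_os_from_echo(pkt))
```

A non-default packet size or a custom pattern (ping -p on Linux) defeats the heuristic, which is why the slide calls the result a guess.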

24

OS Fingerprinting

• Active OS fingerprinting sends specially crafted packets to the remote target and analyzes the response.
• The responses are then compared with a fingerprint database to determine the OS running on the remote machine.
• Use the OS fingerprinting switch in Nmap to perform OS fingerprinting.

25

Nmap OS Fingerprinting

• Nmap may be used to fingerprint the OS running on the target.

• The switch is -O.

26

Service Discovery

• Each network service is allocated a well-known port number.
• If the service is running on the server, the port must be open.
• The reverse is true too – if a port is found open on the server, the attacker can deduce that the server is running the service.
• The same goes for many registered ports that are related to common applications, e.g., Port 3306 for MySQL.

27

Service Discovery

• The attacker then will look up whether there are known vulnerabilities in the service. Chances are, some vulnerabilities have been found and reported, and often times, tools have been created to take advantage of those vulnerabilities.

• If the attacker runs those tools, he/she has a good chance of compromising the target.

• Service discovery is a critical step in the hacking process.

28

Nmap Switches

• -sS  SYN scan (default)
• -sT  Connect scan
• -sN  Null scan
• -sX  Xmas scan
• -O   OS fingerprinting
• -sP  Host discovery
• -p   Port range

29

In Summary

• Port scanning allows you to find:
  – IP addresses and open ports of live hosts
  – Operating systems and system architecture
  – Services running on hosts

30

DNS

• DNS Lookup
  – Tools help Internet users discover the DNS names of target computers.
  – There are Web sites that provide DNS lookup tools.
• DNS Zone Transfer
  – Zone transfer is a DNS feature that lets a DNS server update its database with the list in another DNS server.
  – An incorrectly configured DNS server may allow any Internet user to perform a zone transfer.

31

NSLookup

• If a DNS server is misconfigured, it’s easy to extract important host information stored in the DNS database.
• You don’t even need a separate tool.
• NSLookup (name server lookup) is a Windows native tool for resolving FQDNs to IP addresses.
• To perform a zone transfer from a DNS server, just run nslookup interactively and issue the ls command.

32

Regular Name Resolution

• To look up the IP address of a FQDN, the command is: nslookup <fqdn>

33

DNS Zone Transfer with NSLookup

• To perform a zone transfer, first enter just the command nslookup (without the FQDN argument).
• Then enter the server command followed by the IP address of the DNS server.
• Finally, enter the listing command: ls -d <domain_name>
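The misconfiguration described on slides 13 and 30, and the manual check above, can also be verified from the defender's side with a small script run against your own authoritative servers. This added Python example (not from the deck, and not what nslookup does internally) builds the AXFR question by hand, sends it over TCP as RFC 5936 requires, and reads only the first response message, which is enough to tell REFUSED from a server that starts handing out records. The zone name, the transaction ID and the response bytes in the test are constructed.

```python
import socket
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(zone: str) -> bytes:
    """Encode a DNS name as length-prefixed labels terminated by the root label."""
    labels = zone.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """12-byte header (id, flags=0, one question) followed by the AXFR question for the zone."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def parse_axfr_response(msg: bytes) -> dict:
    """Judge the first response message: NOERROR with answer records means zone data was handed out.
    A full transfer may span several messages; the first one already separates refusal from success."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    return {"txid": txid, "rcode": RCODE_NAMES.get(rcode, str(rcode)),
            "answers": ancount, "transferred": rcode == 0 and ancount > 0}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection early")
        buf += chunk
    return buf


def axfr_allowed(server: str, zone: str, timeout: float = 5.0) -> bool:
    """Ask one name server for the zone over TCP and report whether it complied."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS: 2-byte length prefix
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        first_message = _recv_exact(sock, length)
    return parse_axfr_response(first_message)["transferred"]
```

Run axfr_allowed against each of your own authoritative servers from an address that is not a listed secondary; the expected result is False, and True means the allow-transfer policy (or its TSIG requirement) needs fixing.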

34

DNS Records

• Domain name service database of a network contains important information about the network hosts, e.g.,
  – A: Host
  – MX: Mail server
  – NS: Name server
  – Cname: Canonical names (aliases)
  – SOA: Start of Authority of domain

35

Enumeration

• The process of finding user and group accounts, machine names, network shares, services, audit settings, etc. on a system.

• Scanning tells us what hosts are “live” and running what services. With enumeration the attacker tries to find out what accounts or resources may be worth exploiting or may be abused for attacking those hosts.

36

Typical Things to Enumerate

• User accounts
• Groups
  – Names
  – Members
• Access settings
  – Logon hours
  – Logon workstation restrictions
• Audit settings
• Service banners

37

Null Session

• Null session allows one to connect to the IPC (interprocess communication) shares on a Windows machine without a username and password.
• The IPC share is a “hidden share” – you don’t see the share when you explore shared resources on a computer in Windows Explorer. Hidden shares are denoted by a $ sign at the end of the share name.
• Windows automatically shares each partition as a hidden share – C$, D$, etc.
• There are other hidden shares, including IPC$.

38

Null Session

• Establishing a null session is necessary for many enumeration tools to work.
• The syntax is
  net use \\<hostname/IP>\IPC$ "" /u:""
  or
  net use \\<hostname/IP>\IPC$ "" /user:""
  – Replace the <hostname/IP> part with the real host name or IP address of the target.
  – Everything else in the command must be typed exactly as shown above.
  – Notice there is no space between the double quotes.
  – There is no space between the / and the u.
  – There is no space between the colon and double quote.

39

Null Session

• Anonymous access to IPC$ has been made more and more difficult with every upgrade in Windows versions.
• A domain controller may ironically have less restricted access to IPC$ because it needs to provide services to hosts in the network.
• The access level is set by the registry key: HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous (0 – None; 1 – Does not allow enumeration of SAM accounts and names; 2 – No access).

40

Establishing a Null Session

41

User Accounts

• To obtain user account information on a remote target, a variety of tools may be used:
  – SuperScan
  – Enum
  – User2Sid
  – UserInfo
  – Winfingerprint
  – Etc.

42

Enum

• This tool can retrieve a host of info about user accounts, groups, policies, etc.
• The syntax is: enum <switch(es)> <host name/IP>
  – Replace <host name/IP> with the real host name or IP address of the target machine.
    • You don’t have to precede it with double back slashes.
  – Some useful Enum switches:
    • -P  password policy information
    • -U  user accounts
    • -G  groups and membership

43

Security Identifier (SID)

• Internally, Windows OSes keep track of user and group accounts using their unique SIDs, not names.

• SIDs are never reused. You may delete a user account and later create a new one with the exact same username; but the two accounts will have two different SIDs.

• An administrator account’s SID ends with 500 (the info in the FYI box on p. 167 is wrong!).

44

Security Identifier (SID)

• Some sources recommend that the built-in administrator account be renamed and a bogus administrator account be set up. Also, the guest account should be disabled and/or renamed.

• These measures are only effective against less knowledgeable attackers.

• Tools such as user2sid can easily reveal the true SID of accounts.
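To make the point of this slide and the previous one concrete, here is an added Python example (not from the deck, and not the code of user2sid) that decodes a binary SID into its S-1-... form, extracts the RID, and finds which account in a constructed list really carries RID 500 even though a decoy is named "Administrator". The binary layout follows the documented Windows SID structure; the sample SIDs and account names are constructed.

```python
import struct

# RIDs that identify a role no matter what the account has been renamed to.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}


def parse_binary_sid(raw: bytes) -> str:
    """Convert the binary SID layout to its S-1-... string form.
    Layout: revision (1 byte), sub-authority count (1), identifier authority (6, big-endian),
    then `count` sub-authorities as little-endian uint32 values."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def rid_of(sid: str) -> int:
    """The relative identifier is the last sub-authority of the SID string."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    return int(parts[-1])


def account_role(sid: str) -> str:
    """Name the role a well-known RID implies; renaming the account does not change its RID."""
    rid = rid_of(sid)
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "built-in account" if rid < 1000 else "user-created account"


def find_real_administrator(accounts: dict) -> str:
    """Given {name: sid}, return the name currently carried by RID 500."""
    for name, sid in accounts.items():
        if rid_of(sid) == 500:
            return name
    raise LookupError("no RID 500 account in the list")


# Constructed sample: a decoy named "Administrator" with an ordinary RID beside the renamed real one.
SAMPLE_ACCOUNTS = {
    "Administrator": "S-1-5-21-1111-2222-3333-1005",
    "svc_backup": "S-1-5-21-1111-2222-3333-500",
    "Guest": "S-1-5-21-1111-2222-3333-501",
}
```

The same RID check is useful in an audit: listing which account holds RID 500 shows whether the rename was applied and whether the decoy is distinguishable from the real account.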

45

User2Sid

• This tool can find the SID of a user account on a remote computer.
• The syntax is: user2sid <host name/IP> <username>
  – Replace <host name/IP> with the real host name or IP address of the target machine.
    • You don’t have to precede it with double back slashes.
  – Replace <username> with the real target username.

46

UserInfo

• This tool displays some useful information about a user account.

• The syntax is: userInfo <host name/IP> <username>
  – Replace <host name/IP> with the real host name or IP address of the target machine.
    • You don’t have to precede it with double back slashes.
  – Replace <username> with the real target username.

47

WinFingerprint