7/22/2019 2004_05_05 Security Summit - Hacking Exposed Final - Copy
http://slidepdf.com/reader/full/20040505-security-summit-hacking-exposed-final-copy 1/32
NATO Security Workshop 11 Dec2001
1
Hacking Exposed
May 5, 2004
Jan Decrock
Karel Dekyvere
Agenda
• Some reflections
• The attacker's process
• Things you must do
What is it about?
People
Process
Technology
In this order!
How it usually goes
Attacker Processes
• Footprinting
• Social Engineering
• Scanning
• Enumeration
• Gaining Access
• Privilege Escalation
• Buffer Overflows
• Shovel a Shell
• Interactive Control
• Camouflaging
• Island Hopping
• Viruses
Footprinting
• Footprinting Defined:
– An attacker's use of tools and information to create a complete profile of an organization's security posture – "Casing the joint"
• Tools:
– Google – http://www.google.com
– Netcraft – http://www.netcraft.com
– USENET – http://groups.google.com
– EDGAR – http://www.sec.gov
– DNS Servers
– TRACERT
– WHOIS – http://www.arin.net & http://www.samspade.org
Social Engineering
• Social Engineering Defined:
– An attacker's use of personal interviewing techniques, research skills and/or trickery to discover sensitive information from a target's employees, partners or customers
• Tools:
– Telephone
– Voice Mail
– USENET
– Temporary Employment
Scanning
• Scanning Defined:
– An attacker's use of tools and information to determine what systems are alive and reachable from the Internet
• Tools:
– fping (ICMP-based)
– nmap (TCP-port-based)
– netcat
– SuperScan / Scanline
– Typhon II
– LANGuard
– Fluxay
– Many (many) more
Enumeration
• Enumeration Defined:
– An attacker's use of tools and information to determine what services are alive and listening from the Internet
• Tools:
– LANGuard, N-Stealth, Fluxay, Nessus
• Countermeasures
– RestrictAnonymous helps (1 or 2)?
– Rename admin helps?
– Disable services!
– Enable port filtering
Port Redirection
• Port Redirection Defined:
– The use of tools to take network traffic destined for one port and send it to another host on another port
• Tools:
– FPipe.exe, RINETD(8)
• Countermeasures
– The port redirector has to get installed on the target system first. Mitigate by staying secure.
– Use IPSEC or other means to allow communications from/to known hosts only
– Packet content!
Gaining Access
• Gaining Access Defined:
– An attacker's use of tools and information to make an attempt to access the target system
• Tools:
– Keystroke Loggers
– Password Grinders
– Remote Shells
– L0phtcrack
– John the Ripper
– GetAdmin, GetAdmin2
– Brutus
– Samdump, Pwdump
• Countermeasures
– Syskey will protect me (offline encryption)?
Are you careful with security?
Privilege Escalation
• Privilege Escalation Defined:
– An attacker's efforts to elevate his role from 'user' to 'administrator' by exploiting an operating system or application-specific flaw. Generally exploited from a console session of a non-privileged user.
• Tools:
– GetAdmin, GetAdmin2
– PipeUpAdmin
– DebPloit
– L0phtcrack (LC3/LC4)
– John the Ripper
– Brutus
– Samdump
– Pwdump1, 2, 3, 3e
– LSADump, LSADump2
• Your users have the 'debug programs' and 'logon locally' rights?
Buffer Overflows
• Buffer Overflows Defined:
– Buffer overflow tools exploit unchecked buffers in specific OSs or applications to cause 'shellcode' to run (usually in the context of 'SYSTEM', 'IWAM' or 'SQLUSER' if exploiting Windows 2000, IIS or SQL).
• Tools:
– Too many to name...
• Patch management: good idea!
• Wanna know how it works?
Public Enemy #1: The Buffer Overrun
• Attempting to copy >n bytes into an n-byte buffer
• If you're lucky you get an AV (access violation)
• If you're unlucky you get instability
• If you're really unlucky the attacker injects code into your application
– And executes it!
– And everyone's an admin :-(
How Does It Work?
[Diagram: A Stack (foo() has just called bar())]
– bar() arguments
– Return address to foo()
– Buffer in bar()
[Diagram: A dangerous buffer]
– Function arguments
– Return address
– Your allocated data
– Assembly code + address of start: add 'em together (using a copy function)
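The two slides above describe the defect in words and as a stack picture. The following C program is an added example written for this page, not code from the slides or their authors; it puts the "copy >n bytes into an n-byte buffer" pattern beside a bounded version so the difference is visible in code. The names NAME_LEN, greet_unchecked, greet_bounded and name_fits and the sample inputs are all constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example (not from the slides): the "copy >n bytes into an n-byte
 * buffer" defect beside a bounded version. NAME_LEN, greet_unchecked,
 * greet_bounded and name_fits are hypothetical names chosen for this demo. */

#define NAME_LEN 16   /* the n-byte buffer from the slide */

/* Vulnerable pattern. strcpy() copies until it meets a NUL byte and knows
 * nothing about the size of 'name'. Input of NAME_LEN bytes or more runs past
 * the buffer into whatever the compiler laid out next (saved frame pointer,
 * return address): accidental long input gives the access violation or
 * instability from the slide, chosen input gives the return-address overwrite
 * from the stack picture. */
void greet_unchecked(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);      /* unbounded copy: undefined behaviour on long input */
    printf("hello, %s\n", name);
}

/* Bounded version: check the length against the buffer first, then copy a
 * known number of bytes including the terminator. Returns false on rejection
 * so the caller can log the oversized input rather than silently truncate. */
bool greet_bounded(const char *input)
{
    char name[NAME_LEN];
    size_t len = strlen(input);
    if (len >= sizeof name) {                      /* no room for the NUL */
        fprintf(stderr, "rejected %zu-byte input (limit %zu)\n",
                len, sizeof name - 1);
        return false;
    }
    memcpy(name, input, len + 1);                  /* copies exactly len+1 bytes */
    printf("hello, %s\n", name);
    return true;
}

/* The check on its own, so callers (and tests) can ask before copying. */
bool name_fits(const char *input)
{
    return strlen(input) < NAME_LEN;
}

/* Constructed sample inputs: one that fits and one 32-byte run that would
 * overrun the 16-byte buffer. */
#define SHORT_INPUT "alice"
#define LONG_INPUT  "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA"

int main(void)
{
    greet_bounded(SHORT_INPUT);   /* hello, alice */
    greet_bounded(LONG_INPUT);    /* rejected, buffer untouched */
    greet_unchecked(SHORT_INPUT); /* safe only because this input happens to fit */
    /* greet_unchecked(LONG_INPUT) is the slide's "really unlucky" case and is
     * deliberately not called: its behaviour is undefined. */
    return name_fits(LONG_INPUT) ? 1 : 0;
}
```

Compiler stack protectors (such as /GS or -fstack-protector) turn the overwrite in greet_unchecked into an abort instead of code execution, which is why the slide's "patch management: good idea!" pairs naturally with rebuilding code under those options; they limit the damage but do not make the unbounded copy correct, which only the length check does.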
Code injections
• Insert malicious code in a program through the user interface
• Usually possible due to lack of input parameter checking
• Most commonly used mechanism to take over websites!
SQL code injection
• Think of a website that allows you to query information, think harder.
• How could the code be built to capture your input:
– Select * from creditcards where username = 'x'
– Select * from PC_parts where model = 'x'
• Imagine what happens if your input would be:
– hacker ' or 1=1 (the good)
– hacker ' drop table creditcards (the bad)
– hacker ' xp_cmdshell('fdisk.exe') (the ugly)
• Try this @home, not @work!
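The slide shows the query and three inputs but not what the back end actually produces. The C program below is an added example for this page, not code from the slides or their authors: it builds the slide's creditcards query the careless way (pasting input into SQL text), builds it again with the input rendered as a proper SQL string literal, and scans the result to see whether the input is being read as data or as SQL. The function names are hypothetical; the quoting rule (double every embedded single quote) is standard SQL; the inputs are the slide's own examples, typed in as constructed test strings.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example (not from the slides). Builds the slide's query the way a
 * careless web back end does, shows what the "' or 1=1" input turns it into,
 * and contrasts it with rendering the input as one SQL string literal.
 * All function names are hypothetical. */

/* Vulnerable construction: the input is spliced into the SQL grammar. */
int build_query_unsafe(char *out, size_t outsz, const char *username)
{
    return snprintf(out, outsz,
                    "select * from creditcards where username = '%s'", username);
}

/* Render value as one SQL string literal: wrap in quotes and double any
 * embedded quote. Refuses control bytes and results that do not fit. */
bool sql_quote_literal(char *out, size_t outsz, const char *value)
{
    size_t n = 0;
    if (outsz < 3) return false;                      /* need '' plus NUL */
    out[n++] = '\'';
    for (const char *p = value; *p; p++) {
        if ((unsigned char)*p < 0x20) return false;   /* no control bytes */
        size_t need = (*p == '\'') ? 2 : 1;
        if (n + need + 2 > outsz) return false;       /* room for char(s), ', NUL */
        if (*p == '\'') out[n++] = '\'';              /* ' becomes '' */
        out[n++] = *p;
    }
    out[n++] = '\'';
    out[n] = '\0';
    return true;
}

/* Safer construction: whatever the user typed stays inside one literal. */
bool build_query_quoted(char *out, size_t outsz, const char *username)
{
    char lit[256];
    if (!sql_quote_literal(lit, sizeof lit, username)) return false;
    int written = snprintf(out, outsz,
                           "select * from creditcards where username = %s", lit);
    return written >= 0 && (size_t)written < outsz;
}

/* Scan a statement and report whether 'needle' occurs outside string
 * literals, i.e. whether it is being treated as SQL rather than as data.
 * A doubled '' inside a literal is an escaped quote, not the end of it. */
bool sql_text_outside_literals(const char *query, const char *needle)
{
    bool in_lit = false;
    size_t nlen = strlen(needle);
    for (const char *p = query; *p; p++) {
        if (*p == '\'') {
            if (in_lit && p[1] == '\'') { p++; continue; }   /* escaped '' */
            in_lit = !in_lit;
            continue;
        }
        if (!in_lit && strncmp(p, needle, nlen) == 0) return true;
    }
    return false;
}

/* Build the query either way for a given input and say whether the input
 * managed to add SQL (the needle) outside its literal. A rejected input
 * counts as "no SQL added" because nothing would be executed. */
bool input_adds_sql(const char *username, const char *needle, bool use_quoting)
{
    char q[512];
    if (use_quoting) {
        if (!build_query_quoted(q, sizeof q, username)) return false;
    } else {
        build_query_unsafe(q, sizeof q, username);
    }
    return sql_text_outside_literals(q, needle);
}

int main(void)
{
    /* Constructed inputs, taken from the slide's examples. */
    const char *inputs[] = { "hacker", "hacker ' or 1=1",
                             "hacker ' drop table creditcards" };
    char q[512];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_query_unsafe(q, sizeof q, inputs[i]);
        printf("unsafe: %s\n", q);
        if (build_query_quoted(q, sizeof q, inputs[i]))
            printf("quoted: %s\n", q);
    }
    return 0;
}
```

The production fix is a parameterized query (prepared statement), where the database driver receives the value separately and never parses it as SQL; sql_quote_literal only makes visible the mechanism that such binding guarantees, and hand-rolled quoting is easy to get wrong for other data types and encodings. The slide's "ugly" case is also a reminder that the web application's database account should have no access to xp_cmdshell at all, so that even a successful injection cannot reach the operating system.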
You want to be in such a situation?
• Then start thinking in terms of security
DEMO?
Shovel a Shell
• Shovel a Shell Defined:
– An attacker's use of tools to gain a 'remote command shell' on a target server.
• Tools:
– Netcat – The attacker's 'swiss army knife'
– PSExec.exe
• Countermeasures
– Limit outbound connections!
– Software restriction policies.
Island Hopping
• Island Hopping Defined:
– Attacker uses a compromised platform to stage an attack on another host
– Attacker repeats the entire 'attack methodology' process to expand influence far and wide
• Tools:
– netcat
– Tftp
– Fpipe
– SMB Relay
– Hash 'cramming'
• Did you know: ¼ of all Internet routers contained third party sniffers
Viruses
• Main Sources: Internet, Mail, Floppy.
• You can protect yourself
• Keep up to date on new viruses (mailing lists, automatic updates, patch management process...)
Why viruses/worms win
• Viruses/worms usually exploit buffer overruns.
• 1 chance in 10^10 to find a buffer overrun
• Or you reverse engineer announced flaws in the system:
– Download a patch
– Install it on a computer
– Verify the modifications to system/memory allocations
• Write a virus based on the patch information
• Hope that nobody installed the patch
• What are my chances to be successful?
Why viruses/worms should not win
• A virus/worm usually ships 10 to 20 days 'after' the patch is released.
• Excuse #1: Good anti-virus software will protect me; somebody is always the first to be infected; what if the worm spreads faster than the pattern file?
• Excuse #2: We have a firewall that blocks all traffic; really, and you have one for all mobile users, one to split your internal network, etc...
• Excuse #3: Only Microsoft writes bogus code, I run on non-MS products; statistics say that each 1000 lines of code has 1 bug (no matter what software or vendor).
How much is enough security?
Thank you for attending
and remember,
PPT (People, Process, Technology)
KYE (Know Your Enemy)
Know Your Enemy
• Some Good Books:
– Hacking Exposed Windows 2000 by Joel Scambray and Stuart McClure, ISBN: 0072192623
– Windows 2000 Security Handbook by Philip Cox and Tom Sheldon, ISBN: 0072124334
Know Your Enemy
• Web Sites:
– HNC at http://www.hack-net.com
– Attrition at http://www.attrition.org
– Counterpane Systems (home of Bruce Schneier) at http://www.counterpane.com
– Cult of the Dead Cow at http://www.cultdeadcow.com
– Rootshell at http://rootshell.com
– 2600 at http://www.2600.com
– EEye at http://www.eeye.com
– WSD at http://www.w00w00.org
– NTSecurity at http://www.ntsecurity.net
Know Your Enemy
• Web Sites:
– Slash Dot at http://www.slashdot.org
– Razor at http://razor.bindview.com
– Rainforest Puppy at http://www.wiretrip.net/rfp
– Phrack at http://phrack.infonexus.com
– Security Focus at http://www.securityfocus.com. Get on the NTBugTraq mailing list here.
– BlackHat at http://www.blackhat.com/
– Nomad Mobile Research Centre at http://www.nmrc.org/
– Secure I Team at http://www.secureiteam.com
Know Your Enemy
• Events
– RSA Conference – http://www.rsaconference.com
– BlackHat – http://www.blackhat.com
– DefCon – http://www.defcon.org (The largest hacking convention, bring your own 802.11b wireless network card!)
References
• Hacking Exposed 4th Edition
• Hacking Windows 2000 Exposed
• Special Ops
• Microsoft Solution for Securing Windows 2000 Server – http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp
• NSA Security Guidelines – http://nsa1.www.conxion.com/