hack the net · 14./15.10.2005 hack.lu 2005 4 goals and motivations-- be sure to know what you want...


Post on 10-Mar-2020


14./15.10.2005 Hack.lu 2005 1

hack the net


[Figure: "Hack the Net" network diagram. Labels: Unsafe Network, Safe Network, Packet Filter (twice), DMZ, Application Gateway]


goals and motivations -- be sure to know what you want --

- know about your motivations
  - hack for money
  - hack for political motivations
  - hack for fame and honor
  - hack for technical survey

- define your goals
  - deface a website
  - bring down a service, host or network (Denial of Service)
  - own the box - to prepare an advanced attack
  - steal information / documents
  - modify information for your advantage


information gathering -- know your enemy like yourself --

- visit the target's websites
  - review HTML code, JavaScript, comments & robots.txt
  - search for passwords, hidden directories, contact names

- whois request at the Network Information Centre
  - receive information about IP address ranges
  - names and e-mail addresses of the people responsible

- DNS lookup
  - use nslookup tools to get information about DNS & e-mail servers, looking for names like oracle, TestLinux, ....
  - try a zone transfer


information gathering -- know your enemy like yourself --

www.dns.lu

Domain name: hack.lu
Domain name holder:
  CSRRT-LU ASBL,
  2 rue de la Paix
  L - 3541 Dudelange

Administrative Contact:
  Arbogast Fred
  CSRRT-LU ASBL,
  2 rue de la Paix
  L - 3541 [email protected]

Technical Contact:
  Dulaunoy Alexandre
  10 rue du Faubourg
  B - 6811 Les Bulles- [email protected]

Name Servers:
  ns0.freeblind.net
  ns1.freeblind.net

Nslookup

> server ns0.freeblind.net
Default Server: ns0.freeblind.net
Address: 158.64.24.250

> set type=ANY
> hack.lu
Server: ns0.freeblind.net
Address: 158.64.24.250
hack.lu nameserver = ns0.freeblind.net
hack.lu nameserver = ns1.freeblind.net
hack.lu internet address = 213.169.96.28
hack.lu MX preference = 10, mail exchanger = mail.hack.lu
hack.lu nameserver = ns0.freeblind.net
hack.lu nameserver = ns1.freeblind.net
ns0.freeblind.net internet address = 158.64.24.250
ns1.freeblind.net internet address = 158.64.24.251
mail.hack.lu internet address = 213.169.96.28


information gathering -- know your enemy like yourself --

www.ripe.de

inetnum: 213.169.96.0 - 213.169.127.255
netname: LU-ASTRANET-20021104
descr: SESM S.A. (Astra-Net)
country: LU
address: SESM S.A.
         Chateau de Betzdorf,
         L-6815 Betzdorf
         G.-D. Luxembourg,
phone: +352 710 725 242
phone: +352 710 725 677
fax-no: +352 710 725 482
e-mail: [email protected]: [email protected]


information gathering -- know your enemy like yourself --

- footprinting @ google
- news group articles of employees author:<@targetdomain>
- search business partners link:<targetdomain>
- site:<targetdomain> intitle:index.of
- site:<targetdomain> error | warning
- site:<targetdomain> login | logon
- site:<targetdomain> username | userid
- site:<targetdomain> password
- site:<targetdomain> admin | administrator
- site:<targetdomain> inurl:backup | inurl:bak
- site:<targetdomain> intranet


non-internet attacks -- bypass the firewall --

- try to physically enter the target building
- attack the WLAN (Wireless LAN)
- War Dialling
- Social Engineering
- Dumpster Diving

Quotation, Bill Gates in: Susan Lammers; Programmers at Work; Tempus Books; Reissue Edition, 1989:
„No, the best way to prepare is to write programs, and to study great programs that other people have written. In my case, I went to the garbage cans at the Computer Science Centre and I fished out listings of their operating system.“


internet based attacks -- preparation --

- anonymity doesn't exist
  - break systems in different countries / time zones
  - install network multipurpose tools like netcat or backdoors
  - hop from host to host to get anonymity

- mapping of the target network
  - use system tools like traceroute & ping
  - identify network devices like firewalls & routers
  - identify servers; map network and subnet structure

- identify active services
  - portscan; nmap; Stealth-, ACK-, Null-, Xmas-Scan
  - identify operating system & services
  - identify application behind services & patch level


internet based attacks -- be silent --

- prepare attack
  - research on internet for known security holes
  - default passwords; common misconfigurations
  - set up a test environment to practice the attack
  - ideal: fire one single attack

- after a successful initial attack
  - hide the tracks from logfiles
  - expand local rights; find vulnerabilities in network
  - install rootkits, steal password database, start network sniffer
  - try same password on other systems
  - find problems in topology (e.g. dual homed hosts)
  - try to attack the private network


primary target webserver -- why they are so vulnerable --

- complex application
- multiple subsystems: application server, scripts, sql-server
- self made applications: programmers don't know how to write secure code
- Shell-Command-Injection: bypass commands through the shell
  Input: "Alice; rm - rf"
- SQL-Injection: bypass SQL commands by user input
  Input: "User=Alice' -&Pass=Idontknow"
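
Both injection classes on this slide come from the same mistake: user input is concatenated into a string that a shell or SQL parser then interprets. The following added example (not from the original slides) shows each vulnerable call beside its fixed form; the table, credentials, function names and the harmless `echo INJECTED` marker used in place of the slide's `rm` input are constructed for illustration.

```python
import sqlite3
import subprocess


def make_db():
    # Constructed sample data: one user with a made-up password.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    db.execute("INSERT INTO users VALUES ('Alice', 'correct-horse')")
    return db


def login_vulnerable(db, user, password):
    # Input is pasted into the statement: a quote closes the string literal
    # and "--" turns the password check into a comment.
    sql = f"SELECT 1 FROM users WHERE name = '{user}' AND pass = '{password}'"
    return db.execute(sql).fetchone() is not None


def login_safe(db, user, password):
    # Bound parameters are always data and never parsed as SQL.
    sql = "SELECT 1 FROM users WHERE name = ? AND pass = ?"
    return db.execute(sql, (user, password)).fetchone() is not None


def greet_vulnerable(name):
    # The shell parses the whole string, so ";" starts a second command.
    done = subprocess.run("echo Hello " + name, shell=True,
                          capture_output=True, text=True)
    return done.stdout


def greet_safe(name):
    # Argument vector and no shell: the input stays one argv entry.
    done = subprocess.run(["echo", "Hello", name],
                          capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "Alice' --", "Idontknow"))  # True: check bypassed
    print(login_safe(db, "Alice' --", "Idontknow"))        # False
    print(login_safe(db, "Alice", "correct-horse"))        # True
    print(repr(greet_vulnerable("Alice; echo INJECTED")))
    print(repr(greet_safe("Alice; echo INJECTED")))
```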


advanced techniques -- IDS evasion --

- bypass IDS by manipulating the patterns
- fragrouter supports all known techniques

examples:
- Unicode instead of ASCII
- replace www.target.com/etc/passwd with www.target.com/etc/./passwd
- fragmentation of packets on IP level
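
The `/etc/./passwd` example works because a signature compared against the raw request no longer matches, although the web server resolves both paths to the same file. The following added example (not part of the original slides) shows the defensive counterpart, canonicalizing the request path before matching; the one-rule signature set, the function names and the sample requests beyond the slide's own pair are constructed.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed one-rule signature set, standing in for an IDS pattern.
SIGNATURE = re.compile(r"/etc/passwd")


def naive_match(request):
    # Pattern match on the raw request string, as a simple IDS rule would.
    return bool(SIGNATURE.search(request))


def canonical_path(request):
    path = urlsplit(request).path
    # Undo percent-encoding until stable, so %2e and %252e both become ".".
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # normpath collapses "//" and "/./" and resolves "..".
    return posixpath.normpath("/" + path.lstrip("/"))


def normalized_match(request):
    # Same signature, applied to the canonical form of the path.
    return bool(SIGNATURE.search(canonical_path(request)))


# Constructed sample requests; the first two are the pair from the slide.
SAMPLES = [
    "www.target.com/etc/passwd",
    "www.target.com/etc/./passwd",
    "http://www.target.com/etc/%2e/passwd",
    "http://www.target.com//etc/x/../passwd",
    "http://www.target.com/index.html",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:42} naive={naive_match(s)!s:5} "
              f"normalized={normalized_match(s)}")
```

The canonical form has to be the one the protected web server itself uses, because any difference between the sensor's and the server's interpretation of a request is what evasion tools exploit. IP-level fragmentation, the slide's third example, needs packet reassembly in the sensor and is not covered here.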


thank you

- LinuxDays 2006 from 25.01.2006 - 27.01.2006

- Recommended readings:
  - Google Hacking – Syngress – Johnny Long – ISBN 1-931836-36-1
  - Physical Device Security – Syngress – Drew Miller – ISBN 1-932266-81-X
  - Buffer Overflow Attacks – Syngress – James C. Foster – ISBN 1-932266-67-4
  - Stealing the Network – Syngress – Ryan Russell – ISBN 1-931836-87-6
  - Stealing the Network – Syngress – 131ah – ISBN 1-93183605-1
  - Zero-Day Exploit – Syngress – Rob Shein – ISBN 1-931836-09-4
  - Hacking: The Art of Exploitation – APress – Jon Erickson – ISBN 159 327 0070