hack the net
Hack.lu 2005, 14./15.10.2005 (transcript of the slides)
Hack the Net
(Network diagram; labels: Unsafe Network, Safe Network, Packet Filter, Packet Filter, DMZ, Application Gateway)
goals and motivations -- be sure to know what you want --
- know about your motivations
  - hack for money
  - hack for political motivations
  - hack for fame and honor
  - hack for technical survey
- define your goals
  - deface a website
  - bring down a service, host or network (Denial of Service)
  - own the box, to prepare an advanced attack
  - steal information / documents
  - modify information for your advantage
information gathering -- know your enemy like yourself --
- visit the target's websites
  - review HTML code, JavaScript and comments & robots.txt
  - search for passwords, hidden directories, contact names
- whois request at the Network Information Centre
  - receive information about IP address ranges
  - names and e-mail addresses of the responsible persons
- DNS lookup
  - use nslookup tools to receive information about DNS & e-mail servers, looking for names like oracle, TestLinux, ....
  - try a zone transfer
information gathering -- know your enemy like yourself -- (cont.)
www.dns.lu
Domain name: hack.lu
Domain name holder:
CSRRT-LU ASBL, 2 rue de la Paix, L - 3541 Dudelange
Administrative Contact:
Arbogast Fred, CSRRT-LU ASBL, 2 rue de la Paix, L - 3541 [email protected]
Technical Contact:
Dulaunoy Alexandre, 10 rue du Faubourg, B - 6811 Les Bulles, [email protected]
Name Servers:
ns0.freeblind.net
ns1.freeblind.net

Nslookup
> server ns0.freeblind.net
Default Server: ns0.freeblind.net
Address: 158.64.24.250
> set type=ANY
> hack.lu
Server: ns0.freeblind.net
Address: 158.64.24.250
hack.lu nameserver = ns0.freeblind.net
hack.lu nameserver = ns1.freeblind.net
hack.lu internet address = 213.169.96.28
hack.lu MX preference = 10, mail exchanger = mail.hack.lu
hack.lu nameserver = ns0.freeblind.net
hack.lu nameserver = ns1.freeblind.net
ns0.freeblind.net internet address = 158.64.24.250
ns1.freeblind.net internet address = 158.64.24.251
mail.hack.lu internet address = 213.169.96.28
information gathering -- know your enemy like yourself -- (cont.)
www.ripe.de
inetnum: 213.169.96.0 - 213.169.127.255
netname: LU-ASTRANET-20021104
descr: SESM S.A. (Astra-Net)
country: LU
address: SESM S.A.
Chateau de Betzdorf, L-6815 Betzdorf, G.-D. Luxembourg
phone: +352 710 725 242
phone: +352 710 725 677
fax-no: +352 710 725 482
e-mail: [email protected]
[email protected]
information gathering -- know your enemy like yourself -- (cont.)
- footprinting @ google
  - news group articles of employees: author:<@targetdomain>
  - search business partners: link:<targetdomain>
  - site:<targetdomain> intitle:index.of
  - site:<targetdomain> error | warning
  - site:<targetdomain> login | logon
  - site:<targetdomain> username | userid
  - site:<targetdomain> password
  - site:<targetdomain> admin | administrator
  - site:<targetdomain> inurl:backup | inurl:bak
  - site:<targetdomain> intranet
non-internet attacks -- bypass the firewall --
- try to physically enter the target building
- attack the WLAN (Wireless LAN)
- War Dialling
- Social Engineering
- Dumpster Diving
Quotation, Bill Gates in: Susan Lammers, Programmers at Work, Tempus Books, Reissue Edition, 1989:
„No, the best way to prepare is to write programs, and to study great programs that other people have written. In my case, I went to the garbage cans at the Computer Science Centre and I fished out listings of their operating system.“
internet based attacks -- preparation --
- anonymity does not exist
  - break systems in different countries / time zones
  - install network multipurpose tools like netcat or backdoors
  - hop from host to host to get anonymity
- mapping of the target network
  - use system tools like traceroute & ping
  - identify network devices like firewalls & routers
  - identify servers; map network and subnet structure
- identify active services
  - portscan; nmap; Stealth-, ACK-, Null-, Xmas-Scan
  - identify operating system & services
  - identify application behind services & patch level
internet based attacks -- be silent --
- prepare the attack
  - research on the internet for known security holes
  - default passwords; common misconfigurations
  - set up a test environment to practice the attack
  - ideal: fire one single attack
- after a successful initial attack
  - hide the tracks from logfiles
  - expand local rights; find vulnerabilities in the network
  - install rootkits, steal the password database, start a network sniffer
  - try the same password on other systems
  - find problems in the topology (e.g. dual-homed hosts)
  - try to attack the private network
primary target webserver -- why they are so vulnerable --
- complex application
  - multiple subsystems: application server, scripts, SQL server
- self-made applications
  - programmers don't know how to write secure code
- Shell-Command-Injection
  - pass commands through the shell
  - Input: "Alice; rm -rf"
- SQL-Injection
  - inject SQL commands via user input
  - Input: "User=Alice' -&Pass=Idontknow"
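As an added example that is not part of the slides, the two injection cases above in Python, each vulnerable form beside a hardened one; the user table, the `finger` command and the username allow-list are constructed for the demonstration, and the slide's `Alice' -` input is read here as the SQL comment sequence `Alice' --`.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not from the slides);
    # a plaintext password column only to keep the demo short.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    con.execute("INSERT INTO users VALUES ('Alice', 's3cret')")
    return con


def login_vulnerable(con, user, pw):
    # Vulnerable: user input is spliced into the SQL text. A quote in the
    # name closes the string literal and "--" comments out the rest of the
    # line, so the password check disappears from the statement.
    sql = "SELECT name FROM users WHERE name='%s' AND pass='%s'" % (user, pw)
    return con.execute(sql).fetchone() is not None


def login_hardened(con, user, pw):
    # Hardened: bound parameters. The driver passes the values separately
    # from the statement text, so quotes and "--" are just characters.
    sql = "SELECT name FROM users WHERE name=? AND pass=?"
    return con.execute(sql, (user, pw)).fetchone() is not None


def finger_command_vulnerable(user):
    # Vulnerable: one string handed to /bin/sh (e.g. via os.system). The
    # shell treats ";" as a command separator, so "Alice; rm -rf" becomes
    # two commands.
    return "finger " + user


# Constructed allow-list for a Unix login name.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def finger_argv_hardened(user):
    # Hardened: validate against the allow-list, then build an argv list for
    # subprocess.run(argv) without shell=True, so no shell ever parses it.
    if not USERNAME_RE.match(user):
        raise ValueError("rejected username: %r" % user)
    return ["finger", user]
```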
advanced techniques -- IDS evasion --
- bypass the IDS by manipulating the patterns
- fragrouter supports all known techniques
  - examples: Unicode instead of ASCII; replace www.target.com/etc/passwd with www.target.com/etc/./passwd; fragmentation of packets on the IP level
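An added example, not part of the slides, of the defensive counterpart: canonicalising the request before pattern matching, so the `/etc/./passwd` rewrite and percent-encoded variants hit the same signature as the plain path. The request paths and signature list are constructed; the Unicode-for-ASCII and IP-fragmentation cases belong to the decoder and reassembly stages in front of a check like this, not to the check itself.

```python
from urllib.parse import unquote

# Constructed sample request paths: one plain, four rewritten the way the
# slide describes (dot segments, percent and double encoding), one benign.
REQUESTS = [
    "/cgi-bin/view?file=/etc/passwd",
    "/cgi-bin/view?file=/etc/./passwd",
    "/cgi-bin/view?file=/etc/%2e/passwd",
    "/cgi-bin/view?file=%252fetc%252fpasswd",
    "/cgi-bin/view?file=/etc/X11/../passwd",
    "/index.html",
]

# Constructed signature list for the demonstration.
SIGNATURES = ("/etc/passwd", "/etc/shadow")


def canonical_path(raw):
    # Step 1: percent-decode until stable, so %2e and the double-encoded
    # %252e both end up as "."; bounded so a hostile input cannot loop.
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Step 2: resolve "." and ".." and drop empty segments, which is what
    # the target's web server or filesystem will do with the path anyway.
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def naive_match(raw):
    # Literal substring match on the wire bytes: what the slide evades.
    return any(sig in raw for sig in SIGNATURES)


def normalized_match(raw):
    # Match against the canonical form instead of the raw request.
    return any(sig in canonical_path(raw) for sig in SIGNATURES)


def scan(requests):
    # Returns (hits for the naive matcher, hits for the normalized matcher).
    return (sum(naive_match(r) for r in requests),
            sum(normalized_match(r) for r in requests))
```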
thank you
- LinuxDays 2006 from 25.01.2006 - 27.01.2006
- Recommended readings:
  - Google Hacking – Syngress – Johnny Long – ISBN 1-931836-36-1
  - Physical Device Security – Syngress – Drew Miller – ISBN 1-932266-81-X
  - Buffer Overflow Attacks – Syngress – James C. Foster – ISBN 1-932266-67-4
  - Stealing the Network – Syngress – Ryan Russell – ISBN 1-931836-87-6
  - Stealing the Network – Syngress – 131ah – ISBN 1-931836-05-1
  - Zero-Day Exploit – Syngress – Rob Shein – ISBN 1-931836-09-4
  - Hacking: The Art of Exploitation – APress – Jon Erickson – ISBN 1-59327-007-0