Hacking Methodologies
An overview of historical hacking approaches

Johnny Long
http://johnny.ihackstuff.com
johnny@ihackstuff.com
Varied Approaches

- Old School: Slow, careful, precise, invasive
- Pros: Fast, careful, precise, sometimes invasive
- Skript Kiddies: Slow, reckless, imprecise, invasive
- Defacers: Fast, reckless, precise, mildly invasive
Old School

For years, information security pundits have followed and believed in a hacking methodology which described the steps a hacker classically followed when performing an attack.

That methodology followed these basic steps:

- Information Gathering
- Probe
- Attack
- Advancement
- Entrenchment
- Infiltration/Extraction
Old School: Information Gathering

- Decide and discover which targets to attack
- Often begin with a specific network or a specific company
- Whois, nslookup queries
- samspade.org
- Search engines (googlescanning)
Old School: Probe

- Scan specific targets for vulnerabilities
- Search sweeping ranges of ports with a portscan (nmap)
- Grab details such as service versions from the discovered ports, aka banner grabbing (netcat)
- NT: Connect to and enumerate information from NETBios (enum)
- Search the Internet for vulnerabilities based on versions of software found on targets
Old School: Probe (tools)

- NMAP (http://www.insecure.org/nmap)
- Superscan (http://www.webattack.com/get/superscan.shtml)
- Nessus (http://www.nessus.org)
- Whisker (http://sourceforge.net/projects/whisker/)
- Netcat (http://www.atstake.com/research/tools/)
- Enum (http://razor.bindview.com/tools/index.shtml)
- THC-Probe (http://www.thehackerschoice.com/download.php?t=r&d=probe-4.1.tar.gz)
Old School: Probe (screenshots)

Nmap is used to scan the ports of the target system. Using the -O option would also report the operating system of the target.

Nmap's guess at the operating system type.

Some services listen behind RPC; rpcinfo can give us this info.
Old School: Attack

- Gather compatible exploits
- Compile exploits (if required)
- Launch exploits against targets
- Modify parameters, re-launch exploits (if required)
Old School: Attack

There are many different types of attacks, which can be broken down into several classifications.

The attacks are performed from one of two perspectives:

- Local: The attacker has access to a command prompt or has gained the ability to execute commands on the target
- Remote: The attacker exploits the target box without first gaining access to a command shell
Attacks: Buffer Overflow

- Aka the Boundary Condition Error: stuff more data into a buffer than it can handle. The resulting overflowed data "falls" into a precise location and is executed by the system
- Local overflows are executed while logged into the target system
- Remote overflows are executed by processes running on the target that the attacker connects to
- Result: Commands are executed at the privilege level of the overflowed program
- Example: SNMPXDMID overflow (Solaris 6-8), http://www.securityfocus.com/bid/2417
Attacks: Input Validation

- A process does not strip input before processing it, e.g. special shell characters such as semicolon and pipe symbols
- An attacker provides data in unexpected fields, e.g. SQL database parameters
Attacks: Input Validation

Example: Trillian IRC Module Format String Vulnerability (http://online.securityfocus.com/bid/5388)

A format string vulnerability has been reported in the Trillian IRC module. An attacker can exploit this vulnerability by enticing a user to join a channel with a malicious channel name (e.g. #%n%n%n). An attacker in control of a malicious server may exploit vulnerable clients who have connected.
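The two input-validation defects above, the unstripped shell metacharacter and the Trillian-style format string, beside their hardened forms, as an added example that is not from the original slides; the function names are hypothetical and the vulnerable patterns are shown in comments only:

```c
#include <stdio.h>
#include <string.h>

/* 1. Shell metacharacters. Vulnerable pattern, for contrast only:
 *
 *   snprintf(cmd, sizeof cmd, "finger %s", user);  // user = "bob; cat /etc/passwd"
 *   system(cmd);                                   // ';' ends finger, starts cat
 *
 * The fix is an allow-list on the untrusted field (and, when a command
 * really must run, execvp() with an argv array rather than system()). */
int is_safe_username(const char *s) {
    if (*s == '\0' || strlen(s) > 32) return 0;
    for (; *s; s++) {
        int ok = (*s >= 'a' && *s <= 'z') || (*s >= '0' && *s <= '9')
                 || *s == '_' || *s == '-';
        if (!ok) return 0;                 /* rejects ';', '|', '`', '$', ... */
    }
    return 1;
}

/* 2. Format strings (the Trillian channel-name case). Vulnerable pattern:
 *
 *   printf(channel);           // channel = "#%n%n%n": %n writes to memory
 *
 * The fix: the format is a compile-time constant and the data goes
 * through %s, so "%n" in the channel name is just three characters. */
int log_join_safe(char *out, size_t outlen, const char *channel) {
    return snprintf(out, outlen, "Joined channel: %s", channel);
}

/* Detection helper: count '%' directives in untrusted text so a proxy or
 * log monitor can flag a channel name like "#%n%n%n". "%%" is a literal. */
int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}
```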
Attacks: Race Conditions

- An attacker forces an action during a sensitive time window between two operations
- A program checks to make sure output file /tmp/temp_output does not exist
- The program wanders off and does other stuff
- An attacker quickly creates a symlink from /tmp/temp_output to /etc/shadow
- The program writes to /tmp/temp_output, which clobbers /etc/shadow
- Example: RedHat Linux diskcheck (http://online.securityfocus.com/bid/2050)
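The check-then-write race from the slide, replayed in a private scratch directory with a decoy file standing in for /etc/shadow, and the fix (one atomic open with O_EXCL and O_NOFOLLOW). Added example, not from the original slides; function names are hypothetical:

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Step 1 from the slide: the program checks that the output file does
 * not exist yet. Returns 1 when the path is free. */
int check_not_exists(const char *path) {
    return access(path, F_OK) != 0;
}

/* Vulnerable step 2: fopen("w") follows a symlink that appeared after
 * the check and truncates whatever it points to. */
int write_output_unsafe(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    fclose(f);
    return 0;
}

/* Hardened step 2: one atomic open. O_EXCL fails if anything (a file or
 * a symlink) already exists at the path, and O_NOFOLLOW refuses to
 * follow a link, so there is no check-then-use window to win. */
int write_output_safe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;                 /* errno is EEXIST in the race */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Replays the race: a decoy "shadow" file stands in for /etc/shadow.
 * Returns 1 if the decoy was clobbered, 0 if it survived, -1 on a
 * setup error. */
int replay_race(int use_safe_write) {
    char dir[] = "/tmp/racedemo.XXXXXX";
    char shadow[300], out[300], buf[64] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(shadow, sizeof shadow, "%s/shadow", dir);
    snprintf(out, sizeof out, "%s/temp_output", dir);

    FILE *f = fopen(shadow, "w");
    if (!f) return -1;
    fputs("root:secret\n", f);
    fclose(f);

    if (!check_not_exists(out)) return -1;     /* the program's check passes */
    if (symlink(shadow, out) != 0) return -1;  /* attacker wins the window */
    if (use_safe_write) write_output_safe(out, "owned\n");
    else write_output_unsafe(out, "owned\n");

    f = fopen(shadow, "r");
    if (f) { fgets(buf, sizeof buf, f); fclose(f); }
    unlink(out); unlink(shadow); rmdir(dir);
    return strcmp(buf, "root:secret\n") != 0;
}
```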
Attacks: Environment Errors

- An attacker makes a change to a program's environment that was not expected
- For example, a program relies on the UNIX environment variable $USER to determine who is running the program
- An attacker changes this value to "root" before executing the program
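The $USER mistake above beside the check a program should make instead: the environment is a string the caller controls, while the uid comes from the kernel. Added example, not from the original slides; function names are hypothetical:

```c
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern from the slide: $USER is just a string the caller
 * put into the environment, so "USER=root ./program" passes this check. */
int is_root_by_env(void) {
    const char *user = getenv("USER");
    return user != NULL && strcmp(user, "root") == 0;
}

/* Hardened: ask the kernel. The real uid comes from the credentials the
 * process was started with and cannot be changed through the environment. */
int is_root_by_uid(void) {
    return getuid() == 0;
}

/* Resolve the caller's name from the uid rather than from $USER; falls
 * back to "?" when the passwd database has no entry (minimal containers). */
const char *real_user_name(void) {
    struct passwd *pw = getpwuid(getuid());
    return pw ? pw->pw_name : "?";
}
```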
Attacks: Weak Passwords

- Accounts with weak passwords are guessed by a remote attacker
- Accounts with weak passwords are cracked by an attacker with access to a password database
- THC-HYDRA Login Hacker (http://www.thehackerschoice.com/releases.php)
Attack: Exploit Sites

- SecurityFocus (http://www.securityfocus.com)
- Packetstorm (http://packetstormsecurity.org)
- New Order (http://neworder.box.sk/)
- Hack in the Box (http://www.hackinthebox.org/)
- phreak.org (http://www.phreak.org/archives/exploits/unix/)
Old School: Attack phases

The Attack is most often broken into several phases (perhaps running cyclically):

- Locating Exploits
- Getting Exploits
- Modification of Exploits
- Building Exploits
- Testing Exploits
- Running Exploits
Old School: Locating exploits (screenshots)
Old School: Getting Exploits

The wget program downloads the exploit to the attacker's machine.

Old School: Modifying exploit

(-lsocket won't work)

Most exploits will not work across all platforms, so modifications generally need to be made. In this case, -lsocket is removed for running on our RedHat 7.2 attack box.
Old School: Building Exploit

Some exploits come complete with a Makefile, so a simple make command is all that's required to build the exploit.

The make command successfully produces the exploit, in this case automountdexp.

Old School: Testing Exploit

The -h parameter shows the usage for this exploit.
Old School: Attack - Running Exploit

This attack executes commands on the target (a Solaris 2.5.1 box) as root. In this case, the attacker drops a line into /etc/inet/inetd.conf and a line into /etc/services. When the system is restarted (or inetd is restarted) a listening root shell is opened on port 31337.

Old School: Attack - Success!

The attacker connects to the 31337 port on the target and is greeted with a root prompt.
Old School: Advancement (optional)

- If needed, gain further access to targets by further exploitation: Trojans, Local Exploits
- The advancement phase will somewhat mirror the Attack phases unless the attacker has already tested the exploits
Old School: Entrenchment

- Modify targets to ensure future access: Backdoors, Rootkits
Entrenchment: Backdoors

- Linux: Non-listening backdoor programs = No listening port!
  - SAdoor (http://cmn.listprojects.darklab.org/)
  - Cd00r (http://www.phenoelit.de/stuff/cd00rdescr.html)
- NT/2K:
  - Fake GINA, username and password interceptor (http://www.rootkit.com/projects/ginatroj/)
  - NTKap, removes NT ACL protection (http://www.rootkit.com/projects/ntkap/)
Entrenchment: Rootkits

- Linux:
  - LRK5 (http://online.securityfocus.com/data/tools/lrk5.src.tar.gz)
  - ADORE (http://online.securityfocus.com/tools/1490)
  - KNARK (http://online.securityfocus.com/tools/1163)
- NT:
  - NT Rootkit (http://www.rootkit.com/projects/ntroot/)
  - NULL.SYS (http://www.rootkit.com/projects/nullsys/)
Old School: Infiltration/Extraction

- Install sniffers to monitor network traffic, gather usernames/passwords
- Extract data from compromised systems
- Compromise neighboring targets based on captured data or trust relationships
Professionals

Professional hackers, or ethical hackers, tend to follow the following methodology:

- Information Gathering
- Probe
- Attack
- Advancement
- Infiltration/Extraction
Professionals

Most often, professional ethical hackers rely on Vulnerability Scanners to perform their jobs:

- Nessus
- Retina by eEye
- Network Associates CyberCop
- H.E.A.T.
- Internet Security Systems Internet Scanner

(see http://www.networkcomputing.com/1201/1201f1b1.html)

Professionals: Vulnerability Scanner Demo
Skript Kiddies

Skript Kiddies, named for their annoying ability to (sometimes) successfully compromise a system using pre-written scripts, generally follow a very simple non-cyclical methodology. (See http://project.honeynet.org/papers/enemy/ for an interesting writeup on the topic.)

- Exploit Selection
- Target Selection
- Attack
Skript Kiddies: Exploit Selection

- Nearly identical to the Old School method of locating exploits; skript kiddies generally use search engines to locate exploits
- Skript Kiddies are generally not a technically savvy lot, so exploit selection is made based on attack platforms available (generally Windows-based) and ease of use
Skript Kiddies: Target Selection

- Most target selection involves noisy scanners, often launched from Windows platforms
- An increasing number of Skript Kiddies, however, are gaining familiarity with Linux and use fairly standard tools such as nmap
Skript Kiddies: Attack!

- Unlike old-school attacks, Skript Kiddies' tools are generally pre-compiled, or written in interpreted languages such as Perl
- If an exploit needs to be built, most kiddies will not be able to get it working
- If a built exploit fails, a skript kiddie usually moves along to another target instead of fixing the exploit. This makes the process non-cyclical
Defacers

Web Defacers

While old school methods are still in use, web defacers statistically own the hacking landscape.
http://www.alldas.org
Profile of a web defacer

- Handle: intrud3rm4n
- Age: 21
- Group: Leader of ISOTK (In Search of the Knowledge!)
- Defacement count (8/09/02): 960 sites, 785 addresses, 175 mass defacements
- My favorite defacement: http://defaced.alldas.org/mirror/2002/07/21/java.capgemini.nl/
- Country of Origin: Brazil
- Language: Portuguese
- Favorite Hacking food: Hamburgers and Fries
- Favorite Hacking Music: Metallica =)
- Favorite exploit: whacking LINUX boxen
- Reason for defacing: FUN

Defaced: Cap Gemini (screenshot)
Following web defacers

- http://www.alldas.org
- http://www.zone-h.com/en/defacements
- http://www.delta5.com.br/mirror/
Common Web Defacement Methodology

Web Defacers, for the most part, have a slightly different methodology. Instead of basing the exploit on the target, the target is selected based on its vulnerability to the exploit!

The web defacement methodology (again, often cyclical) is generally as follows:

- Exploit Selection
- Target Selection
- Attack
- Defacement
Web Defacement

Amateur defacers usually stick with one exploit and one target platform...
Defacer's Exploit Selection

- An attacker's level of comfort with an Operating System will often decide the types of exploits used
- UNIX-based attackers often opt for C-based remote overflows
- Windows-based attackers often opt for Perl-based remote overflows, Visual Basic tools, or command-line net commands
- Attackers with only browser-based experience, or simplistic attackers seeking privacy through proxies, will opt for URL-based attacks such as UNICODE or DECODE, Front Page exploits, or PHP-Nuke attacks
Defacer's Search for Exploits

Often an amateur defacer will monitor popular security sites (such as securityfocus) to select exploits.
Defacer's Target Selection

Armed with an exploit, most web defacers now seek vulnerable targets using various methods:

- Web searching: Netcraft, Netstat, Google
- Host scanning: Nmap, custom scanners
Defacer's Target Selection: Web Searches

http://www.netcraft.com
Defacer's Target Selection: Web Searches

Using search engines to locate vulnerable servers is a very interesting and fruitful technique which hasn't been explored in great detail.

http://johnny.ihackstuff.com/security/googledorks.shtml
Defacer's Target Selection: Web Searches

Google query: intitle:Index of Apache 1.3.11

Here, Apache 1.3.11 servers are located through creative use of the Google search engine.
Defacer's Target Selection: Web Searches

http://www.netstat.ru
Defacer's Target Selection: Host Scanning

Nmap's OS detection feature (-O) provides a decent guess as to the operating system of the target.
Defacer's Target Selection: Host Scanning

http://packetstormsecurity.com provides a great resource for custom vulnerability scanners.
Defacer's Attack

- Once the target and the exploit are selected, the attacker launches the attack against the server
- If the attack fails, the attacker will often modify the attack and try again
Questions?