Hacking Methodology Lab 1

Page 1: Hacking Methodology Lab 1

Ted Mac Daibhidh, C.D.

NETWORK SECURITY & ETHICAL HACK SPECIALIST

[email protected]

h4X0R: Know Your Enemy

Hacking Methodology & Tools:

Network Reconnaissance &

Building Your Lab


Page 3: Hacking Methodology Lab 1

Classification

This briefing has no class at all - in fact…

The briefing is UNCLASSIFIED in its entirety.

Page 4: Hacking Methodology Lab 1

Briefing Goals

The goal of this briefing is five-fold:

a. acquaint the analyst with the hacker’s methodology (“The Anatomy of a Hack”) with respect to network reconnaissance;

b. introduce some of the methods and tools used during the network reconnaissance process;

c. drive home the requirement for continuing professional development;

d. demonstrate the benefits of a personal lab and the methods used in lab construction; and

e. introduce some tools that can be utilized in a personal lab environment.

Page 5: Hacking Methodology Lab 1

The Anatomy of a Hack

[Diagram: Footprinting → Scanning → Enumeration → Gaining Access → Privilege Escalation → Pilfering → Covering Tracks → Back Door Creation → Denial of Service]

The “Anatomy of a Hack” summarizes the steps a cracker undertakes prior to and during a network attack. This process consists of two distinct phases:

• Reconnaissance and Target Acquisition

Footprinting

Scanning

Enumeration

• Assault

Gaining access

Privilege escalation

Pilfering

Covering tracks

Back door creation

Denial of Service (DoS)

Page 6: Hacking Methodology Lab 1

Footprinting

Footprinting refers to the systematic process by which an attacker attempts to compile as much information as possible regarding a targeted network, including:

• Domain name

• Network blocks

• Overall security posture

• Specific IP addresses

Types of Footprinting:

• Active – The target may be alerted to the activity (traceroutes, social engineering, zone transfers).

• Passive – The target is unaware of the reconnaissance activity (Whois searches, other open source information).

Page 7: Hacking Methodology Lab 1

Footprinting Techniques & Tools

Techniques –

• DNS zone transfer/interrogation

• Online Tools

• Open source search

• Route tracing

• Social Engineering

• Whois lookup

Tools –

• nslookup

• p0f

• “Sam Spade”

• Search engines

• traceroute

• Usenet

• whois (Internic, ARIN, etc.)

• WinNSlookup

Page 8: Hacking Methodology Lab 1

DNS Interrogation

Page 9: Hacking Methodology Lab 1

DNS Interrogation

Page 10: Hacking Methodology Lab 1

DNS Interrogation – DNS Resource Record Type Codes

DNS RR Type Codes:

• A (Assigned) - Associates an IP with a canonical hostname.

• CNAME (Canonical Name) - Associates an alias with its canonical hostname.

• HINFO (Host Information) – Specifics regarding an individual host.

• LOC (Location Brief) – The geographical location of a host.

• MINFO (Mail Information) – Mail related resource information.

• MX (Mail Exchange) – Identifies a mail exchange resource.

• NS (Name Server) - Points to a master name server of a subordinate zone.

• RP (Responsible Person) – Identifies the individual responsible for a host.

• SOA (Start of Authority) - Identifies the start of a zone of authority.

• SRV (Server) – Designates any host providing a network service.

• WKS (Well Known Service) – Information services offered on a host.

Most DNS RR types are defined in RFCs 1034, 1183, 1876, and 2782.

Page 11: Hacking Methodology Lab 1

DNS Interrogation – DNS Record Examples

| DOMAIN | DNS RR TYPE | RECORD ENTRY |
|---|---|---|
| IMISSTECH.TV. | A | 10.1.1.1 imisstech.tv. |
| | HINFO | HP-UX UNIX |
| | SRV | DMZ Server |
| | WKS | 10.1.1.1 tcp ftp telnet smtp pop3 |
| | RP | ted.macdaibhidh.imisstech.tv. |
| IAMACUTEC.AT. | A | 192.168.1.1 iamacutec.at |
| | MX | 10 iamacutec.at |
| | HINFO | WINDOWS 2003 SERVER |
| | WKS | 192.168.1.1 udp domain |
| | WKS | 192.168.1.1 tcp ftp telnet smtp domain |
| | RP | wallie.the.tabby.cat.admin.iamacutec.at. |
| | RP | murphy.the.mainecoon.tech.iamacutec.at |
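The record examples above, turned into a defender's zone audit: the following Python is an added example (not the briefing's code) that parses a constructed zone-file-style record list mirroring the slide's two domains and flags the record types that hand an outsider footprinting information before a single packet is sent at a host. The sample zone, the `INFORMATIVE_TYPES` table and the cleartext-service check are this example's assumptions.

```python
"""Audit a zone's resource records for footprinting exposure.

Added example, not part of the original briefing. It parses a
constructed, zone-file-style record list (mirroring the slide's
IMISSTECH.TV / IAMACUTEC.AT examples) and reports records whose
content tells an outsider more than name resolution requires.
"""
from dataclasses import dataclass

# Record types whose data is descriptive rather than needed for
# resolution; the reason text is what a reviewer would put in a finding.
INFORMATIVE_TYPES = {
    "HINFO": "discloses hardware/OS of the host",
    "RP":    "names a responsible person (social engineering pretext)",
    "WKS":   "lists services the host offers (pre-scan target list)",
    "LOC":   "gives the physical location of the host",
    "MINFO": "exposes mail administration details",
}

# Constructed sample zone (not the slide's verbatim text). An owner name
# starts a record; a line beginning with whitespace keeps the owner above.
SAMPLE_ZONE = """\
imisstech.tv.   A      10.1.1.1
                HINFO  "HP-UX" "UNIX"
                WKS    10.1.1.1 tcp ftp telnet smtp pop3
                RP     ted.macdaibhidh.imisstech.tv. .
iamacutec.at.   A      192.168.1.1
                MX     10 iamacutec.at.
                HINFO  "WINDOWS 2003 SERVER" "WINDOWS"
                WKS    192.168.1.1 udp domain
                WKS    192.168.1.1 tcp ftp telnet smtp domain
                RP     wallie.the.tabby.cat.admin.iamacutec.at. .
"""


@dataclass
class Record:
    owner: str
    rtype: str
    rdata: str


def parse_zone(text):
    """Parse owner/type/rdata triples; a blank owner column inherits
    the previous owner, as in a real zone file."""
    records, owner = [], None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue                               # blank or comment
        if not line[0].isspace():                  # new owner name
            owner, rest = line.split(None, 1)
        else:
            rest = line.strip()
        if owner is None:
            raise ValueError("record without an owner: %r" % line)
        rtype, _, rdata = rest.partition(" ")
        records.append(Record(owner, rtype.upper(), rdata.strip()))
    return records


def audit(records):
    """Return (owner, type, reason) findings: every informative record,
    plus WKS entries that advertise cleartext login/mail services."""
    findings = []
    for r in records:
        if r.rtype in INFORMATIVE_TYPES:
            findings.append((r.owner, r.rtype, INFORMATIVE_TYPES[r.rtype]))
        if r.rtype == "WKS":
            services = set(r.rdata.split()[2:])    # after address + proto
            weak = sorted(services & {"telnet", "ftp", "pop3"})
            if weak:
                findings.append((r.owner, "WKS",
                                 "advertises cleartext services: " + ", ".join(weak)))
    return findings


def hosts_by_type(records, rtype):
    """Owner names that carry at least one record of the given type."""
    return sorted({r.owner for r in records if r.rtype == rtype})
```

Run `audit(parse_zone(SAMPLE_ZONE))` to list the findings; feeding it your own zone file shows what a successful zone transfer would hand over.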

Page 12: Hacking Methodology Lab 1

Online Tools – Sam Spade

Page 13: Hacking Methodology Lab 1

Open Source Search – Search Engine

Page 14: Hacking Methodology Lab 1

Open Source Search – Search Engine

Page 15: Hacking Methodology Lab 1

UseNet Search

Page 16: Hacking Methodology Lab 1

Lookup - ARIN Whois

Page 17: Hacking Methodology Lab 1

Lookup - InterNIC Whois

Page 18: Hacking Methodology Lab 1

Traceroute

c:\>tracert server.target.net

OR

c:\>tracert 4.3.4.2

• Traceroute is a utility available in both Windows and *nix OSes.

• This utility records the specific gateway computers at each hop between the source host and a specified destination host.

• Allows the attacker to determine some basic network topology and determine the location of routers and packet filtering devices.

• As a general rule of thumb, the last host before the live target host is performing routing/packet filtering functions.

• Use of the “-p” switch to specify a specific destination port may allow tracerouting beyond packet filtering devices.

Page 19: Hacking Methodology Lab 1

Traceroute

C:\WINDOWS\Desktop>tracert 1.2.61.100

Tracing route to host bb2-web1.xxx.net [1.2.61.100]

1 3 ms 9 ms 9 ms Ubergeek [xxx.xxx.xxx.xxx]

2 70 ms 49 ms 69 ms gw01.phub.cable.rogers.com [xxx.xxx.82.138]

3 116 ms 99 ms 99 ms bb2.gw4.xxx.xxx.net [1.2.60.1]

4 117 ms 100 ms 100 ms bb2-gw2-60-22.xxx.net [1.2.60.2]

6 198 ms 109 ms 110 ms bb2-fw-2-dmz.xxx.net [1.2.61.1]

7 237 ms 179 ms 220 ms bb2-web1.xxx.net [1.2.61.100]

Trace complete.

C:\WINDOWS\Desktop>

Page 20: Hacking Methodology Lab 1

XXX.net Network Topology

• With one simple traceroute to a web server, we have determined the basic topology of the XXX.net network.

• Armed with a basic knowledge of network design, we can surmise that:

a. another firewall is in place between the internal network cloud and the router; and

b. other possibly vulnerable services and applications (e.g. FTP, databases, e-mail) are running in the DMZ cloud.

• Now that the basic network topology has been resolved, more intrusive methods can be used to footprint other network resources.

Page 21: Hacking Methodology Lab 1

C:\WINDOWS\Desktop>tracert

Tracing route to host bb2.fw1.xxx.xxx.net [1.2.60.3]

1 2ms 6 ms 8 ms Ubergeek [xxx.xxx.xxx.xxx]

2 68 ms 47ms 69 ms gw01.phub.cable.rogers.com [xxx.xxx.82.138]

3 111 ms 92 ms 100 ms bb2.gw4.xxx.xxx.net [1.2.60.1]

4 123ms 101 ms 103 ms bb2.gw2.xxx.xxx.net [1.2.60.2]

5 138 ms 107 ms 109 ms bb2.fw1.xxx.xxx.net [1.2.60.3]

Trace complete.

C:\WINDOWS\Desktop>

Traceroute

• We now have an initial map of the network and an insight into its naming conventions.

• An educated guess and another traceroute yields another firewall.
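The two traces above, read the way the briefing reads them, as an added example (not the briefing's code): the Python below parses constructed Windows tracert output (modelled on the slides' bb2-*.xxx.net traces, with the addresses replaced by documentation ranges) and applies the rule of thumb that the last responding hop before the target is the router or packet filter. The hostname role hints (`fw`, `gw`, `dmz`) are a heuristic of this example, not something tracert reports; reviewing your own edge this way shows what the naming convention gives away.

```python
"""Infer what an external traceroute reveals about a network edge.

Added example, not from the briefing. Parses constructed Windows
tracert output and applies the briefing's rule of thumb: the last
responding hop before the target is doing routing/packet filtering.
"""
import re

# Constructed trace; hop 5 times out, as one did on the slide.
SAMPLE_TRACE = """\
Tracing route to bb2-web1.example.net [203.0.113.100]
over a maximum of 30 hops:

  1     3 ms     9 ms     9 ms  Ubergeek [192.0.2.1]
  2    70 ms    49 ms    69 ms  gw01.phub.cable.example.com [198.51.100.138]
  3   116 ms    99 ms    99 ms  bb2.gw4.example.net [203.0.113.1]
  4   117 ms   100 ms   100 ms  bb2-gw2-60-22.example.net [203.0.113.2]
  5     *        *        *     Request timed out.
  6   198 ms   109 ms   110 ms  bb2-fw-2-dmz.example.net [203.0.113.65]
  7   237 ms   179 ms   220 ms  bb2-web1.example.net [203.0.113.100]

Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s*$")
HOST_RE = re.compile(r"(?:(?P<name>\S+)\s+)?\[(?P<ip>[\d.]+)\]$")
DEST_RE = re.compile(r"Tracing route to .*\[([\d.]+)\]")

# Name fragments that give away a device's role (heuristic of this example).
ROLE_HINTS = {"fw": "firewall", "dmz": "DMZ boundary", "gw": "gateway/router"}


def parse_tracert(text):
    """Return one dict per hop; a timed-out hop has ip/name of None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        n, rest = int(m.group(1)), m.group(2)
        if "Request timed out" in rest:
            hops.append({"hop": n, "ip": None, "name": None})
            continue
        h = HOST_RE.search(rest)
        if h:
            hops.append({"hop": n, "ip": h.group("ip"), "name": h.group("name")})
    return hops


def role_hints(name):
    """Role words an outsider can read off a hostname, e.g. 'fw', 'gw4'."""
    if not name:
        return []
    hints = set()
    for t in re.split(r"[.\-_]", name.lower()):
        m = re.match(r"([a-z]+)\d*$", t)
        if m and m.group(1) in ROLE_HINTS:
            hints.add(ROLE_HINTS[m.group(1)])
    return sorted(hints)


def assess(text):
    """Topology an outsider would infer from a single trace."""
    hops = parse_tracert(text)
    dest = DEST_RE.search(text)
    dest_ip = dest.group(1) if dest else None
    reached = bool(hops) and hops[-1]["ip"] == dest_ip
    # Everything that answered before the target (or before the trace died).
    before = [h for h in (hops[:-1] if reached else hops) if h["ip"]]
    filter_hop = before[-1] if before else None
    return {
        "target": dest_ip,
        "reached": reached,
        "filter_hop": filter_hop["hop"] if filter_hop else None,
        "filter_host": filter_hop["name"] if filter_hop else None,
        "silent_hops": [h["hop"] for h in hops if h["ip"] is None],
        "hints": {h["name"]: role_hints(h["name"])
                  for h in hops if role_hints(h["name"])},
    }
```

`assess(SAMPLE_TRACE)` names hop 6 (the `fw`/`dmz` host) as the filtering device and lists hop 5 as silent; an incomplete trace is reported with `reached` False and the last responder as the filter.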

Page 22: Hacking Methodology Lab 1

Firewalking

• Firewalking is a technique that allows an attacker to covertly map the ACLs of packet filtering devices.

• Sends TCP or UDP packets to the packet filter that have a TTL set at one hop greater than the target gateway (the packet filter itself).

• Should the packet make it through the gateway, it is forwarded to the next hop, where the TTL reaches zero and the packet is discarded.

• Using this method, the ACL rules of a packet filter can be determined without actually touching any hosts behind the device.

Page 23: Hacking Methodology Lab 1

Ubergeek:#firewalk -n -S 1-1024 TCP 1.2.61.1 1.2.61.100

Firewalking through 1.2.61.1 (towards 1.2.60.100) with a

maximum of 25 hops.

Ramping up hopcounts to binding host...

probe: 1 TTL: 1 port 33434: <response from> [1.2.60.1]

probe: 2 TTL: 2 port 33434: <response from> [1.2.60.2]

probe: 3 TTL: 3 port 33434: Bound scan: 3 hops <Found gateway at 3 hops> [1.2.61.1]

Scanning...

port 20: open

port 21: open

port 22: open

port 53: open

port 80: open

1027 packets sent, 5 replies received.

Firewalking – Fire, walk with me…

• In this example, firewalk will scan ports 1-1024 using TCP packets directed at the firewall (1.2.61.1) using the previously mapped host at 1.2.61.100 as a metric.

• The packet filter is found after three hops and firewalk begins scanning using TCP packets with a TTL of 4.

• In this case, the ports shown were allowed by the ACL and passed successfully through the packet filter.

• The attacker can therefore surmise in this case that at least one web server, an ssh server and an ftp server are running in the DMZ.

• Armed with this information, the attacker can plan any further actions appropriately.

Page 24: Hacking Methodology Lab 1

VisualRoute

Page 25: Hacking Methodology Lab 1

Social Engineering

The most successful hackers are also successful social engineers, because there is no patch for human stupidity.

Social engineering is a form of hacking that targets people (wetware) instead of their networks.

Types of social engineering include:

● Tainting Trust

● Dumpster Diving

● Shoulder Surfing

● Proxy Probing

Page 26: Hacking Methodology Lab 1

The Anatomy of a Hack (section divider; the phase diagram and phase list from Page 5 are repeated here)

Page 27: Hacking Methodology Lab 1

Scanning Techniques & Tools

Techniques –

• Ping sweep

• TCP/UDP port scan

• Stealth scans

Tools –

• Nmap

• SuperScan

• Internet Toolkit

• Hping

• Grim’s Ping

Page 28: Hacking Methodology Lab 1

Scanning

Scanning is the process by which the attacker performs bulk target assessment, identifies listening services and locates possible points of ingress.

Types of scans include the following:

• Ping Sweep – Attempts to determine which hosts on a network are reachable.

• Vanilla – Attempts to connect to all 65535 ports.

• Stealth – Attempts to connect to ports using various techniques, including half-open connections (FIN/SYN) in order to avoid detection.

• Reflex – Attempts to connect using fragmented packets, XMAS (all TCP flags set) or NULL (no TCP flags set) in order to provoke a specific response.

• Strobe – Attempts to connect to a few known ports.

• UDP – Attempts to locate open UDP ports.

• Horizontal Sweep – Scanning the same port across multiple hosts; the attacker is planning to target a particular service.

• Vertical Sweep – Scanning multiple ports on a single host; the attacker is attempting to locate a vulnerable service.

Page 29: Hacking Methodology Lab 1

NMap (Network Mapper)

NMap is a powerful scanning tool that is available in both *nix and Win32 versions.

● Employs multiple TCP scan facilities (Null, XMAS, FIN, SYN).

● Capable of remote OS fingerprinting.

● Implements specialized stealth scanning techniques (FTP bounce, idle scan, etc.).

Page 30: Hacking Methodology Lab 1

Internet Toolkit

One of many similar tools available today, these toolkits are capable of performing simple ping, port and service scans.

• Although quite functional, the scanning techniques utilized by Internet Toolkit and similar scanning tools (e.g. SuperScan) are quite noisy.

• Tools such as this are popular with skiddies as they are easy to use and readily available.

Page 31: Hacking Methodology Lab 1

SuperScan

• SuperScan is a scanning tool available free from Foundstone.

• In addition to its scanning ability, SuperScan incorporates an automated banner grabbing facility (banner grabbing will be discussed later).

Page 32: Hacking Methodology Lab 1

HPing

Hping is a very powerful command line based packet crafting tool that allows the user to craft packets of virtually any type desired.

• Firewall testing

• Advanced port scanning

• Network testing, using different protocols, TOS, fragmentation

• Manual path MTU discovery

• Advanced traceroute, under all the supported protocols

• Remote OS fingerprinting

• Remote uptime guessing

• TCP/IP stacks auditing

Page 33: Hacking Methodology Lab 1

HPing

• The latest stable release of HPing has implemented a scanning function.

• Even in scanning mode, it is possible to utilize most of the tool’s functionality.

# hping2 --scan known 192.168.1.103

Scanning 192.168.1.103 (192.168.1.103), port known

245 ports to scan, use -V to see all the replies

+----+-----------+---------+---+-----+-----+-----+

|port| serv name | flags |ttl| id | win | len |

+----+-----------+---------+---+-----+-----+-----+

9 discard : .S..A... 64 0 32767 44

13 daytime : .S..A... 64 0 32767 44

21 ftp : .S..A... 64 0 32767 44

22 ssh : .S..A... 64 0 32767 44

25 smtp : .S..A... 64 0 32767 44

37 time : .S..A... 64 0 32767 44

80 www : .S..A... 64 0 32767 44

111 sunrpc : .S..A... 64 0 32767 44

113 auth : .S..A... 64 0 32767 44

631 ipp : .S..A... 64 0 32767 44

3306 mysql : .S..A... 64 0 32767 44

6000 x11 : .S..A... 64 0 32767 44

6667 ircd : .S..A... 64 0 3072 44

All replies received. Done.

No responding ports:

Page 34: Hacking Methodology Lab 1

Grim’s Ping

• Scans en masse for live hosts, FTP and web proxy servers.

• Capable of TCP SYN port scanning.

• Scans for FTP public shares (pubs).

• Plug-ins (Ping Companion, etc.) add even more functionality.

A Weapon of Mass Distribution

Page 35: Hacking Methodology Lab 1

The Anatomy of a Hack (section divider; the phase diagram and phase list from Page 5 are repeated here)

Page 36: Hacking Methodology Lab 1

Enumeration

Definition of Enumeration:

A mathematical set with a total ordering and no infinite descending chains. A total ordering "<=" satisfies x <= x; x <= y <= z => x <= z; x <= y <= x => x=y; and for all x, y, x <= y or y <= x. In addition, if a set W is well-ordered then all non-empty subsets A of W have a least element, i.e. there exists x in A such that for all y in A, x <= y.

Definition of Enumeration

Enumeration refers to the process by which the attacker makes use of more intrusive probing in order to identify resource shares, user accounts, operating systems and applications associated with the targeted network.

Fortunately, man invented computers and quickly discovered that mathematics was no longer necessary.

Page 37: Hacking Methodology Lab 1

Enumeration Techniques & Tools

Techniques –

• List user accounts

• List file shares

• Application/OS identification

Tools –

• Telnet

• Netcat

• SuperScan

• NAT

• NMap

• p0f

• VisualRoute

Page 38: Hacking Methodology Lab 1

Banner Grabbing

Page 39: Hacking Methodology Lab 1

Banner Grabbing – Telnet

• Telnet may be utilized as a rudimentary tool to grab server banners.

• This is accomplished by opening a telnet session to the service you wish to enumerate.

• A successful telnet session should yield the server’s banner.

In the example above, telnetting into a web server on port 80 reveals that the server is running Microsoft IIS v5.0.

Page 40: Hacking Methodology Lab 1

Banner Grabbing - Netcat

• The much vaunted TCP/IP “Swiss Army Knife”; every network security professional should have Netcat in their toolbox.

• Useful for creating custom stimuli using “nudge files” to capture more information in a banner reply than would normally be provided.

• Armed with RFCs and a working knowledge of TCP based protocols, “nudge file” creation is easily accomplished using a standard text editor.

Page 41: Hacking Methodology Lab 1

Banner Grabbing - Netcat

Ubergeek:#nc -vv 10.1.1.1 80 < /home/usr/bin/nudge.txt

A nudge file consists of a couple of hard carriage returns at a minimum; the nudge file is redirected to the netcat command's stdin using a hoinkie (the “<” redirection operator) as demonstrated above.

Netcat is a powerful tool with many uses – this demonstrates just one of them; you are highly encouraged to experiment with netcat further in your lab environment.
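A Python equivalent of the nudge-and-grab shown above, added as an example (not the briefing's code): `grab_banner` sends a nudge over a socket the way `nc < nudge.txt` does, and the parsing functions pull product/version strings out of a constructed reply (modelled on the Apache banner a later slide shows VisualRoute reporting), so the check runs offline. The nudge contents, the sample reply and the header set it inspects are this example's assumptions; pointed at your own lab hosts it lists what they volunteer.

```python
"""Banner grabbing with a nudge, and what the reply discloses.

Added example, not from the briefing. grab_banner() does what the
slide's `nc -vv host 80 < nudge.txt` does; the parsing below runs on
a constructed reply so it works offline.
"""
import re
import socket

# Nudges: the minimal one (just CR/LF pairs) and a protocol-aware one.
NUDGE_MINIMAL = b"\r\n\r\n"
NUDGE_HTTP = b"HEAD / HTTP/1.0\r\nHost: lab\r\n\r\n"


def grab_banner(host, port, nudge=NUDGE_HTTP, timeout=5.0):
    """Connect, send the nudge, return whatever the service says."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(nudge)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass                      # service went quiet; keep what we have
    return b"".join(chunks).decode("latin-1", "replace")


# Constructed reply modelled on the slide's VisualRoute finding.
SAMPLE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2007 00:00:00 GMT\r\n"
    "Server: Apache/1.3.27 (Unix) mod_throttle/3.1.2 mod_perl/1.26\r\n"
    "Connection: close\r\n\r\n"
)

# "name/version" tokens as they appear in Server and X-Powered-By headers.
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d[\w.]*)")


def parse_banner(reply):
    """Split an HTTP reply into its status line and a lower-cased header map."""
    head = reply.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers


def disclosed_products(reply):
    """Product/version pairs the banner hands out (Server, X-Powered-By)."""
    _, headers = parse_banner(reply)
    found = []
    for name in ("server", "x-powered-by"):
        found.extend(PRODUCT_RE.findall(headers.get(name, "")))
    return found
```

A banner that names only `Apache` with no version yields an empty list; the three version strings in `SAMPLE_REPLY` are exactly what the slide's tools reported.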

Page 42: Hacking Methodology Lab 1

Banner Grabbing - VisualRoute

• VisualRoute is capable of performing banner grab enumeration of targeted hosts.

• By directing traces at a specific port, useful information may be obtained about the target.

• In this case, the trace was directed at port 80 on the target host.

• VisualRoute has determined that the target is an Apache 1.3.27 http server with mod_throttle 3.1.2 and mod_perl 1.26 installed running on Unix.

Page 43: Hacking Methodology Lab 1

Banner Grabbing - SuperScan

• In addition to its scanning ability, SuperScan is able to grab banners from a targeted network.

• This feature allows the attacker to perform banner grab enumeration en masse.

• In this case, the scanner has captured the banner of the target’s SMTP server.

Page 44: Hacking Methodology Lab 1

p0f - Passive OS Fingerprinting

• P0f is a passive OS fingerprinting tool.

• Runs in the background and sniffs traffic on the wire.

• The packet’s parameters are compared against fingerprint tables and the program makes a “best guess” regarding the OS type in real time.

Page 45: Hacking Methodology Lab 1

OS Fingerprinting

| OS | Version | Platform | TTL | Window | DF | TOS |
|---|---|---|---|---|---|---|
| Windows | 2000 | Intel | 128 | 17000-18000 | Y | 0 |
| Windows | 9x/NT | Intel | 32/128 | 5000-9000 | Y | 0 |
| Solaris | 8 | Intel/SPARC | 64 | 24820 | Y | 0 |
| Linux | 2.2 | Intel | 64 | 32120 | Y | 0 |
| OpenBSD | 2.x | Intel | 64 | 17520 | N | 16 |
| FreeBSD | 3.x | Intel | 64 | 17520 | Y | 16 |

• TTL (Time To Live) – Time to live is a value in an IP packet that communicates to a network router whether or not the packet has been on the network too long and should be discarded.

• Window – Window size is the amount of outstanding (unacknowledged by the recipient) data a host can transmit on a single network connection before it receives an acknowledgement from the destination host.

• DF (Don’t Fragment Bit) – Located in bit two of an IP header’s sixth octet; the DF bit, if set, indicates that the packet is not to be fragmented.

• TOS (Type of Service Byte) – The TOS byte is used for internet service quality selection. Various fields within the byte specify parameters for precedence, delay, throughput, and reliability.
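The fingerprint table above as a matcher, added as an example (not p0f's code or the briefing's): it encodes the slide's signatures and classifies the TTL, window, DF and TOS observed on a SYN. Because every router on the path decrements the TTL, the observed value is first rounded up to the next common initial TTL (32, 64, 128 or 255) and the difference taken as the hop distance; that rounding, the `hop_distance` estimate and the ranking of ambiguous matches are assumptions of this example, not stated on the slide.

```python
"""Passive OS fingerprinting from the briefing's TTL/Window/DF/TOS table.

Added example, not part of the briefing or of p0f. Observed TTLs are
already decremented by each router on the path, so the initial TTL is
inferred by rounding up to the next common starting value (an
assumption of this example).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    os: str
    version: str
    platform: str
    ttl: tuple          # acceptable initial TTL values
    window: tuple       # (low, high), inclusive
    df: bool
    tos: int


# The slide's table, transcribed row by row.
SIGNATURES = [
    Signature("Windows", "2000",  "Intel",       (128,),    (17000, 18000), True,  0),
    Signature("Windows", "9x/NT", "Intel",       (32, 128), (5000, 9000),   True,  0),
    Signature("Solaris", "8",     "Intel/SPARC", (64,),     (24820, 24820), True,  0),
    Signature("Linux",   "2.2",   "Intel",       (64,),     (32120, 32120), True,  0),
    Signature("OpenBSD", "2.x",   "Intel",       (64,),     (17520, 17520), False, 16),
    Signature("FreeBSD", "3.x",   "Intel",       (64,),     (17520, 17520), True,  16),
]

INITIAL_TTLS = (32, 64, 128, 255)


def infer_initial_ttl(observed):
    """Round an observed TTL up to the next common initial value."""
    for t in INITIAL_TTLS:
        if observed <= t:
            return t
    raise ValueError("TTL out of range: %d" % observed)


def hop_distance(observed):
    """Estimated routers between the sender and the sniffer."""
    return infer_initial_ttl(observed) - observed


def fingerprint(ttl, window, df, tos):
    """Return matching (os, version) pairs, most specific signature first."""
    init = infer_initial_ttl(ttl)
    matches = [
        s for s in SIGNATURES
        if init in s.ttl
        and s.window[0] <= window <= s.window[1]
        and s.df == df and s.tos == tos
    ]
    # Prefer an exact window value over a range, then fewer TTL alternatives.
    matches.sort(key=lambda s: (s.window[1] - s.window[0], len(s.ttl)))
    return [(s.os, s.version) for s in matches]
```

With only six signatures many combinations match nothing (an empty list), which is the honest answer; p0f's "best guess" comes from a far larger table built the same way.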

Page 46: Hacking Methodology Lab 1

NMap – Active OS Fingerprinting

• NMap has the capability to fingerprint a remote host’s operating system, allowing the attacker to enumerate the target’s OS.

• Unlike p0f, NMap performs active OS fingerprinting by sending unusual and invalid TCP packets to the target host, then monitors the wire for the target host’s responses.

• In this case, NMap correctly enumerated the target’s OS as a Linux 2.4 x86 distro.

Page 47: Hacking Methodology Lab 1

Building Your Lab – Because there’s no place like /home

Why build a personal lab?

• Continuing professional development is a necessary evil.

• This process can be greatly enhanced if one has access to a personal computer lab.

• Maintaining a personal lab also provides excellent bullets for performance reviews and résumés.

Besides, building a lab is easy and fun – and the ladies dig guys with computer labs!

Page 48: Hacking Methodology Lab 1

Building Your Lab

Constructing a lab is a fairly easy process and can be accomplished utilizing two methods:

a. hard network: one or more actual hosts connected through a crossover cable or switch/routing device; or

b. soft network: a single host running virtual machines (this is the preferred configuration).

In either case, it is highly recommended that the lab network be contained as a standalone implementation vice being connected to a live network.

Page 49: Hacking Methodology Lab 1

My Lab Configuration – “Arda”

• PALANTIR is connected to the wire via a hub and a receive-only CAT5 cable.

• PALANTIR is isolated from the lab network by MORANNON; the firewall is only opened when necessary to transfer files from PALANTIR.

• MELKOR serves as the primary analysis station and attack platform; this host is directly connected to SAURON with a CAT5 crossover cable.

• In addition to its native environment, SAURON is capable of running multiple VMWare virtual machines to simulate larger networks.

• GOLLUM is a standalone host utilized for malware analysis running a VMWare Player virtual machine.

Yes, the naming convention theme was inspired by the Tolkien legendarium and yes, I am a Geek…

Page 50: Hacking Methodology Lab 1

Building Your Lab

KVM Switch

• Should you choose a hard or hard/soft combo configuration for your lab network, multiple input/display devices are not necessary.

• KVM switches allow you to use a single keyboard, mouse and video display with multiple hosts.

Page 51: Hacking Methodology Lab 1

Building Your Lab

VMWare Player

VMware Player is a free download from the VMWare website.

Although this version supports only one virtual machine and lacks the facility to generate virtual machine images, this distro is adequate for most purposes where only a single target is required.

http://www.vmware.com/products/player/

• Run any single virtual machine.

• Real to virtual machine copy/paste and drag/drop.

• Multiple networking options.

• 32 and 64 bit OS support.

• User adjustable memory management.

• Easily and safely evaluate applications distributed in virtual machines without any installation or configuration.

Page 52: Hacking Methodology Lab 1

Building Your Lab – Linux LiveCD Distros

• A LiveCD is an OS distro stored on a bootable CD-ROM that can run without installation on a hard drive.

• Loads necessary system files into a RAM disk.

• The system returns to its previous OS/state when the LiveCD is ejected and the computer is rebooted.

• Knoppix based distros can set up a “Persistent Home Directory” on a Thumb Drive for storage and retrieval of files.

Page 53: Hacking Methodology Lab 1

Building Your Lab

Linux LiveCD Distros

General Toolkits:

Knoppix STD (Security Tools Distribution) – http://www.knoppix-std.org/

P.H.L.A.K. (Professional Hacker’s Linux Assault Kit) – http://www.phlak.org/modules/news/

Forensic Toolkits:

Helix – http://www.e-fense.com/helix/

PSK (Penguin Sleuth Kit) – http://www.linux-forensics.com/

Pen-Testing Toolkits:

KCPentrix – http://kcpentrix.net/

WHAX – ftp://ftp.belnet.be/packages/whoppix/whax-3.0-200705.iso

Page 54: Hacking Methodology Lab 1

Building Your Lab – Malware Analysis Tools

• All malware analysis should take place on a standalone host, preferably one running a virtual machine.

• Once analysis is complete, the VM image can simply be reloaded.

• Several free analysis tools are available from various sources on the internet.

Page 55: Hacking Methodology Lab 1

Building Your Lab – Malware Analysis Tools

Autoruns – Displays programs configured to run during system bootup or login. http://www.sysinternals.com/Utilities/Autoruns.html

Ethereal – Packet capture & protocol analysis. http://www.ethereal.com

Filemon – Displays file system activity on a system in real time. http://www.sysinternals.com/Utilities/Filemon.html

ListDLLs – Displays which DLLs are loaded. http://www.sysinternals.com/Utilities/ListDlls.html

Ollydbg – Assembler level analysing debugger. http://www.ollydbg.de/

RegMon – Displays Registry activity in real time. http://www.sysinternals.com/Utilities/Regmon.html

Rootkit Revealer – Detects registry and API anomalies. http://www.sysinternals.com/Utilities/RootkitRevealer.html

VICE –

WinDump/TCPDump – Pcap (sniffer) tools. http://www.winpcap.org/windump http://www.tcpdump.org/

Page 56: Hacking Methodology Lab 1

Building Your Lab – Compilers, Debuggers & Decompilers

Most exploits are made available as source code and will have to be compiled in order to be made executable; executable exploits can be decompiled and the recovered code analyzed.

Excerpt of the exploit source shown on the slide:

#include <stdio.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32")

// Use for find the ASM code
#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90\
                   __asm _emit 0x90 __asm _emit 0x90\
                   __asm _emit 0x90 __asm _emit 0x90\
                   __asm _emit 0x90 __asm _emit 0x90
#define PROC_END PROC_BEGIN
#define SEARCH_STR "\x90\x90\x90\x90\x90\x90\x90\x90\x90"
#define SEARCH_LEN 8
#define MAX_SC_LEN 2048
#define HASH_KEY 13

// Define Decode Parameter
#define DECODE_LEN 21
#define SC_LEN_OFFSET 7
#define ENC_KEY_OFFSET 11
#define ENC_KEY 0xff

// Define Function Addr
#define ADDR_LoadLibraryA [esi]
#define ADDR_GetSystemDirectoryA [esi+4]

Page 57: Hacking Methodology Lab 1

Building Your Lab

Compilers

Bloodshed C/C++ IDE (Integrated Development Environment) – http://bloodshed.net

Digital Mars C/C++ compiler – http://digitalmars.com

MinGW32 C/C++/ObjC compiler – http://mingw.org

Open Watcom C/C++ compiler – http://openwatcom.org

Decompilers

REC – Multi format binary decompiler – http://www.backerstreet.com/rec/rec.htm

CHM Encoder – MS compiled HTML Help Format (CHM) decompiler – http://www.gridinsoft.com/chm.php

DJ Java Decompiler – Java decompiler – http://mingw.org

Page 58: Hacking Methodology Lab 1

Building Your LabMetasploit Framework

The Metasploit Framework is an open source computer security tool for developing and executing exploit code against a remote target machine.

The Framework is easily implemented on a Windows host and incorporates a web interface for ease of use; this makes it an ideal tool for the neophyte to utilize in a lab environment.

http://www.metasploit.com

Page 59: Hacking Methodology Lab 1

Building Your LabMetasploit Framework

“The Metasploit Framework. Point. Click. Pwn.”

Page 60: Hacking Methodology Lab 1

Building Your Lab – Reference Material

“The more you read, the more you learn and the less your adversary will know."

Sun Tzu, Chinese General, “The Art of War”, c. 500 B.C.E.

Reference material can be a valuable asset to the InfoSec professional, both in the lab and in the workplace.

• Many InfoSec related titles are available from both the public and CIRT libraries.

• Deeply discounted computer books can be purchased at any “Computer Books for Less” outlet in the Ottawa area.

Page 61: Hacking Methodology Lab 1

Words of Wisdom

“Know the enemy and know yourself and you need not fear the result of a hundred battles…”

Sun Tzu, Chinese General, “The Art of War”, c. 500 B.C.E.

Fight the Networks, Neo!

Page 62: Hacking Methodology Lab 1

Questions?

For sooth, thus endeth the brief…

Page 63: Hacking Methodology Lab 1

Acknowledgments

Mr. John Ronald Reuel Tolkien – For the damned good reads and the inspiration for my lab’s naming convention. Yessss – my lab – my preciousssss. http://www.tolkien.co.uk/frame_nf.htm

Mr. J.D. “Iliad” Frazer – For his kind permission to use “User Friendly” cartoons in my briefs. http://www.userfriendly.org

Hacking Exposed, McGraw-Hill Publishing – http://www.foundstone.com

Inside Network Perimeter Security, Sams Publishing – http://www.samspublishing.com

Infosec Career Hacking, Syngress Press – http://www.syngress.com

Intrusion Signatures and Analysis, Sams Publishing – http://www.samspublishing.com

My Friends – For continuing to support my delusions of grandeur – as long as the cheques continue to clear.

Network Intrusion Detection, Sams Publishing – http://www.samspublishing.com