Hacking Techniques and Countermeasures E. Ray Howard, Jr Sprint E|Solutions
Objective:
• Discuss the practice of hacking in general and demonstrate a few of the current common methods and exploits.
• Mainly a demonstration of some current web hacking methods.
Reasons to hack.
• Curiosity.
• Revenge.
• Notoriety/Fame.
• Profit ($$$ or other gain).
Hacker methodologies.
• Oxymoron? Not really. There is normally some method to this madness.
• Based on systematically exploiting weaknesses in your security infrastructure, both physical and IT.
A common methodology is the following:
1. Gather target information.
2. Identify services offered by the target to the public (whether intentionally or not).
3. Research the discovered services for known vulnerabilities.
4. Attempt to exploit the services.
5. Use the exploited services to gain additional privileges on the target.
Repeat steps 1-5 until the goals are achieved.
Step 1: Gather target information.
• Domain names, IP address ranges.
• InterNIC contact information.
• Physical addresses.
• Organizational structure.
• Alliances and financial information.
• Names of officers, managers, technical staff.
• Newsgroup posts.
Step 3: Research vulnerabilities.
• Vendor announcements.
• Default configurations.
• Poor configurations (e.g. weak passwords, cleartext protocols).
• Gather available exploits or develop a new exploit.
• Derived exploits.
• Some original work.
Step 4: Exploit vulnerabilities.
• Attempt to exploit vulnerabilities to gain access to the target.
• Continue until successful.
Step 5: Utilize increased access.
• Exploit additional vulnerabilities to gain further access and information to use in penetrating deeper into the organization.
• The hacker "becomes" a legitimate user (even an administrator).
Demo 1: IIS web exploit.
• Note:
  ◦ Only requires normal web user access to an IIS web server (i.e. port 80 or 443).
  ◦ Using non-standard ports for your web server only makes this marginally more difficult. You do publish how to access your web server to someone, right? (Also, you would be surprised what search engines contain about you.)
  ◦ Using SSL (the https protocol) will not prevent the exploit from succeeding: the malicious request is simply carried inside the encrypted connection.
Demo 1: Software levels
• Target: Windows NT Server 4.0 SP6a, IIS 4.0
• Attacker: Linux (Mandrake kernel), Windows NT Workstation 4.0 SP6a
Demo 1: Target info.
• Target IP address is
• Query the whois database at ARIN.net to locate owner and domain information.
• Also try reverse DNS mappings for host/domain names.
Demo 1: Services information
Use nmap to scan the target for services of interest.

  $ nmap -sS -p 21-25,80, ,

  Starting nmap V by ( )
  Interesting ports on ( ):
  (The 7 ports scanned but not shown below are in state: closed)
  Port     State  Service
  21/tcp   open   ftp
  80/tcp   open   http
  135/tcp  open   loc-srv
  139/tcp  open   netbios-ssn
  443/tcp  open   https

  Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
Demo 1: Research services
Use netcat or telnet to determine web server information (banner grabbing).

  $ nc
  HEAD / HTTP/1.0

  HTTP/ OK
  Server: Microsoft-IIS/4.0
  Content-Location:
  Date: Mon, 06 Aug :40:10 GMT
  Content-Type: text/html
  Accept-Ranges: bytes
  Last-Modified: Mon, 30 Jul :28:47 GMT
  ETag: "c0bf6c53c19c11:b50"
  Content-Length: 4325
Demo 1: Exploit services to gain access
• Unicode "dot dot" exploit to traverse the filesystem: overlong UTF-8 encodings of "/" (e.g. %c0%af) pass the server's check for "../" because that check runs before the Unicode decode, so the decoded path escapes the web root.
• The default configuration of the Inetpub\scripts directory (marked executable) is used to upload and execute commands of our choice.
• Get the target to fetch useful commands (tools).
• Get the target to initiate an interactive command session.
• Use the target to obtain additional information.
Demo 1: Prevention
• Stay current on patch levels for Microsoft's OS and web server.
• Implement good firewalling (including egress filtering, so a compromised server cannot freely open outbound sessions).
• Use an IDS (or two!).
• Host security is important (see Microsoft's "Securing IIS" and "Securing Windows NT" documents); remove default virtual directories such as /scripts if they are not needed.
• Pattern-matching intercept proxies. Caveat: the proxy must decode and canonicalize requests the same way the web server does, or encoded variants of an attack will pass a match on the literal "../".
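Added example (my own code, not part of the presentation) tying the exploit slide to the prevention slide. It models the order-of-operations bug behind the IIS 4.0/5.0 Unicode traversal (Microsoft bulletin MS00-078): the server rejected "../" in the request before it decoded overlong UTF-8 sequences such as %c0%af, so "..%c0%af" survived the check and became "../" afterwards. vulnerable_serve() reproduces that order, hardened_serve() shows the fix (strict decode first, then the root-escape check), and flag_request() is the kind of rule an IDS or intercept proxy needs: canonicalize the way the target does before matching. The request lines are constructed samples, not captured traffic; the decoder is a model of the lenient behaviour, not IIS code.

```python
import re
import urllib.parse
from typing import Optional

# Constructed sample request lines (not captured traffic). The first two have
# the shape of the IIS "dot dot" Unicode traversal; %c0%af and %c1%9c are
# overlong UTF-8 encodings of "/" and "\".
SAMPLE_REQUESTS = [
    "GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    "GET /scripts/..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/hello.asp HTTP/1.0",
    "GET /default.htm HTTP/1.0",
]


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode UTF-8 without rejecting overlong sequences.

    Models the lenient decoding of the vulnerable IIS versions: C0 AF decodes
    to U+002F "/" although the canonical encoding of "/" is the single byte 2F.
    A strict decoder (Python's bytes.decode) rejects C0 as an invalid start byte.
    """
    out = []
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= c <= 0xBF for c in raw[i + 1:i + 3])):
            out.append(chr(((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6)
                           | (raw[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")  # malformed byte: replacement character
            i += 1
    return "".join(out)


def escapes_webroot(path: str) -> bool:
    """True if ".." segments climb above the virtual root ("/" or "\\" separators)."""
    depth = 0
    for seg in re.split(r"[/\\]", path):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def vulnerable_serve(url_path: str) -> str:
    """Order of operations that made the exploit work.

    The "../" check runs on the percent-decoded bytes BEFORE the UTF-8 decode,
    so "..%c0%af" contains no "../" yet becomes "../" one step later.
    """
    raw = urllib.parse.unquote_to_bytes(url_path)
    if b"../" in raw or b"..\\" in raw:
        return "rejected"
    fs_path = lenient_utf8_decode(raw)
    if escapes_webroot(fs_path):
        return "executed outside webroot: " + fs_path
    return "served: " + fs_path


def hardened_serve(url_path: str) -> str:
    """Fixed order: canonicalize fully (strict UTF-8) and only then check."""
    raw = urllib.parse.unquote_to_bytes(url_path)
    try:
        fs_path = raw.decode("utf-8")  # strict: overlong sequences raise
    except UnicodeDecodeError:
        return "rejected"
    if escapes_webroot(fs_path):
        return "rejected"
    return "served: " + fs_path


def flag_request(request_line: str) -> Optional[str]:
    """IDS / intercept-proxy rule for the prevention slide.

    A pattern match on the literal string "../" misses the encoded form, so
    the rule decodes the path the way the target would and checks for a root
    escape on the result.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return None
    path = parts[1].split("?", 1)[0]
    decoded = lenient_utf8_decode(urllib.parse.unquote_to_bytes(path))
    if escapes_webroot(decoded):
        return "traversal -> " + decoded
    return None


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        path = line.split()[1].split("?", 1)[0]
        print(f"{line}\n  vulnerable: {vulnerable_serve(path)}"
              f"\n  hardened:   {hardened_serve(path)}"
              f"\n  ids:        {flag_request(line)}")
```

Run it and note that the plain "../../" request is rejected by both servers but still flagged by the rule, while the %c0%af and %c1%9c forms are only stopped when decoding happens before the check; that is the whole lesson of the "pattern matching intercept proxies" bullet.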
Summary: Prevention.
• Q: How do you prevent becoming a target?
• A: You can't, if your company has an Internet presence (or remote access, or vendor/VAR networks, or employees).
• S: The only reliable way to reduce the risk of a successful intrusion is to stay current with your security infrastructure. This is an ongoing, dynamic process.
Useful security related links.
• SANS Institute (www.sans.org)
• Security Focus archives (www.securityfocus.com)
• Snort IDS home (www.snort.org)
• Security archives (archives.neohapsis.com)
• CERT Coordination Center (www.cert.org)