How Hackers Do tricks, tools,& techniques ! By : Eng. Ayman

54 Slides174.50 KB

How Hackers Do tricks, tools,& techniques ! By : Eng. Ayman Amaireh Supervised By :Dr. Lo'ai Tawalbeh New York Institute of Technology (NYIT)-2006 12/30/22 1

Tricks A trick: is a mean crafty procedure or practice.designed to deceive, delude, or defraud Hackers use tricks to find short cuts for gaining unauthorized access to systems. 12/30/22 2

Why the hacker used tricks ! Often the hacker use their access for illegal or destructive purposes, OR they may simply be testing their own skills to see if they can perform a task. 12/30/22 3

How hacker Finding Access Vulnerabilities ! The hacker (script kiddies) run the scanning tool, scanning large numbers of systems and finding many systems that are vulnerable. They typically run the tool against the name-spaces associated with companies they would like to get into. 12/30/22 4

Finding Access Vulnerabilities ! The script kiddies use a list of vulnerable IP addresses to start attacks, based on the vulnerabilities advertised by a machine, to gain access to systems. the attacker uses this initial entry (also referred to as a toe-hold) in the system. 12/30/22 5

Finding Access Vulnerabilities ! Once a toe-hold is established on a system, the attacker can run scanning tools against all the systems connected to the penetrated system. Depending on the system compromised, these scans can run inside an organization’s network. 12/30/22 6

How Finding Operating System Vulnerabilities After the hacker gain initial access he look now for operating system (OS) vulnerabilities and for scanning tools that report on those vulnerabilities. Finding vulnerabilities specific to an OS is as easy as typing in a URL address and clicking on the appropriate link 12/30/22 7

Finding Operating System Vulnerabilities There are many organizations that provide “full disclosure” information. Full disclosure is the practice of providing all information to the public domain so that it isn’t known only to the hacker community. Example: Mitre, a government think tank, supports the Common Vulnerability and Exposures the (CVE) dictionary, (http://cve.mitre.org) provide A list of standardized names for vulnerabilities and other information security 12/30/22 8

Tools hacker use it Most popular tools Port scanners Vulnerability scanners Rootkits Sniffers 12/30/22 9

Port scanners Port scanners are probably the most commonly used scanning tools on the Internet. These tools scan large IP spaces and report on the systems they encounter, the ports available, and other information, such as OS types. The most popular port scanner is Network Mapper (Nmap). 12/30/22 10

Port scanners Nmap (“Network Mapper”) is an open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (ports) they are offering, what operating system (and OS version) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers, and both console and graphical versions are available. Nmap is free software, available with full source code under the terms of the GNU GPL.3 12/30/22 11

Port scanners Nmap is an excellent security tool because it allows you to determine which services are being offered by a system. Because Nmap is optimized to scan large IP ranges, it can be run against all IP addresses used by an organization, or all cable modem IP addresses provided by an organization. After using Nmap to find machines and identify their services, you can run the Nessus vulnerability scanner against the vulnerable machines. 12/30/22 12

Vulnerability Scanners Vulnerability scanners look for a specific vulnerability or scan a system for all potential vulnerabilities. Vulnerability tools are freely available. We focus on the most popular and best-maintained vulnerability scanner available, Nessus. 12/30/22 13

Vulnerability Scanners The “Nessus” Project aims to provide to the Internet community a free,powerful, up-to-date and easy to use remote security scanner. A security scanner is a software which will remotely audit a given network and determine whether bad guys (aka ‘crackers’) may break into it, or misuse it in some way. Unlike many other security scanners, Nessus does not take anything for granted.That is, it will not consider that a given service is running on a fixed port—that is, if you run your web server on port 1234, Nessus will detect it and test its security. It will not make its security tests regarding the version number of the remote services, but will really attempt to exploit the vulnerability. 12/30/22 14

Vulnerability Scanners Nessus is very fast, reliable and has a modular architecture that allows you to fit it to your needs. Nessus provides administrators and hackers alike with a tool to scan systems and evaluate vulnerabilities present in services offered by that system. A security scanner is a software which will remotely audit a given network and determine whether bad guys “crackers” may break into it, or misuse it in some way. 12/30/22 15

Rootkits The term rootkit describe a set of scripts and executables packaged together that allow intruders to hide any evidence that they gained root access to a system. the tasks performed by a rootkit are as follows: 12/30/22 16

Rootkits Modify system log files to remove evidence of an intruder’s activities. Modify system tools to make detection of an intruder’s modifications more difficult. Create hidden back-door access points in the system. Use the system as a start point for attacks against other networked systems. 12/30/22 17

Sniffers Network sniffing, or just “sniffing,” is using a computer to read all network traffic, of which some may not be destined for that system. To perform sniffing, a network interface must be put into promiscuous mode so that it forwards, to the application layer, all network traffic, not just network traffic destined for it. 12/30/22 18

Sniffers The Solaris OE includes a tool called snoop that can capture and display all network traffic seen by a network interface on the system. While being relatively primitive, this tool can quite effectively gather clear-text user IDs and passwords passing over a network. Many popular protocols in use today such as Telnet, FTP, IMAP, and POP-3 do not encrypt their user authentication and identification information. 12/30/22 19

Techniques Attacks from the Internet Attacks from employees 12/30/22 20

Attacks From the Internet In this scenario, a hacker uses the Nessus vulnerability scanner to locate a system running Solaris 2.6 OE that has not been protected from the sadmind remote procedure call (RPC) service vulnerability. Let’s see how the sadmind exploit works against the victim system. 12/30/22 21

Attacks From the Internet After the hacker gains access, the hacker uses a rootkit to gain and maintain root access. The header of the sadminindex.c program provides the following information on its usage: 12/30/22 22

Attacks From the Internet sadmindex - SPARC Solaris remote root exploit for /usr/sbin/ sadmind Tested and confirmed under Solaris 2.6 and 7.0 (SPARC) Usage: % sadmindex -h hostname -c command -s sp [-o offset] [-a alignment] [-p] where hostname is the hostname of the machine running the vulnerable system administration daemon, command is the command to run as root on the vulnerable machine, sp is the %sp stack pointer value, offset is the number of bytes to add to sp to calculate the desired return address, and alignment is the number of bytes needed to correctly align the contents of the exploit buffer. 12/30/22 23

Attacks From the Internet The hacker runs the exploit from a Solaris 8 OE system against the Solaris 2.6 OEsystem, with the following arguments: 12/30/22 24

Attacks From the Internet The author of the sadmindex program made things even easier by providing example stack pointer values. Some tinkering with the sp value was necessary in this example to get the exploit to work; however, it didn’t take much trial and error because the next offset tried was 0xefff9588. The exploit produces the following output: 12/30/22 25

Attacks From the Internet As an administrator, if we want to try this exploit on our system, or if we want to determine if an attacker has tried this exploit on our system, run the following command to verify that the inetd process is running: 12/30/22 26

Attacks From the Internet Next, run the following command to determine if a service called ingreslock is listening: 12/30/22 27

Attacks From the Internet A hacker establishes a Telnet connection to the port with the following command. Using this command provides the hacker a root shell prompt, which allows the hacker to infiltrate the system further by adding new accounts: # telnet nfs ingreslock Trying 192.168.0.20. Connected to nfs. Escape character is ’ ]’. # hostname nfs 12/30/22 28

Attacks From Employees In this scenario, an employee has user access privileges to the system, however, the employee is not authorized to have root access privileges. This scenario is very common. It usually occurs in systems are insecure, thus providing an intruding employee the to perform unauthorized actions. 12/30/22 29

Attacks From Employees The ability of malicious internal users to gain additional privileges on Solaris OE systems is a very real security issue. Unfortunately, it is frequently overlooked or ignored by administrators and managers who say, “That could never happen here” or “We have to trust all of our employees.” Serious security incidents occur in situations like these. 12/30/22 30

Attacks From Employees Most systems have different types of users. Authorized ‘ individuals are systems administrators, operators, database administrators, hardware technicians, and so forth. Each class of user has permissions and privileges defined by user ID and group IDs on the system. Most of these users do not have a root password or permission to use it. 12/30/22 31

Attacks From Employees malicious users and intruders can use buffer overflow attacks to gain root privileges. For example, on August 10th, 2001, a buffer overflow against xlock was released (The xlock executable is a utility for locking Xwindowsdisplays.) This utility is useful to attack because it is installed with the setuid root command, due to its need to authorize access to the display when it is locked. 12/30/22 32

Attacks From Employees A quick search through a few web sites provides the sample source code, which only has 131 lines of code. For this scenario, after compiling with the freeware GNU gcc compiler, the executable is placed on the test system ganassi. 12/30/22 33

Attacks From Employees Now that the attacker has root privileges on the system. it is easy to use a sniffer, install back doors, maintain and gain additional access privileges using rootkits, and perform tricks and subsequent attacks. 12/30/22 34

How to Use the Tools This section provides samples of how to use each of the tools We will provide sample output and tips on interpreting the results. Use this information with the sample attack scenarios in the “Techniques” 12/30/22 35

Using Port Scanners To demonstrate the capabilities of the Nmap port scanner, we ran the following scan. The output of the scan reveals the services running on the machine. Nmap’s ability to identify the OS running on the system is particularly useful because it can significantly reduce the time required to launch a successful attack against the machine. Based on the Nmap results, this system appears to be a fully loaded Solaris 2.6 or 7 OE system running most of the default services. 12/30/22 36

Using Port Scanners The Nmap output is as follows: # /usr/local/nmap -O ganassi Starting nmap V. 2.53 (www.insecure.org/nmap/) Interesting ports on ganassi (10.8.10.231): (The 1515 ports scanned but not shown below are in state: closed) Port State Service 7/tcp open echo 9/tcp open discard 13/tcp open daytime 19/tcp open chargen 21/tcp open ftp 23/tcp open telnet 25/tcp open smtp 37/tcp open time 79/tcp open finger 111/tcp open sunrpc 512/tcp open exec Remote operating system guess: Solaris 2.6 - 2.7 Uptime 0.054 days (since Wed Sep 12 09:41:59 2001) Nmap run completed -- 1 IP address (1 host up) scanned in 37 seconds 12/30/22 37

Using Vulnerability Scanners To demonstrate the capabilities of the Nessus vulnerability scanner, we ran the following scan. The command in our example runs a Nessus scan against the hosts listed in targetfile and stores the output in outfile: 12/30/22 38

Using Vulnerability Scanners # nessus -T text localhost 1241 noorder targetfile outfile The Nessus output begins with a summary of the scan results: Nessus Scan Report -----------------SUMMARY - Number of hosts which were alive during the test : 1 - Number of security holes found : 2 - Number of security warnings found : 15 - Number of security notes found : 1 TESTED HOSTS 12/30/22 192.168.0.90 (Security holes found) 39

Using Vulnerability Scanners The output continues with details for each of the security warnings found. The following is an excerpt from the output: DETAILS 192.168.0.90 : . List of open ports : o unknown (161/udp) (Security hole found) o unknown (32779/udp) (Security warnings found) o unknown (32775/tcp) (Security warnings found) o unknown (32776/udp) (Security warnings found) o unknown (32778/udp) (Security warnings found) o unknown (32774/udp) (Security hole found) o unknown (32777/udp) (Security warnings found) o unknown (32780/udp) (Security warnings found) o unknown (32775/udp) (Security warnings found) o lockd (4045/udp) (Security warnings found) o unknown (32781/udp) (Security hole found) 12/30/22 40

Using Vulnerability Scanners Continue the output (details on specific Vulnerability) Vulnerability found on port unknown (32774/udp) : The sadmin RPC service is running. There is a bug in Solaris versions of this service that allow an intruder to execute arbitrary commands on your system. Solution : disable this service Risk factor : High Using this output, hackers from our example scenarios (“Attack from internet”) gain access to the system. 12/30/22 41

Using Vulnerability Scanners In addition to other vulnerabilities, the following “denial of service” (DoS) vulnerability appears in the output: Vulnerability found on port general/tcp : It was possible to make the remote server crash using the ’teardrop’ attack. A cracker may use this attack to shut down this server, thus preventing your network from working properly. Solution : contact your operating system vendor for a patch. Risk factor : High CVE : CAN-1999-0015 12/30/22 42

Using Rootkits To demonstrate the capabilities of a rootkit, we use one built for Solaris 2.6 OE. The Solaris Fingerprint Database—A Security Tool for Solaris Software and Files. The rootkit has a variety of programs that fit into the following categories: Network sniffers Log file cleanup Internet Relay Chat (IRC) proxy Included in the rootkit is an installation script for automating the installation of rootkit programs, setting program permissions, and erasing evidence from the log files. 12/30/22 43

Using Rootkits After installing the rootkit Now the attacker has root access to a system on which: It is difficult for an administrator to detect the intruder through standard Solaris OE commands, such as ls, find, ps, and netstat, because those binaries are replaced by trojan (hidden inside something that appears safe) versions. It is easy for the attacker to gain access repeatedly because the new and trojaned system binaries for the login and rpcbind allow the attacker to gain access and execute commands on the system remotely. 12/30/22 44

Using Sniffers To demonstrate the capabilities of a sniffer to extract a user ID and password from a Telnet and IMAP session, we use the snoop tool. Collecting the information for the samples only took a few seconds. # snoop -d qfe0 port telnet ganassi ganassi - nomex-lab TELNET R port 32835 \377\373\1\377\375\1login: nomex-lab - ganassi TELNET C port 32835 ganassi - nomex-lab TELNET R port 32835 nomex-lab - ganassi TELNET C port 32835 ganassi - nomex-lab TELNET R port 32835 nomex-lab - ganassi TELNET C port 32835 nomex-lab - ganassi TELNET C port 32835 12/30/22 r r o o o 45

Using Sniffers Using the snoop tool is fairly straightforward. If it runs for very long, it collects a great deal of data, and it might be noticed. The ideal solution for an attacker is an automated tool that only saves the user ID and password information for a specific list of protocols. Several tools are available to perform this task: the relatively simple sniffit and the much more flexible and extensive dsniff. (The dsniff tool provides automated mechanisms for attacking switched networks.) Either of these tools can be left running on a system for weeks, or months, to collect hundreds, maybe thousands, of passwords. 12/30/22 46

Switched Networks No evaluation of network sniffing is complete without covering network switches. Network switches connect multiple systems to the same network segment in much the same manner as a network hub. The major difference is in the switch’s ability to forward packets on a per-port basis. In this manner, only network traffic destined fora port is forwarded to it, instead of the port seeing all network traffic. With this configuration, even if a network interface is in the promiscuous mode, it does not see the traffic destined for another port on the same system 12/30/22 47

Switched Networks Many people, based on this configuration, believe that network sniffing is useless. This belief is not true for two reasons. First, a sniffer running on a system captures all nonencrypted user ID and password strings sent to and from the system to any other system on the network. Secondly, publicly disclosed address resolution protocol (ARP) attacks can be launched against the network switch itself. These attacks can force the switch to relay all packets through one port, on which the sniffer is running. 12/30/22 48

Switched Networks Network switches are a layer of protection against sniffing, however, they are not a complete solution. To protect against network sniffing, encrypt authentication information. For example, instead of using Telnet and FTP, use Secure Shell (SSH). Instead of using plain POP3 for email, encrypt the session over secured sockets layer (SSL) for privacy. These precautions protect against network sniffing. 12/30/22 49

Terminal Servers Many organizations use terminal servers to manage and administer headless systems (systems without a local display, keyboard, or mouse, and are managed remotely via remote consoles). While effective in leveraging datacenter space and “lights-out” datacenter environments, recognize that terminal servers can have many of the same vulnerabilities as systems. For example, the terminal servers shipped with Sun Cluster 3.0 software are normally 8-port Bay Annex servers.These terminal servers are accessed through Telnet. 12/30/22 50

Terminal Servers The following is a snoop trace of a root login into this terminal server: # snoop -d qfe0 nts01 nts01 - nomex TELNET R nomex - nts01 TELNET C nts01 - nomex TELNET R nomex - nts01 TELNET C nomex - nts01 TELNET C nts01 - nomex TELNET R nts01 - nomex TELNET R nomex - nts01 TELNET C nts01 - nomex TELNET R nomex - nts01 TELNET C nomex - nts01 TELNET C nts01 - nomex TELNET R nomex - nts01 TELNET C nts01 - nomex TELNET R nts01 - nomex TELNET R nomex - nts01 TELNET C nomex - nts01 TELNET C nts01 - nomex TELNET R 12/30/22 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 \nRotaries Defined: \n\nEnter Annex p 3 Attached to port 3 ganassi console lo r r o o o o t t 51

Terminal Servers nts01 - nomex nomex - nts01 nomex - nts01 nts01 - nomex nomex - nts01 nts01 - nomex nomex - nts01 nts01 - nomex nomex - nts01 nts01 - nomex nomex - nts01 nts01 - nomex nomex - nts01 nts01 - nomex nomex - nts01 12/30/22 TELNET TELNET TELNET TELNET TELNET TELNET TELNET TELNET TELNET TELNET TELNET TELNET TELNET TELNET TELNET R C C R C R C R C R C R C R C port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 port 34395 Password: t 0 0 l k 1 t 52

Terminal Servers Clearly, these terminal servers need to be protected by the same encryption technology as all the systems on the network. Two alternatives are available to secure terminal servers: The first is to purchase terminal servers that support encryption for privacy through a mechanism such as SSH. The second alternative is to provide a landing pad that functions as a gateway between the terminal servers and the rest of the network. This gateway supports SSH, and the private network on which the terminal services reside isolate the use of Telnet. 12/30/22 53

12/30/22 54

Back to top button