Scribd
Upload
93 views

Hacking Primer: BY Intramantra Global Solution PVT LTD, Indore

This document provides an overview of hacking techniques for different systems. It discusses internet footprinting to gather publicly available information. It then covers hacking Windows systems by scanning, enumerating accounts and services, penetrating defenses, escalating privileges, accessing systems, and expanding influence. It also outlines hacking Unix/Linux systems by discovering available hosts and services, enumerating details, attacking remotely through exploits or getting users to execute code, and gaining beyond root privileges. The document concludes by covering network vulnerabilities and techniques for dealing with firewalls.

Uploaded by

Deepak Rathore
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
93 views

Hacking Primer: BY Intramantra Global Solution PVT LTD, Indore

This document provides an overview of hacking techniques for different systems. It discusses internet footprinting to gather publicly available information. It then covers hacking Windows systems by scanning, enumerating accounts and services, penetrating defenses, escalating privileges, accessing systems, and expanding influence. It also outlines hacking Unix/Linux systems by discovering available hosts and services, enumerating details, attacking remotely through exploits or getting users to execute code, and gaining beyond root privileges. The document concludes by covering network vulnerabilities and techniques for dealing with firewalls.

Uploaded by

Deepak Rathore
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 34

Hacking Primer

BY

INTRAMANTRA GLOBAL SOLUTION PVT LTD, INDORE

HTTP://INTRAMANTRA.COM

Nimble Security Group, New Delhi 12/07/21


Outline

Internet footprinting
Hacking Windows
Hacking Unix/Linux
Hacking the network

Nimble Security Group, New Delhi 12/07/21


Internet Footprinting

3
Internet Footprinting Outline

Review publicly available information


Perform network reconnaissance
Discover landscape
Determine vulnerable services
Review publicly available information

 News: Look for recent news


 news.google.com
 SEC filings
 Search for phone numbers, contacts
 Technical info: Look for stupid postings
 Router configs
 Admin pages
 Nessus scans
 Netcraft
 Whois/DNS info
 SamSpade
 dig

Nimble Security Group, New Delhi 12/07/21


Network reconnaissance

Use traceroute to find vulnerable servers


 Trout
Can also query BGP tools
 http://nitrous.digex.net/mae/equinix.html
 Look up ASNs
Landscape discovery

 Ping sweep: Find out which hosts are alive


 nmap, fping, gping, SuperScan, etc.
 Port scans: Find out which ports are listening
 Don’t setup a full connection – just SYN
 Netcat
 can be run in encrypted mode – cryptcat
 nmap advanced options
 XMAS scan sends all TCP options
 Source port scanning sets source port (e.g., port 88 to scan Windows systems)
 Time delays
 Banner grab & O/S guess
 telnet
 ftp
 netcat
 nmap
Hacking Windows

8
Hacking Windows outline

1. Scan
2. Enumerate
3. Penetrate
4. Escalate
5. Pillage
6. Get interactive
7. Expand influence
Scanning Windows

Port scan, looking for what’s indicative of


Windows
 88 – Kerberos
 139 – NetBIOS
 445 – SMB/CIFS
 1433 – SQL Server
 3268, 3269 – Active Directory
 3389 – Terminal Services
Trick: Scan from source port = 88 to find IPSec
secured systems
Enumerating Windows
 Accounts
 USER account used by most code, but escalates to SYSTEM to perform kernel-
level operations
 System accounts tracked by their SIDs
 RID at end of SID identifies account type
 RID = 500 is admin account
 Need to escalate to Administrator to have any real power
 Tools
 userdump – enumerates users on a host
 sid2user & user2sid translates account names on a host
 SAM
 Contains usernames, SIDs, RIDs, hashed passwords
 Local account stored in local SAM
 Domain accounts stored in Active Directory (AD)
 Trusts
 Can exist between AD domains
 Allows accounts from one domain to be used in ACLs on another domain
Enumerating Windows (cont.)

 Need access to ports 135, 139, 445


 Enumerate hosts in a domain
 net view /domain:<domain name>
 Find domain controller(s)
 nltest /dsgetdc:<domain name> /pdc
 nltest /bdc_query:<domain name>
 nbtstcan – fast NetBIOS scanner
 null sessions are an important way to get info
 Runs over 445
 Not logged by most IDS
 net use \\<target>\ipc$ “” /u:””
 “local” (from ResKit) or Dumpsec can then enumerate accounts
 Countermeasures
 Block UDP/137
 Set RestictAnonymous registry value
Enumerating Windows (cont.)

Look for hosts with 2 NICs


 “getmac” from Win2K resource kit
Enumerate trusts on domain controller
 nltest /server:amer /trusted_domains
Enumerate shares with DumpSec
 Hidden shares have “$” at the end
Enumerate with LDAP
 LDAPminer
Penetrating Windows

3 methods
 Guess password
 Obtain hashes
 Emergency Repair Disk
 Exploit a vulnerable service
Guessing passwords
 Review vulnerable accounts via dumpsec
 Use NetBIOS Auditing Tool to guess passwords
Escalating privileges in Windows

getadmin
 getad
 getad2
 pipeupadmin
Shatter
 Yields system-level privileges
 Works against Windows Server 2003
Pillaging Windows

Clear logs
 Some IDS’s will restart auditing once it’s been
disabled
Grab hashes
 Remotely with pwdump3
 Backup SAM: c:\winnt\repair\sam._
Grab passwords
 Sniff SMB traffic
Crack passwords
 L0phtcrack
 John the Ripper
Getting interactive with Windows
 Copy rootkit over a share
 Hide rootkit on the target server
 Low traffic area such as winnt\system32\OS2\dll\toolz
 Stream tools into files
 Remote shell
 remote.exe (resource kit tool)
 netcat
 How to fire up remote listener?
 trojan
 Leave a CD in the bathroom titled, “pending layoffs” 
 Schedule it for remote execution
 at scheduler
 psexec
Windows – Expand influence

Get passwords
 Keystroke logger with stealth mail
 FakeGINA intercepts Winlogon

Plant stuff in registry to run on reboot


Hide files
 “attrib +h <directory>”
 Stream files
 Tripwire should catch this stuff
Hacking Unix/Linux

19
Hacking Unix/Linux outline

1. Discover landscape
2. Enumerate systems
3. Attack
– Remote
– Local
4. Get beyond root
Discover landscape

 Goals
 Discover available hosts
 Find all running services
 Methodology
 ICMP and TCP ping scans
 Find listening services with nmap and udp_scan
 Discover paths with ICMP, UDP, TCP
 Tools
 nmap
 SuperScan (Windows)
 udp_scan (more reliable than nmap for udp scanning)
Enumerate systems
 Goal: Discover the following…
 Users
 Operating systems
 Running programs
 Specific software versions
 Unprotected files
 Internal information
 Tools
 OS/Application: telnet, ftp, nc, nmap
 Users: finger, rwho,rusers, SMTP
 RPC programs: rpcinfo
 NFS shares: showmount
 File retrieval: TFTP
 SNMP: snmpwalk snmpget
Enumerate services

 Users
 finger
 SMTP vrfy
 DNS info
 dig
 RPC services
 rpcinfo
 NFS shares
 showmount
 Countermeasures
 Turn off un-necessary services
 Block IP addresses with router ACLs or TCP wrappers
Attack remotely
 3 primary methods
 Exploit a listening service
 Route through a system with 2 or more interfaces
 Get user to execute it for you
 Trojans
 Hostile web site
 Brute-force against service
 http://packetstormsecurity.nl/Crackers/
 Countermeasure: strong passwords, hide user names
 Buffer-overflow attack
 Overflow the stack with machine-dependent code (assembler)
 Usually yields a shell – shovel it back with netcat
 Prime targets: programs that run as root or suid
 Countermeasures
 Disable stack execution
 Code reviews
 Limit root and suid programs
Attack remotely (cont.)
Buffer overflow example
 echo “vrfy `perl –e ‘print “a” x 1000’`” |nc www.targetsystem.com 25
 Replace this with something like this…
 char shellcode[] = “\xeb\xlf\x5e\x89\x76\x08…”

Input validation attacks


 PHF CGI – newline character
 SSI passes user input to O/S
Back channels
 X-Windows
 Send display back to attacker’s IP
 Reverse telnet
Attack remotely (cont.)
 Countermeasures against back channels
Get rid of executables used for this (x-windows, telnet, etc.)
 Commonly attacked services
 Sendmail
 NFS
 RPC
 X-windows (sniffing session data)
 ftpd (wu-ftpd)
 DNS
 Guessable query IDs
 BIND vulnerabilities
 Countermeasures
 Restrict zone transfers
 Block TCP/UDP 53
 Don’t use HINFO records
Attack locally

Buffer overflow
Setuid programs
Password
guessing/cracking
Mis-configured file/dir
permissions
Get beyond root

 Map the network (own more hosts)


 Install rootkit
 crypto checksum is the only way to know if it’s real
 Create backdoors
 Sniff other traffic
 dsniff
 arpredirect
 loki
 Hunt
 Countermeasures
 Encrypt all traffic
 Switched networks (not a panacaea)
 Clean logs
 Session hijacking
Hacking the Network

• Vulnerabilities
• Dealing with firewalls

29
Vulnerabilities

TTY access – 5 to choose from


SNMP V2 community strings
HTTP (Everthing is clear-text)
TFTP
 No auth
 Easy to discern router config files “<router-name>.cfg
Countermeasures
 ACLs
 TCP wrappers
 Encrypt passwords
Vulnerabilities: routing issues

Path integrity
 Source routing reveals path through the network
 Routing updates can be spoofed (RIP, IGRP)
ARP spoofing
 Easy with dsniff
Dealing with firewalls

 Enumerate with nmap or tcpdump


 Can show you which ports are filtered (blocked)
 Some proxies return a banner
 Eagle Raptor
 TCP traffic itself may provide signature
 Ping the un-pingable
 hping
 Look for ICMP type 13 (admin prohibited)
Dealing with firewalls (cont.)

ACLs may allow scanning if source port is


set
 nmap with “-g” option
Port redirection
 fpipe
 netcat
Questions?

Nimble Security Group, New Delhi 12/07/21

You might also like