Attack and Penetration
Tools and Techniques
Introduction
Marty Walters
Senior Consultant
Ernst and Young, LLP
Target Acquisition
Target Acquisition
Goal
Target Acquisition
Some Techniques
• ARIN Search
– Zero knowledge approach
– arin.net
• Domain Name Service (DNS)
– Whois queries
– Host drilldown
– Zone transfers
• Ping/TCP connect discovery
Target Acquisition
Zone Transfers
Use the ls -d command from the nslookup prompt to obtain zone transfers.
Target Acquisition
Ping/TCP discovery with NetScan
Target Acquisition
Ping/TCP discovery with nmap
Target Assessment
Target Assessment
Goal
Target Assessment
Port Scanning
• Portscanning software sequentially or randomly connects to every (specified) TCP/UDP port on a target system (up to 64K ports)
– Allows you to determine what services are running on the target system
– If vulnerable or inherently insecure services are running, you may be able to exploit them and gain access to the target system
– Most port scanners make a full TCP connection and can be detected by port scan detector software
– Stealth scanners (e.g., nmap) do not make a full TCP connection, thus making detection more difficult
Target Assessment
Port Scanning
• Use more than one scanning tool and/or technique to reduce false positives
• Available techniques
– TCP Connect; most common, direct and “noisy”
– TCP SYN; less noticeable, less logging by systems
– TCP FIN; stealthy, can pass through some firewalls
– TCP Xmas; sends all TCP options
– Null scan; sends no data
– IP Fragmentation; more stealthy but buggy
– TCP Reverse Ident; determine owners of processes
– FTP Bounce; stealthy, likely unblocked, but SLOW
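The TCP probe types listed above differ only in which flag bits the first segment carries, which is what a packet-level detector has to look at. The following is an added example, not code from the presentation: it parses the fixed 20-byte TCP header, labels a segment by its flag combination, and shows why a bare SYN cannot by itself distinguish a full connect scan from a half-open SYN scan. It assumes nmap's definition of an Xmas probe (FIN, PSH and URG set); the sample headers are constructed in build_header, not captured traffic.

```python
import struct

# TCP flag bits, low bit first: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def parse_tcp_header(segment):
    """Parse the fixed 20-byte part of a TCP header (RFC 793 layout).

    Raises ValueError when the segment is truncated or the data offset
    claims a header shorter than the minimum.
    """
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (src_port, dst_port, seq, ack, off_res, flags,
     window, checksum, urg_ptr) = struct.unpack("!HHLLBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4  # header length in bytes
    if data_offset < 20:
        raise ValueError("invalid data offset")
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq,
            "ack": ack, "data_offset": data_offset, "flags": flags,
            "window": window}


def classify_probe(flags):
    """Label a single segment by its flag combination.

    A bare SYN opens both a TCP connect scan and a SYN scan; only the rest
    of the exchange tells them apart (see handshake_completed).  The Xmas
    label follows nmap's definition (FIN, PSH, URG), an assumption made here.
    """
    base = flags & ~(ECE | CWR)  # ECN bits do not change the probe type
    if base == SYN:
        return "SYN probe (connect or half-open scan)"
    if base == 0:
        return "Null probe"
    if base == FIN:
        return "FIN probe"
    if base == (FIN | PSH | URG):
        return "Xmas probe"
    if base == (SYN | ACK):
        return "SYN/ACK (open port reply)"
    if base & RST:
        return "RST (closed port or abort)"
    if base & ACK:
        return "established-connection traffic"
    return "unusual flag combination"


def handshake_completed(client_flags):
    """True when the client sent a SYN and later the bare ACK that finishes
    the three-way handshake.  A SYN scan answers the SYN/ACK with RST, and
    FIN/Xmas/Null probes never send SYN, so both return False."""
    saw_syn = False
    for f in client_flags:
        base = f & ~(ECE | CWR)
        if base == SYN:
            saw_syn = True
        elif saw_syn and (base & ACK) and not (base & (SYN | RST)):
            return True
    return False


def build_header(src_port, dst_port, flags):
    """Constructed sample header for the checks below; not captured traffic."""
    return struct.pack("!HHLLBBHHH", src_port, dst_port, 1, 0, 5 << 4, flags, 1024, 0, 0)


if __name__ == "__main__":
    for flags in (SYN, FIN, FIN | PSH | URG, 0, SYN | ACK):
        hdr = parse_tcp_header(build_header(40000, 80, flags))
        print(f"{hdr['src_port']} -> {hdr['dst_port']}: {classify_probe(hdr['flags'])}")
```

The practical point for a port scan detector is in handshake_completed: a connect scan shows up in the service's own logs because the handshake finishes, while the SYN, FIN, Xmas and Null probes only ever appear to something watching packets, such as the firewall or router logging discussed under Countermeasures.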
Target Assessment
Common Port Scanners
• Some popular freeware scanners
– strobe
– nmap
– jakal
– netcat
– Asmodeus (Windows NT)
• Common commercial scanners
– Cybercop Scanner
– ISS
– NetSonar
– WS_PingProPack
– Netscan Tools
Target Assessment
Port Scanning with nmap
Target Assessment
Port Scanning with NetScan
Target Assessment
UDP Scanning
Target Assessment
Banner Retrieval
Target Assessment
Banner retrieval using netcat
* Use netcat or telnet to connect to port 80.
Intrusive Techniques
Intrusive Techniques
Goal
Intrusive Techniques
Using netcat
• Swiss army knife of hacking
• Outbound or inbound connections, TCP or UDP, to or from any ports
• Full DNS forward/reverse checking, with appropriate warnings
• Built-in port-scanning capabilities, with randomizer
• Hex dump of transmitted and received data
• Optional ability to let another program service established connections
• Optional telnet-options responder
Intrusive Techniques
MDAC Demo
Break
Round 2 - Start Over
Soft, chewy center
Round 2
Hacking an NT network
• Hints:
– When using Operating System and resource kit tools, pipe the output to text files for future reference
– Example: d:\net statistics workstation > d:\outfile.txt, or use >> to append to a new or existing file
– Install Windows NT Resource Kit
Round 2
Hacking an NT network
• Key commands
– NET USE
example:
insert spaces here
Round 2
Hacking an NT network
• Naming Conventions
– When performing null session connections (and other functions described in this presentation) you may substitute ip_address for server_name.
Round 2
Back to Target Identification
Round 2
Popping an NT host
Countermeasures
Countermeasures
• Mitigating the enticement info. problem:
– Remove banners from
• Sendmail or other MTA
• HTTPD
• FTPD
• TELNETD
• POP
• Any other service that provides descriptive banner information
– Modify source if available and necessary
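Removing a banner is only half the job; the other half is verifying that no product or version string still appears in what the service sends. The following is an added example, not code from the presentation or from any of the products named: it reads the greeting line a service volunteers on connect (SMTP, FTP, POP) or the Server header from an HTTP response on your own hosts, and flags any product/version string that survives. The banners in SAMPLE_BANNERS are constructed, not taken from any real host, and VERSION_RE is an assumed pattern that catches the common "name/1.2.3", "name 1.2.3" and "name-1.2.3" shapes.

```python
import re
import socket

# Product/version shapes commonly leaked in greetings and Server headers,
# e.g. "Apache/1.3.6", "Sendmail 8.9.3", "wu-2.6.0", "Microsoft-IIS/4.0".
# The pattern is an assumption for this example; extend it for your services.
VERSION_RE = re.compile(r"\b[\w.-]+[/ -]v?\d+\.\d+(?:\.\d+)?\b")


def leaked_versions(banner):
    """Return every product/version string found in a banner (empty if none)."""
    return VERSION_RE.findall(banner)


def read_greeting(host, port, timeout=3.0):
    """Read the line a service volunteers on connect (SMTP, FTP, POP3)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(1024).decode("latin-1").strip()


def http_server_header(host, port=80, timeout=3.0):
    """Send a minimal HEAD request and return the Server header value, or None."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    for line in data.decode("latin-1").split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


def audit(banners):
    """Map service name -> leaked version strings, keeping only services that leak."""
    return {svc: hits for svc, text in banners.items() if (hits := leaked_versions(text))}


# Constructed banners (before and after hardening); not from any real host.
SAMPLE_BANNERS = {
    "smtp": "220 mail.example.com ESMTP Sendmail 8.9.3/8.9.3; Tue, 1 Jun 1999 10:00:00 -0400",
    "http": "Apache/1.3.6 (Unix) PHP/3.0.11",
    "ftp": "220 ftp.example.com FTP server (Version wu-2.6.0(1)) ready.",
    "smtp_fixed": "220 mail.example.com ESMTP",
    "http_fixed": "Apache",
}

if __name__ == "__main__":
    for svc, hits in audit(SAMPLE_BANNERS).items():
        print(f"{svc}: still leaks {hits}")
```

Run audit over the greetings collected from your own hosts after each banner change; a service that still appears in the result has not had its banner fully stripped. Feed only the Server header value, not the whole response, to leaked_versions, since the HTTP status line itself contains a version-shaped string.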
Countermeasures
• Disable dangerous services
– RPC
• UNIX - Port 111 and 327xx
• Windows NT - TCP / UDP port 135
– TFTP, NFS
– Rservices (rsh, rlogin, rexec)
– Unbind unnecessary services from Windows NT systems
– Use “wrapper” type services when needed
Countermeasures
• Maintain Adequate Logging
– Consider IDS solutions
• NFR, Netranger, RealSecure, Sessionwall, etc.
• Log ping sweeps and stealth scans
– Log ALL failed activity at the router and firewall
• Consider syslogging failed access attempts from the router to a secure loghost
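Logging failed packets at the router and firewall only pays off if something reads the log for the sweep and scan patterns described earlier. The following is an added example, not code from the presentation: it parses netfilter-style DROP lines from a syslog feed, then flags any source that hits many ports on one host inside a sliding window (a port scan) or sends ICMP echo requests to many hosts (a ping sweep), and marks a port scan as stealth when its TCP probes carry no SYN, which is how FIN, Xmas and Null scans look at the packet level. The log format, the field names and the lines produced by sample_log are all constructed for this example, using RFC 5737 documentation addresses; adjust LOG_RE to whatever your router or firewall actually emits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed netfilter-style DROP lines (roughly the Linux iptables LOG format).
# Adjust LOG_RE to the syslog format of the router or firewall you log from.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: DROP IN=\S+ "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)(?P<rest>.*)$"
)
DPT_RE = re.compile(r"\bDPT=(\d+)")
FLAG_RE = re.compile(r"\b(URG|ACK|PSH|RST|SYN|FIN)\b")


def parse_line(line):
    """Return a dict for one DROP line, or None for any other syslog line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    dpt = DPT_RE.search(rest)
    return {
        # syslog timestamps carry no year; pin one so subtraction works
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2000),
        "src": m["src"], "dst": m["dst"], "proto": m["proto"],
        "dpt": int(dpt.group(1)) if dpt else None,
        "flags": frozenset(FLAG_RE.findall(rest)),
    }


def detect_scans(lines, window_seconds=60, port_threshold=10, host_threshold=5):
    """Report sources that probe many ports on one host (port scan) or
    many hosts with ICMP (ping sweep) inside a sliding time window."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            ports_per_host, tcp_flags = defaultdict(set), set()
            for e in window:
                if e["dpt"] is not None:
                    ports_per_host[e["dst"]].add(e["dpt"])
                if e["proto"] == "TCP":
                    tcp_flags.add(e["flags"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= port_threshold:
                    # FIN, Xmas and Null probes carry no SYN, so they never reach
                    # the listening service; only packet-level logging sees them.
                    stealth = any("SYN" not in f for f in tcp_flags)
                    _record(findings, src, "port scan", dst, len(ports), stealth)
            icmp_hosts = {e["dst"] for e in window if e["proto"] == "ICMP"}
            if len(icmp_hosts) >= host_threshold:
                _record(findings, src, "ping sweep", None, len(icmp_hosts), False)
    return sorted(findings.values(), key=lambda f: (f["src"], f["kind"]))


def _record(findings, src, kind, target, count, stealth):
    """Keep one finding per (source, kind, target), with the largest count seen."""
    key = (src, kind, target)
    if key not in findings or findings[key]["count"] < count:
        findings[key] = {"src": src, "kind": kind, "target": target,
                         "count": count, "stealth": stealth}


def sample_log():
    """Constructed log lines using RFC 5737 documentation addresses."""
    lines = []
    # SYN probes against 12 ports on one host within 12 seconds
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]):
        lines.append(f"Jan 12 03:14:{i:02d} fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 "
                     f"DST=192.0.2.10 PROTO=TCP SPT=44123 DPT={port} WINDOW=1024 SYN URGP=0")
    # Xmas probes (URG, PSH, FIN) against 10 ports from a second source
    for i in range(10):
        lines.append(f"Jan 12 03:20:{i:02d} fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 "
                     f"DST=192.0.2.10 PROTO=TCP SPT=50000 DPT={i + 1} WINDOW=1024 URG PSH FIN URGP=0")
    # ICMP echo requests to 6 different hosts: a ping sweep
    for i in range(6):
        lines.append(f"Jan 12 03:30:{i:02d} fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 "
                     f"DST=192.0.2.{i + 1} PROTO=ICMP TYPE=8 CODE=0")
    # one blocked telnet attempt and an unrelated line: below every threshold
    lines.append("Jan 12 03:40:00 fw1 kernel: DROP IN=eth0 SRC=192.0.2.50 "
                 "DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 SYN URGP=0")
    lines.append("Jan 12 03:40:01 fw1 sshd[123]: Accepted publickey for ops")
    return lines


if __name__ == "__main__":
    for f in detect_scans(sample_log()):
        print(f)
```

The thresholds are deliberately parameters: a loghost collecting from several routers will need different values from a single firewall, and the window should be widened when looking for slow scans that spread probes over minutes rather than seconds.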