
Information Systems Audit and Control Association

Attack and Penetration Tools and Techniques

Introduction

Attack and Penetration Tools and Techniques

Marty Walters
Senior Consultant
Ernst and Young, LLP

Introduction

• Value proposition of A&P
– “We’ve never been hacked.” - Good, let’s keep it that way.
– “We got hacked.” - Sorry, let’s make sure it doesn’t happen again.
– “We think we got hacked.” - Hmmmm, an A&P engagement will help you.

Introduction

• A&P as a Control Audit mechanism
– Identifies firewall and other perimeter issues (ping, traceroute)
– Identifies password weaknesses
– Identifies development issues such as webdev misconfigurations.

Attack and Penetration
Topics
• Target Acquisition
• Target Assessment
• Intrusive Techniques
• Countermeasures

Target Acquisition

Target Acquisition
Goal

• Goal - Create a list of all domain names, networks, and IP addresses that may include target systems within the scope of the engagement

Target Acquisition
Some Techniques

• ARIN Search
– Zero knowledge approach
– arin.net
• Domain Name Service (DNS)
– Whois queries
– Host drilldown
– Zone transfers
• Ping/TCP connect discovery

Target Acquisition
Zone Transfers

• Mechanisms by which primary and secondary DNS servers stay synchronized
• Exploit using:
– nslookup
– dig
– host
– axfrdb

Target Acquisition
Zone Transfers with nslookup

Use the ls -d command from the nslookup prompt to obtain zone transfers.

Target Acquisition
Ping/TCP discovery with NetScan

• Demo NetScan ping discovery
• NetScan is louder than nmap

Target Acquisition
Ping/TCP discovery with nmap

• Use the nmap -sP option for ping “scan”. This will find which hosts on specified network(s) are up but don’t port scan them.
• The -PT option will use a “TCP PING” to check for live hosts.

Target Assessment

Target Assessment
Goal

Goal - Create a matrix listing each IP address and all interesting tcp and udp ports (services) associated with each system.
• Scan limited, “well-known” ranges first
– 1-1024, 2049, and 5990-6039 (tcp/udp)
– Select others based on specific apps, such as certain firewalls, Oracle/Sybase,… (ports.txt)
• Scan all 65536 ports on specific hosts to capture high-port constructs

Target Assessment
Port Scanning
• Portscanning software sequentially or randomly connects to every (specified) TCP/UDP port on a target system (up to 64K ports)
– Allows you to determine what services are running on the target system
– If vulnerable or inherently insecure services are running, you may be able to exploit them and gain access to the target system
– Most port scanners make a full TCP connection and can be detected by port scan detector software
– Stealth scanners (e.g., nmap) do not make a full TCP connection, thus making detection more difficult

Target Assessment
Port Scanning
• Use more than one scanning tool and/or technique to reduce false positives
• Available techniques
– TCP Connect; most common, direct and “noisy”
– TCP SYN; less noticeable, less logging by systems
– TCP FIN; stealthy, can pass through some Firewalls
– TCP Xmas; sends all tcp options
– Null scan; sends no data
– IP Fragmentation; more stealthy but buggy
– TCP Reverse Ident; determine owners of processes
– FTP Bounce; stealthy, likely unblocked, but SLOW

Target Assessment
Common Port Scanners
• Some popular freeware scanners
– strobe
– nmap
– jakal
– netcat
– Asmodeus - Windows NT
– WS_PingProPack
• Common commercial scanners
– Cybercop Scanner
– ISS
– NetSonar
– WS_PingProPack
– Netscan Tools

Target Assessment
Port Scanning with nmap

• Use the -sS nmap option to run a stealth port scan.

Target Assessment
Port Scanning with NetScan

Target Assessment
UDP Scanning

• udp_scan, from SATAN, is the most reliable udp scanner
• Most important udp ports include
– 69 TFTP
– 161 SNMP
– 135,137,138 Windows
– 256 SNMP Checkpoint
– 1993 SNMP Cisco
• udp_scan <IP address> <ports>

Target Assessment
UDP Scanning with NetScan

Target Assessment
Banner Retrieval

• Some popular freeware tools
– strobe
– netcat
– SATAN
– Queso
• Common commercial tools
– CyberCop Scanner
– ISS
– NetSonar

Target Assessment
Banner retrieval using netcat

• Use netcat or telnet to connect to port 80.

Intrusive Techniques

Intrusive Techniques
Goal

• Goal - Use the vulnerability linkage to gain unauthorized access to the system.
• Use unauthorized access to gain further privileges on more sensitive hosts.

Intrusive Techniques
Using netcat
• Swiss army knife of hacking
• Outbound or inbound connections, TCP or UDP, to or from any ports
• Full DNS forward/reverse checking, with appropriate warnings
• Built-in port-scanning capabilities, with randomizer
• Hex dump of transmitted and received data
• Optional ability to let another program service established connections
• Optional telnet-options responder

Intrusive Techniques
MDAC Demo

Intrusive Techniques
MDAC Demo

• Use it to hack admin on the web server.
• Uses port 80 inbound :-)

Intrusive Techniques
MDAC Demo

Break

Round 2 - Start Over
Soft, chewy center

• Start the methodology from the new assumption base
• Defense-in-depth (buzzword)
• As illustrated by MDAC, a hard perimeter cannot protect from zero-day exploits

Round 2
Hacking an NT network

• Hints:
– When using Operating System and resource kit tools, pipe the output to text files for future reference
– example: d:\net statistics workstation > d:\outfile.txt or use >> to append to a new or existing file
– Install Windows NT Resource Kit

Round 2
Hacking an NT network

• key commands
– NET USE

example (note the spaces between the arguments):

net use * \\target_server\c$ password /user:domain_name\username

* see appendix and O’Reilly booklet for more net commands

Round 2
Hacking an NT network

• Naming Conventions
– When performing null session connections (and other functions described in this presentation) you may substitute ip_address for server_name.

(ip_address is required for targets on remote networks)

Round 2
Back to Target Identification

• Use nbtscan to identify hosts on the wire and show good info:
nbtscan -v 192.168.1.0/24

• Identify Microsoft networking services
– Important MS networking ports
• TCP 135 RPC Service
• TCP 137 NetBIOS Name Service
• UDP 138 NetBIOS Datagram Service
• TCP 139 NetBIOS Session Service

Round 2
Back to Target Identification

• Microsoft Networking Services
– Only TCP 139 is required to establish a connection to a remote NT machine

Round 2
Popping an NT host

1) Make a null connection to port 139:
net use \\hostname_or_ip_address\ipc$ "" /user:""
2) Enumerate the usernames on the system using the Dumpacl tool. You may also enumerate the names of the local administrator accounts with the following command:
local administrators \\hostname_or_ip_address
3) Enumerate local non-hidden shares:
net view \\hostname_or_ip_address
4) Guess a password using a brute-force tool called SMBGrind:
smbgrind -v -i <ip_address>
This is a very LOUD technique for guessing passwords.

Round 2
Popping an NT host

5) Escalate privileges. We’ll use the old “sechole” vulnerability to gain administrative privileges.
6) Once you have admin privileges, use pwdump to get the password hashes.
7) Use L0phtCrack to decipher the LANMAN hashes into cleartext passwords.
8) Add the passwords to your password dictionary and begin Round 3.

Countermeasures

Countermeasures

• Mitigating DNS problems:
– Restrict DNS information to public servers only (public and private DNS servers)
– Prohibit zone transfers
– Do not use HINFO Records
– Do not use descriptive hostnames like
• solaris_firewall.somedomain.edu
• cisco.somedomain.edu
• gauntlet.somedomain.edu

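As an added illustration of the DNS countermeasures above (this is not part of the original presentation), the following Python script audits a zone file the way a defender would before publishing it: it flags HINFO records and hostnames built from vendor or product words, which are exactly the items a zone transfer would otherwise hand to an attacker. The zone file, the keyword list and the parser's tolerance for the BIND file format are constructed for this example; a real zone needs a keyword list tuned to the organisation's naming habits.

```python
import re

# Constructed zone file for the example domain used on the slide (invented data).
SAMPLE_ZONE = """\
$ORIGIN somedomain.edu.
$TTL 86400
@                 IN SOA   ns1.somedomain.edu. hostmaster.somedomain.edu. (
                           2000011001 3600 900 604800 86400 )
@                 IN NS    ns1.somedomain.edu.
ns1               IN A     198.51.100.2
www               IN A     198.51.100.10
solaris_firewall  IN A     198.51.100.1
cisco             IN A     198.51.100.254
gauntlet          IN A     198.51.100.3
mail              IN A     198.51.100.20
mail              IN HINFO "Sun Ultra 5" "Solaris 2.6"
; host03 is the payroll server (comment lines are ignored)
host03            IN A     198.51.100.30
"""

# Vendor/product words that make a hostname "descriptive"; a constructed starting list.
KEYWORDS = {"solaris", "sunos", "linux", "cisco", "gauntlet", "firewall", "fw",
            "router", "pix", "checkpoint"}


def qualify(name, origin):
    """Turn a relative owner name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Yield (owner, rtype, rdata) from a simple BIND-style zone file."""
    origin, owner, depth = "", "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments (a ';' inside quotes is not handled)
        if not line.strip():
            continue
        if depth > 0:                           # still inside a ( ... ) continuation
            depth += line.count("(") - line.count(")")
            continue
        depth += line.count("(") - line.count(")")
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                # $TTL and other directives
            continue
        tokens = line.split()
        if not raw[0].isspace():                # a new owner name; otherwise reuse the last one
            owner = tokens.pop(0)
        while tokens and (tokens[0] in ("IN", "CH", "HS") or tokens[0].isdigit()):
            tokens.pop(0)                       # skip class and optional TTL
        if not tokens:
            continue
        yield qualify(owner, origin), tokens[0], " ".join(tokens[1:])


def audit_zone(text, keywords=KEYWORDS):
    """Return (owner, problem, detail) for records that leak platform information."""
    findings = []
    for owner, rtype, rdata in parse_zone(text):
        if rtype == "HINFO":
            findings.append((owner, "HINFO record discloses platform", rdata))
        elif rtype in ("A", "AAAA", "CNAME"):
            labels = set(re.split(r"[-_.]", owner.lower()))
            hits = sorted(labels & keywords)
            if hits:
                findings.append((owner, "descriptive hostname", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for owner, problem, detail in audit_zone(SAMPLE_ZONE):
        print(f"{owner:34} {problem}: {detail}")
```

Running the script against the constructed zone reports the three descriptive hostnames from the slide and the HINFO record on the mail host; the "prohibit zone transfers" item is a server configuration matter and is not something a zone file audit can verify.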
Countermeasures

• Mitigating routing problems:
– Block traceroutes at the border router
• Both UDP and ICMP
– Restrict dangerous ICMP traffic at the border router
• ICMP netmask requests
• ICMP timestamp requests
• ICMP redirects
– Block Pings
• Allow ICMP echo and echo reply traffic from only trusted sources to necessary systems

Countermeasures
• Mitigating the portscan problem:
– Employ filtering rules at the border router and / or firewall
• Allow only those services that conform to your service access policy
• Silent drop all packets - do not respond to portscans
– Disable all unnecessary services from all devices
• Enticement services
– finger, rwho, snmp

Countermeasures
• Mitigating the enticement information problem:
– Remove banners from
• Sendmail or other MTA
• HTTPD
• FTPD
• TELNETD
• POP
• Any other service that provides descriptive banner information
– Modify source if available and necessary

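The banner netcat shows when it connects to port 80 (Target Assessment, banner retrieval) and the greetings SMTP and FTP daemons send are what the "remove banners" countermeasure above is about. As an added example that is not from the presentation, the Python below parses constructed sample banners from HTTP, SMTP and FTP services and reports every product/version string they disclose, which is a quick way to verify that a banner change actually took effect. It generalizes the slide's port 80 case to the other services the list names; the sample banners, the hardened variants and the version-matching regular expression are this example's own assumptions.

```python
import re

# Constructed banners as a netcat or telnet session to each service would show them
# (invented for this example, not captured from any real host).
SAMPLE_BANNERS = {
    "http": ("HTTP/1.1 200 OK\r\n"
             "Server: Apache/1.3.9 (Unix) PHP/3.0.12\r\n"
             "Content-Type: text/html\r\n\r\n"),
    "smtp": "220 mail.example.com ESMTP Sendmail 8.9.3/8.9.3; Mon, 10 Jan 2000 02:14:01 -0500\r\n",
    "ftp": "220 ftp.example.com FTP server (Version wu-2.4.2-academ[BETA-18]) ready.\r\n",
    # the same services after their banners have been trimmed
    "http_hardened": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "ftp_hardened": "220 FTP service ready.\r\n",
}

# A product name, a separator, then a dotted version number with an optional suffix.
VERSION = re.compile(r"([A-Za-z][\w.-]*?)[/ -](\d+(?:\.\d+)+[\w.-]*)")


def banner_text(raw):
    """Pick the part of a raw banner that carries product information."""
    if raw.startswith("HTTP/"):
        # For HTTP only the Server header matters; the protocol version is not a leak.
        for line in raw.split("\r\n"):
            if line.lower().startswith("server:"):
                return line.split(":", 1)[1].strip()
        return ""
    # SMTP, FTP, POP and telnet greetings put the product on the first line.
    return raw.splitlines()[0] if raw.strip() else ""


def find_disclosures(raw):
    """Return [(product, version), ...] found in one banner."""
    return [(m.group(1), m.group(2)) for m in VERSION.finditer(banner_text(raw))]


def audit(banners):
    """Return {service: disclosures} for every banner that leaks a version."""
    report = {}
    for name, raw in banners.items():
        found = find_disclosures(raw)
        if found:
            report[name] = found
    return report


if __name__ == "__main__":
    for name, found in audit(SAMPLE_BANNERS).items():
        print(name, "->", ", ".join(f"{product} {version}" for product, version in found))
```

The hardened entries produce no findings, which is the check to repeat after editing a daemon's configuration or source: if the service name is still followed by a dotted version, the banner has not really been removed.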
Countermeasures
• Disable dangerous services
– RPC
• UNIX - Port 111 and 327xx
• Windows NT - TCP / UDP port 135
– TFTP, NFS
– Rservices (rsh, rlogin, rexec)
– Unbind unnecessary services from Windows NT systems
– Use “wrapper” type services when needed

Countermeasures
• Maintain Adequate Logging
– Consider IDS solutions
• NFR, Netranger, RealSecure, Sessionwall, etc.
• Log ping sweeps and stealth scans
– Log ALL failed access attempts at the router and firewall
• Consider syslogging failed access attempts from the router to a secure loghost
• Ensure adequate host based logging is employed
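As an added example (not from the presentation), the Python below shows the detection side of the port-scanning techniques listed under Target Assessment and of the "log ping sweeps and stealth scans" item above. It reads firewall drop-log lines, labels each unsolicited TCP packet by its flag set (bare SYN, FIN only, the FIN/PSH/URG "Xmas" combination, or no flags for a Null scan) and reports a source as a ping sweep or a port scan once it has touched more hosts or ports than a threshold. The log lines are constructed in the style of netfilter's LOG target; that field layout, the thresholds and the flag-to-scan-type mapping are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall drop-log lines in the style of the netfilter LOG target
# (invented for this example; not a capture from any real network).
SAMPLE_LOG = """\
Jan 10 02:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
Jan 10 02:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.11 PROTO=ICMP TYPE=8 CODE=0
Jan 10 02:14:01 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.12 PROTO=ICMP TYPE=8 CODE=0
Jan 10 02:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.13 PROTO=ICMP TYPE=8 CODE=0
Jan 10 02:14:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.14 PROTO=ICMP TYPE=8 CODE=0
Jan 10 02:15:10 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=198.51.100.20 PROTO=TCP SPT=41000 DPT=21 SYN
Jan 10 02:15:10 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=198.51.100.20 PROTO=TCP SPT=41000 DPT=22 SYN
Jan 10 02:15:10 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=198.51.100.20 PROTO=TCP SPT=41000 DPT=23 SYN
Jan 10 02:15:11 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=198.51.100.20 PROTO=TCP SPT=41000 DPT=25 SYN
Jan 10 02:15:11 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=198.51.100.20 PROTO=TCP SPT=41000 DPT=80 SYN
Jan 10 02:15:11 fw kernel: DROP IN=eth0 SRC=203.0.113.44 DST=198.51.100.20 PROTO=TCP SPT=41000 DPT=110 SYN
Jan 10 02:16:40 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.20 PROTO=TCP SPT=55555 DPT=139 FIN PSH URG
Jan 10 02:16:40 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.20 PROTO=TCP SPT=55555 DPT=135 FIN PSH URG
Jan 10 02:16:40 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.20 PROTO=TCP SPT=55555 DPT=111 FIN PSH URG
Jan 10 02:16:41 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.20 PROTO=TCP SPT=55555 DPT=2049 FIN PSH URG
Jan 10 02:16:41 fw kernel: DROP IN=eth0 SRC=203.0.113.77 DST=198.51.100.20 PROTO=TCP SPT=55555 DPT=6000 FIN PSH URG
Jan 10 02:20:00 fw kernel: DROP IN=eth0 SRC=192.0.2.5 DST=198.51.100.20 PROTO=TCP SPT=50000 DPT=443 SYN
"""

FIELD = re.compile(r"(\w+)=(\S+)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Split a log line into its KEY=VALUE fields and the set of TCP flag tokens."""
    fields = dict(FIELD.findall(line))
    flags = {tok for tok in line.split() if tok in TCP_FLAGS}
    return fields, flags


def classify_tcp_probe(flags):
    """Label one unsolicited TCP packet with the scan type its flag set suggests."""
    if flags == {"SYN"}:
        # TCP connect and SYN (half-open) scans both open with a bare SYN; a per-packet
        # drop log cannot tell whether the handshake would have been completed.
        return "syn"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    if not flags:
        return "null"
    return "other"


def detect(log_text, sweep_hosts=5, scan_ports=5):
    """Return (source, finding, detail) tuples for sources that exceed the thresholds."""
    icmp_targets = defaultdict(set)   # src -> hosts that received an ICMP echo request
    tcp_probes = defaultdict(set)     # (src, scan type) -> distinct (dst, port) pairs
    for line in log_text.splitlines():
        fields, flags = parse_line(line)
        if "SRC" not in fields or "PROTO" not in fields:
            continue
        src = fields["SRC"]
        if fields["PROTO"] == "ICMP" and fields.get("TYPE") == "8":
            icmp_targets[src].add(fields["DST"])
        elif fields["PROTO"] == "TCP" and "DPT" in fields:
            kind = classify_tcp_probe(flags)
            tcp_probes[(src, kind)].add((fields["DST"], int(fields["DPT"])))

    findings = []
    for src, hosts in sorted(icmp_targets.items()):
        if len(hosts) >= sweep_hosts:
            findings.append((src, "ping sweep", f"{len(hosts)} hosts probed"))
    for (src, kind), targets in sorted(tcp_probes.items()):
        if len(targets) >= scan_ports:
            findings.append((src, f"{kind} port scan", f"{len(targets)} ports probed"))
    return findings


if __name__ == "__main__":
    for src, finding, detail in detect(SAMPLE_LOG):
        print(f"{src:16} {finding:16} {detail}")
```

Two points follow from the slides. First, the silent-drop rule above is what makes this work: a scan against a host that answers never reaches the drop log, so the detector only sees probes the filter refused. Second, the single SYN from 192.0.2.5 stays below the threshold, which is the trade-off between catching slow scans and drowning in false positives that the "use more than one tool or technique" advice on the assessment side mirrors on the defensive side.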
