Hacking Methodology Lab 1

h4X0R

Know Your Enemy

Hacking Methodology & Tools: Network Reconnaissance & Building Your Lab

Ted Mac Daibhidh, C.D.
NETWORK SECURITY & ETHICAL HACK SPECIALIST
[email protected]

Classification

This briefing has no class at all - in fact… The briefing is UNCLASSIFIED in its entirety.

Briefing Goals

The goal of this briefing is five-fold:

a. acquaint the analyst with the hacker’s methodology (“The Anatomy of a Hack”) with respect to network reconnaissance;
b. introduce some of the methods and tools used during the network reconnaissance process;
c. drive home the requirement for continuing professional development;
d. demonstrate the benefits of a personal lab and the methods used in lab construction; and
e. introduce some tools that can be utilized in a personal lab environment.

The Anatomy of a Hack

The “Anatomy of a Hack” summarizes the steps a cracker undertakes prior to and during a network attack. This process consists of two distinct phases:

• Reconnaissance and Target Acquisition
  Footprinting
  Scanning
  Enumeration

• Assault
  Gaining access
  Privilege escalation
  Pilfering
  Covering tracks
  Back door creation
  Denial of Service (DoS)

Footprinting

Footprinting refers to the systematic process by which an attacker attempts to compile as much information as possible regarding a targeted network, including:

• Domain name
• Network blocks
• Overall security posture
• Specific IP addresses

Types of Footprinting:

• Active – The target may be alerted to the activity (traceroutes, social engineering, zone transfers).
• Passive – The target is unaware of the reconnaissance activity (Whois searches, other open source information).

Footprinting Techniques & Tools

Techniques –
• DNS zone transfer/interrogation
• Online Tools
• Open source search
• Route tracing
• Social Engineering
• Whois lookup

Tools –
• nslookup
• p0f
• “Sam Spade”
• Search engines
• traceroute
• Usenet
• whois (Internic, ARIN, etc.)
• WinNSlookup

DNS Interrogation

DNS Resource Record Type Codes

Most DNS RR types are defined in RFCs 1034, 1183, 1876, and 2782. DNS RR Type Codes:

• A (Assigned) – Associates an IP with a canonical hostname.
• CNAME (Canonical Name) – Associates an alias with its canonical hostname.
• HINFO (Host Information) – Specifics regarding an individual host.
• LOC (Location Brief) – The geographical location of a host.
• MINFO (Mail Information) – Mail related resource information.
• MX (Mail Exchange) – Identifies a mail exchange resource.
• NS (Name Server) – Points to a master name server of a subordinate zone.
• RP (Responsible Person) – Identifies the individual responsible for a host.
• SOA (Start of Authority) – Identifies the start of a zone of authority.
• SRV (Server) – Designates any host providing a network service.
• WKS (Well Known Service) – Information services offered on a host.

DNS Interrogation – DNS Record Examples

DOMAIN          DNS RR TYPE   RECORD ENTRY
imisstech.tv.   A             10.1.1.1
imisstech.tv.   HINFO         HP-UX UNIX
imisstech.tv.   SRV           DMZ Server
imisstech.tv.   WKS           10.1.1.1 tcp ftp telnet smtp pop3
imisstech.tv.   RP            ted.macdaibhidh.imisstech.tv.
iamacutec.at    A             192.168.1.1
iamacutec.at    MX            10 iamacutec.at
iamacutec.at    HINFO         WINDOWS 2003 SERVER
iamacutec.at    WKS           192.168.1.1 udp domain
iamacutec.at    WKS           192.168.1.1 tcp ftp telnet smtp domain
iamacutec.at    RP            wallie.the.tabby.cat.admin.iamacutec.at.
iamacutec.at    RP            murphy.the.mainecoon.tech.iamacutec.at
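Several of the record types above publish more than name resolution needs, which is why a zone review should flag them before an outsider reads them. The following script is an added example and not part of the original briefing: it parses records written as "owner TYPE rdata" (the slide's two example domains, transcribed as constructed input), flags the record types that disclose host details, and pulls the advertised service list out of WKS records. The "owner TYPE rdata" line format is an assumption made for the example, not a zone-file standard.

```python
from typing import Dict, List, NamedTuple

# RR types from the slide's list that tell an outsider more than name resolution
# requires, and what a reviewer reads from each.
DISCLOSING_TYPES = {
    "HINFO": "hardware and OS of the host",
    "RP": "a named responsible person (social-engineering lead)",
    "WKS": "the services the host offers (a ready-made port list)",
    "LOC": "the physical location of the host",
    "MINFO": "mail-related resource details",
}


class Record(NamedTuple):
    owner: str
    rtype: str
    rdata: str


def parse_records(text: str) -> List[Record]:
    """Parse '<owner> <TYPE> <rdata...>' lines (blank lines and ';' comments skipped)."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"malformed record: {line!r}")
        owner, rtype, rdata = parts
        records.append(Record(owner.lower(), rtype.upper(), rdata.strip()))
    return records


def audit_disclosure(records: List[Record]) -> Dict[str, List[str]]:
    """Map each owner to the findings its over-disclosing records produce."""
    findings: Dict[str, List[str]] = {}
    for r in records:
        if r.rtype in DISCLOSING_TYPES:
            findings.setdefault(r.owner, []).append(
                f"{r.rtype} reveals {DISCLOSING_TYPES[r.rtype]}: {r.rdata}"
            )
    return findings


def advertised_services(records: List[Record]) -> Dict[str, Dict[str, List[str]]]:
    """Services published through WKS records: owner -> protocol -> [service, ...].
    WKS rdata on the slide has the form '<address> <protocol> <service>...'."""
    out: Dict[str, Dict[str, List[str]]] = {}
    for r in records:
        if r.rtype != "WKS":
            continue
        fields = r.rdata.split()
        if len(fields) < 3:
            raise ValueError(f"WKS record too short: {r.rdata!r}")
        _address, proto, *services = fields
        out.setdefault(r.owner, {}).setdefault(proto.lower(), []).extend(services)
    return out


# The two example domains from the slide, transcribed as constructed sample input.
SAMPLE_RECORDS = """
; imisstech.tv.
imisstech.tv.  A      10.1.1.1
imisstech.tv.  HINFO  HP-UX UNIX
imisstech.tv.  SRV    DMZ Server
imisstech.tv.  WKS    10.1.1.1 tcp ftp telnet smtp pop3
imisstech.tv.  RP     ted.macdaibhidh.imisstech.tv.
; iamacutec.at
iamacutec.at   A      192.168.1.1
iamacutec.at   MX     10 iamacutec.at
iamacutec.at   HINFO  WINDOWS 2003 SERVER
iamacutec.at   WKS    192.168.1.1 udp domain
iamacutec.at   WKS    192.168.1.1 tcp ftp telnet smtp domain
iamacutec.at   RP     wallie.the.tabby.cat.admin.iamacutec.at.
iamacutec.at   RP     murphy.the.mainecoon.tech.iamacutec.at
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for owner, notes in audit_disclosure(recs).items():
        print(owner)
        for note in notes:
            print("  -", note)
    print(advertised_services(recs))
```

Run against the slide's records, the audit reports three findings for imisstech.tv. and five for iamacutec.at, and the WKS records alone hand over the same tcp/udp service list a port scan would have to discover.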

Online Tools – Sam Spade

Open Source Search – Search Engine


UseNet Search

Lookup - ARIN Whois

Lookup - InterNIC Whois

Traceroute

c:\>tracert server.target.net
OR
c:\>tracert 4.3.4.2

• Traceroute is a utility available in both Windows and *nix OSes.
• This utility records the specific gateway computers at each hop between the source host and a specified destination host.
• Allows the attacker to determine some basic network topology and determine the location of routers and packet filtering devices.
• As a general rule of thumb, the last host before the live target host is performing routing/packet filtering functions.
• Use of the “-p” switch to specify a specific destination port may allow tracerouting beyond packet filtering devices.

Traceroute

C:\WINDOWS\Desktop>tracert 1.2.61.100
Tracing route to host bb2-web1.xxx.net [1.2.61.100]
  1     3 ms     9 ms     9 ms  Ubergeek [xxx.xxx.xxx.xxx]
  2    70 ms    49 ms    69 ms  gw01.phub.cable.rogers.com [xxx.xxx.82.138]
  3   116 ms    99 ms    99 ms  bb2.gw4.xxx.xxx.net [1.2.60.1]
  4   117 ms   100 ms   100 ms  bb2-gw2-60-22.xxx.net [1.2.60.2]
  6   198 ms   109 ms   110 ms  bb2-fw-2-dmz.xxx.net [1.2.61.1]
  7   237 ms   179 ms   220 ms  bb2-web1.xxx.net [1.2.61.100]
Trace complete.
C:\WINDOWS\Desktop>

XXX.net Network Topology

• With one simple traceroute to a web server, we have determined the basic topology of the XXX.net network.
• Armed with a basic knowledge of network design, we can surmise that:
  a. another firewall is in place between the internal network cloud and the router; and
  b. other possibly vulnerable services and applications (e.g. FTP, databases, e-mail) are running in the DMZ cloud.
• Now that the basic network topology has been resolved, more intrusive methods can be used to footprint other network resources.

Traceroute

• We now have an initial map of the network and an insight into its naming conventions.
• An educated guess and another traceroute yields another firewall.

C:\WINDOWS\Desktop>tracert
Tracing route to host bb2.fw1.xxx.xxx.net [1.2.60.3]
  1     2 ms     6 ms     8 ms  Ubergeek [xxx.xxx.xxx.xxx]
  2    68 ms    47 ms    69 ms  gw01.phub.cable.rogers.com [xxx.xxx.82.138]
  3   111 ms    92 ms   100 ms  bb2.gw4.xxx.xxx.net [1.2.60.1]
  4   123 ms   101 ms   103 ms  bb2.gw2.xxx.xxx.net [1.2.60.2]
  5   138 ms   107 ms   109 ms  bb2.fw1.xxx.xxx.net [1.2.60.3]
Trace complete.
C:\WINDOWS\Desktop>
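The reading of the two traces above can be done mechanically, which is useful when reviewing what your own perimeter gives away. The following parser is an added example, not the briefing's own code: it reads Windows tracert output, applies the slide's rule of thumb that the hop before a reached target is the router or packet filter in front of it, and groups hop addresses into /24 networks. The /24 split is an assumption about segmentation, not something tracert reports. The input is the first trace from the slides, transcribed as constructed sample data; the "xxx" redactions are skipped when grouping.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

RTT = r"(?:<?\d+\s*ms|\*)"   # '3 ms', '2ms', '<1 ms', or '*' for a timed-out probe
HEADER_RE = re.compile(r"Tracing route to (?:host )?(?P<name>\S+) \[(?P<addr>[^\]]+)\]")
HOP_RE = re.compile(
    rf"^\s*(?P<hop>\d+)\s+(?P<r1>{RTT})\s+(?P<r2>{RTT})\s+(?P<r3>{RTT})\s+(?P<rest>.+?)\s*$"
)
REST_RE = re.compile(r"^(?:(?P<name>\S+)\s+)?\[(?P<addr>[^\]]+)\]$")


class Hop(NamedTuple):
    number: int
    rtts: List[Optional[int]]   # None where tracert printed '*'
    name: Optional[str]
    addr: Optional[str]


class Trace(NamedTuple):
    target_name: str
    target_addr: str
    hops: List[Hop]


def _rtt(token: str) -> Optional[int]:
    return None if token == "*" else int(re.sub(r"\D", "", token))


def parse_tracert(text: str) -> Trace:
    """Parse Windows tracert output into a Trace of hops."""
    target_name = target_addr = ""
    hops: List[Hop] = []
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header:
            target_name, target_addr = header["name"], header["addr"]
            continue
        m = HOP_RE.match(line)
        if not m:
            continue                      # prompt, 'Trace complete.', blank lines
        rest = REST_RE.match(m["rest"])
        name = rest["name"] if rest else m["rest"]   # 'Request timed out.' has no [addr]
        addr = rest["addr"] if rest else None
        hops.append(Hop(int(m["hop"]), [_rtt(m[k]) for k in ("r1", "r2", "r3")], name, addr))
    if not target_addr:
        raise ValueError("no 'Tracing route to' header found")
    return Trace(target_name, target_addr, hops)


def probable_filter(trace: Trace) -> Optional[Hop]:
    """The slide's rule of thumb: if the trace reached the target, the hop just
    before it is most likely the router or packet filter in front of it."""
    if len(trace.hops) >= 2 and trace.hops[-1].addr == trace.target_addr:
        return trace.hops[-2]
    return None


def networks(trace: Trace) -> List[str]:
    """Distinct /24 networks along the path, in path order. Treating each hop's
    address as /24 is an assumption for the example; tracert reports no masks."""
    seen: List[str] = []
    for hop in trace.hops:
        try:
            net = str(ipaddress.ip_network(f"{hop.addr}/24", strict=False))
        except ValueError:
            continue                      # e.g. the 'xxx.xxx.82.138' redactions
        if net not in seen:
            seen.append(net)
    return seen


# The first trace from the slides, transcribed as constructed sample input.
SAMPLE_TRACE = r"""
C:\WINDOWS\Desktop>tracert 1.2.61.100
Tracing route to host bb2-web1.xxx.net [1.2.61.100]
  1     3 ms     9 ms     9 ms  Ubergeek [xxx.xxx.xxx.xxx]
  2    70 ms    49 ms    69 ms  gw01.phub.cable.rogers.com [xxx.xxx.82.138]
  3   116 ms    99 ms    99 ms  bb2.gw4.xxx.xxx.net [1.2.60.1]
  4   117 ms   100 ms   100 ms  bb2-gw2-60-22.xxx.net [1.2.60.2]
  6   198 ms   109 ms   110 ms  bb2-fw-2-dmz.xxx.net [1.2.61.1]
  7   237 ms   179 ms   220 ms  bb2-web1.xxx.net [1.2.61.100]
Trace complete.
"""

if __name__ == "__main__":
    t = parse_tracert(SAMPLE_TRACE)
    f = probable_filter(t)
    print("target:", t.target_name, t.target_addr)
    print("probable filter:", f.name if f else "unknown (target not reached)")
    print("networks on path:", networks(t))
```

On the sample, the probable filter comes out as bb2-fw-2-dmz.xxx.net and the path crosses two networks, 1.2.60.0/24 and then 1.2.61.0/24, which is the router segment and DMZ split the XXX.net topology slide draws by eye.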

Firewalking

• Firewalking is a technique that allows an attacker to covertly map the ACLs of packet filtering devices.
• Sends TCP or UDP packets to the packet filter that have a TTL set at one hop greater than the target.
• Should the packet make it through the gateway, it is forwarded to the next hop where the TTL equals zero and the packet is discarded.
• Using this method, the ACL rules of a packet filter can be determined without actually touching any hosts behind the device.

Firewalking – Fire, walk with me…

• In this example, firewalk will scan ports 1-1024 using TCP packets directed at the firewall (1.2.61.1) using the previously mapped host at 1.2.61.100 as a metric.
• The packet filter is found after three hops and firewalk begins scanning using TCP packets with a TTL of 4.
• In this case, the ports shown were allowed by the ACL and passed successfully through the packet filter.

Ubergeek:#firewalk -n -S 1-1024 TCP 1.2.61.1 1.2.61.100
Firewalking through 1.2.61.1 (towards 1.2.60.100) with a maximum of 25 hops.
Ramping up hopcounts to binding host...
probe: 1 TTL: 1 port 33434: [1.2.60.1]
probe: 2 TTL: 2 port 33434: [1.2.60.2]
probe: 3 TTL: 3 port 33434: Bound scan: 3 hops [1.2.61.1]
Scanning...
port 20: open
port 21: open
port 22: open
port 53: open
port 80: open
1027 packets sent, 5 replies received.

• The attacker can therefore surmise in this case that at least one web server, an ssh server and an ftp server are running in the DMZ.
• Armed with this information, the attacker can plan any further actions appropriately.

VisualRoute

Social Engineering

Social engineering is a form of hacking that targets people (wetware) instead of their networks.

The most successful hackers are also successful social engineers, because there is no patch for human stupidity.

Types of social engineering include:
● Tainting Trust
● Dumpster Diving
● Shoulder Surfing
● Proxy Probing


Scanning Techniques & Tools

Techniques –
• Ping sweep
• TCP/UDP port scan
• Stealth scans

Tools –
• Nmap
• SuperScan
• Internet Toolkit
• Hping
• Grim’s Ping

Scanning

Scanning is the process by which the attacker performs bulk target assessment, identifies listening services and locates possible points of ingress. Types of scans include the following:

• Ping Sweep – Attempts to determine which hosts on a network are reachable.
• Vanilla – Attempts to connect to all 65535 ports.
• Stealth – Attempts to connect to ports using various techniques, including half-open connections (FIN/SYN), in order to avoid detection.
• Reflex – Attempts to connect using fragmented packets, XMAS (all TCP flags set) or NULL (no TCP flags set) in order to provoke a specific response.
• Strobe – Attempts to connect to a few known ports.
• UDP – Attempts to locate open UDP ports.
• Horizontal Sweep – Scanning the same port across multiple hosts; the attacker is planning to target a particular service.
• Vertical Sweep – Scanning multiple ports on a single host; the attacker is attempting to locate a vulnerable service.
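From the defender's side, the horizontal and vertical sweeps defined above stand out in firewall or flow logs as soon as probes are grouped by source. The following detector is an added example (not the briefing's code) over constructed log lines in an assumed "src= dst= dport= proto= flags=" key/value format: for each source it counts distinct hosts per port and distinct ports per host, and names the TCP probe style from the flag set using the slide's own definitions of NULL, XMAS, FIN and SYN (half-open) scans.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple

# Assumed log format (constructed for this example): key=value pairs after a timestamp.
LOG_RE = re.compile(
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
    r"(?:\s+flags=(?P<flags>\S*))?"
)


class Event(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str
    flags: str


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append(Event(m["src"], m["dst"], int(m["dport"]),
                                m["proto"].lower(), m["flags"] or ""))
    return events


def classify_tcp_probe(flags: str) -> str:
    """Name the probe style from its TCP flag letters, per the slide's definitions
    (S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST)."""
    f = set(flags.upper())
    if not f:
        return "NULL"                 # no flags set
    if {"F", "P", "U"} <= f:
        return "XMAS"                 # FIN+PSH+URG lit up (the slide's "all flags set")
    if f == {"S"}:
        return "SYN"                  # half-open
    if f == {"F"}:
        return "FIN"
    return "other"                    # e.g. SA, the reply half of a normal handshake


def detect_sweeps(events: List[Event], horizontal_min: int = 5,
                  vertical_min: int = 5) -> Dict[str, dict]:
    """Per source: ports hit on >= horizontal_min distinct hosts (horizontal sweep),
    hosts hit on >= vertical_min distinct ports (vertical sweep), and probe styles."""
    hosts_per_port: Dict[str, Dict[int, set]] = defaultdict(lambda: defaultdict(set))
    ports_per_host: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    styles: Dict[str, Counter] = defaultdict(Counter)
    for e in events:
        hosts_per_port[e.src][e.dport].add(e.dst)
        ports_per_host[e.src][e.dst].add(e.dport)
        if e.proto == "tcp":
            styles[e.src][classify_tcp_probe(e.flags)] += 1
    findings: Dict[str, dict] = {}
    for src in hosts_per_port:
        horizontal = {p: len(h) for p, h in hosts_per_port[src].items() if len(h) >= horizontal_min}
        vertical = {d: len(p) for d, p in ports_per_host[src].items() if len(p) >= vertical_min}
        if horizontal or vertical:
            findings[src] = {"horizontal": horizontal, "vertical": vertical,
                             "probes": dict(styles[src])}
    return findings


# Constructed sample: one source sweeps port 22 across six hosts, another walks six
# ports on one host with no flags set, and a third is an ordinary handshake reply.
SAMPLE_LOG = "\n".join(
    [f"2019-11-01T10:00:{i:02d} src=203.0.113.5 dst=192.0.2.{i} dport=22 proto=tcp flags=S"
     for i in range(1, 7)]
    + [f"2019-11-01T10:01:{i:02d} src=203.0.113.9 dst=192.0.2.10 dport={p} proto=tcp flags="
       for i, p in enumerate((21, 22, 25, 80, 443, 3306))]
    + ["2019-11-01T10:02:00 src=198.51.100.7 dst=192.0.2.10 dport=80 proto=tcp flags=SA"]
)

if __name__ == "__main__":
    for src, info in detect_sweeps(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds are deliberately low for the sample; on a real perimeter they are tuned so that load balancers and monitoring hosts, which legitimately touch one port on many machines, do not trip the horizontal rule.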

NMap (Network Mapper)

NMap is a powerful scanning tool that is available in both *nix and Win32 versions.
● Employs multiple TCP scan facilities (Null, XMAS, FIN, SYN).
● Capable of remote OS fingerprinting.
● Implements specialized stealth scanning techniques (FTP bounce, idle scan, etc.).

Internet Toolkit

One of many similar tools available today, these toolkits are capable of performing simple ping, port and service scans.

Although quite functional, the scanning techniques utilized by Internet Toolkit and similar scanning tools (e.g. SuperScan) are quite noisy.

Tools such as this are popular with skiddies as they are easy to use and readily available.

SuperScan

SuperScan is a scanning tool available free from Foundstone. In addition to its scanning ability, SuperScan incorporates an automated banner grabbing facility (banner grabbing will be discussed later).

HPing

Hping is a very powerful command line based packet crafting tool that allows the user to craft packets of virtually any type desired.
• Firewall testing
• Advanced port scanning
• Network testing, using different protocols, TOS, fragmentation
• Manual path MTU discovery
• Advanced traceroute, under all the supported protocols
• Remote OS fingerprinting
• Remote uptime guessing
• TCP/IP stacks auditing

HPing

The latest stable release of HPing has implemented a scanning function. Even in scanning mode, it is possible to utilize most of the tool’s functionality.

# hping2 --scan known 192.168.1.103
Scanning 192.168.1.103 (192.168.1.103), port known
245 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   9 discard    : .S..A...  64     0 32767    44
  13 daytime    : .S..A...  64     0 32767    44
  21 ftp        : .S..A...  64     0 32767    44
  22 ssh        : .S..A...  64     0 32767    44
  25 smtp       : .S..A...  64     0 32767    44
  37 time       : .S..A...  64     0 32767    44
  80 www        : .S..A...  64     0 32767    44
 111 sunrpc     : .S..A...  64     0 32767    44
 113 auth       : .S..A...  64     0 32767    44
 631 ipp        : .S..A...  64     0 32767    44
3306 mysql      : .S..A...  64     0 32767    44
6000 x11        : .S..A...  64     0 32767    44
6667 ircd       : .S..A...  64     0  3072    44
All replies received. Done.
No responding ports:

Grim’s Ping – A Weapon of Mass Distribution

• Scans en masse for live hosts, FTP and web proxy servers.
• Capable of TCP SYN port scanning.
• Scans for FTP public shares (pubs).
• Plug-ins (Ping Companion, etc.) add even more functionality.


Enumeration

Definition of Enumeration: A mathematical set with a total ordering and no infinite descending chains. A total ordering "<=" satisfies x <= x; x <= y <= z => x <= z; x <= y <= x => x = y; and for all x, y, x <= y or y <= x. In addition, if a set W is well-ordered then all non-empty subsets A of W have a least element, i.e. there exists x in A such that for all y in A, x <= y.

Fortunately, man invented computers and quickly discovered that mathematics was no longer necessary.

Definition of Enumeration: Enumeration refers to the process by which the attacker makes use of more intrusive probing in order to identify resource shares, user accounts, operating systems and applications associated with the targeted network.

Enumeration Techniques & Tools

Techniques –
• List user accounts
• List file shares
• Application/OS identification

Tools –
• Telnet
• Netcat
• SuperScan
• NAT
• NMap
• p0f
• VisualRoute

Banner Grabbing

Banner Grabbing – Telnet
• Telnet may be utilized as a rudimentary tool to grab server banners.
• This is accomplished by opening a telnet session to the service you wish to enumerate.
• A successful telnet session should yield the server’s banner.

In the example above, telnetting into a web server on port 80 reveals that the server is running Microsoft IIS v5.0.

Banner Grabbing - Netcat

• The much vaunted TCP/IP “Swiss Army Knife”; every network security professional should have Netcat in their toolbox.
• Useful for creating custom stimuli using “nudge files” to capture more information in a banner reply than would normally be provided.
• Armed with RFCs and a working knowledge of TCP based protocols, “nudge file” creation is easily accomplished using a standard text editor.

Ubergeek:#nc -vv 10.1.1.1 80 < /home/usr/bin/nudge.txt

A nudge file consists of a couple of hard carriage returns at a minimum; the nudge file is redirected to the netcat command's stdin using a “hoinkie” (the < redirection operator) as demonstrated above. Netcat is a powerful tool with many uses – this demonstrates just one of them; you are highly encouraged to experiment with netcat further in your lab environment.
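A minimal re-creation of what the nc command above does, as an added example rather than the briefing's code: a throwaway HTTP-style responder on loopback (constructed for the example; its Server header borrows the product names reported on the VisualRoute slide) and a client that sends the nudge bytes and collects the reply. Run with an empty nudge the client gets nothing back, which is the whole reason the nudge file exists; pointed at your own services the same client shows exactly what version string they hand to anyone who asks.

```python
import socket
import threading
from typing import List, Optional

# Constructed stand-in for the service under review: an HTTP-style responder
# whose Server header mirrors the product names on the VisualRoute slide.
# Like a real HTTP server it answers only after it has seen the blank line that
# ends a request, which is exactly what the nudge file's carriage returns supply.
FAKE_REPLY = (
    b"HTTP/1.0 400 Bad Request\r\n"
    b"Server: Apache/1.3.27 (Unix) mod_throttle/3.1.2 mod_perl/1.26\r\n"
    b"Connection: close\r\n\r\n"
)


def start_fake_http_server() -> int:
    """Listen on an ephemeral loopback port, serve in a daemon thread, return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)

    def serve() -> None:
        while True:
            conn, _ = listener.accept()
            with conn:
                conn.settimeout(5)
                buf = b""
                try:
                    while b"\r\n\r\n" not in buf and b"\n\n" not in buf:
                        chunk = conn.recv(1024)
                        if not chunk:          # client gave up without a request
                            break
                        buf += chunk
                    else:
                        conn.sendall(FAKE_REPLY)   # request terminator seen: answer
                except socket.timeout:
                    pass                        # stayed silent, as a quiet service would

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def grab_banner(host: str, port: int, nudge: bytes = b"\r\n\r\n", timeout: float = 1.0) -> str:
    """What `nc -vv host port < nudge.txt` does: connect, send the nudge, then read
    until the service closes the connection or goes quiet for `timeout` seconds."""
    chunks: List[bytes] = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if nudge:
            s.sendall(nudge)
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass                                # no banner forthcoming
    return b"".join(chunks).decode("latin-1")


def server_header(banner: str) -> Optional[str]:
    """Pull the Server: line out of an HTTP reply, or None if there is none."""
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None


if __name__ == "__main__":
    port = start_fake_http_server()
    print("with nudge:   ", server_header(grab_banner("127.0.0.1", port)))
    print("without nudge:", repr(grab_banner("127.0.0.1", port, nudge=b"")))
```

The nudge is two CRLF pairs because that is what terminates an (empty) HTTP request; other protocols need other stimuli, which is the point the slide makes about reading the RFC before writing the nudge file.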

Banner Grabbing - VisualRoute

• VisualRoute is capable of performing banner grab enumeration of targeted hosts.
• By directing traces at a specific port, useful information may be obtained about the target.
• In this case, the trace was directed at port 80 on the target host.
• VisualRoute has determined that the target is an Apache 1.3.27 http server with mod_throttle 3.1.2 and mod_perl 1.26 installed, running on Unix.

Banner Grabbing - SuperScan

In addition to its scanning ability, SuperScan is able to grab banners from a targeted network. This feature allows the attacker to perform banner grab enumeration en masse. In this case, the scanner has captured the banner of the target’s SMTP server.

p0f - Passive OS Fingerprinting

P0f is a passive OS fingerprinting tool. It runs in the background and sniffs traffic on the wire. The packet’s parameters are compared against fingerprint tables and the program makes a “best guess” regarding the OS type in real time.

OS Fingerprinting

OS         Version   Platform      TTL      Window        DF   TOS
Free BSD   3.x       Intel         64       17520         Y    16
Open BSD   2.x       Intel         64       17520         N    16
Linux      2.2       Intel         64       32120         Y    0
Solaris    8         Intel/SPARC   64       24820         Y    0
Windows    9x/NT     Intel         32/128   5000-9000     Y    0
Windows    2000      Intel         128      17000-18000   Y    0

• TTL (Time To Live)
  Time to live is a value in an IP packet that communicates to a network router whether or not the packet has been on the network too long and should be discarded.

• Window
  Window size is the amount of outstanding (unacknowledged by the recipient) data a host can transmit on a single network connection before it receives an acknowledgement from the destination host.

• DF (Don’t Fragment Bit)
  Located in bit two of an IP header’s sixth octet; the DF bit, if set, indicates that the packet is not to be fragmented.

• TOS (Type of Service Byte)
  The TOS byte is used for internet service quality selection. Various fields within the byte specify parameters for precedence, delay, throughput, and reliability.
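The table and the four field definitions above are enough to implement the matching step that p0f performs on each SYN it sniffs. The following is an added example, not p0f's code and not the briefing's: it transcribes the slide's signature table, infers a packet's initial TTL from the observed value (a sender starts at one of the common defaults 32, 64, 128 or 255 and every router decrements it once, so the distance also falls out), and scores an observation's TTL, window, DF and TOS against every signature, returning ties together rather than picking one at random. The observations in the test are constructed.

```python
from typing import List, NamedTuple, Tuple


class Signature(NamedTuple):
    os: str
    version: str
    platform: str
    initial_ttls: Tuple[int, ...]   # '32/128' on the slide becomes (32, 128)
    window: Tuple[int, int]         # inclusive range; single values become (v, v)
    df: bool                        # Don't Fragment bit set
    tos: int


# The slide's OS fingerprinting table, transcribed.
SIGNATURES = [
    Signature("FreeBSD", "3.x", "Intel", (64,), (17520, 17520), True, 16),
    Signature("OpenBSD", "2.x", "Intel", (64,), (17520, 17520), False, 16),
    Signature("Linux", "2.2", "Intel", (64,), (32120, 32120), True, 0),
    Signature("Solaris", "8", "Intel/SPARC", (64,), (24820, 24820), True, 0),
    Signature("Windows", "9x/NT", "Intel", (32, 128), (5000, 9000), True, 0),
    Signature("Windows", "2000", "Intel", (128,), (17000, 18000), True, 0),
]

# Common starting values; the table's TTL column is what the stack starts with,
# not what arrives after the packet has crossed some routers.
INITIAL_TTLS = (32, 64, 128, 255)


class Observation(NamedTuple):
    ttl: int          # TTL as seen on the wire
    window: int       # advertised TCP window
    df: bool          # DF bit set
    tos: int          # TOS byte


def initial_ttl(observed: int) -> int:
    """Each router decrements TTL by one, so the sender's starting value is the
    smallest common default at or above what arrived (assumes fewer than 32 hops)."""
    if not 0 < observed <= 255:
        raise ValueError(f"invalid TTL {observed}")
    return next(t for t in INITIAL_TTLS if observed <= t)


def hops_away(observed: int) -> int:
    """Distance estimate that follows from the same assumption."""
    return initial_ttl(observed) - observed


def score(sig: Signature, obs: Observation) -> int:
    """Number of the four fields that agree (0-4); TTL is compared on the inferred initial value."""
    return (
        int(initial_ttl(obs.ttl) in sig.initial_ttls)
        + int(sig.window[0] <= obs.window <= sig.window[1])
        + int(sig.df == obs.df)
        + int(sig.tos == obs.tos)
    )


def guess_os(obs: Observation) -> Tuple[int, List[str]]:
    """Best score and every 'OS version' label that reached it: the 'best guess'
    p0f reports, with ties kept visible instead of resolved arbitrarily."""
    scored = [(score(sig, obs), sig) for sig in SIGNATURES]
    best = max(s for s, _ in scored)
    return best, [f"{sig.os} {sig.version}" for s, sig in scored if s == best]


if __name__ == "__main__":
    syn = Observation(ttl=52, window=17520, df=True, tos=16)   # constructed
    print(f"initial TTL {initial_ttl(syn.ttl)}, about {hops_away(syn.ttl)} hops away")
    print(guess_os(syn))
```

A 4/4 match on a single SYN is only as good as the table: the window values above are tied to specific stack versions, and a TTL that is itself within 32 of a default is ambiguous, which is why p0f-style tools carry far larger tables and keep scoring over many packets.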

NMap – Active OS Fingerprinting

• NMap has the capability to fingerprint a remote host’s operating system, allowing the attacker to enumerate the target’s OS.
• Unlike p0f, NMap performs active OS fingerprinting by sending unusual and invalid TCP packets to the target host, then monitors the wire for the target host’s responses.
• In this case, NMap correctly enumerated the target’s OS as a Linux 2.4 x86 distro.

Building Your Lab – Because there’s no place like /home

Why build a personal lab? Continuing professional development is a necessary evil. This process can be greatly enhanced if one has access to a personal computer lab.

Maintaining a personal lab also provides excellent bullets for performance reviews and résumés. Besides, building a lab is easy and fun – and the ladies dig guys with computer labs!

Building Your Lab

Constructing a lab is a fairly easy process and can be accomplished utilizing two methods:

a. hard network: one or more actual hosts connected through a crossover cable or switch/routing device; or
b. soft network: a single host running virtual machines (this is the preferred configuration).

In either case, it is highly recommended that the lab network be contained as a standalone implementation vice being connected to a live network.

My Lab Configuration – “Arda”

• PALANTIR is connected to the wire via a hub and a receive-only CAT5 cable.
• PALANTIR is isolated from the lab network by MORANNON; the firewall is only opened when necessary to transfer files from PALANTIR.
• MELKOR serves as the primary analysis station and attack platform; this host is directly connected to SAURON with a CAT5 crossover cable.
• In addition to its native environment, SAURON is capable of running multiple VMWare virtual machines to simulate larger networks.
• GOLLUM is a standalone host utilized for malware analysis running a VMWare Player virtual machine.

Yes, the naming convention theme was inspired by the Tolkien legendarium and yes, I am a Geek…

Building Your Lab - KVM Switch

• Should you choose a hard or hard/soft combo configuration for your lab network, multiple input/display devices are not necessary. KVM switches allow you to use a single keyboard, mouse and video display with multiple hosts.

Building Your Lab - VMWare Player

• Run any single virtual machine.
• Real to virtual machine copy/paste and drag/drop.
• Multiple networking options.
• 32 and 64 bit OS support.
• User adjustable memory management.
• Easily and safely evaluate applications distributed in virtual machines without any installation or configuration.

VMware Player is a free download from the VMWare website. Although this version supports only one virtual machine and lacks the facility to generate virtual machine images, this distro is adequate for most purposes where only a single target is required. http://www.vmware.com/products/player/

Building Your Lab - Linux LiveCD Distros

• A LiveCD is an OS distro stored on a bootable CD-ROM that can run without installation on a hard drive.
• Loads necessary system files into a RAM disk.
• The system returns to its previous OS/state when the LiveCD is ejected and the computer is rebooted.
• Knoppix based distros can set up a “Persistent Home Directory” on a Thumb Drive for storage and retrieval of files.

Building Your Lab - Linux LiveCD Distros

General Toolkits:
Knoppix STD (Security Tools Distribution) http://www.knoppix-std.org/
P.H.L.A.K. (Professional Hacker’s Linux Assault Kit) http://www.phlak.org/modules/news/

Forensic Toolkits:
Helix http://www.e-fense.com/helix/
PSK (Penguin Sleuth Kit) http://www.linux-forensics.com/

Pen-Testing Toolkits:
KCPentrix http://kcpentrix.net/
WHAX ftp://ftp.belnet.be/packages/whoppix/whax-3.0-200705.iso

Building Your Lab - Malware Analysis Tools

• All malware analysis should take place on a standalone host, preferably one running a virtual machine.
• Once analysis is complete, the VM image can simply be reloaded.
• Several free analysis tools are available from various sources on the internet.

Building Your Lab - Malware Analysis Tools

Autoruns – Displays programs configured to run during system bootup or login. http://www.sysinternals.com/Utilities/Autoruns.html
Ethereal – Packet capture & protocol analysis. http://www.ethereal.com
Filemon – Displays file system activity on a system in real-time. http://www.sysinternals.com/Utilities/Filemon.html
ListDLLs – Displays which DLLs are loaded. http://www.sysinternals.com/Utilities/ListDlls.html
Ollydbg – Assembler level analysing debugger. http://www.ollydbg.de/
RegMon – Displays Registry activity in real time. http://www.sysinternals.com/Utilities/Regmon.html
Rootkit Revealer – Detects registry and API anomalies. http://www.sysinternals.com/Utilities/RootkitRevealer.html
VICE
WinDump/TCPDump – Pcap (sniffer) tools. http://www.winpcap.org/windump http://www.tcpdump.org/

Building Your Lab - Compilers, Debuggers & Decompilers

Most exploits are made available as source code and will have to be compiled in order to be made executable; executable exploits can be decompiled and the recovered code analyzed. An excerpt of exploit source, as shown on the slide:

    #include <stdio.h>
    #include <winsock2.h>
    #pragma comment(lib, "ws2_32")

    // Used to find the ASM code
    #define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90\
                       __asm _emit 0x90 __asm _emit 0x90\
                       __asm _emit 0x90 __asm _emit 0x90\
                       __asm _emit 0x90 __asm _emit 0x90
    #define PROC_END PROC_BEGIN
    #define SEARCH_STR "\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    #define SEARCH_LEN 8
    #define MAX_SC_LEN 2048
    #define HASH_KEY 13

    // Define Decode Parameter
    #define DECODE_LEN 21
    #define SC_LEN_OFFSET 7
    #define ENC_KEY_OFFSET 11
    #define ENC_KEY 0xff

    // Define Function Addr
    #define ADDR_LoadLibraryA [esi]
    #define ADDR_GetSystemDirectoryA [esi+4]

Building Your Lab - Compilers

Bloodshed      C/C++ IDE (Integrated Development Environment)   http://bloodshed.net
Digital Mars   C/C++ compiler                                    http://digitalmars.com
MinGW32        C/C++/ObjC compiler                               http://mingw.org
Open Watcom    C/C++ compiler                                    http://openwatcom.org

Decompilers

REC                  Multi format binary decompiler                  http://www.backerstreet.com/rec/rec.htm
CHM Encoder          MS compiled HTML Help Format (CHM) decompiler   http://www.gridinsoft.com/chm.php
DJ Java Decompiler   Java decompiler                                 http://mingw.org

Building Your Lab - Metasploit Framework

The Metasploit Framework is an open source computer security tool for developing and executing exploit code against a remote target machine. The Framework is easily implemented on a Windows host and incorporates a web interface for ease of use; this makes it an ideal tool for the neophyte to utilize in a lab environment. http://www.metasploit.com

“The Metasploit Framework. Point. Click. Pwn.”

Building Your Lab - Reference Material

“The more you read, the more you learn and the less your adversary will know.” Sun Tzu, Chinese General, “The Art of War”, c. 500 B.C.E.

Reference material can be a valuable asset to the InfoSec professional, both in the lab and in the workplace.
• Many InfoSec related titles are available from both the public and CIRT libraries.
• Deeply discounted computer books can be purchased at any “Computer Books for Less” outlet in the Ottawa area.

Words of Wisdom

“Know the enemy and know yourself and you need not fear the result of a hundred battles…” Sun Tzu, Chinese General, “The Art of War”, c. 500 B.C.E.

Fight the Networks, Neo!

Questions

Forsooth, thus endeth the brief…

Questions?

Acknowledgments

Mr. John Ronald Reuel Tolkien
For the damned good reads and the inspiration for my lab’s naming convention. Yessss – my lab – my preciousssss. http://www.tolkien.co.uk/frame_nf.htm

Mr. J.D. “Iliad” Frazer
For his kind permission to use “User Friendly” cartoons in my briefs. http://www.userfriendly.org

My Friends
For continuing to support my delusions of grandeur – as long as the cheques continue to clear.

Hacking Exposed, McGraw-Hill Publishing http://www.foundstone.com
Inside Network Perimeter Security, Sams Publishing http://www.samspublishing.com
Infosec Career Hacking, Syngress Press http://www.syngress.com
Intrusion Signatures and Analysis, Sams Publishing http://www.samspublishing.com
Network Intrusion Detection, Sams Publishing http://www.samspublishing.com
