
Kiniti Patrick

Today's Presentation: Internet Security Hacking & Penetration Testing

Motivation
Hacking Explored
Why Hack?
Penetration Testing Motives

Hacking Outline

Internet Footprinting

Internet Footprinting Outline

- Review publicly available information
- Perform network reconnaissance
- Discover landscape
- Determine vulnerable services

Landscape discovery

- Ping sweep: find out which hosts are alive
  - nmap, fping, gping, SuperScan, etc.
- Port scans: find out which ports are listening
  - Don't set up a full connection, just send a SYN
  - Netcat (can be run in encrypted mode: cryptcat)
  - nmap advanced options:
    - XMAS scan sends a packet with all the TCP options (flags) set
    - Source port scanning sets the source port (e.g., port 88 to scan Windows systems)
    - Time delays
- Banner grab & O/S guess
  - telnet, ftp, netcat, nmap
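An added detection example, not from the slides: given a handful of constructed connection records (the key=value line format is an assumption, not any real firewall's log format), it flags the three scan styles this slide lists, bare-SYN sweeps, XMAS probes, and scans that pin the source port to 88.

```python
import re
from collections import defaultdict

# Constructed sample records (not real traffic); one line per packet seen.
SAMPLE_LOG = """\
src=10.0.0.5 sport=40001 dst=10.0.0.20 dport=22 flags=S
src=10.0.0.5 sport=40002 dst=10.0.0.20 dport=80 flags=S
src=10.0.0.5 sport=40003 dst=10.0.0.20 dport=139 flags=S
src=10.0.0.5 sport=40004 dst=10.0.0.20 dport=445 flags=S
src=10.0.0.5 sport=40005 dst=10.0.0.20 dport=3389 flags=S
src=10.0.0.7 sport=51000 dst=10.0.0.20 dport=445 flags=FPU
src=10.0.0.9 sport=88 dst=10.0.0.20 dport=135 flags=S
src=10.0.0.9 sport=88 dst=10.0.0.20 dport=139 flags=S
src=10.0.0.9 sport=88 dst=10.0.0.20 dport=445 flags=S
src=10.0.0.9 sport=88 dst=10.0.0.20 dport=1433 flags=S
src=10.0.0.11 sport=52000 dst=10.0.0.20 dport=80 flags=S
src=10.0.0.11 sport=52000 dst=10.0.0.20 dport=80 flags=A
"""

LINE_RE = re.compile(r"src=(\S+) sport=(\d+) dst=(\S+) dport=(\d+) flags=(\w*)")

def parse(log):
    """Yield (src, sport, dst, dport, flag set) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), set(flags)

def detect_scans(log, syn_threshold=4, privileged_port=88):
    """Return findings as (kind, source, detail) tuples."""
    findings = []
    syn_ports = defaultdict(set)     # src -> distinct dports hit with a bare SYN
    fixed_sport = defaultdict(set)   # (src, sport) -> dports, for source-port scans
    for src, sport, dst, dport, flags in parse(log):
        if flags == {"F", "P", "U"}:           # FIN+PSH+URG: the XMAS probe
            findings.append(("xmas", src, dport))
        if flags == {"S"}:                     # half-open probe, no handshake
            syn_ports[src].add(dport)
            fixed_sport[(src, sport)].add(dport)
    for src, ports in syn_ports.items():
        if len(ports) >= syn_threshold:
            findings.append(("syn_sweep", src, len(ports)))
    for (src, sport), ports in fixed_sport.items():
        # Many ports probed from one fixed, trusted-looking source port (88).
        if sport == privileged_port and len(ports) >= 2:
            findings.append(("source_port_trick", src, sport))
    return findings
```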

Hacking Windows

Hacking Windows outline

1. Scan
2. Enumerate
3. Penetrate
4. Escalate
5. Pillage
6. Get interactive
7. Expand influence

Scanning Windows

Port scan, looking for what's indicative of Windows:
- 88 Kerberos
- 139 NetBIOS (broadcast scans)
- 445 SMB/CIFS
- 1433 SQL Server
- 3268, 3269 Active Directory
- 3389 Terminal Services

Trick: scan from source port = 88 to find IPSec-secured systems

Enumerating Windows

So, what is enumeration? Enumeration is a fancy term for listing and identifying the specific services and resources that are offered by a target.

- System accounts are tracked by their SIDs
- Need to escalate to Administrator to have any real power
- Tools
  - userdump enumerates users on a host
  - sid2user & user2sid translate account names and SIDs on a host
- SAM
  - RID at the end of the SID identifies the account type; RID = 500 is the admin account
  - Contains usernames, SIDs, RIDs, hashed passwords
  - Local accounts are stored in the local SAM; domain accounts are stored in Active Directory (AD)
- Trusts
  - Can exist between AD domains
  - Allows accounts from one domain to be used in ACLs on
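An added example, not part of the original deck: a small parser for the textual SID format the slide describes. It pulls the trailing RID out of a machine/domain SID and labels RID 500 as the built-in Administrator regardless of what the account has been renamed to, which is exactly why sid2user/user2sid style enumeration works. The sample SIDs are constructed, and the RID labels beyond 500 come from public Microsoft documentation, not from the slides.

```python
import re

# Well-known RIDs of built-in accounts. The slide cites only 500 (Administrator);
# 501 (Guest) and 502 (krbtgt) are added from public Microsoft documentation.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-(\d+)(?:-\d+)+$")

def parse_sid(sid):
    """Split a textual SID into (identifier authority, list of sub-authorities)."""
    if not SID_RE.match(sid):
        raise ValueError("not a well-formed SID: %r" % sid)
    parts = sid.split("-")[2:]          # drop the leading "S" and revision "1"
    return int(parts[0]), [int(p) for p in parts[1:]]

def classify_account(sid):
    """Return (RID, label). Machine and domain accounts live under the NT
    authority (5) with a 21-x-y-z machine/domain identifier; the last
    sub-authority is the RID that identifies the individual account."""
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) < 2 or subs[0] != 21:
        return None, "not a machine/domain account SID"
    rid = subs[-1]
    if rid in WELL_KNOWN_RIDS:
        return rid, "built-in " + WELL_KNOWN_RIDS[rid]
    if rid >= 1000:                     # RIDs below 1000 are reserved by Windows
        return rid, "user-created account"
    return rid, "other well-known/built-in RID"

def domain_identifier(sid):
    """The machine/domain part shared by every account in that SAM or domain.
    Renaming the Administrator account changes nothing here: the RID stays 500."""
    _, subs = parse_sid(sid)
    return "-".join(str(s) for s in subs[:-1])
```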

Escalating privileges in Windows

- getadmin
- getad
- getad2
- pipeupadmin
- Shatter
  - Yields system-level privileges
  - Works against Windows Server 2003

Pillaging Windows

- Clear logs
  - Some IDSs will restart auditing once it's been disabled
- Grab hashes
  - Remotely with pwdump3
  - Backup SAM: c:\winnt\repair\sam._
- Grab passwords
  - Sniff SMB traffic
- Crack passwords
  - L0phtcrack
  - John the Ripper

Getting interactive with Windows

- Copy rootkit over a share
- Hide rootkit on the target server
  - Low-traffic area such as winnt\system32\OS2\dll\toolz
  - Stream tools into files
- Remote shell
  - remote.exe (resource kit tool)
  - Netcat backdoor (easy to spawn a remote shell)
- How to fire up the remote listener?
  - Trojan
  - Schedule it for remote execution: at scheduler
  - Psexec

Hacking Unix/Linux

Discover landscape

Goals
- Discover available hosts
- Find all running services

Methodology
- ICMP and TCP ping scans
- Find listening services with nmap and udp_scan
- Discover paths with ICMP, UDP, TCP

Tools
- nmap
- SuperScan (Windows)
- udp_scan (more reliable than nmap for UDP scanning)

Enumerate (list) services

- Users: finger, SMTP vrfy
- DNS info: dig
- RPC services: rpcinfo
- NFS shares: showmount

Countermeasures
- Turn off unnecessary services, or
- Block IP addresses with router ACLs

Attack remotely

3 primary methods:
- Exploit a listening service
- Route through a system with 2 or more interfaces
- Get a user to execute it for you

Brute-force against a service
- Countermeasure: strong passwords, hide user names

Trojans
- Hostile web site

Buffer-overflow attack
- Overflow the stack with machine-dependent code (assembler)
- Usually yields a shell; shovel it back with netcat
- Prime targets: programs that run as root or suid
- Countermeasures
  - Disable stack execution
  - Code reviews
  - Limit root and suid programs

Get beyond root

- Map the network (own more hosts)
- Install rootkit
  - Creating backdoors
  - Sniff other traffic
  - Countermeasures
    - Encrypt all traffic
    - Switched networks (not a panacea)
- Clear logs
- Session hijacking

Penetration Testing

Goals Of This Presentation

- An overview of how Vulnerability Assessment (VA) & Penetration Testing (PT) is done
- Defining the scope of the assessment
- Types of Penetration Testing
- A brief understanding of ICMP usage in footprinting
- How vulnerabilities are scanned and exploited
- What the end results are
- What a Penetration Testing Report should contain

Acronyms:
- VA: Vulnerability Assessment
- PT: Penetration Testing
- DOS: Denial of Service
- DDOS: Distributed Denial of Service

Difference Between Vulnerability Assessment and Penetration Testing

Vulnerability Assessment (VA)

In this case the security auditor only has to scan for the vulnerabilities in the server or application and filter out the false positives from the scan output by mapping them against the actual vulnerabilities associated with the target host.

VA scope includes:
- The VA test can be done both internally and externally
- No vulnerabilities are exploited
- No dangerous attacks like DOS and buffer overflow attacks are used
- Automated vulnerability scanning tools like Nessus, Retina or ISS are used

Penetration Testing (PT)

In this case the security auditor or penetration tester not only has to scan for the vulnerabilities in the server or application but also has to exploit them to gain access to the remote server.

PT scope includes:
- The PT test is done both internally and externally
- Vulnerabilities are exploited
- Dangerous attacks like DOS and buffer overflow attacks are used, depending upon the customer's willingness to do so

Types Of Penetration Testing

Black Box Penetration Testing
- Pen tester has no previous knowledge of the remote network
- Only the company name or the IP address is known
- Simulation of real-world hacking by a hacker who has no knowledge of the remote network environment (e.g., operating system running, applications running, device type, network topology, etc.)

White Box Penetration Testing
- Pen tester is provided with significant knowledge of the remote network:
  - Type of network devices (e.g., Cisco gear, TCP/IP)
  - Web server details (e.g., Apache/*nix or Apache/Win2k)
  - Operating system type (e.g., Windows/*nix)
  - Database platform (e.g., Oracle or MS SQL)
  - Load balancers (e.g., Alteon)
  - Firewalls (e.g., Cisco PIX), etc.
- Simulation of an attack by a hacker who has a detailed

Scope Of Penetration Testing

Non-Destructive Test
- Scans the remote hosts for possible vulnerabilities
- Analyze and confirm the findings
- Map the vulnerabilities to proper exploits
- Exploit the remote system with proper care to avoid disruption of service
- No highly critical Denial of Service (DoS) attack is tried

Destructive Test
- Scans the remote hosts for possible vulnerabilities
- Analyze and confirm the findings
- Map the vulnerabilities to proper exploits
- All highly critical Denial of Service (DoS) attacks (e.g., buffer overflows) are tried

Penetration Testing Attack Tree

(Diagram in the original deck; its nodes, in order:)
- Information Gathering
- Fingerprinting or Footprinting
- Network Surveying
- Port Scanning and Services Identification
- Evading Firewall Rules
- Automated Vulnerability Scanning
- Exploiting for Known Vulnerabilities
- Remote Services
- Web-Based Authentication
- Password Cracking / Brute Forcing
- Escalation of Privileges (Gaining Remote Shell)
- Denial of Service Testing
- Reviewing Logs and Generating Final Report with Remediation & Workarounds

1. Information Gathering

This is the first step for any remote host penetration testing. Here the pen-tester tries to gather maximum information on the remote host to make the attack more precise.

Expected results:
- Zone transfer information
- Domain registration information
- Email IDs
- IP address range

Sample screenshot: server queried for zone-transfer info (screenshot in the original deck)

1. Information Gathering (Contd)

Sample screenshot: information gathered from zone-transfer info (screenshot in the original deck)

2. Footprinting / Fingerprinting

In this step, information like the web server and OS type running on the remote host is gathered to further refine the attack.

Expected results:
- Remote server OS type
- Remote server web-server type
- Applications running on the remote server

Sample screenshot: banner displaying OS, application & web server details (screenshot in the original deck)

Footprinting (contd)

- ICMP usage
- UDP scanning
- IP fragmentation
- MTU usage

Advanced Host Detection

The advanced host detection methods rely on the idea that we can use various methods in order to elicit an ICMP error message back from a probed machine and discover its existence. Some of the methods discussed are:
- Mangling IP headers
  - Header Length field
  - IP Options field
- Using non-valid field values in the IP header
- Using valid field values in the IP header
- Abusing fragmentation
- The UDP scan host detection method

UDP Scans: The Usual Approach

UDP datagram -> destination port is closed -> ICMP Destination Unreachable / Port Unreachable (Type 3, Code 3)

UDP Scans: The Usual Approach

How can we determine if a host is alive using a UDP probe?

We use the UDP scan method, which uses the ICMP Port Unreachable error message that may be generated by probed hosts as an indicator of live hosts. If we have sent the datagram to a closed UDP port we will receive an ICMP Port Unreachable error message. If the port is open, we will not receive any reply.

When a filtering device is blocking UDP traffic aimed at the attacked machine, it mimics the behaviour pattern of open UDP ports. If we probe a large number of UDP ports on the same host and do not receive a reply from a large number of ports, it would look as though a large number of the probed UDP ports are open, while in fact a filtering device is probably blocking the traffic and nearly all of the ports are closed.
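An added example (not from the slides) that encodes the reasoning on this slide: per-port verdicts from a UDP probe, plus the sanity check that a host where nearly every probed port is silent is more likely behind a filter than running dozens of UDP services. The reply vocabulary and sample results are constructed for the example.

```python
from collections import Counter

# Reply kinds recorded per probed port (constructed vocabulary for this example):
#   "port_unreach" = ICMP type 3 code 3, "none" = no reply before the timeout,
#   "udp" = an application-level UDP reply, anything else = another ICMP unreachable.
def classify_port(reply):
    """nmap-style verdict for one UDP probe."""
    if reply == "port_unreach":
        return "closed"
    if reply == "udp":
        return "open"
    if reply == "none":
        return "open|filtered"    # silence is ambiguous: open port or a filter
    return "filtered"             # e.g. ICMP unreachable codes 1, 2, 9, 10, 13

def assess_host(results, silent_ratio=0.9):
    """results: {port: reply}. Returns (alive, per-port verdicts, summary note).
    Any reply at all proves the host is up. When nearly every probed port is
    silent, the honest reading is 'filtered', not 'almost everything is open'."""
    verdicts = {port: classify_port(reply) for port, reply in results.items()}
    counts = Counter(verdicts.values())
    alive = any(reply != "none" for reply in results.values())
    n = len(results)
    if n and counts["open|filtered"] / n >= silent_ratio:
        note = "likely filtered: %d/%d probes unanswered" % (counts["open|filtered"], n)
    else:
        note = "%d closed, %d open, %d open|filtered" % (
            counts["closed"], counts["open"], counts["open|filtered"])
    return alive, verdicts, note

# Constructed sample scans (not real data).
UNFILTERED_HOST = {53: "udp", 123: "none", 161: "none", 500: "port_unreach",
                   1000: "port_unreach", 1001: "port_unreach", 1002: "port_unreach"}
FILTERED_HOST = {port: "none" for port in range(1000, 1020)}
FILTERED_HOST[53] = "udp"   # the one service the firewall lets through
```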

IP Fragmentation

Tools for remote host detection:
- Nmap
- Xprobe

IP Fragmentation: ACL detection

IPv4 header (bit positions 0, 4, 8, 16, 31; 20 bytes without options):
  4-bit version | 4-bit header length | 8-bit type of service | 16-bit total length (in bytes)
  16-bit identification | 3-bit flags | 13-bit fragment offset
  8-bit time to live (TTL) | 8-bit protocol (TCP) | 16-bit header checksum
  32-bit source IP address
  32-bit destination IP address
  Options (if any)

IP data field: TCP header (first 12 bytes shown):
  16-bit source port | 16-bit destination port
  32-bit sequence number
  4-bit data offset | 6-bit reserved | URG ACK PSH RST SYN FIN | 16-bit window

We can divide the first packet of the TCP handshake into two fragments. We would put enough TCP information in the first fragment to verify the packet against the firewall's rule base (this means the port numbers we are using are included in the packet). We will not send the second part of the packet, forcing any host that gets such a packet to send us back an ICMP Fragment Reassembly Time Exceeded error message when the time for reassembly is exceeded.

IP Datagrams with non-valid field value: The Protocol Field Example

    [root@techmaxkenya]# nmap -vv -sO 192.168.1.1

    Starting nmap V. 2.54BETA1 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Host  (192.168.1.1) appears to be up ... good.
    Initiating FIN,NULL, UDP, or Xmas stealth scan against  (192.168.1.1)
    The UDP or stealth FIN/NULL/XMAS scan took 4 seconds to scan 254 ports.
    Interesting protocols on  (192.168.1.1):
    (The 250 protocols scanned but not shown below are in state: closed)
    Protocol   State   Name
    1          open    icmp
    2          open    igmp
    6          open    tcp
    17         open    udp

    Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds

IP Datagrams with bad IP headers: ACL detection

Bad IP options / bad header length / bad total length -> ICMP Parameter Problem error message (Type 12, Code 0/2)

What if we are using the ICMP protocol as the protocol embedded inside our crafted probe, and we do not get any reply? Possible explanations:
- The filtering device disallows datagrams with the kind of bad field we are using.
- The filtering device is filtering the type of ICMP message we are using.
- The filtering device blocks ICMP Parameter Problem error messages initiated from the protected network and destined to the Internet.
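An added example, not from the deck, that serves both this slide and the fragmentation slide above: an IPv4 header decoder following the slide's field layout, with the checks a filtering device should apply to the cases discussed, a bad header length or total length (which the deck says draws an ICMP Parameter Problem) and a first fragment of a TCP segment too short to carry the port numbers. The build_ipv4 helper and its addresses are constructed for the example.

```python
import struct

IHL_MIN_WORDS = 5      # 20-byte header, no options
TCP_HEADER_MIN = 20    # bytes needed to see ports, sequence number and flags

def parse_ipv4(pkt):
    """Decode the fixed 20-byte IPv4 header, following the slide's field layout."""
    if len(pkt) < 20:
        raise ValueError("truncated: %d bytes" % len(pkt))
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": ver_ihl & 0x0F,                      # header length in 32-bit words
        "total_length": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),            # More Fragments flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # 13-bit field, units of 8 bytes
        "ttl": ttl, "protocol": proto, "wire_len": len(pkt),
    }

def check_packet(pkt):
    """Reasons a filter should reject the datagram: bad header/total length
    (the ICMP Parameter Problem cases) and a tiny first TCP fragment."""
    try:
        h = parse_ipv4(pkt)
    except ValueError as e:
        return ["bad header: " + str(e)]
    problems = []
    if h["version"] != 4:
        problems.append("bad version %d" % h["version"])
    if h["ihl"] < IHL_MIN_WORDS:
        problems.append("bad header length %d words" % h["ihl"])
    if h["total_length"] < h["ihl"] * 4 or h["total_length"] > h["wire_len"]:
        problems.append("bad total length %d" % h["total_length"])
    if h["protocol"] == 6 and h["mf"] and h["frag_offset"] == 0:
        tcp_bytes = h["total_length"] - h["ihl"] * 4   # TCP bytes in first fragment
        if 0 <= tcp_bytes < TCP_HEADER_MIN:
            problems.append("tiny first fragment: only %d TCP bytes" % tcp_bytes)
    return problems

def build_ipv4(payload, proto=6, ihl=5, mf=False, offset=0, total_len=None):
    """Constructed test helper: header + payload, checksum left at zero,
    constructed addresses 10.0.0.5 -> 10.0.0.20."""
    total = ihl * 4 + len(payload) if total_len is None else total_len
    flags_frag = (0x2000 if mf else 0) | ((offset // 8) & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 1, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 20]))
    return hdr + payload
```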

4. Port Scanning & Services Identification

Port scanning is the invasive probing of system ports at the transport and network level. This module enumerates live or accessible Internet services as well as penetrating the firewall to find additional live systems.

Expected results:
- Open, closed or filtered ports
- Services identification

Sample screenshot: nmap port scan output (screenshot in the original deck)

5. Evading Firewall Rules (Contd)

It is clear from the two screenshots (Screenshots 5.a & 5.b) that the packet filtering device (i.e., firewall / router) is not configured to block UDP packets. This is a configuration error.

Sample screenshot 5.b: trace route using ICMP packets (screenshot in the original deck)

6. Automated Vulnerability Scanning

The focus of this module is identifying, understanding, and verifying the weaknesses, misconfigurations and vulnerabilities associated with the remote host. The scanning is done using automated tools or scripts to make the process faster.

Expected results:
- List of vulnerabilities associated with each remote service
- List of possible denial of service vulnerabilities
- Possible misconfigurations on the remote server

7. Exploiting Services For Known Vulnerabilities

This is the most important phase of penetration testing. Here the weaknesses found in the remote services are exploited using openly available exploits or self-developed or customized exploits.

Expected results:
- Gaining access to the system
- Retrieving hidden information
- Domain hijacking
- Spamming mail servers

Sample screenshot: FrontPage fp30reg.dll overflow exploit (screenshot in the original deck)

7. Exploiting Services For Known Vulnerabilities (Contd)

Here the web application flaws are exploited to gain access to restricted information. The web-based authentication is exploited by using XSS (cross-site scripting), SQL injection or MITM (man-in-the-middle) attacks, etc.

Expected results:
- Access to restricted / confidential information
- Control over web configuration
- Can also lead to gaining access to other servers

Sample screenshot: SQL injection used for gaining access to the admin page (screenshot in the original deck)

9. Final Impact on Successful Escalation of Privileges

(Diagram in the original deck: Pen Tester Console -> INTERNET -> DMZ -> Back Office Network)

Contents of a Penetration Testing Report

Executive Summary
- Briefing on the type of test performed
- A pie graph displaying the vulnerabilities in terms of percentage of high, low & medium

Risk Matrix
- Quantifying the vulnerabilities and showing the high, low & medium in a tabular format
- Giving a brief of the vulnerabilities found

Proof of Concepts (POC)
- Giving a detailed description, with screenshots and logs, of the vulnerabilities found and exploited

Remedies and Workarounds
- Providing customised remedies and workarounds for the vulnerabilities found

Best Practices
- Suggesting best practices for the configuration of the device or services

Final Summary
- Must contain a brief on the overall vulnerability factor found for the remote device

Tools Of Trade

Network Discovery & Information Gathering Tools
- TraceRoute, MIB Walk, Firewalking, nslookup & dig techniques & SolarWinds Network Discovery, TraceProto, Trout, Sam Spade

OS Fingerprinting Tools
- Nmap, P0F, XProbe2, SuperScan

Port Scanning & Services Identification Tools
- Nmap, MegaPing, MingSweeper, SuperScan, THC-Amap

Firewall Bypassing Tools
- Firewalking, HPING(1/2/3), MPTraceRoute, Firewall Tester, SYN-STEALTH techniques and other open source tools

Automated Vulnerability Scanning Tools
- Nessus, eEye Retina, GFI LANguard, ISS Scanner, Shadow Security Scanner, HTTP scanners (CGI, PHP and ASP etc.), SSL scanners, Nikto

Q&A
