1 / 36

Think Like a Hacker

Think Like a Hacker. Paul Hogan Ward Solutions. Session Prerequisites. Hands-on experience with Windows 2000 or Windows Server 2003 Working knowledge of networking, including basics of security Basic knowledge of network security-assessment strategies. Level 300. This sessions are about….

tyler
Download Presentation

Think Like a Hacker

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Think Like a Hacker Paul Hogan Ward Solutions

  2. Session Prerequisites • Hands-on experience with Windows 2000 or Windows Server 2003 • Working knowledge of networking, including basics of security • Basic knowledge of network security-assessment strategies Level 300

  3. This sessions are about… • …about operational security • The easy way is not always the secure way • Networks are usually designed in particular ways • In many cases, these practices simplify attacks • In some cases these practices enable attacks • In order to avoid these practices it helps to understand how an attacker can use them

  4. This sessions are NOT … • a hacking tutorial • Hacking networks you own can be enlightening • HACKING NETWORKS YOU DO NOT OWN IS ILLEGAL • …demonstrating vulnerabilities in Windows • Everything we show stems from operational security or custom applications • Knowing how Windows operates is critical to avoiding problems • …for the faint of heart

  5. The Sessions

  6. By the way… • I will not give you my tools. It does not matter what you do for a living or who you work for • If you do not ask, I don’t have to say no

  7. The Network

  8. Profiles National Interest Spy Personal Gain Thief Trespasser Personal Fame Curiosity Vandal Author Undergraduate Script-Kiddy Expert Specialist SOURCE: Microsoft and Accenture

  9. Approaches ? What is the typical hacker profile: • “Spy”: Slow, careful, precise, invasive • “Thieves”: Fast, careful, precise, sometimes invasive • “Script Kiddies”: Slow, reckless, imprecise, invasive • “Defacers”: Fast, reckless, precise, mildly invasive

  10. Hacking Methodology – Basic steps • Information Gathering / Profiling • Probe / Enumeration • Attack • Advancement • Entrenchment • Infiltration/Extraction

  11. Information Gathering Profiling Involves: • Decide and discover which targets to attack • Often begin with a specific network or a specific company • whois, nslookup queries • Samspade.org • Search Engine (“googlescanning”)

  12. Probe Scan specific targets for vulnerabilities • Search sweeping ranges of ports with a portscan (nmap) • Grab details such as service versions from the discovered ports aka “banner grabbing” (netcat) • Windows: Connect to and enumerate information from NETBios (enum) • Search the Internet for vulnerabilities based on versions of software found on targets Often begin with a specific network or a specific company

  13. Probe Selected Tools • NMAP • Superscan • Nessus • Whisker • Netcat • nikto

  14. Probe • Most often, professional ethical hackers rely on “Vulnerability Scanners” to perform their jobs. • MBSA • NetIQ Vulnerability Manager • Nessus • eTrust Vulnerability Manager • Internet Security Systems Internet Scanner • Retina® Network Security Scanner

  15. nmap Nmap is used to scan the ports of the target system. Using the –O option would also report the Operating System of the target.

  16. nmap Nmap’s guess at the operating system type

  17. Attack • Gather compatible exploits • Compile exploits (if required) • Launch exploits against targets • Modify parameters, re-launch exploits (if required)

  18. Attack • There are many different types of attacks which can be broken down into several classifications. • The attacks are performed from one of two perspectives: • Local: The attacker has access to a command prompt or has gained the ability to execute commands on the target • Remote: The attacker exploits the target box without first gaining access to a command shell

  19. Attacks: Buffer Overflow • Aka the “Boundary Condition Error”: Stuff more data into a buffer than it can handle. The resulting overflowed data “falls” into a precise location and is executed by the system • Local overflows are executed while logged into the target system • Remote overflows are executed by processes running on the target that the attacker “connects” to • Result: Commands are executed at the privilege level of the overflowed program

  20. Attacks: Input validation • An process does not “strip” input before processing it, ie special shell characters such as semicolon and pipe symbols • An attacker provides data in unexpected fields, ie SQL database parameters

  21. Attacks: Weak password • accounts with weak passwords are guessed by a remote attacker • Accounts with weak passwords are cracked by attacker with access to a password database

  22. Attacks: Exploit Sites • SecurityFocus: (http://www.securityfocus.com) • Packetstorm: (http://packetstormsecurity.org) • New Order: (http://neworder.box.sk/) • Hack in the Box: (http://www.hackinthebox.org/) • phreak.org (http://www.phreak.org/archives/exploits/unix/)

  23. Attack Phases • The Attack is most often broken into several phases: • Locating Exploits • Getting Exploits • Modification of Exploits • Building Exploits • Testing Exploits • Running Exploits

  24. Locating Exploits

  25. Obtaining and modifying Exploits

  26. Advancement • If needed, gain further access to targets by further exploitation • Trojans • Local Exploits • The advancement phase will somewhat mirror the Attack phases unless the attacker has already tested the exploits

  27. Entrenchment • Modify targets to ensure future access • Backdoors • Rootkits

  28. Infiltration/Extraction • Install sniffers to monitor network traffic, gather usernames/passwords • Extract data from compromised systems • Compromise neighboring targets based on captured data or trust relationships

  29. Script Kiddies • Named for their annoying ability to (sometimes) successfully compromise a system using pre-written scripts, generally follow a very simple non-cyclical methodology • Exploit Selection • Target Selection • Attack • Generally use Search engines to locate exploits • Generally not a technically savvy lot, so exploit selection is made based on attack platforms available (generally Windows-based) and ease of use

  30. Script Kiddies – Target Selection • Most target selection involves noisy scanners, often launched from Windows platforms • An increasing number of Script Kiddies, however, are gaining familiarity with Linux and use fairly standard tools such as nmap.

  31. Employees & Other Internal Users TRUSTED eC SEGMENT DB Server 2 Internet SAN App Servers DMZ Corporate LAN FTP Drop Firewall S/W Load Balancing 2 2 2 2 DB Servers 4 H/W or S/W Load Balancing Extranet Firewall Web Server (Internal Users) SAN Public DNS Server Web Servers Trusted Business Partners A Typical Hack Level IV Data Firewall Firewall

  32. Don’t patch anything Run unhardened applications Logon everywhere as a domain admin Open lots of holes in the firewall Allow unrestricted internal traffic Allow all outbound traffic Don’t harden servers Use lame passwords Use high-level service accounts, in multiple places Assume everything is OK How To Get Your Network Hacked In 10 Easy Steps

  33. Initial entry is everything Most networks are designed like egg shells Hard and crunchy on the outside Soft and chewy on the inside Once an attacker is inside the network you can… Update resume Hope he does a good job running it Drain the network The moral

  34. Questions and Answers

More Related