
Hacking for system administrators I

Markus a Campo
SySS GmbH

3rd June 2008

Preamble

M. a Campo (SySS GmbH)

3rd June 2008

2 / 89

General requirement for the course

Ethical hacking only

You are aware that an attack against a system on the internet may
constitute a punishable offence. Therefore, you'll only conduct attacks
against systems when you are authorised to do so by their owner. All
network activity in the course room may be recorded, either by the
provider or other participants, so please do not use the training
equipment and network to transmit or access any confidential data.
The course room is not secured by any means against attacks from the
inside.
Please think first and hack later.

Disclaimer

Exercises and content:

We have prepared certain topics with exercises for this course.
However, current developments (licence and version changes) or the
availability of services on the internet may influence the way exercises
can be performed. Depending on the situation, our trainer may have to
deviate from the schedule in the slides, or place more weight on a
certain topic.
Sometimes hacks are just not done by the book.

Disclaimer

Tools and their alternatives:

The tools shown and used in the exercises have been selected by us
for their suitability in this environment - a workshop. For almost any tool
discussed, there are many alternatives which may or may not be
better suited for certain tasks.

Worm authors

Sven Jaschan (Sasser author)
"The suspect confessed that the worms mydoom and bagle
motivated him to create an Antivirus - encouraged by talks
with his classmates he developed netsky further, to sasser"
source: http://www.heise.de/security/news/meldung/47212

Comment in the sasser source code:
"Hey, av firms, do you know that we have programmed the sasser
virus?!?. Yeah thats true! Why do you have named it Sasser? A Tip:
Compare the FTP-Server code with the one from Skynet.V!!! LooL! We
are the Skynet..."

Defacements

Definition
any kind of malicious modification of websites
archived at http://www.zone-h.org

target audience
Whom do the defacers want to reach anyway?

The real intent

standing in the scene

The scene itself is the primary focus of attention.
Almost no interest in the outside world.
Not much communication between different scenes; scenes may
despise each other.

More or less organised crime

Highly automated attacks for financial gain


Write (spam-) trojans/spyware/worms/bots
Sell or lend/lease botnets
DDOS-extortions, using leased botnets
Trading the data of others, industrial espionage

Results...

...of this activity:

Spam scourge: high workload just to keep email usable
Running unpatched systems on the internet is wantonly negligent
Constant background noise on the internet due to automated
attacks

General problem:
"My security depends on your security" - Theo de Raadt

Collecting information from the internet

Data from WHOIS servers:

Providers
IP ranges
Name and email addresses of technical contacts

Data from WHOIS:

whois tells us to which range an IP address belongs

Example
whois -T dn -h whois.denic.de 193.99.145.37

-T dn sets the query type to domain.

Excursus:
ping or host can be used to find out the matching IP address for a
hostname.

AXFR & MX

Syntax for host and dig


host -l heise.de ns.heise.de
host -t mx heise.de
dig axfr heise.de @ns.heise.de
dig mx heise.de

Finding out the version of BIND

The software-version of a DNS-server can be read using dig or host

Syntax for host and dig


host -t txt -c chaos version.bind ns.heise.de
dig @ns.heise.de version.bind chaos txt

Using whois and DNS

Exercise:
Please find out the mail and DNS servers (and their versions)
responsible for fsb.ru and the IP ranges they are in. Please try to do a
zone transfer.

Information found on websites

Program or coding errors which provide access to critical data

Databases provide clues about the webserver and OS used
The HTML source may provide additional clues - for example in
comments

Netcraft

Netcraft (http://www.netcraft.com) provides and collects
information about the technical history of webservers.

Exercise:
Check http://www.geneva.ch
Has the webserver been changed? If yes, when?
... how often did the provider change?
... is the version of the webserver up-to-date?

Usenet search engine

Information:
Mail/news client used
Headers allowing to trace back the path of an email (e.g.
the Received stamps in the SMTP header)
Information in signatures
http://groups.google.com

Google-Hacking

A typical vulnerability report:

(Source: http://www.heise.de/newsticker/meldung/58087)
Now we know those systems are vulnerable. But how do we find
them?

Google-Hacking

Please use google to search for the systems


Which elements of the page are good for searching?

Legal considerations
Please use google to find the default password of those VPN systems.

But please be careful:

According to German penal law, accessing data "...which is protected
against unauthorized access by third parties..." is a crime. The quality
of the protection is not considered here - which may be the main
difference to other countries and legal systems.

That means for anyone not of the legal profession...

... we should not:
Guess passwords and try them out
Connect to services with well-known passwords (SNMP)
Use tools which do the above automatically

Google-Hacking

Please use google to search for the system


How can you find all printservers regardless of language?

Excursus: Legal considerations

The printers can be re- or misconfigured without a password

But we should be careful:

The unlawful deletion, modification or disruption of data and services
is punishable in many countries.

That means for anyone not of the legal profession...

... we shouldn't:
Change the configuration of other systems.
Write data (besides the general use of applications) on hard
drives.
Use tools which do the above for us.

Google-Hacking

Please use Google to find some webcams:

Why can't we use the content of the site for searching?

Google-Hacking

Please use google to look for the VNC-servers:


How can we find certain versions?

Google-Hacking

A classical search-engine hack: looking for old FrontPage extensions

inurl:/_vti_pvt/service.pwd
... what if the file is not on the webserver anymore?

Please do not use the files further

Cracking passwords is illegal around the globe

Excursus: Legal considerations

We see the password files, their content, and they're already in our
cache

What we did:
Neither did we circumvent a protection mechanism, nor did we change
anything

Overview of the legal situation:

German (!) law allows reading unprotected content
However, publishing such content is a different case (privacy).
Writing data might not be a good idea...
... if it is not allowed anyway.
Around the globe, security checks are only legal if properly
authorized.
Google-Hacking

Old versions (2.0) use several files:

inurl:/_vti_pvt/administrators.pwd
inurl:/_vti_pvt/authors.pwd
inurl:/_vti_pvt/users.pwd
How do we find out whether the FrontPage extensions are still active on
the server?

Google-Hacking

Systems placed on the internet accidentally might be found by
search engines.
Everybody is able to use a search engine to find vulnerable
systems
The removal of the problematic content alone is not enough
(Google cache)

Would you like to know more?

Johnny Long has a website with a database of Google hacks, and
wrote a book about it.

Excursus: SMTP-Howto

Make a connection using telnet:

telnet eg-mail-in1.apple.com 25

Then issue the following commands:

HELO syss.de
MAIL FROM: <borrmann@syss.de>
RCPT TO: <blablablablabla@apple.com>
DATA
From: Micha Borrmann <borrmann@syss.de>
To: blahblahblah@apple.com
Subject: Mail-Bouncing Test

Mail-Bouncing-Test

Our goal:
Send a mail to an address we know is not correct, in order to provoke a
response, which in turn we'll check for interesting information

Exercise
Please perform a mail-bounce against a domain of your choice!

Overview:

whois
dig, host
http://www.netcraft.com
http://www.google.com
Mail-Bouncing-Test

Sniffing

Why sniffing?

Sniffing is used to find

Security problems
Networking issues

or for
analysing network services (e.g. telnet)
spying

Communication over several layers

Wireshark (formerly: Ethereal)

common sniffer
running on Windows and UNIX
http://www.wireshark.org
supports a lot of protocols

Filters in wireshark
Filters can be defined (menu Capture - Start or Ctrl+K)
before starting to capture
Important filters:
host
port

host defines an IP address (or DNS name) which has to be in the
traffic sniffed, as either sender or recipient.
port does the same for the TCP port, as sending or receiving port.
The operators and and or can be used to connect statements.
For example host banking.postbank.de and port 443 would
only capture data to and from banking.postbank.de and either from or
to port 443.

Exercises with wireshark

Use the sniffer to capture a telnet session


Find the password
Save the captured data to a file

Commandline sniffing programs

tshark http://www.wireshark.org - part of wireshark
tcpdump http://www.tcpdump.org - available for almost any
UNIX

Special sniffing programs

Certain sniffers are used for single purposes

driftnet http://www.ex-parrot.com/~chris/driftnet/
shows JPEG pictures transported with HTTP
dsniff http://www.monkey.org/~dugsong/dsniff/ looks
for password data in several protocols (among others FTP, POP3, HTTP,
SMTP, IMAP, LDAP, SNMP)
Cain http://www.oxid.it/cain.html does the same
and more

Tcpdump as an example for filters

Common syntax for filters, used by libpcap and winpcap


Statements: (src/dst) host, net, port
Operators: and, not, or

Example:
tcpdump dst host banking.postbank.de and dst port 443
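As an added example (not part of the course slides), the following Python evaluator implements the filter syntax described on this slide and on the Wireshark filter slide above: host, net and port match either end of a packet unless qualified with src or dst, and and, or and not combine statements. The packet records and the small name table standing in for DNS are constructed for the example.

```python
import ipaddress
import re

# Hypothetical name table standing in for DNS so the example runs offline.
NAMES = {"banking.postbank.de": "10.0.0.5"}

# Constructed packet records: source/destination address and port.
PACKETS = [
    {"src": "192.168.1.10", "dst": "10.0.0.5", "sport": 51000, "dport": 443},
    {"src": "10.0.0.5", "dst": "192.168.1.10", "sport": 443, "dport": 51000},
    {"src": "192.168.1.10", "dst": "10.0.0.5", "sport": 51001, "dport": 80},
    {"src": "192.168.1.10", "dst": "10.0.0.9", "sport": 51002, "dport": 443},
]

class Filter:
    """Evaluator for the capture-filter subset shown on the slides:
    primitive := [src|dst] (host|net|port) value
    factor    := 'not' factor | '(' expr ')' | primitive
    term      := factor ('and' factor)*      expr := term ('or' term)*
    """
    def __init__(self, expr):
        self.toks = re.findall(r"\(|\)|[^\s()]+", expr)
        self.pos = 0
        self.ast = self.expr()
        if self.pos != len(self.toks):
            raise ValueError("trailing tokens: %s" % self.toks[self.pos:])
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok
    def expr(self):
        node = self.term()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.term())
        return node
    def term(self):
        node = self.factor()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.factor())
        return node
    def factor(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.factor())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        return self.primitive()
    def primitive(self):
        direction = self.take() if self.peek() in ("src", "dst") else None
        kind, value = self.take(), self.take()
        if kind not in ("host", "net", "port") or value is None:
            raise ValueError("bad statement: %r %r" % (kind, value))
        if kind == "host":
            value = NAMES.get(value, value)   # DNS name -> address
        elif kind == "net":
            value = ipaddress.ip_network(value, strict=False)
        else:
            value = int(value)
        return ("prim", direction, kind, value)
    def matches(self, pkt):
        return self._eval(self.ast, pkt)
    def _eval(self, node, pkt):
        op = node[0]
        if op == "and":
            return self._eval(node[1], pkt) and self._eval(node[2], pkt)
        if op == "or":
            return self._eval(node[1], pkt) or self._eval(node[2], pkt)
        if op == "not":
            return not self._eval(node[1], pkt)
        _, direction, kind, value = node
        # Without a src/dst qualifier a statement matches either end of the packet.
        for side in ([direction] if direction else ["src", "dst"]):
            if kind == "host" and pkt[side] == value:
                return True
            if kind == "net" and ipaddress.ip_address(pkt[side]) in value:
                return True
            if kind == "port" and pkt[side[0] + "port"] == value:
                return True
        return False

def apply_filter(expr, packets=PACKETS):
    """Return the indices of the packets the capture filter would keep."""
    flt = Filter(expr)
    return [i for i, p in enumerate(packets) if flt.matches(p)]
```

With the sample packets, the slide's "host banking.postbank.de and port 443" keeps both directions of the HTTPS exchange, while "dst host ... and dst port 443" keeps only the client-to-server half.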

Password sniffer

dsniff
Reads traffic and displays any transmitted password
Understands quite a few protocols (HTTP, SMTP, POP3 ...)

Protection

Only cryptographic measures protect against sniffing.

SSL (HTTPS etc.)
IPsec
SSH
Switches decrease the risk, but do not protect!

Wireshark exercise

Logging into a webmail service

Please capture the plain text login to mail.ru and gmx.net. Use a
simple capture filter.
Please compare mail.ru and gmx.net.
Use an easy to find username and password such as test/secret.
Please save your captures for further exercises.

Sniffing and Cain

Sniffing: using dump files with Cain

Start Cain on Windows and import the files saved in the previous
exercise. Check the results under Sniffer and Passwords.

Passive OS fingerprinting

Analysis of:
TTL - time to live of packets
Window size
DF - don't fragment bit set?
etc.

Exercise
Please try to find out the operating system used by the webservers by
checking the TTL

Default TTL-values

The following table just shows very common operating systems.
More information is provided at:
http://secfr.nerim.net/docs/fingerprint/en/ttl_default.html

TTL   OS
64    BSD-based UNIX (Linux, Free/Net/OpenBSD, Mac OS X)
60    AIX, IRIX
128   Windows family (since NT 4.0, 2000, XP)
255   Solaris, Cisco
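As an added example, not from the course material, the Python below applies the table above to TTLs parsed from constructed tcpdump -v style lines: it picks the smallest default TTL at or above the observed value, reports the implied hop count, and flags the 60/64 overlap as ambiguous. The sample lines, their addresses and the 30-hop plausibility limit are assumptions made for the example.

```python
import re

# Default initial TTL per OS family, as listed in the table above.
DEFAULT_TTLS = [
    (64, "BSD-based UNIX (Linux, Free/Net/OpenBSD, Mac OS X)"),
    (60, "AIX, IRIX"),
    (128, "Windows family (since NT 4.0, 2000, XP)"),
    (255, "Solaris, Cisco"),
]

# Constructed sample in the style of `tcpdump -v` output (not a real capture).
SAMPLE = """\
12:00:01.000 IP (tos 0x0, ttl 118, id 1, offset 0, flags [DF], proto TCP (6), length 60) 203.0.113.7.443 > 192.0.2.10.51000: Flags [S.]
12:00:02.000 IP (tos 0x0, ttl 52, id 2, offset 0, flags [DF], proto TCP (6), length 60) 198.51.100.9.80 > 192.0.2.10.51001: Flags [S.]
12:00:03.000 IP (tos 0x0, ttl 249, id 3, offset 0, flags [none], proto TCP (6), length 44) 203.0.113.200.22 > 192.0.2.10.51002: Flags [S.]
"""

LINE = re.compile(r"ttl (?P<ttl>\d+),.*?flags \[(?P<flags>[^\]]*)\].*?\) "
                  r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ >")

MAX_PLAUSIBLE_HOPS = 30   # assumption: internet paths rarely exceed this


def guess_os(observed_ttl):
    """Guess the sender's OS family from the TTL of a packet we received.

    Every router on the path decrements the TTL by one, so the observed value
    is at or below the sender's default. Every default >= observed is a
    candidate; the closest one is the usual guess. Because 60 and 64 are
    close, an observed value of 60 or less is flagged as ambiguous whenever a
    second candidate is also within a plausible hop count.
    """
    candidates = sorted((ttl - observed_ttl, ttl, os)
                        for ttl, os in DEFAULT_TTLS if ttl >= observed_ttl)
    if not candidates:
        return None            # above every known default: no sensible guess
    hops, default, os = candidates[0]
    others = [c for c in candidates[1:] if c[0] <= MAX_PLAUSIBLE_HOPS]
    return {"os": os, "default_ttl": default, "hops": hops,
            "ambiguous": bool(others)}


def fingerprint(text):
    """Parse tcpdump -v style lines and guess the OS behind each source address.

    The DF flag is extracted too, since the slide lists it as a further hint.
    """
    results = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        ttl = int(m.group("ttl"))
        results.append({"src": m.group("src"), "ttl": ttl,
                        "df": "DF" in m.group("flags"), "guess": guess_os(ttl)})
    return results
```

The second sample line (TTL 52) shows the caveat: AIX/IRIX eight hops away and Linux twelve hops away explain it equally well, so a TTL alone should not settle the guess.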

Overview

Wireshark
dsniff/Cain
Only cryptography protects from sniffing

Basic portscanning

Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2004-10-20 16:21


Interesting ports on 192.168.1.15:
(The 1657 ports scanned but not shown below are in state: closed)
PORT
STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
MAC Address: 00:00:74:7C:CB:E1 (Aperture Science Laboratories)
Device type: general purpose
Running: GLaDos
OS details: GLaDos 4.5 - 6.5.5 big endian arch
Uptime 8.949 days (since Mon Oct 11 17:35:13 2004)
Nmap run completed -- 1 IP address (1 host up) scanned in 6.555 seconds

What devices are connected to a network?

We already used DNS and WHOIS to find systems and networks.


Now we require more information:
Which systems are active?
What services are running on them?

The 3-way-handshake

Client                      Server
         ---- SYN ---->
         <-- SYN/ACK --
         ---- ACK ---->

client is asking for synchronisation (SYN)
server acknowledges it and is asking for synchronisation too
(SYN/ACK)
client is acknowledging the synchronisation request (ACK)
the connection is established and can be used to transmit data

What is a portscan?

Systems can provide different services:

Service        Protocol   Port
Web            HTTP       80
Filetransfer   FTP        21
Send emails    SMTP       25
Fetch emails   POP3       110

Definition
Open ports are always seen from the perspective of an IP address.

Exercise

Which services does your webserver or mailserver provide?

telnet www.firma.de 80
telnet www.firma.de 443
telnet mx.firma.de 25
etc.
...
Please capture the requests using wireshark and check the TCP flags

Nmap

Powerful portscanner
available for windows and UNIX
http://www.insecure.org/nmap/

Nmap: Exercises

Ping sweep: nmap -sP hosts
Port scan: nmap -sT hosts
When scanning systems not on the local network, nmap will ping all
targets. Only systems which respond will be scanned. The parameter
-P0 prevents this: nmap -P0 -sT hosts
hosts defines the targets to scan.
Targets can be defined using:
DNS names
IP addresses
IP ranges, i.e. 10.1.1.0-255 or 10.1.1.0/24
any of these, separated by spaces.

Sniffing: NMAP

Please scan a system in this network using nmap.

Read the traffic using wireshark.

How does NMAP display the results?

Using a display filter like (tcp port eq 80) you can check which
behaviour causes which output.

Status of TCP ports as shown by NMAP

Status          Description
Open            connection can be established (3-way-handshake)
Closed          connection attempt is denied with an RST/ACK packet
Filtered        no reaction to the SYN packet within a certain timeframe
Filtered/ICMP   no reaction by TCP, but ICMP (destination unreachable)

UDP scanning

NMAP syntax
nmap -sU <target-IP>

Exercise:
Please scan a host in this network with a UDP scan. Again use a
sniffer to check what the portscanner does.

Results of a UDP scan

Nmap uses
open|filtered
to describe one of several states:
a) The port is open.
b) The request was lost or filtered away and never reached the target.
c) The response of the target was lost or filtered away.
d) ICMP message throttling (RFC 1812) prevents an answer. The
number of ICMP responses the system sends is limited.

Overview

nmap
The state of a UDP port cannot easily be established with a
portscanner
Scans of all ports might take a long time

Hydra: Network Login Cracker


Source: http://freeworld.thc.org/thc-hydra/.
Supported protocols: TELNET, FTP, HTTP, HTTPS,
HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MYSQL, REXEC,
SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco
(auth/enable/AAA), SMTP-AUTH, SSH2, SNMP, CVS.
Supported OS: Unix, Mac OS X, Windows (Cygwin)

Please consider the following before using hydra:

Binary distributions are not compiled with support for all possible
protocols.
Hydra is not always reliable, might crash or not work with certain
protocols.

Passwordcracking over the network

Identify a target for an attack.


Create small and suitable lists of passwords and usernames.
Attack the target with hydra

How fast is hydra?


Please compare the speed when attacking different services

Usage of hydra

The syntax for windows and linux is identical:


hydra [-l/-L Username/list] [-p/-P Password/list]
[-s Port] [Target/IP] Service
Target: Hostname or IP address of the target.
Service: The service to attack (telnet, smb, ssh and so on)
Port: Port, if not the standard port usually used by the service

Tools for local password guessing

John http://www.openwall.com/john/ (Windows+Unix)
Cain http://www.oxid.it/ (Windows)

John and Cain

John is just a cracker and must be provided with a file. Cain has its
own sniffer and can also read dumpfiles from other sniffers.

Hashes

Used in order not to store passwords in plain text.

Hashes do not provide real cryptography; the operation just
cannot be reversed.
The plain text equivalent to a hash can be guessed.

Common rule
Password guessing (brute-forcing) may be used against any
mechanism which relies on hashes, if those hashes are accessible by
third parties.

Knowing password-culture leads to success!

First step: check trivial passwords


username=password / servicename=password
username=password+[0-99] - simple permutations (suffixes,
prefixes)
simple chains of letters from the keyboard (qwerty,aqwsx)
Passwords like abcdef, aaa, bbb and so on.

Use clever wordlists:

Second step: check passwords influenced by culture


Known names
Common terms (products, companies)
Expand with pre- and suffixes
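As an added example, not from the course material, the Python below turns the first and second step into a check a system administrator could run before accepting a new password: it reports which of the slides' guessing rules (username or service name with simple pre-/suffixes, keyboard chains, repeated or sequential characters, known names and terms) would hit. The culture word list and the sample names are constructed for the example.

```python
import re

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
KNOWN_CHAINS = ["qwerty", "aqwsx"]          # chains named on the slide
# Constructed "culture" list; a real one holds the company's products, places and names.
CULTURE_WORDS = {"firma", "syss", "postbank", "tuebingen", "markus"}


def _has_run(s, repeat=3, step=4):
    """True for `repeat` identical characters in a row (aaa) or `step`
    consecutive ones in either direction (abcd, 4321)."""
    for i in range(len(s)):
        if len(s) - i >= repeat and len(set(s[i:i + repeat])) == 1:
            return True
        chunk = s[i:i + step]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if len(chunk) == step and diffs in ({1}, {-1}):
            return True
    return False


def _keyboard_walk(s, length=4):
    """True if s contains a known chain or `length` adjacent keys of one row."""
    if any(chain in s for chain in KNOWN_CHAINS):
        return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            seq = row[i:i + length]
            if seq in s or seq[::-1] in s:
                return True
    return False


def _strip_affixes(pw):
    """Drop digit/punctuation prefixes and suffixes: 'Firma2008!' -> 'firma'."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())


def weak_password_reasons(password, username, service=""):
    """Return the guessing rules from the two slides that would hit this
    password; an empty list means none of them fires."""
    pw = password.lower()
    core = _strip_affixes(pw)
    reasons = []
    for label, word in (("username", username), ("service name", service)):
        if word and core == word.lower():
            reasons.append("equals %s (ignoring pre-/suffixes)" % label)
    if _keyboard_walk(pw):
        reasons.append("keyboard chain")
    if _has_run(pw):
        reasons.append("repeated or sequential characters")
    if core in CULTURE_WORDS:
        reasons.append("common name or term")
    return reasons
```

Stripping the affixes first is what makes "test99" or "Postbank2008!" fail the check, which is exactly the "expand with pre- and suffixes" idea of the second step seen from the other side.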

Intelligent bruteforcing:

Third step: guessing made efficient

Start with small keyspaces, then larger ones
Re-use any password found

What is the policy for passwords?

Who will use passwords longer than necessary?

Highly efficient bruteforcing

Fourth step: use rainbow tables

Only against static hashes (no SALT).
Hashes of a complete keyspace are precomputed and stored.
Very efficient sorting is used for faster checking.

Particularities:
Computing and pre-sorting tables will take a long time
The only bottlenecks are available memory and disk performance
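To show why the fourth step only works against static hashes, and why the overview slide below says salts protect against rainbow tables, here is an added Python example that is not from the course material: a precomputed table over a toy keyspace cracks an unsalted hash with one lookup, while the salted hash of the same password has to be brute-forced again for every salt. The keyspace size, the fixed salt and the sample password are constructed assumptions.

```python
import hashlib
import itertools
import os
import string

# Tiny keyspace so the precomputed table builds in well under a second:
# three lowercase letters, 26**3 = 17,576 candidates.
ALPHABET = string.ascii_lowercase
LENGTH = 3


def unsalted_hash(password):
    """A static hash: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    """Salted hash: the per-user salt is stored beside the digest; it need
    not be secret, only unique, so identical passwords no longer collide."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_table(alphabet=ALPHABET, length=LENGTH):
    """Precompute digest -> plaintext for the whole keyspace once. A real
    rainbow table trades some lookup time for far less storage, but the
    property that matters here is the same: the work is done once and then
    reused against every unsalted hash ever captured."""
    return {unsalted_hash("".join(c)): "".join(c)
            for c in itertools.product(alphabet, repeat=length)}


def crack_with_table(table, digest):
    """One dictionary lookup, no hashing at all."""
    return table.get(digest)


def crack_salted(digest, salt, alphabet=ALPHABET, length=LENGTH):
    """With a salt the table is useless: the keyspace must be re-hashed for
    this salt. Returns (plaintext, number_of_hashes_computed)."""
    tried = 0
    for c in itertools.product(alphabet, repeat=length):
        tried += 1
        candidate = "".join(c)
        if salted_hash(candidate, salt) == digest:
            return candidate, tried
    return None, tried


def store_password(password, salt=None):
    """Create a stored record as a salted system would (random salt by
    default; a fixed salt can be passed in for reproducible tests)."""
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify_password(record, password):
    return salted_hash(password, bytes.fromhex(record["salt"])) == record["hash"]
```

In practice the salted construction is additionally made slow with a password hashing function (bcrypt, scrypt, Argon2) so that the per-salt brute force is expensive as well; plain SHA-256 is used here only to keep the contrast between one lookup and one pass per salt visible.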

John the Ripper

Use John with the service.pwd provided


Linux: john service.pwd
Windows: john service.pwd

Finished already?
Please use john -show to see your results again.

Without username & hash there is no bruteforcing!

Linux: /etc/shadow
Windows: SAM-database
can be read locally with pwdump2, over the network with
pwdump3

Please use john with the /etc/shadow:


Which difference is there to the frontpage service.pwd?

How to access windows password hashes:

as an administrator: pwdump2 > passworte.txt


pwdump3 [systemname] [name of the output file]
[username]

How to dump hashes from a training image using pwdump3


pwdump3 schulung5 windows-hashes.txt schulung
Please crack this file with john

Cain

Can sniff passwords or read them locally.


Supports many hashes: LM, NT, SHA-1-2, MD-2-5
Supports wordlists with simple permutations and bruteforcing
Supports several precomputed tables (rainbow tables).
Can sniff any windows network login.

Overview

Passwords can be guessed remote or locally


Hashes, rainbow-tables
SALTs protect against rainbow tables

Simple D.o.S-attacks

NDN-Attack

based on mail bouncing

an email is sent to several non-existing addresses
with attachments in order to use more bandwidth
the address of the sender should also not exist

General problem:
Legal mail-bouncing can become an illegal D.o.S attack if we're not
careful when choosing the address of the sender

Exercise: SMBdie

Please attack a suitable target using SMBDIE


Check the network-traffic with wireshark.
Check the logfiles of the target after the attack

A local buffer-overflow

Error in net use


Net use can be used to trigger a buffer overflow
What parameters does net use accept?
Any hints of a buffer-overflow?
Where could you insert lots of text (300+ characters) in order to
trigger the overflow?

RPC-DCOM-Exploit

Opening a shell
Use kaht.exe in order to access a remote windows-system.

Metasploit Framework

Exploits for services on windows, linux, solaris, irix and MacOS X.

OS: Windows/Cygwin, Unix, MacOS X

Metasploit Framework

Exercise
Please use the framework to gain shell access to a remote system.
Create a share on the target afterwards.

Using the metasploit-shell on windows

Some useful net commands:

net user username password /ADD (create new users)
net localgroup administrators username /ADD
(add a user to the local administrators)
net share sharename=path (share a directory)
net stop/start service
(start and stop services, even a telnet server)
Such shells are often somewhat restricted:
Interactive requests ((Y)es/(N)o?) can't be answered.
Programs that require any graphical interaction can't be started.

The Upload&Execute-payload

Restrictions when writing shellcode

Space is very limited, not every possible function can be included.
With the Upload&Execute plugin, files of almost any size can be
uploaded to the target and executed there. Again, graphical interaction
is not possible.

Trojan horses

Today, a good distinction between spyware and trojans is not
always possible.
May allow remote access to the target (Client/Server).
Usually distributed as seemingly harmless software.

A classical trojan: OptixPro

Client-Server, can handle multiple clients.

Uses a single TCP port for communication.
Can start/stop services on the target.
If successfully installed, it can use SMTP, ICQ or IRC to contact
the hacker.
Lots of functionality and rather small.

OptixPro is old, but not harmless:

Proper deinstallation can only be done in safe mode with an antivirus
program. Installs multiple copies of itself without telling the creator.

Exercise

Please prepare a trojan.


Attack a windows system over the network ...
... and install the trojan.
If possible, have it send an email to an account accessible by
webmail.
There are several different ways to solve this exercise. Use the task
manager on the target to check if the trojan has properly executed
when unsure. The process should have a size of about 4-5 MB.

Solution

Installation of the trojan:

Attack the victim with KaHT, create a user and a share, copy the
trojan to the share
Same, just with metasploit
Direct installation using the upload-and-execute payload of the
framework

Please consider

The trojan shouldn't display intentional error messages

The trojan may have to be restarted once or twice in an exploit
shell
Use the trojan to restart the system if not all options seem to be
working
