SyS64738: admin@zone-h.org Agris Krusts: agris@zone
Transcription
SyS64738: admin@zone-h.org Agris Krusts: agris@zone
Attacchi alla infrastruttura Luigi D’Amato – Lugano 24 Settembre 2010 Hackers and such … Whitehat Hackers Good technical skills, good programmers, enjoy the intellectual challenge but no damages on systems. Knowledge is free for everyone. Blackhat Hackers Good technical skills and programmers but used to steal information, cause damages, and control the attacked system. Knowledge is for a small elite. Crackers/Defacers/Script Kiddies People with low technical and programming skills, usually teenagers, that use tools written by other people to cause damages and for self amusement. Phreakers Active on hacking telephone lines, originally mostly oriented to hardware hacking but nowadays turning to the digital side (VoIP). Collecting information on our target The most critical phases revolve around the accessibility of various online resources such as: Internet Service Registration: Registration and maintenance of IP addresses information Domain Name System: Registration and maintenance of host naming Naming Conventions: How an organization encodes or categorizes the name of machines or services Email Systems: Info contained inside email headers Search Engines: For retrieving material related to organizations and/or their employees Website Analysis: Public information that may pose a risk to security Internet Service Registration Internet Service Registration - Regional Internet Registries (RIR): APNIC (Asia-Pacific Network Information Center) ARIN (American Registry for Internet Numbers) LACNIC (Latin American and Caribbean Internet Addresses Registry) RIPE NCC (Réseaux IP Européens Network Coordination Centre) Internet Service Registration 2 Whois There are two kinds of Whois: 1) Network service-based. It provides details of network management data; includes information such as the contact provider of the network numbers and the company leasing the address space. 2) Name service-based. It provides a number of details about a domain: - Registrant of the domain - Street address of the domain - Contact number for the registrant http://www.internic.net/whois.html --- non military http://www.uwhois.com --- non military http://whois.nic.mil --- military Zone Transfer DNS servers need to exchange data to allow replication between primary DNS (SOA) and secondary server. This is performed through “Zone transfers” - Any client system can try to query a DNS server for a “zone transfer”. - A bad configured DNS server will respond to the client query and provide a list of all the information about the queried domain. - An attacker can obtain a list of all named hosts, sub-zones and associated IP addresses. - A zone transfer is a very effective method of obtaining a lot of information about an organization’s network. There are 2 ways to try a “zone transfer”: Zone Transfer 2 1) Direct zone transfer query Zone Transfer 3 2) Indirect zone transfer query: http://www.watchmouse.com/en/dns_dig.php Naming convention It is important to analyze the names used to define each service.The naming convention used provides valuable insights into the use and position of hosts within an organization. Common naming convention includes: Functional information (e.g. FW.acme.com for firewall, OWA.acme.com for exchange Web-mail interface, webdev.acme.com for developer webserver, etc.) Network location information (fwDMZ.acme.com) Physical location information or common location shorthand (e.g. NY - New York, LA - Los Angeles, etc.) Operations system information (e.g. the Microsoft Windows 2003 as w2k3) Hardware/model information (Cisco2611.acme.com) Common sequences to identify servers (jupiter.acme.com, moon.acme.com) Users name like (pc-bob.acme.com, smith-pc.acme.com) Naming convention 2 IBM example: Name server: ibm.com nameserver = ns.watson.ibm.com ibm.com nameserver = ns.almaden.ibm.com ibm.com nameserver = internet-server.zurich.ibm.com ibm.com nameserver = ns.austin.ibm.com Function Geographical site @ Email info gathering A lot of information about an organization can be gathered through analysis of its e-mail system. Email headers provide insight into internal server naming, IP addresses, possible content filtering or anti-virus solutions, smtp server type, patch levels and even the version of the client’s mail client. How can we get this info ? Through search engines or by sending an email to nonexistent email addresses… And why? …because returned error notification e-mails contain headers! Email info gathering 2 Hiding your traces It is mandatory, for an attacker, to cover as much as possible his traces during all the phases of the attacking process, including the simple web based information gathering. In order to do so, several methods are available. Proxies Strategic shell bouncing TOR Strategic shell bouncing Your server The shell The hacker IP/Port Scanners IP scanners are designed to scan for active hosts or active services on a network. Port Scanners instead, are designed to search a network host for open ports. They are often used by administrators to check the security of their networks and by hackers to compromise it. WINDOWS Superscan - www.foundstone.com Nmap - www.insecure.org Advanced IP Scanner - www.famatech.com Advanced Port Scanner - www.famatech.com LINUX Nmap - www.insecure.org Synscan - www.bindshell.net/tools/synscan Hping - www.hping.org Knocker - knocker.sourceforge.net Exploits / 0day What is an exploit? An exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug or vulnerability in order to get unintended or unanticipated behavior out of computer software, hardware, or something electronic (usually computerized). This frequently includes such things as gaining control of a computer system or allowing privilege escalation or a denial of service attack. Password tools Login sessions Hydra - www.thc.org Brutus - www.hoobie.net/brutus/ Buruts.pl - www.0xdeadbeef.info Password Cracking John the Ripper - www.openwall.com/john MDcrack - mdcrack.openwall.net L0phtcrack - download.insecure.org/stf/lc5-setup.exe Attacking the users The techniques used nowadays to perform attacks against users are: • Web Browser attacks • Mail Client attacks • Personal Application attacks (multimedia players, office suites, etc) • Open shares • Trojanized USB sticks/CD/DVD In conjunction with social engineering techniques. The first three kind of attacks imply the use of specific vulnerabilities that can change over the time and often most of them being 0day and unpatched. Illegal Market •Eleonore Exploits Pack v1.2 •Price: -latest version is USD 700. For an additional cost of USD 50 provides access to their crypter. -Exploit: -MDAC, MS009-02, Telnet - Opera, Font tags - FireFox, PDF collab.getIcon, PDF Util.Printf, PDF collab.collectEmailInfo, DirectX DirectShow and Spreadsheet. Illegal Market •Barracuda Botnet v3.0 - This is a crimeware with two versions of marketing, the Full version at a cost of USD 1600 and the Lite version at USD 1000. -Module DDoS (HTTP GET / POST flood, UDP flood, ICMP flood, TCP flood, IP Spoofing) at a cost of USD 900. •Email Grabber module that collects email addresses stored on the zombie. Its value is USD 600. •Proxy Module, allows to increase the number of simultaneous connections for a more "efficient" sending spam. Its value is USD 500. •Module PWDGRAB. Clearly oriented to the theft of private information. The value is USD 500. •Module SSLSOCKS. This module is in its beta stage and can build a VPN "through the botnet. The price is USD 500. Q& A •Q&A. . . •Thank you for your attention!