SyS64738: [email protected] Agris Krusts: agris@zone

Attacchi alla infrastruttura
Luigi D’Amato – Lugano 24 Settembre 2010
Hackers and such …
Whitehat Hackers
Good technical skills, good programmers, enjoy the intellectual challenge
but no damages on systems. Knowledge is free for everyone.
Blackhat Hackers
Good technical skills and programmers but used to steal information,
cause damages, and control the attacked system. Knowledge is for a small
elite.
Crackers/Defacers/Script Kiddies
People with low technical and programming skills, usually teenagers, that
use tools written by other people to cause damages and for self
amusement.
Phreakers
Active on hacking telephone lines, originally mostly oriented to hardware
hacking but nowadays turning to the digital side (VoIP).
Collecting information on
our target
The most critical phases revolve around the accessibility of
various online resources such as:
Internet Service Registration:
Registration and maintenance of IP addresses information
Domain Name System:
Registration and maintenance of host naming
Naming Conventions:
How an organization encodes or categorizes the name of
machines or services
Email Systems:
Info contained inside email headers
Search Engines:
For retrieving material related to organizations and/or their
employees
Website Analysis:
Public information that may pose a risk to security
Internet Service
Registration
Internet Service Registration - Regional Internet
Registries (RIR):
APNIC (Asia-Pacific Network Information Center)
ARIN (American Registry for Internet Numbers)
LACNIC (Latin American and Caribbean Internet Addresses Registry)
RIPE NCC (Réseaux IP Européens Network Coordination Centre)
Internet Service
Registration 2
Whois
There are two kinds of Whois:
1) Network service-based.
It provides details of network management data;
includes information such as the contact provider of
the network numbers and the company leasing the
address space.
2) Name service-based.
It provides a number of details about a domain:
- Registrant of the domain
- Street address of the domain
- Contact number for the registrant
http://www.internic.net/whois.html --- non military
http://www.uwhois.com --- non military
http://whois.nic.mil --- military
Zone Transfer
DNS servers need to exchange data to allow replication
between primary DNS (SOA) and secondary server.
This is performed through “Zone transfers”
- Any client system can try to query a DNS server for a
“zone transfer”.
- A bad configured DNS server will respond to the client
query and provide a list of all the information about the
queried domain.
- An attacker can obtain a list of all named hosts, sub-zones
and associated IP addresses.
- A zone transfer is a very effective method of obtaining a
lot of information about an organization’s network.
There are 2 ways to try a “zone transfer”:
Zone Transfer 2
1) Direct zone transfer query
Zone Transfer 3
2) Indirect zone transfer query:
http://www.watchmouse.com/en/dns_dig.php
Naming convention
It is important to analyze the names used to define each
service.The naming convention used provides valuable insights
into the use and position of hosts within an organization. Common
naming convention includes:
Functional information (e.g. FW.acme.com for firewall,
OWA.acme.com for exchange Web-mail interface,
webdev.acme.com for developer webserver, etc.)
Network location information (fwDMZ.acme.com)
Physical location information or common location
shorthand (e.g. NY - New York, LA - Los Angeles, etc.)
Operations system information (e.g. the Microsoft Windows
2003 as w2k3)
Hardware/model information (Cisco2611.acme.com)
Common sequences to identify servers (jupiter.acme.com,
moon.acme.com)
Users name like (pc-bob.acme.com, smith-pc.acme.com)
Naming convention 2
IBM example:
Name server:
ibm.com nameserver = ns.watson.ibm.com
ibm.com nameserver = ns.almaden.ibm.com
ibm.com nameserver = internet-server.zurich.ibm.com
ibm.com nameserver = ns.austin.ibm.com
Function
Geographical site
@
Email info gathering
A lot of information about an organization can be
gathered through analysis of its e-mail system.
Email headers provide insight into internal server naming,
IP addresses, possible content filtering or anti-virus
solutions, smtp server type, patch levels and even the
version of the client’s mail client.
How can we get this info ?
Through search engines or by sending an email to nonexistent email addresses… And why?
…because returned error notification e-mails contain
headers!
Email info gathering 2
Hiding your traces
It is mandatory, for an attacker, to cover as much as
possible his traces during all the phases of the attacking
process, including the simple web based information
gathering. In order to do so, several methods are available.
Proxies
Strategic shell bouncing
TOR
Strategic shell bouncing
Your server
The shell
The hacker
IP/Port Scanners
IP scanners are designed to scan for active hosts or active services on a network.
Port Scanners instead, are designed to search a network host for open ports.
They are often used by administrators to check the security of their networks and
by hackers to compromise it.
WINDOWS
Superscan - www.foundstone.com
Nmap - www.insecure.org
Advanced IP Scanner - www.famatech.com
Advanced Port Scanner - www.famatech.com
LINUX
Nmap - www.insecure.org
Synscan - www.bindshell.net/tools/synscan
Hping - www.hping.org
Knocker - knocker.sourceforge.net
Exploits / 0day
What is an exploit?
An exploit is a piece of software, a chunk of data, or sequence of
commands that take advantage of a bug or vulnerability in order to get
unintended or unanticipated behavior out of computer software,
hardware, or something electronic (usually computerized). This
frequently includes such things as gaining control of a computer
system or allowing privilege escalation or a denial of service attack.
Password tools
Login sessions
Hydra - www.thc.org
Brutus - www.hoobie.net/brutus/
Buruts.pl - www.0xdeadbeef.info
Password Cracking
John the Ripper - www.openwall.com/john
MDcrack - mdcrack.openwall.net
L0phtcrack - download.insecure.org/stf/lc5-setup.exe
Attacking the users
The techniques used nowadays to perform attacks against
users are:
• Web Browser attacks
• Mail Client attacks
• Personal Application attacks (multimedia players, office
suites, etc)
• Open shares
• Trojanized USB sticks/CD/DVD
In conjunction with social engineering techniques.
The first three kind of attacks imply the use of specific
vulnerabilities that can change over the time and often most of
them being 0day and unpatched.
Illegal Market
•Eleonore Exploits Pack v1.2
•Price:
-latest version is USD 700. For an additional cost of USD
50 provides access to their crypter.
-Exploit:
-MDAC, MS009-02, Telnet - Opera, Font tags - FireFox,
PDF collab.getIcon, PDF Util.Printf, PDF
collab.collectEmailInfo, DirectX DirectShow and
Spreadsheet.
Illegal Market
•Barracuda Botnet v3.0
- This is a crimeware with two versions of marketing, the Full
version at a cost of USD 1600 and the Lite version at USD
1000.
-Module DDoS (HTTP GET / POST flood, UDP flood, ICMP
flood, TCP flood, IP Spoofing) at a cost of USD 900.
•Email Grabber module that collects email addresses stored
on the zombie. Its value is USD 600.
•Proxy Module, allows to increase the number of simultaneous
connections for a more "efficient" sending spam. Its value is
USD 500.
•Module PWDGRAB. Clearly oriented to the theft of private
information. The value is USD 500.
•Module SSLSOCKS. This module is in its beta stage and can
build a VPN "through the botnet. The price is USD 500.
Q& A
•Q&A. . .
•Thank you for
your attention!