Hacking. The Edge Pieces. Ken Gottry May Ken Gottry

Transcription

1 Hacking The Edge Pieces Ken Gottry May2002

2 Objective - Edge Pieces When you start a jigsaw puzzle, you pick out the edge pieces, the ones with the flat sides. You can do this without knowing what the picture puzzle will eventually look like. This presentation is intended to give you the edge pieces of your first hacking jigsaw puzzle Once you have the edge pieces, when you obtain subsequent knowledge about an aspect of hacking you ll know how it fits into the big picture Since this brief presentation attempts to discuss hacking from A-Z, it obviously can t go into too much technical detail in any one area 2

3 Agenda Introduction Locate a host to compromise (port scan) Compromise a host (buffer overflow) Return later (backdoor) Cover your tracks (rootkit) You re in now what? Play Launch a distributed attack Closing the barn door (vulnerability scanner) Leaving the barn door ajar (honeypot) Forensics Appendix - links 3

4 Introduction

5 Be careful, be considerate Never, ever play around with hacking on someone else s system without their explicit agreement on your production system on your development system unless you have a full backup Your cable modem connects you to many other cable users. You may be tempted to experiment with your newfound hacking knowledge on their systems. DON T!!! Your cable modem connects many other cable modem users to you. They may not be as considerate as you and they may try to hack your system. Make sure your FIREWALL is up-to-date 5

6 A safe computer vs In 1985, an IBM publication about personal computers declared: the only safe computer is one with no wires attached to it, whose power is turned off, and which is locked in a vault In 2002, these safeguards don t work because we have Wireless LANs Remote power-on PC-Anywhere So, is there any such thing as a safe computer? A study showed that if you install Red Hat Linux 6.3 using the default configuration and attach the computer to the Internet, your computer will be compromised within 72 hours 6

7 Locate a host to compromise

8 Locating a host to compromise Hard Way The following slides explain how to search for the IP address of one or many hosts to probe and then how to scan for vulnerable ports on those hosts Easy Way Download nmap from and click OK on a GUI - or - Check hacker bulletin boards where lists of already compromised hosts are posted 8

9 Searching a subnet Subnets are a way of organizing computers by IP address Subnet x contains computers with IP addresses in the range of to The following code snippet can be used to locate active computers on a subnet for n = 1 to 254 ping n Finding subnets is easy. Using your cable modem IP address (e.g ) as a starting point, you can assume subnets x, x, x, and so on up to x. This code snippet can find other TimeWarner cable users (do N-O-T try this) for x = 1 to 254 for y = 1 to 254 ping x.y 9

10 Port scanning Once you have located a computer on the subnet, try to connect to each port on the computer to see if a service is running. Wellknown ports are Other interesting services use ports above for port=1 to 1024 telnet IP port Some common ports to check for 21 ftp 23 telnet 25 smtp (mail) 80 http (web server) 137, 139 NetBIOS Sometimes the response from the server indicates the software and version, which makes it easier to attack # telnet somehost 25 Trying Connected to somehost. Escape character is '^]'. 220 somehost.gottry.com ESMTP Sendmail Sun/9.3.8; 10

11 Vulnerability Lists Several organizations, like CVE, SANS and CERT, distribute vulnerability lists that describe exposures within certain versions of specific software { } Win - Winamp ID3v2 tag minibrowser overflow { } Win - RealSecure IDS DHCP packet DoS { } Win - Snapgear Lite+ Firewall multiple DoS vulnerabilities { } Win - Macromedia flash plugin parameter overflow { } Win - 4D Webserver authentication information overflow { } Win - AIM AddExternalApp buffer overflow { } Win - 3Cdaemon FTP service overflow DoS Once a hacker knows what ports are open on a computer and what version of what software is listening on the ports, he or she can use the vulnerability lists to his or her advantage 11

12 Compromise a host

13 Compromising a host Hard Way The following slides explain what a buffer overflow is, how it is identified, how an exploit is created and how the exploit is used to compromise a host Easy Way Check web sites for source code. Download, compile, run. 13

14 What is a buffer overflow A buffer overflow occurs when something very large is placed in an area far too small for it to fit. void func(void) { int i; char buffer[256]; //* only room for 256 } for(i=0;i<350;i++) //* stuff 350 NOP instructions into the buffer buffer[i]=x90; buffer[i]= x8bxecx83xecx64 x32x33xc0x50x2fxffxd5 //* evil code return; The local variables (i and buffer) are stored on the stack along with the address of the function that called func. This is how the return statement knows how to get back to the caller. If assembled code instructions are placed in buffer, then they overwrite the RET address. This causes the return statement to branch to our code. STACK Local variables ESP i buffer EBP old value of EBP RET address 14

15 How is a buffer overflow identified Source code is readily available. Read it and find flaws - or - Use a disassembler like SoftICE and step through the code 15

16 How is a buffer overflow exploit created Once a programmer has found a buffer overflow situation, then it is necessary to create a buffer of hex characters that represent assembled code instructions The programmer then creates a C program that executes the target program, overflows the buffer by inserting the hex code to be executed char shell[] = /* 0 */ "xebx45" /* jmp springboard */ /* 2 */ "x9axffxffxffxffx07xff" /* lcall 0x7,0x0 */ /* 9 */ "xc3" /* ret */ /* start: */ /* 10 */ "x5e" /* popl %esi */ /* 11 */ "x31xc0" /* xor %eax,%eax */ /* 13 */ "x89x46xb7" /* movl %eax,-0x49(%esi)*/ /* 16 */ "x88x46xbc" /* movb %al,-0x44(%esi) */ /* execve: */ /* 19 */ "x31xc0" /* xor %eax,%eax */ /* 21 */ "x50" /* pushl %eax */ /* 22 */ "x56" /* pushl %esi */ /* 23 */ "x8bx1e" /* movl (%esi),%ebx */ /* 29 */ "x83xc7x10" /* addl $0x10,%edi */ and so on 16

17 How is a buffer overflow exploit used You have to find a version of the exploit that matches the version of the software and OS that you are attacking. This is required to get the exact offset of the buffer. As mentioned earlier, the port scanning and vulnerability scanning tools easily identify which software (including version) is listening on every port. You can search the Internet looking for the C source code of the matching exploit Then you compile the exploit C program on your computer and run it, pointed at the target computer 17

18 Leave a backdoor open

19 Backdoor From the inside A malicious user can run bindshell which will become a daemon process listening on port Other hackers can enter through this backdoor by telnet somehost At the prompt, the hacker can type any command that will be passed to a command shell and executed. From the outside A buffer overflow exploit often causes inetd to listen on a special port (often 31337) Other hackers can enter through this backdoor by telnet somehost

20 Example of a backdoor exploit The sadmindex.c program exploits a buffer overflow in the sadmin daemon on Solaris 2.6 sadmindex -h target.xxx.com -s 0xefff9596 -c echo stream tcp nowait root /bin/sh sh -i > /tmp/.gotcha; \ /usr/sbin/inetd -s /tmp/.gotcha This creates an inetd config file (/tmp/.gotcha) on the target host and launches the inet daemon on the target host to listen on port When the target host receives an incoming connection on port (e.g. via telnet target 31337), the inet daemon launches /bin/sh -i as defined in the config file 20

21 Cover your tracks

22 Rootkits A rootkit contains modified versions of standard Unix utilities ls netstat ps lsof The rootkit version of netstat will not show any process listening on port The rootkit version of ps will not show certain processes even though they are executing The rootkit version of ls will not list certain files even though they exist The rootkit version of lsof will not list certain files even though they are being used by running processes 22

23 Log cleansing The utmp and wtmp files stored login history. The log cleansing edits these binary files to remove any trace that the hacker logged in Create filenames with imbedded unprintable characters mkdir..^h. The ^H is the backspace character. This hacker directory will appear as.. which is the standard name of any parent directory 23

24 You re in now what?

25 Play You can acquire numerous login ID s on a server You can brag to your friends You can post the hostname and port number on a hacker bulletin board You can use free disk space You can send spam 25

26 Distributed Attacks Trinoo - distributed denial of service (Ddos) Compromised hosts (red) can be instructed by a master (blue) to simultaneously attack a target host (yellow) The identity of the master is not known by the target Master Slave Target Slave Internet Slave Slave Slave 26

27 Closing the Barn Door

28 Nessus - Vulnerability Scanner Scan a host or series of hosts looking for vulnerabilities Sample output Information found on port ftp (21/tcp) The FTP service allows anonymous logins. If you do not want to share data with anyone you do not know, then you should deactivate the anonymous account, since it can only cause troubles. Under most Unix system, doing : echo ftp >> /etc/ftpusers will correct this. Information found on port smtp (25/tcp) The remote SMTP server seems to allow remote users to send mail anonymously by providing a too long argument to the HELO command (more than 1024 chars). This problem may allow bad guys to send hate mail, or threatening mail using your server and keep their anonymity. Solution : If you are using sendmail, upgrade to version 8.9.x. If you do not run sendmail, contact your vendor. CVE: CAN

29 Leaving the Barn Door Ajar

30 Honeynet Project HoneyPot - a security resource whose only value lies in being probed, attacked, and compromised The seemingly unprotected computer network is intended to attract hackers. By watching what the hackers do and how they do it, we can learn how to thwart future attacks Legal issues Privacy Entrapment Liability 30

31 Forsenics

32 Crime Scene Investigation I ve been hacked -- now what? Discoverability Spoliation - Intentional alteration or destruction of a document Evidence Privacy 32

33 Appendix - links

34 Links SANS Institute Carnegie Mellon - Software Engineering Institute Mitre - Common Vulnerabilities and Exposures cve.mitre.org Hacker Tools Port scanner Vulnerability scanner Sniffer for Windows windump.polito.it 34

35 Attached files Solaris sadmind exploit code Solaris sadmind remote buffer overflow vulnerability.htm Solaris xlock exploit code Solaris Xlock Heap Overflow Vulnerability.htm Sun article about how hackers do what they do HowHackersDoIt_SunBluePrint_ pdf Analysis of a trinoo DDoS attack trinoo.analysis.txt 35