[X] Close

Free Site Evaluation

Please let us know how we can help you?

Contact Information

captcha

Posts CommentsSign up for email news and updates!

vSpaceLab - San Antonio Hacking Boot Camp – Gary Neubauer II – vSpaceLab

Security Incidents on the Rise
The Internet has made networked computers accessible and vulnerable to anyone in the world. This is a Hacking Boot Camp setup to train security professionals in the art of network defense.

Recent examples of Web Attacks, Worms and Viruses:

•MIME Headers – a vulnerability exists in how Internet Explorer (IE), Outlook, and Outlook Express handles certain MIME headers in web pages and HTML email messages. An attacker could exploit this vulnerability to execute arbitrary code on the victim’s system when the victim visits a web page or views an HTML email message. (CERT® Advisory CA-2001-36)

•Nimda – propagates through email as a MIME message, enables the sharing of the c:\drive as C$, creates a “Guest” account on Windows NT/2000 systems, adds the Guest account to the “Administrator” group, causes bandwidth denial-of-service conditions due to scans for additional IIS hosts. (CERT® Advisory CA-2001-26)

•Code Red – self-propagating code that exploits IIS web servers susceptible to the buffer overflow in the Indexing Service DLL. (CERT® Advisory CA-2001-19 and CA-2001-23)
•SirCam – file deletion or space filling payload, propagates via email. (CERT® Advisory CA-2001-22)

•sadmind/IIS Worm – Exploits an RPC service (sadmind) on Solaris systems and installs malicious code to attack IIS web servers. It propagates itself to other vulnerable Solaris systems by adding “+ +” to the .rhosts file in the root user’s home directory. (CERT® Advisory CA-2001-11)

Recent examples of Buffer Overflows:

•CDE Subprocess Control Service (dtspcd) – a remotely exploitable buffer overflow vulnerability in a library function used by the CDE Subprocess Control Service, could allow an attacker to crash the service or execute arbitrary code with root privileges. (CERT® Advisory CA-2001-31 and CA-2002-01)

•UPnP – a remotely exploitable buffer overflow vulnerability exists in the Universal Plug and Play (UPnP) service installed by default on Windows XP (and optionally on Windows Me and Windows 98) could allow an attacker to execute arbitrary code with administrative privileges on a vulnerable system. (CERT® Advisory CA-2001-37)

•SSH v1 – a remotely exploitable buffer overflow vulnerability exists in several implementations of the Secure Shell (SSH) protocol. The CRC32 attack detection code or compensation attack detector could be exploited to execute arbitrary code with the privileges of the SSH daemon, which is typically root. (CERT® Advisory CA-2001-35)

•Login – a remotely exploitable buffer overflow vulnerability exists in several implementations (AIX, HP-UX, SCO, IRIX, and Solaris) of login derived from System V. An attacker could exploit this vulnerability to gain root access to the server. (CERT® Advisory CA-2001-34)

•Line Printer Daemon (lpd) – a remotely exploitable buffer overflow vulnerability on various OS platforms (BSD, FreeBSD, NetBSD, OpenBSD, Debian, AIX, SCO, IRIX, Solaris, SuSE, RedHat, and Mandrake) could allow an attacker to gain root access to the lpd server. (CERT® Advisory CA-2001-30)

Network Vulnerabilities

Types of Vulnerabilities
IP Protocol weaknesses

• IP spoofing

• TCP “Session” Hijacking

• IP Fragmentation

Software application holes

• Improper input handling (Buffer Overflow)

Weak passwords

• no (null) password

• joe password

• default username/password

•IP Spoofing – an attacker sends a message to a target host with an IP address indicating that the message is coming from a trusted host. The attacker must know the IP address of a trusted host in order to modify the packet headers so that it appears that the packets are coming from that host.

•TCP Session Hijacking – an attacker sniffs for packets being sent from a client to a server in order to identify the two hosts’ IP addresses and relative port numbers. Using this information an attacker modifies his packet headers to spoof TCP/IP packets from the client. The attacker then waits to receive an ACK packet from the client communicating with the server (which contains the sequence number of the next packet the client is expecting). The attacker replies to the client using a modified packet with the source address of the server and the destination address of the client. This results in a RST which disconnects the legitimate client. The attacker takes over communications with the server spoofing the expected sequence number from the ACK that was previously sent from the legitimate client to the server.

•IP Fragmentation – Firewalls that support stateful inspection of established connections analyze packets to see if they are being received in the proper sequence. In the case of IP fragments, the firewall attempts to reassemble all fragments prior to forwarding them on to the final destination. If an attacker sends repeated incomplete or out-of-order fragmented packets to the firewall it will log and wait for all remaining fragments to be received before handling the connection. As a result, system resources are exhausted due to logging and the firewall is subject to a denial of service. Also, some Intrusion Detection Systems (IDS) do not handle IP fragmentation, Out-of-Order fragmentation, TCP segment overlap, and Out-of-Order TCP segments properly; which results in packets slipping through because the IDS failed to alarm!!!

•Buffer Overflows, Why, How and Prevention: http://www.sans.org/infosecFAQ/threats/buffer_overflow.htm

•Good and Bad Passwords How-To: http://geodsoft.com/howto/password/

Default network services configurations

• Anonymous ftp (port bounce, world-writable)

• Default services enabled (e.g., chargen, echo, finger)

• DNS (buffer overflows, zone transfers – recon)

• SMTP (e-mail relaying, username enumeration)

• SNMP community names (public & private)

Trust relationships between hosts

• Windows NT/2000 Domains and Forests

• UNIX NIS or NIS+ domains

• “R” services (.rhosts and hosts.equiv)

Network device configurations

•Network device configurations – no authentication (e.g., telnet, ftp, http)

Top Ten Vulnerabilities by Cisco Secure Consulting Services

• Password Issues

• HTTP Issues

• Trojans, Viruses, and Worms

• File Sharing Issues

• Remote Procedure Call (RPC)

• SNMP

• DNS Issues

• FTP Issues

• Remote Access

• Other Services

•Passwords – Default accounts, Easily guessable passwords, Joe accounts, Null passwords

•HTTP – Frontpage Extensions (config files), IIS (buffer overflows), Netscape (cgi scripts), Apache (cgi scripts) , Remote management (no auth), Common languages (PHP, ASP, Javascript, and ActiveX)

•Trojans/Viruses/Worms – Backdoors (Code Red, SubSeven), Email and Network Shares (Nimda, SirCam, LoveLetter), Macros (Melissa)

•File Sharing – NFS export controls, No Auth, SMB/CIFS cleartext passwords, NFS trust relationships

•RPC – NetBIOS null session connections, MS RPC endpoint mapper service, UNIX daemons (admind, cmsd, mountd, sadmind, snmpXdmid, statd, and tooltalk)

•SNMP – default or easily guessable community strings, manipulate system or device configurations, enumerate users on Windows NT/2000

•DNS – Denial of Service (transfer of compressed zone files, SRV records, SO_LINGER timeout, FD_SETSIZE descriptors, SIG record contents), Buffer Overflows (TSIG queries, nslookupComplain(), NXT records), Reconnaissance (unauthorized zone transfers, inverse query information leak)

•Other Services – Finger (enumerate valid users), TFTP (configuration downloads, unauthorized file transfers), X-Windows (keystroke and screen capturing)

•FTP – anonymous access, buffer overflows (wuftpd, proftpd), unauthorized file transfers (/etc/passwd), world writable directories

•Remote Access – applications (pcAnywhere, Remotely Possible, VNC), “R” services (weak authentication – rlogin, rexec, rsh), Telnet (local and remote buffer overflows), No Authentication, hardware platforms (dial-in access)

Types of Exploits Local exploits

• Requires user level access

• Used to escalate user privileges

• NT winlogon exploit (GetadmforSops.exe)

• IIS system privilege exploit (hk.exe)

• Solaris libc exploit (ex_lobc-2.c)

• Solaris dtprintinfo exploit (ex_dtprintinfo.c)

•GetadmforSops.exe – exploits a vulnerability in “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon” registry key on NT 4.0 that allows elevation of user privileges to both the local and global Administrator level. (http://archives.neohapsis.com/archives/ntbugtraq/1998-1999/msg00266.html)

•hk.exe – exploits IIS web servers to launch “cmd.exe” with system privileges. Use “IIS-ZANK.exe” to initiate a command-line session with a vulnerable IIS web server (e.g., Decode, MSADC.dll, Unicode). Upload “hk.exe” and “nc.exe” (NetCat) into an executable directory on the web server (e.g., /scripts, /images) and run the following command: hk.exe+cmd+/c+nc.exe+”-n”+”-l”+”-v”+”-p”+6000+”-e”+cmd.exe (http://razor.bindview.com/publish/advisories/LPCAdvisory.html)

• ex_lobc – allows a non-privileged user to exploit a buffer overflow in the SUID program libc for Solaris 2.5, 2.6, and 2.7 that would allow users to gain root privileges. (http://www.atstake.com/research/advisories/1997/getopt.txt)

•ex_dtprintinfo – allows a non-privileged user to exploit a buffer overflow in the CDE Print Viewer utility for Solaris 2.6 and 2.7 to gain root privileges. (http://www.securiteam.com/exploits/2KUQ9QAQRM.html)

Remote exploits

Does not require user level access.
–Used to gain access without user access.

•IIS Web Server Traversal exploit (iis-zank.exe)

•Windows 9x NetBIOS exploit (client.c)

•Solaris RPC Buffer Overflow (sadmindex.c)

•WUFTPd Buffer Overflow (wuftpd2600.c)

•HTTP Tunnel via HTTP Proxy (httptunnel)

•SSH CRC32 Buffer Overflow (in the wild)

•iis-zank.exe – allows an attacker to send a malformed URL (containing Decode or Unicode) to a vulnerable IIS web server to access files and folders anywhere on the logical drive that contains the web folders. The attacker could gain additional privileges on the machine (using hk.exe) that would enable them to add, change or delete data, execute code already on the server, or upload new code to the server and execute it. (http://www.securiteam.com/windowsntfocus/Web_Server_Folder_Traversal_vulnerability__Patch_available__exploit_.html)
•client.c – allows any user to access the Windows 9x file-sharing service with or without password protection. Potential attackers do not have to know the share password. (http://www.securiteam.com/exploits/5WP010K4UA.html)

•sadmindex.c – vulnerable versions of sadmind (on Solaris 2.5, 2.6, 2.7, and 2.8) are susceptible to a buffer overflow if a long buffer is passed to a NETMGT_PROC_SERVICE request (called via clnt_call()). Because sadmind runs as root any code that is executed as a result of the buffer overflow will run with root privileges. (http://www.securiteam.com/exploits/3P5Q1Q0QAO.html)

•wuftpd2600.c – Using anonymous access this exploit attempts to create special directories using the MKD (make directory) command, and then change its current FTP path into those directories using the CWD (change current directory) command, followed by executing a SITE EXEC command on those directories. In some versions of WuFTP this triggers a buffer overflow that can be leveraged to gain root privileges. (http://www.securiteam.com/exploits/5TQ060A1YG.html)

•httptunnel – creates a bidirectional virtual data connection tunnelled in HTTP requests. The HTTP requests can be sent via an HTTP proxy to reach hosts behind restrictive firewalls. If web access (port 80/tcp) is allowed through a HTTP proxy, it is possible to use httptunnel and telnet to connect to an internal host from outside the firewall. (http://www.nocrew.org/software/httptunnel/httptunnel-3.0.5.tar.gz)

•SSH v1 – CRC32 buffer overflow exploit still in the wild (Reference: http://staff.washington.edu/dittrich/misc/ssh-analysis.txt)

Most exploits depend on SUID or privileged use programs

• Buffer overflow exploits are most preferred

• Due to improper input checks

• Allows execution of malicious code

• “Smashing the Stack for Fun and Profit” (Aleph One)

• Trusted environment variables

• Variable values are used by most applications

• Software that does not perform proper checking on environment values can be exploited

• Internal Field Separator (IFS) and TMP

•Internal Field Separator (IFS) – specifies which characters separate commands in a shell environment. It is normally set to a space, tab, or new line. By changing the IFS, an attacker can change what programs our script executes. (http://www.samag.com/documents/s=1149/sam0106a/0106a.htm)

•TMP – many legacy UNIX platforms allow applications to create and store SUID files in /tmp in an insecure manner, allowing local users to overwrite files to which they would ordinarily not have access. An attacker can exploit this vulnerability using symlink attacks to execute privileged commands or view sensitive data files (http://www.kb.cert.org/vuls/id/670568)

•Sharefuzz – a local setuid program fuzzer which automatically detects environment variable overflows in Unix systems. (http://www.atstake.com/research/tools/)

Reconnaissance

Unauthorized discovery and mapping of systems, services, or vulnerabilities
18 – Discovering the Targets

Know thy target…

• Domain name lookup

• whois.networksolutions.com

• IP Address space verification

• whois.arin.net

• DNS zone transfer

• dig, nslookup, host command

Ping Sweeps

• Network mapping with ICMP queries

• Identify potential targets
WHOIS Servers:

•www.internic.net/whois.html (US web sites)

•whois.isi.edu (US educational web sites)

•whois.nic.mil (US Military)

•whois.apnic.net/ (Asia Pacific Network Information Centre)

•whois.ripe.net/ (Réseaux IP Européens Network Coordination Centre)
•whois.aunic.net (Australia)

•whois.cdnnet.ca (Canada)

•www.cnnic.cn/ (China)

•whois.nic.fr (France)

•whois.nic.ad.jp (Japan)

•www.nic.mx/cgi/whois (Mexico)

•whois.nic.net.sg (Singapore)

•whois.nic-se.se (Sweden)

•whois.nic.ch (Switzerland)

•whois.nic.uk (United Kingdom)

•Typical “whois” commands:

•whois –h whois.arin.net
or whois –h whois.arin.net

•whois –h whois.networksolutions.com
Typical “host” commands:

•host –l

•host –l –i