Sunday, March 18, 2012

Port Scanning

The internet is composed of many computers linked together using TCP/IP, many of which offer some kind of network service to remote users.

The three most common applications used are email, file transfer, and the World Wide Web.

Examine port scanning and review these services by using telnet to connect to the service ports.
Port 21 = FTP service (file transfer).
Port 25 = SMTP service (mail transfer).
Port 80 = HTTPD service (World Wide Web).

Simple Mail Transfer Protocol (SMTP)
Besides SMTP, there are also POP3, MHS and MS-Mail.

You can use telnet to connect to a local machine on port 25, the port for SMTP services, then ask for HELP.
"HELO/EHLO" = Greets the remote host
"RCPT" = Specifies the recipient of the email
"MAIL" = Specifies the sender of the email
"DATA" = Body of the email message
"VERB" = Turns on "verbose" message mode
"EXPN" = Expands an email alias to the full list of recipients
"VRFY" = Verifies that a username exists on the system
"HELP" = Help
"QUIT" = Exits the SMTP service
"NOOP" = Does nothing

Fake Mail
Looking at the logs above, anyone can see how easy it is for a hacker to fake email from an SMTP server just by connecting to port 25 of any remote host and typing in the correct sequence of commands.

SMTP Logs
View the logs on the remote computer that has been attacked.
They show activity on the SMTP port, including where each connection came from and which user ID performed the actions.
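As an added example (not part of the original notes), here is a minimal SMTP command handler that models what a hardened mail server answers to the verbs listed above and what its log records about a session. There is no network I/O: a "session" is a list of command strings, as if typed over telnet. The policy (VRFY, EXPN and VERB refused), the server name mail.example.test and the peer address are this example's assumptions.

```python
"""Minimal SMTP command handler (added example, not from the notes).
Models a hardened server's replies and its per-session log; the refusal of
VRFY/EXPN/VERB and the server name are assumptions of this example."""
import re

# User-enumeration verbs are refused so they cannot be used to list accounts.
DISABLED_VERBS = {
    "VRFY": "252 Cannot VRFY user; try RCPT to attempt delivery",
    "EXPN": "502 EXPN not available",
    "VERB": "502 Verbose mode not available",
}

class SmtpSession:
    def __init__(self, peer_ip):
        self.peer_ip = peer_ip
        self.helo = None
        self.mail_from = None
        self.rcpts = []
        self.in_data = False
        self.log = []        # one entry per command: peer, command, reply

    def handle(self, line):
        """Reply to one client line (None for message-body lines)."""
        line = line.rstrip("\r\n")
        if self.in_data:
            if line != ".":
                return None          # body text is stored, not logged here
            self.in_data = False
            reply = "250 OK: message queued"
        else:
            verb, _, arg = line.strip().partition(" ")
            reply = self._command(verb.upper(), arg.strip())
        self.log.append(f"{self.peer_ip} {line.strip()[:60]!r} -> {reply}")
        return reply

    def _command(self, verb, arg):
        if verb in DISABLED_VERBS:
            return DISABLED_VERBS[verb]
        if verb in ("HELO", "EHLO"):
            if not arg:
                return "501 Syntax: HELO hostname"
            self.helo = arg
            return f"250 mail.example.test Hello {arg} [{self.peer_ip}]"
        if verb == "MAIL":
            if self.helo is None:
                return "503 Error: send HELO/EHLO first"
            m = re.fullmatch(r"FROM:\s*<([^>]*)>", arg, re.I)
            if not m:
                return "501 Syntax: MAIL FROM:<address>"
            self.mail_from = m.group(1)
            return "250 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 Error: need MAIL command"
            m = re.fullmatch(r"TO:\s*<([^>]+)>", arg, re.I)
            if not m:
                return "501 Syntax: RCPT TO:<address>"
            self.rcpts.append(m.group(1))
            return "250 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "NOOP":
            return "250 OK"
        if verb == "HELP":
            return "214 Commands: HELO EHLO MAIL RCPT DATA NOOP HELP QUIT"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Command not recognized"

def helo_sender_mismatch(session):
    """Defender heuristic: an envelope sender whose domain does not match the
    HELO name is the classic sign of hand-typed 'fake mail'. Legitimate relays
    can trip this too, so it is a reason to read the log, not proof."""
    if not (session.helo and session.mail_from and "@" in session.mail_from):
        return False
    sender_domain = session.mail_from.rsplit("@", 1)[1].lower()
    return not session.helo.lower().endswith(sender_domain)

def run_session(peer_ip, lines):
    """Feed a whole session through the handler; return it and the replies."""
    session = SmtpSession(peer_ip)
    replies = [r for r in map(session.handle, lines) if r is not None]
    return session, replies
```

The log entries are the kind of record the "SMTP Logs" point above refers to: every command is tied to the peer address, and the 252/502 replies show the enumeration verbs being refused rather than answered.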

HyperText
A concept first pioneered by XEROX PARC labs at Palo Alto, and then taken up by Apple.
HyperText is like reading a book with a "smart index": the index isn't at the back and you don't have to look anything up.

Uniform Resource Locators (URL)
Defines a more general HyperText linking scheme which enables stacks to reference other stacks on the internet by including external links to remote hosts.

HyperText Markup Language (HTML)
Attempts to guarantee a uniform display format for documents wherever they are viewed on the World Wide Web.

Common Gateway Interface (CGI)
Allows user input rather than just URL requests to be passed back to the server and processed to provide information to be displayed dynamically rather than statically.

Blocking Ports
If nobody needs to telnet in to your servers from the internet, block all incoming connections to port 23 (telnet). If you do need to provide this kind of access, it is better to think about providing SSH (port 22) connectivity instead.
Try running a port scanner against some of the computers on a LAN.
NetBIOS = Port 139.
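An added example (not from the original notes) of the TCP connect() scan described here, with the service names taken from this page's port tables. The probe is injectable so the scanning logic runs offline against a constructed host; tcp_probe is the real thing and needs a reachable target. The host address 192.0.2.5, the open-port set and the allowed-port policy are constructed for the demonstration.

```python
"""TCP connect() scan (added example, not from the notes). Service names are
the ones these notes list, not a full /etc/services. The probe is injectable
so the scan logic can be exercised offline against a constructed host."""
import socket
from contextlib import closing

SERVICE_NAMES = {7: "echo", 9: "discard", 13: "daytime", 21: "ftp", 22: "ssh",
                 23: "telnet", 25: "smtp", 79: "finger", 80: "http",
                 110: "pop3", 111: "sunrpc", 139: "netbios-ssn",
                 513: "login", 514: "shell", 515: "printer", 2049: "nfs"}

def tcp_probe(host, port, timeout=0.5):
    """Full three-way handshake via connect(): the noisiest scan type, and the
    one that leaves a complete connection entry in the target's logs."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0

def connect_scan(host, ports, probe=tcp_probe):
    """Return {port: service name} for each port the probe reports open."""
    return {port: SERVICE_NAMES.get(port, "unknown")
            for port in ports if probe(host, port)}

def policy_violations(open_ports, allowed):
    """The 'blocking ports' check: anything reachable that policy does not
    allow is a finding to fix at the firewall or by stopping the service."""
    return sorted(p for p in open_ports if p not in allowed)

def constructed_host(open_set):
    """Stand-in for a LAN host whose listening ports are exactly open_set."""
    return lambda host, port: port in open_set

if __name__ == "__main__":
    # Constructed host so the demonstration runs offline; the default probe
    # (tcp_probe) does the same scan against a live host.
    found = connect_scan("192.0.2.5", range(1, 1025),
                         constructed_host({22, 23, 139, 445}))
    print(found, policy_violations(found, allowed={22, 80}))
```

Comparing the scan result against the allowed list turns the scanner into the firewall check the paragraph above asks for: telnet (23) and NetBIOS (139) showing up as open on a host whose policy allows only SSH and HTTP is exactly the finding that should lead to blocking those ports.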

One of the oldest ways to gain access is to get hold of the password file and use a tool like CRACK to recover the plain-text passwords.
If the target is running Sun's Network Information Service (NIS), the cracker can get a program like YPX and try guessing the NIS domain.

A security administrator must be aware of how a cracker's mind works and why they are so intent on getting root, admin or supervisor status, depending on the system they are hacking.
There are numerous ways of getting system privileges.

Network Filing Services
One of the most common services offered on any LAN is network filing which allows access to files stored remotely on a server as though those files were available locally.
The second most common service provided by servers in a client-server environment is remote printing and spooling, which allows users at remote hosts to direct printing to a centralised spooling system that redirects the output to remote printers.

Remote Procedure Calls (RPC)
A mechanism for users on remote hosts to execute commands on a server. Network filing and remote-printing services are often offered as an RPC service on the remote server.

One example of a password database system is Sun Microsystems' Network Information Service (NIS), which centralises passwords on NIS servers.
Because of the way NIS works, anyone with the valid NIS domain name can request NIS database files, including the password file, and have them sent to a remote computer, even though that computer is not in the NIS domain.

Covering their tracks
Once a cracker has got inside a remote system, they need to try to hide from the systems administrators and remove all traces of their entry when they leave. This is yet another reason why they need to know why they are cracking the target before starting, and to do basic research on how they could be tracked on the target system and where that information is stored.
If they are cracking a common system, such as a Solaris or Linux variant, there are pre-packaged toolsets called "rootkits" which contain virtually everything a cracker could need. A rootkit will contain software to be compiled on the target system that performs many of the routine tasks needed to cover a cracker's tracks.
An experienced hacker knows that using a rootkit without understanding how it works, and without ensuring that there aren't other logs on the system, will inevitably lead to them getting caught.

login = "modified" to accept backdoor password
netstat = "modified" to not list certain connections
du = "modified" to incorrectly report disk usage
ls = "modified" to not list certain files
ps = "modified" to not show certain processes
zap = hides logins by removing entries in system logs
fix = fake checksum on file after being "modified"
ifconfig = "modified" to remove PROMISC flag

CRACK = Password cracker and dictionary
YPX = Exploits holes in NIS, gets more passwords
SNIFFERS = Ethernet sniffer that will run on the target
PGP = Encrypt the files the cracker leaves on the target
EXPLOITS = All exploits that are needed for that target/network
MISC TOOLS = Unshadow passwords, low-level TCP/IP tools, port scanners, etc.
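The "fix" entry in the rootkit list above matters because the old `sum`-style checksums it defeated are trivially padded to match. The defender's answer is a cryptographic baseline of the binaries taken before compromise and kept off the host. The following is an added example, not part of the original notes; the two stand-in "binaries" are temporary files constructed for the demonstration, and the tampering step is simulated by appending to one of them.

```python
"""SHA-256 file baseline (added example, not from the notes). The files and
the 'trojaned' modification are constructed in a temporary directory."""
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def take_baseline(paths):
    """Record (digest, size) per path. Keep the result on read-only media:
    a baseline stored on the same host can be rewritten along with ls/ps."""
    return {p: (sha256_file(p), os.path.getsize(p)) for p in paths}

def verify_baseline(baseline):
    """Return {'changed': [...], 'missing': [...]} relative to the baseline."""
    report = {"changed": [], "missing": []}
    for path, (digest, size) in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(path)
            continue
        if os.path.getsize(path) != size or sha256_file(path) != digest:
            report["changed"].append(path)
    return report

def demo():
    """Create two stand-in binaries, baseline them, then tamper with 'ps'."""
    with tempfile.TemporaryDirectory() as d:
        ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
        for path, body in ((ls, b"original ls code"), (ps, b"original ps code")):
            with open(path, "wb") as f:
                f.write(body)
        base = take_baseline([ls, ps])
        with open(ps, "ab") as f:          # simulated trojaned ps
            f.write(b"\n# hide pid 4242")
        report = verify_baseline(base)
        return ([os.path.basename(p) for p in report["changed"]],
                report["missing"])

if __name__ == "__main__":
    print(demo())
```

Because the check reads file contents with its own code rather than asking `ls` or `sum`, a modified `ls` that hides files does not hide the change; the remaining exposure is a kernel-level rootkit that lies to every process, which is why the baseline is ideally verified from a clean boot medium.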

Before attempting to crack a system
- What is the aim of the test?
- What happens if you succeed?
- What happens if you are detected?
Very important if running a test against a corporate entity, especially if the systems administrators are not told that a test is being run against the company. Having the systems administrators alert CERT, the FBI and other law enforcement agencies will be highly embarrassing for the company if it is just a test.

Fact Finding
- Network Internet Searches
Start with "whois" to look up the network details, contact addresses, responsible person, name servers and mail exchange (MX) records.
If the company domain is hosted by a third party, look up the hosting company, and any web or mail hosting company as well. Try to build up a picture of the "web of trust" surrounding the corporate LAN and identify the weakest link in the security chain.

- Financial Internet Searches
- Trade Journals and Print Media
- Trashing > Recycling Bin
- Social Engineering
Once you have gathered information about the internal structure of the company, it would be time to launch social engineering attacks. (For example, pose as part of the IT team to get a normal user to disclose passwords or other important information)
- Infiltration Hacking = Does the company or individual have public access terminals anywhere?

Once you have gathered all the information you need, it is time to start probing the IT infrastructure to see what else is available.
- Network Scanner (NMAP) = Must map out any public network space and open ports. If you use a tool like NMAP, you will also get to OS-fingerprint any hosts you find.
- Firewall Scanning Tools (Firewalk, HPING2) = If a large part of the accessible network is behind a firewall, use one of the tools mentioned to infiltrate beyond it and map out hosts and ports that would normally be unavailable.
- HTTP CGI Scanners (ScreamingCobra, Whisker) = Assuming the company has a corporate website, you must check for Common Gateway Interface (CGI) vulnerabilities.
- War-diallers and Scanners (ToneLoc, "TLO") = If the company has a PBX or voicemail system, run a phone scan across the exchange and see if there are any modems within the company.
- SMB tools (SMBClient, ADMSMB) = Windows file sharing using SMB is common inside organisations. Use "NBTSTAT" and "NBTSCAN" to determine which hosts on a network have shares available and port 139 open.
- Password Crackers (L0phtCrack, Crack) = Depending on the systems you find, you will need either an NT or a UNIX password cracker to check that passwords adhere to the security policy.
- Security Scanners (SARA, NESSUS) = To scan quickly for vulnerabilities in any hosts found, use a network security scanner such as the SATAN-based Security Auditor's Research Assistant (SARA), which interfaces with NMAP for OS fingerprinting and also supports SMB cracking tools.
- Firewall Evaluations = Did the firewall access control list work effectively? Has it prevented access to ports that should have been blocked? Does the firewall handle fragmented packets correctly? Is it possible to scan beyond the firewall? What hosts can you enumerate behind the firewall that should not be accessible?
Story of the new generation of malware written by professional software writers who live on the dark side of computing; current evidence is that they are clever, organised and very dangerous.
Check firewall logs.
Check SMTP (smaight) logs.
Story of a young, skilled individual penetrating a network by posing as an IT team member, dismantling the financial IT infrastructure from within a banking company in Europe, then using the proceeds to come to the USA to do the same thing, employing others to do the work and profiting from the exploits.

Echo. Port 7. Echo of input.
Netstat. Port 15. Network statistics service.
FTP. Port 21. File Transfer Protocol.
Telnet. Port 23. Network terminal protocol.
SMTP. Port 25. Simple Mail Transfer Protocol.
Finger. Port 79. Finger service.
HTTP. Port 80. HyperText Transfer Protocol (WWW).


Example of Snort detecting OS fingerprinting (an nmap XMAS scan). The flag field **U*P**F shows URG, PSH and FIN set together, a combination no normal TCP connection starts with:

[**] [111:10:1] spp_stream4: STEALTH ACTIVITY (nmap XMAS scan) detection
07/02-18:36:41.773535 192.168.0.166:62247 -> 192.168.0.69:1
TCP TTL:57 TOS:0x0 ID:39318 IpLen:20 DgmLen:60
**U*P**F Seq: 0xCC5EE576 Ack: 0x0 Win: 0x800 TcpLen: 40 UrgPtr: 0x0
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL
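As an added example (not part of the original notes), here is a parser for the Snort alert above together with the flag decoding that lets a defender classify the scan independently of Snort's own message. SAMPLE_ALERT is the alert from the notes retyped; the column order "12UAPRSF" is Snort's fixed TCP-flag layout, in which "*" means the bit is clear, so "**U*P**F" is URG+PSH+FIN.

```python
"""Snort full-alert parser and TCP flag classifier (added example, not from
the notes). SAMPLE_ALERT is the alert shown in the notes, retyped."""
import re
from dataclasses import dataclass

SAMPLE_ALERT = """[**] [111:10:1] spp_stream4: STEALTH ACTIVITY (nmap XMAS scan) detection
07/02-18:36:41.773535 192.168.0.166:62247 -> 192.168.0.69:1
TCP TTL:57 TOS:0x0 ID:39318 IpLen:20 DgmLen:60
**U*P**F Seq: 0xCC5EE576 Ack: 0x0 Win: 0x800 TcpLen: 40 UrgPtr: 0x0
TCP Options (5) => WS: 10 NOP MSS: 265 TS: 1061109567 0 EOL"""

FLAG_ORDER = "12UAPRSF"      # reserved bits 1,2 then URG ACK PSH RST SYN FIN

# Flag combinations no normal TCP stack sends to open a connection.
SCAN_SIGNATURES = {
    frozenset("UPF"): "XMAS scan (URG+PSH+FIN)",
    frozenset(): "NULL scan (no flags set)",
    frozenset("F"): "FIN scan",
}

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+)")
ADDR_RE = re.compile(r"(\S+) (\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)")
TTL_RE = re.compile(r"TTL:\s*(\d+)")

@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    msg: str
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    flags: frozenset

def decode_flags(token):
    """'**U*P**F' -> frozenset({'U', 'P', 'F'})."""
    if len(token) != len(FLAG_ORDER):
        raise ValueError(f"bad flag field: {token!r}")
    return frozenset(n for n, ch in zip(FLAG_ORDER, token) if ch != "*")

def parse_alert(text):
    """Parse the header, address, IP and TCP lines of one full-format alert."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 4:
        raise ValueError("alert needs header, address, IP and TCP lines")
    h = HEADER_RE.fullmatch(lines[0])
    a = ADDR_RE.fullmatch(lines[1])
    t = TTL_RE.search(lines[2])
    if not (h and a and t):
        raise ValueError("unrecognised alert layout")
    return SnortAlert(int(h[1]), int(h[2]), int(h[3]), h[4], a[1],
                      a[2], int(a[3]), a[4], int(a[5]), int(t[1]),
                      decode_flags(lines[3].split()[0]))

def classify(alert):
    """Name the scan type from the flags alone, independent of Snort's msg."""
    return SCAN_SIGNATURES.get(
        alert.flags, "no scan signature (" + "".join(sorted(alert.flags)) + ")")
```

The source address and the low TTL (57, i.e. a few hops away) are the fields worth pivoting on in the firewall logs; the signature table is the same check the spp_stream4 preprocessor applies, written out so the reasoning is visible.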


Packet Sniffers
LANALYSER
Ethernet works by sending packets of information to all the hosts on a network, with the source address and the destination address encapsulated in the header of the packet.
It is possible to place an Ethernet interface in what is called promiscuous mode; when that happens the machine will accept every packet, no matter what the destination address in the header says.
Of all the packet-sniffing tools, tcpdump is the most widely available.
Device drivers = ODI / NDIS
An effective packet sniffer for DOS is TELNET TAP (TNT).
GOBBLER, ETHDUMP, FERGIE (for DOS), BUTTSNIFF for BackOrifice
Wireshark (formerly Ethereal) is a fully featured packet-sniffing program. Runs on Windows platforms.
It enables you to filter packets by source and destination, decode protocols and follow TCP/IP streams.
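An added example, not part of the original notes, of the promiscuous-mode point above: a NIC normally delivers only frames addressed to its own MAC or to a broadcast/multicast address, and in promiscuous mode it delivers everything. The frames and MAC addresses are constructed; IFF_PROMISC is the Linux interface-flag bit, and /sys/class/net/<iface>/flags is where a defender can read the kernel's own view of it rather than trusting the output of a possibly modified ifconfig.

```python
"""Ethernet frame parsing, NIC acceptance rule and promiscuous-flag check
(added example, not from the notes; frames and MACs are constructed)."""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
IFF_PROMISC = 0x100          # interface flag bit from <linux/if.h>

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(dst, src, ethertype, payload):
    """Ethernet II: dst(6) src(6) type(2), then payload."""
    return dst + src + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return mac_str(dst), mac_str(src), ethertype, frame[14:]

def nic_delivers(frame, own_mac, promiscuous):
    """Normal mode: own unicast, broadcast or group (multicast) addresses.
    Promiscuous mode: every frame on the wire, whatever the header says."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == own_mac or dst == BROADCAST or bool(dst[0] & 0x01)

def capture(frames, own_mac, promiscuous=False):
    """Return the (src, dst, ethertype) triples a sniffer on this host sees."""
    seen = []
    for frame in frames:
        if nic_delivers(frame, own_mac, promiscuous):
            dst, src, etype, _ = parse_frame(frame)
            seen.append((src, dst, etype))
    return seen

def is_promiscuous_from_flags(flags_text):
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def interface_is_promiscuous(iface):
    """Linux-only live check; reads the kernel's view, not a userland tool's."""
    with open(f"/sys/class/net/{iface}/flags") as fh:
        return is_promiscuous_from_flags(fh.read())

# Constructed traffic on a three-host segment (locally administered MACs).
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
HOST_C = bytes.fromhex("020000000003")
SAMPLE_FRAMES = [
    build_frame(HOST_A, HOST_B, 0x0800, b"IPv4 packet for A"),
    build_frame(HOST_C, HOST_B, 0x0800, b"IPv4 packet for C, not for A"),
    build_frame(BROADCAST, HOST_C, 0x0806, b"ARP who-has"),
]

if __name__ == "__main__":
    print("normal:     ", capture(SAMPLE_FRAMES, HOST_A))
    print("promiscuous:", capture(SAMPLE_FRAMES, HOST_A, promiscuous=True))
```

Host A sees two of the three frames in normal mode and all three in promiscuous mode, which is the whole difference between an ordinary host and a sniffer; the flag check is the counterpart to the rootkit's "ifconfig modified to remove PROMISC flag" entry earlier on this page.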

SATAN is one of the oldest and best-known security scanners.
It scans for a number of security vulnerabilities, including the following:
NFS file systems exported to arbitrary hosts
NFS file systems exported to unprivileged programs
NFS file systems exported via the portmapper
NIS password file access from arbitrary hosts
Old sendmail versions
Writable anonymous FTP directory
TFTP enabled, allowing arbitrary files to be read.

Port 7. Echo
Port 9. Discard
Port 11. System
Port 13. Daytime
Port 15. Netstat
Port 19. Chargen
Port 21. FTP
Port 23. Telnet
Port 25. SMTP
Port 37. Time
Port 79. Finger
Port 110. POP-3
Port 111. SUNRPC
Port 113. Authorization
Port 119. NNTP
Port 139. NETBIOS-SSN
Port 513. LOGIN
Port 514. SHELL
Port 515. Printer
Port 540. UUCP
Port 676. Unknown
Port 2049. Open (NFS)

DNS Search with "NSLOOKUP" or "DIG"
Used to explore the domains and hosts in the DNS.
www.network-tools.com
Performing a DNS search means asking the name server to resolve the address; NSLOOKUP allows you to dig into the DNS database and also see which name servers are being queried.
"TRACEROUTE"
Traces the route between your host and any other host on the internet, identifying any routers or gateways it passes through along the way.
Although designed for debugging routing errors, it is also effective for identifying the IP addresses of the other computers sitting between a hacker and their target.
The TRACEROUTE program works by sending packets with short "Time-To-Live" (TTL) values, incrementing the TTL value by one after every few packets.
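The TTL mechanism just described, simulated as an added example that is not part of the original notes. The path is a constructed list of routers using documentation addresses; each hop decrements the TTL and, when it reaches zero, answers with an ICMP time-exceeded naming itself. One router is marked as not sending ICMP, which is what a firewall that drops those replies looks like in traceroute output (the familiar "*"). No packets are sent.

```python
"""Traceroute TTL mechanism, simulated (added example, not from the notes).
Routers, addresses and the silent hop are constructed."""
from collections import namedtuple

Router = namedtuple("Router", "address sends_icmp")
Reply = namedtuple("Reply", "kind sender")

PATH = [Router("192.0.2.1", True),        # local gateway
        Router("198.51.100.7", False),    # drops ICMP time-exceeded (firewall)
        Router("198.51.100.9", True),
        Router("203.0.113.2", True)]
DEST = "203.0.113.50"

def forward(packet_ttl, path, dest):
    """Walk the path; a router that decrements the TTL to zero discards the
    packet and (unless silent) sends back ICMP time-exceeded from itself."""
    ttl = packet_ttl
    for router in path:
        ttl -= 1
        if ttl == 0:
            return Reply("time-exceeded", router.address) if router.sends_icmp else None
    return Reply("port-unreachable", dest)   # UDP probe reached the destination

def traceroute(path, dest, max_hops=30, probes_per_hop=3):
    """Send probes_per_hop probes at TTL 1, 2, 3 ... until the destination
    answers or max_hops is reached; '*' marks a hop that never replied."""
    hops = []
    for ttl in range(1, max_hops + 1):
        replies = [forward(ttl, path, dest) for _ in range(probes_per_hop)]
        answered = [r for r in replies if r is not None]
        if not answered:
            hops.append((ttl, "*"))
            continue
        hops.append((ttl, answered[0].sender))
        if answered[0].kind != "time-exceeded":
            break
    return hops

if __name__ == "__main__":
    for ttl, who in traceroute(PATH, DEST):
        print(f"{ttl:2d}  {who}")
```

The output lists every intermediate address exactly as the notes say, which is why the same tool serves both the administrator debugging a route and the reconnaissance step of mapping what sits in front of a target; from the defender's side, the "*" hop is the effect of dropping outbound ICMP time-exceeded at the perimeter.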

Firewall Tunneling

Pharming = Variation on phishing attacks where an attacker subverts the infrastructure of the web itself in order to direct unsuspecting users to fake websites or mount "man in the middle" attacks.
Pharming compromises the DNS system, which underpins the web and allows internet communication using human-readable domain names. The DNS system is designed to convert domain names into IP addresses, which computers can then use to locate and connect to internet servers. Normally, when a user attempts to connect to an internet site via the domain name, several things happen behind the scenes of which the user is not aware.
Your computer will look up the address of the name server which your ISP has assigned to your personal computer. It then makes a request to that name server asking it to resolve the domain name into an IP address. If the local name server doesn't know the IP address it will ask a higher-level name server, and if that fails the higher-level name server will ask yet another, even higher-level name server. Eventually one of the name servers will resolve the address or, if not, report back down the chain to your personal computer that the domain name is "unresolvable". In this way the DNS system has been likened to an internet phone book because of how it resolves human-readable addresses (domain names) into computer-readable format (IP addresses).
What happens when you subvert and control these lookup mechanisms? The end result is that you can falsify the domain name lookup and send back any arbitrary IP address to the computer requesting the information. This is the essence of pharming: the subversion of the basic infrastructure of the internet to mislead and misdirect users to websites that are not what they seem.
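The lookup chain described above, modelled as an added example that is not part of the original notes. The servers, domain and addresses are constructed, and the hierarchy is simplified (the upstream server answers directly instead of delegating). A bogus entry placed in the ISP resolver's cache stands in for a pharming compromise, and the last function is the defender's check: ask an independent resolver and compare.

```python
"""Recursive DNS lookup chain with caching, a simulated compromised cache and
a cross-resolver check (added example, not from the notes; all data constructed)."""

class NameServer:
    def __init__(self, name, records, upstream=None):
        self.name = name
        self.records = dict(records)   # data this server is authoritative for
        self.upstream = upstream       # the "higher level" server to ask next
        self.cache = {}                # answers learned from upstream

    def resolve(self, domain, trail):
        """Return an IP or None ('unresolvable'); trail records who was asked."""
        trail.append(self.name)
        if domain in self.cache:
            return self.cache[domain]
        if domain in self.records:
            return self.records[domain]
        if self.upstream is None:
            return None
        answer = self.upstream.resolve(domain, trail)
        if answer is not None:
            self.cache[domain] = answer
        return answer

def build_hierarchy():
    """root <- tld (holds the record, simplified) <- the ISP's resolver."""
    root = NameServer("root", {})
    tld = NameServer("tld", {"www.example.test": "203.0.113.10"}, upstream=root)
    isp = NameServer("isp-resolver", {}, upstream=tld)
    return isp, tld

def lookup(resolver, domain):
    """What the personal computer does: ask its assigned resolver."""
    trail = []
    return resolver.resolve(domain, trail), trail

def simulate_compromised_cache(resolver, domain, bogus_ip):
    """Stand-in for pharming: every client of this resolver now gets bogus_ip
    for domain, and the resolver never asks upstream while the entry lives."""
    resolver.cache[domain] = bogus_ip

def cross_check(domain, resolvers):
    """Ask independent resolvers; disagreement is the signal to investigate."""
    answers = {r.name: lookup(r, domain)[0] for r in resolvers}
    return len(set(answers.values())) == 1, answers

if __name__ == "__main__":
    isp, tld = build_hierarchy()
    print(lookup(isp, "www.example.test"))
    simulate_compromised_cache(isp, "www.example.test", "198.51.100.66")
    other = NameServer("independent-resolver", {}, upstream=tld)
    print(cross_check("www.example.test", [isp, other]))
```

The trail shows the "chain" the notes describe (resolver, then higher-level servers) and why a single poisoned resolver affects every client behind it: once the entry is cached, the upstream servers are never consulted again, so only a resolver outside that chain reveals the discrepancy.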



 DANIEL S. ABRAHAMIAN
PORT SCANNING
FEELMYFLAME
