Packet Storm Security http://packetstorm.securify.com
Technotronic Security Information http://www.technotronic.com
Security Focus Bugtraq Archives http://www.securityfocus.com

Stack-based buffer overflow attacks
Password attacks
Web application attacks

Allows an attacker to execute arbitrary commands and take control of a vulnerable machine
“Smashing the Stack for Fun and Profit” http://packetstorm.securify.com/docs/hack/smashstack.txt
Any poorly written application or operating system component could have a stack-based buffer overflow

A data structure that stores important information for processes running on a computer
Used to store information associated with function calls on the computer
Used to store function call arguments, the return instruction pointer, the frame pointer, and local variables

NOP sled
  Series of “No Operation” instructions
Machine language code containing the attacker’s commands
Return pointer

Advanced Buffer Overflow Exploit paper http://ohhara.sarang.net/security/adv.txt
http://www.blackhat.com/presentations/bh-asia-00/greg/greg-asia-00-stalking.ppt
Windows buffer overflow http://www.beavuh.org/dox/win32_oflow.txt
eEye’s buffer overflow exploit on Windows NT systems running IIS http://www.eeye.com/html/advisories/AD19990608.html

Match signatures associated with NOP sleds
Identify typical machine language exploit code used to get the attacker’s commands executed
Look for frequently used return pointers associated with popular buffer overflows

Tool used to evade IDS detection of buffer overflows
http://www.ktwo.ca/security.html
Exploit code is fed into ADMutate, which modifies the exploit code while retaining the same ultimate function
  NOP instructions are replaced with other code that functionally does nothing
  The main part of the exploit code contains code to decrypt encrypted instructions
  The least significant byte of the return pointer is modified
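
The three IDS checks listed above, and the three ADMutate changes that defeat them, are easiest to see side by side in code. The following Python detector is an added example, not code from the page, from an IDS product or from ADMutate: the two byte samples, the return-pointer value and the string signature are all constructed for illustration, and the "mutated" sample only stands in for the layout the page describes (it contains no real instructions).

```python
import re

# Constructed sample payloads (not real exploit code). The "classic" layout follows
# the page's description: a run of 0x90 NOP bytes, an exploit body, and a repeated
# return pointer. The "mutated" layout follows the page's ADMutate description:
# the NOPs are swapped for other filler, the body is no longer recognisable, and
# the least significant byte of the return pointer is changed.
RETURN_POINTER = b"\x40\xf7\xff\xbf"    # constructed little-endian value, not a real address
KNOWN_RETURN_POINTERS = {RETURN_POINTER}
EXPLOIT_STRINGS = [b"/bin/sh"]           # a common plaintext string signature

def build_classic_sample() -> bytes:
    body = b"B" * 24 + b"/bin/sh\x00"    # placeholder body carrying a plaintext string
    return b"\x90" * 64 + body + RETURN_POINTER * 8

def build_mutated_sample() -> bytes:
    filler = b"\x41" * 64                 # placeholder for "instructions that do nothing"
    body = bytes(range(0x20, 0x40))       # placeholder for decoder plus encrypted body
    mutated_rp = b"\x44" + RETURN_POINTER[1:]   # LSB changed: 0xbffff740 -> 0xbffff744
    return filler + body + mutated_rp * 8

NOP_SLED_MIN_RUN = 16                     # assumed threshold for what counts as a sled
NOP_RUN_RE = re.compile(rb"\x90+")

def longest_nop_run(payload: bytes) -> int:
    return max((len(m) for m in NOP_RUN_RE.findall(payload)), default=0)

def detect(payload: bytes) -> dict:
    """Apply the three signature checks the page lists and report which fired."""
    hits = {
        "nop_sled": longest_nop_run(payload),
        "exploit_string": any(s in payload for s in EXPLOIT_STRINGS),
        "known_return_pointer": any(rp in payload for rp in KNOWN_RETURN_POINTERS),
    }
    hits["alert"] = (hits["nop_sled"] >= NOP_SLED_MIN_RUN
                     or hits["exploit_string"]
                     or hits["known_return_pointer"])
    return hits

if __name__ == "__main__":
    for name, sample in (("classic", build_classic_sample()),
                         ("mutated", build_mutated_sample())):
        print(name, detect(sample))
```

The classic sample trips all three checks; the mutated sample trips none, for exactly the three reasons the page gives. That is why signature matching on the wire needs to be backed by the host-side measures the deck lists later (patching, nonexecutable stacks, bounds checking in the code itself).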

Force the exploit code to spawn a command shell and enter another command to be executed by the command shell
The shell and command will run under the context of the vulnerable process
Installing a backdoor using inetd
Backdooring with TFTP and Netcat
Shooting back an Xterm

Netcat: a tool used to push a command shell prompt across the network
Overflow the buffer of the victim with a command to spawn a shell that downloads Netcat from the attacker’s machine via TFTP and then runs Netcat
The victim machine runs Netcat configured to execute a shell and push it to the attacker’s machine
The attacker’s machine is also running Netcat, but is configured to wait for a connection from the victim

Useful against networks that block incoming connections but allow outgoing connections
Allows the attacker to gain command-line access to the victim machine
The victim machine’s configuration need not be modified
No additional software needs to be installed on the victim machine

The attacker configures his own machine to accept incoming X sessions from the target machine via “xhost +victim”
The attacker overflows the buffer of a vulnerable program on the target machine with a shell command that runs the Xterm program and directs the display to the attacker’s machine
Commands typed by the attacker into the Xterm are executed on the victim machine

IIS Unicode exploit, which lets an attacker execute commands on a Windows NT/2000 machine running IIS http://www.wiretrip.net/rfp/p/doc.asp?id=57
wu-ftpd string input validation problem http://www.kb.cert.org/vuls/id/29823
Rain Forest Puppy’s RDS exploit, which lets an attacker execute commands on a Windows NT server running IIS http://www.wiretrip.net/rfp/p/doc.asp?id=1

BugTraq http://www.securityfocus.com/frames/?content=/forums/bugtraq/intro.html
CERT http://www.cert.org/contact_cert/certmaillist.html
SANS NewsBites mailing list http://www.sans.org

Keep systems patched
Subscribe to security mailing lists
Subscribe to vendors’ mailing lists
Remove unneeded services from servers
Control outgoing traffic such as X
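
The Netcat and Xterm techniques described above all depend on the compromised server being able to open outbound connections: to fetch Netcat over TFTP, to connect back to the attacker’s waiting listener, or to reach the attacker’s X display. The following Python egress check is an added example, not from the page: it reads firewall-style flow records and flags outbound TFTP, X11 and unapproved ports from the server network. The server network, the outbound allow-list and the log line format are constructed assumptions.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed environment: the server network and the outbound services servers
# legitimately need. Both are assumptions for this example.
SERVER_NET = ip_network("10.1.0.0/16")
ALLOWED_OUTBOUND = {("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443), ("udp", 123)}

@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int

# Constructed record format, e.g.
# "2001-03-02T10:15:01 src=10.1.0.5 dst=192.0.2.10 proto=tcp dport=6000"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) proto=(tcp|udp) dport=(\d+)$")

def parse_line(line: str) -> Flow:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    ts, src, dst, proto, dport = m.groups()
    return Flow(ts, src, dst, proto, int(dport))

def classify(flow: Flow) -> str:
    """Egress verdict for one flow record."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in SERVER_NET or dst in SERVER_NET:
        return "ignore: not an outbound connection from the server network"
    if flow.proto == "udp" and flow.dport == 69:
        return "block: outbound TFTP (tool download channel)"
    if flow.proto == "tcp" and 6000 <= flow.dport <= 6063:
        return "block: outbound X11 display connection"
    if (flow.proto, flow.dport) in ALLOWED_OUTBOUND:
        return "allow"
    return "block: destination port not on the outbound allow-list"

def review(lines) -> list:
    """Return (timestamp, src, dst, verdict) for every record; act on the 'block:' verdicts."""
    out = []
    for line in lines:
        f = parse_line(line)
        out.append((f.ts, f.src, f.dst, classify(f)))
    return out

# Constructed sample records: a web server fetching over TFTP, opening an X display,
# connecting back to a high port, resolving DNS internally, and resolving DNS externally.
SAMPLE_LOG = [
    "2001-03-02T10:15:01 src=10.1.0.5 dst=192.0.2.10 proto=udp dport=69",
    "2001-03-02T10:15:03 src=10.1.0.5 dst=192.0.2.10 proto=tcp dport=6000",
    "2001-03-02T10:15:04 src=10.1.0.5 dst=192.0.2.10 proto=tcp dport=4444",
    "2001-03-02T10:15:05 src=10.1.0.5 dst=10.1.0.2 proto=udp dport=53",
    "2001-03-02T10:15:06 src=10.1.0.5 dst=198.51.100.7 proto=udp dport=53",
]

if __name__ == "__main__":
    for row in review(SAMPLE_LOG):
        print(*row)
```

An allow-list of outbound services, rather than a block-list of known bad ports, is what makes the third record (a connect-back to an arbitrary high port) visible; a block-list would only have caught TFTP and X.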

Configure operating systems with a nonexecutable stack
Solaris: add the following to the /etc/system file
  set noexec_user_stack=1
  set noexec_user_stack_log=1
Linux: apply a kernel patch http://www.openwall.com/linux/README
Windows NT: install SecureStack http://www.securewave.com/products/securestack/secure_stack.html

Avoid programming mistakes involving allocation of memory space
Check the size of all user input
Use automated code-checking tools such as ITS4 (It’s the Software, Stupid – Security Scanner) http://www.cigital.com/its4/
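
The stack layout described earlier (local variables sitting just below the saved frame pointer and the return instruction pointer) is what makes “check the size of all user input” the decisive programming defense. The following Python model is an added example, not from the page: it is a simplified picture of one stack frame with constructed sizes and addresses, and contrasts an unchecked copy with a bounded one so the effect of the missing length check on the return pointer is visible.

```python
import struct

class FrameModel:
    """Toy model of one stack frame laid out as the page describes: a local
    buffer sits at the lowest addresses, with the saved frame pointer and the
    return instruction pointer just above it. Writes that run past the buffer
    land in those two slots. Not a CPU emulator; sizes and addresses are constructed."""

    FP_SIZE = 4
    RET_SIZE = 4

    def __init__(self, buf_size: int, saved_fp: int, return_ptr: int):
        self.buf_size = buf_size
        self.mem = bytearray(buf_size + self.FP_SIZE + self.RET_SIZE)
        self.mem[buf_size:buf_size + 4] = struct.pack("<I", saved_fp)
        self.mem[buf_size + 4:] = struct.pack("<I", return_ptr)

    @property
    def saved_fp(self) -> int:
        return struct.unpack("<I", self.mem[self.buf_size:self.buf_size + 4])[0]

    @property
    def return_ptr(self) -> int:
        return struct.unpack("<I", self.mem[self.buf_size + 4:self.buf_size + 8])[0]

    def unchecked_copy(self, data: bytes) -> None:
        """strcpy-style copy: no length check, so it keeps writing past the buffer."""
        n = min(len(data), len(self.mem))   # the model simply stops at the end of the frame
        self.mem[0:n] = data[:n]

    def checked_copy(self, data: bytes) -> None:
        """Bounded copy: refuse input that does not fit the buffer."""
        if len(data) > self.buf_size:
            raise ValueError(f"input of {len(data)} bytes exceeds {self.buf_size}-byte buffer")
        self.mem[0:len(data)] = data

def demo(copy_name: str, data: bytes) -> dict:
    """Run one copy strategy on a fresh frame and report the frame's state afterwards."""
    frame = FrameModel(buf_size=16, saved_fp=0xBFFFF7A8, return_ptr=0x08048456)  # constructed values
    before = frame.return_ptr
    try:
        getattr(frame, copy_name)(data)
        rejected = False
    except ValueError:
        rejected = True
    return {"rejected": rejected, "return_ptr_before": before,
            "return_ptr_after": frame.return_ptr, "saved_fp_after": frame.saved_fp}

# Constructed oversized input: fills the 16-byte buffer, then spills 4 bytes into the
# saved frame pointer and 4 bytes into the return pointer.
OVERSIZED = b"A" * 16 + b"B" * 4 + b"\x11\x22\x33\x44"

if __name__ == "__main__":
    print("unchecked:", demo("unchecked_copy", OVERSIZED))
    print("checked:  ", demo("checked_copy", OVERSIZED))
    print("checked, input fits:", demo("checked_copy", b"hello"))
```

On a real x86 stack the stack grows toward lower addresses while an array is filled toward higher ones, which is why the overflow runs “up” into the saved frame pointer and return address exactly as the model shows; the bounded copy is the only variant that leaves the return pointer untouched for oversized input.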

Users often choose passwords that are easy to remember, but are also easily guessed
Default passwords set by vendors are left unchanged
Database of vendor default passwords http://security.nerdnet.com

THC-Login Hacker tool http://thc.inferno.tusculum.edu
Authforce http://kapheine.hypa.net/authforce/index.php
brute_ssl and brute_web http://packetstorm.securify.com/Exploit_Code_archive/brute_ssl.c and http://packetstorm.securify.com/Exploit_Code_archive/brute_web.c
Windows NT password guessing http://packetstorm.securify.com/NT/audit/nt.remotely.crack.nt.passwords.zip
Xavier http://www.btinternet.com/~lithiumsoft/
Guessing email passwords using the POP3 protocol: Hypnopaedia http://packetstorm.securify.com/Crackers/hypno.zip
Other password guessing tools http://packetstorm.securify.com/Crackers

More sophisticated and faster than password guessing through a login script
Requires access to a file containing user names and encrypted passwords
Dictionary attacks
Brute force attacks
Hybrid dictionary and brute force attacks

L0phtCrack, a Windows NT/2000 password cracker http://www.l0pht.com/l0phtcrack
John the Ripper, a Unix password cracker http://www.openwall.com/john
Crack, a Unix password cracker http://www.users.dircon.co.uk/~crypto/
Pandora, a password cracker for Novell http://www.nmrc.org/pandora
PalmCrack, a Windows NT and Unix password cracker that runs on the Palm OS PDA platform http://www.noncon.org/noncon/download.html

Tool used to crack Windows NT/2000 passwords
Easy-to-use GUI interface
Runs on MS Windows 9x, NT, and 2000 systems
Free trial period of 15 days

The attacker must get a copy of the encrypted/hashed password representations stored in the SAM database of the target machine
L0phtCrack includes the “pwdump” tool for dumping Windows NT password representations from a local or remote machine across the network
  Requires administrator privileges on the target machine
Pwdump3 http://www.ebiz-tech.com/pwdump3/ allows the attacker to dump passwords from a SAM database or a Windows 2000 Active Directory

Boot the system from a Linux or DOS floppy disk and retrieve the SAM database at %systemroot%\system32\config
  Since DOS cannot read an NTFS partition, the attacker can use the NTFSDOS program http://packetstorm.securify.com/NT/hack/ntfsdos.zip to access the SAM database
  To access NT and 2000 passwords from a Linux boot disk http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html
Use L0phtCrack’s SMB Packet Capture tool to sniff a user’s password off of the network

Make the password hash come to you for authentication
Send email containing the URL file://attacker-pc/sharename/message.html
When the victim clicks on the URL, the victim’s machine attempts to mount the share on the attacker’s server using a challenge/handshake protocol
The password hash is captured by attacker-pc running L0phtCrack’s integrated sniffing tool
The password hash is fed into L0phtCrack to retrieve the user’s password

Used to crack Unix and Windows NT passwords
Runs on Unix, Win9x, NT, and Win2000 systems
Automatically detects the encryption algorithm used
Quickly generates many permutations for password guesses based on a word list

Find an exploit that will perform a stack-based buffer overflow of an SUID root program to gain root access
Force a process that reads the encrypted password file to generate a core dump (memory dump of a dying process)
  Crash one instance of an FTP server
  Use another instance of the FTP server to transfer the core file to look for passwords to crack

The attacker must feed John a file that has all user account and password information
May need to merge /etc/passwd and /etc/shadow via “unshadow”

Do not select passwords that can be easily guessed by an automated tool
Do not use dictionary terms
Change passwords at specified intervals
Know how to create a good password
  Use the first letters of each word from a memorable phrase, mixing in numbers and special characters
Use password filtering software to prevent users from choosing easily guessed passwords
Use one-time password tokens or smart cards
Use two- or three-factor authentication
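
The dictionary, brute-force and hybrid cracking modes described earlier are the yardstick for what a password filter has to reject. The following Python filter is an added example, not from the page and not any of the filtering products it lists: it applies the advice above (no dictionary terms, reject vendor defaults, use a phrase-derived password with mixed character classes) and, for the hybrid case, strips the digit and symbol decorations and leet substitutions a hybrid attack would try before comparing against the word list. The dictionary, the vendor-default list and the minimum length are constructed assumptions.

```python
import re

# Constructed word lists standing in for a real dictionary and the vendor
# default-password database the page references.
DICTIONARY = {"password", "secret", "summer", "welcome", "letmein", "dragon", "monkey", "football"}
VENDOR_DEFAULTS = {"admin", "public", "private", "manager", "cisco", "default"}
MIN_LENGTH = 10   # assumed policy value; the page gives no number

# Substitutions a hybrid attack tries; undone here so "P@ssw0rd" is seen as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
EDGE_JUNK = re.compile(r"^[^a-z]+|[^a-z]+$")   # leading/trailing digits and symbols

def normalize(password: str) -> set:
    """Candidate base words a dictionary or hybrid attack would recover from the password."""
    lower = password.lower()
    unleet = lower.translate(LEET_MAP)
    candidates = {lower, EDGE_JUNK.sub("", lower), unleet, EDGE_JUNK.sub("", unleet)}
    candidates |= {c[::-1] for c in list(candidates)}   # reversed variants
    return {c for c in candidates if c}

def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    bases = normalize(password)
    if bases & DICTIONARY:
        problems.append("based on a dictionary word (dictionary or hybrid attack would find it)")
    if bases & VENDOR_DEFAULTS:
        problems.append("matches a vendor default password")
    if username and username.lower() in bases:
        problems.append("based on the user name")
    return problems

if __name__ == "__main__":
    # "Mhal,ifwwas!" is the page's phrase technique applied to "Mary had a little lamb, its fleece was white as snow"
    for candidate in ("password1", "P@ssw0rd99", "Summer2001!", "admin", "Mhal,ifwwas!"):
        print(f"{candidate!r}: {check_password(candidate, 'mary') or 'acceptable'}")
```

The filter deliberately reports every violation rather than the first one, so a user (or an audit of an existing password file) sees the full reason a choice fails.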

Unix platform
  Npasswd ftp.cc.utexas.edu/pub/npasswd
  Passwd+ ftp.dartmouth.edu/pub/security
Windows NT
  Passprop, available in the MS Windows NT Resource Kit
  Passfilt.dll, included in Service Pack 2
  Password Guardian www.georgiasoftworks.com
  Strongpass http://ntsecurity.nu/toolbox
  Fast Lane http://www.fastlanetech.com

Can be conducted even if the Web server uses Secure Sockets Layer (SSL)
  SSL is used to authenticate the Web server to the browser
  SSL is used to prevent an attacker from intercepting traffic
  SSL can be used to authenticate the client with client-side certificates
  Web attacks can still occur over an SSL-encrypted connection
Account harvesting
Undermining session tracking
SQL piggybacking

Technique used to determine legitimate user IDs and even passwords of a vulnerable application
Targets the authentication process when the application requests a user ID and password
Works against applications that return a different error message for users who type in an incorrect user ID

Make sure that the error message is the same whether a user types in an incorrect user ID or an incorrect password
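
The harvestable and the hardened login behaviours are easiest to compare as two functions over the same user store. The following Python is an added example, not from the page: the user store, the password and the hashing parameters are constructed. Besides returning one message, the hardened version also runs the same password-hash computation for an unknown user ID (against a dummy record), so the response time does not become a second way to tell the two failures apart; the `leaks_user_existence` helper is a small self-check a developer can keep in a test suite.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # assumed PBKDF2 work factor for the example

def hash_password(password: str, salt: bytes = None) -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(record: tuple, password: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Constructed user store, plus a dummy record used to equalise the work done for unknown user IDs.
USERS = {"alice": hash_password("correct horse battery")}
DUMMY = hash_password(os.urandom(16).hex())

def login_harvestable(user_id: str, password: str) -> str:
    """Vulnerable version: the message reveals whether the user ID exists."""
    if user_id not in USERS:
        return "error: unknown user ID"
    if not verify(USERS[user_id], password):
        return "error: incorrect password"
    return "ok"

def login_uniform(user_id: str, password: str) -> str:
    """Hardened version: one message, and the same hashing work, whether or not the user ID exists."""
    record = USERS.get(user_id, DUMMY)
    valid = verify(record, password) and user_id in USERS
    return "ok" if valid else "error: invalid user ID or password"

def leaks_user_existence(login_fn, known_user: str, unknown_user: str) -> bool:
    """Self-check for the account-harvesting defense: do the two failure responses differ?"""
    return login_fn(known_user, "wrong-password") != login_fn(unknown_user, "wrong-password")

if __name__ == "__main__":
    for fn in (login_harvestable, login_uniform):
        print(fn.__name__, "leaks user existence:", leaks_user_existence(fn, "alice", "bob"))
```

The same check should be applied to every path that takes a user ID, not just the login form: password-reset and registration pages are the other usual places where the application answers “that user does not exist”.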

Most Web applications generate a session ID to track the user’s session
The session ID is passed back and forth across the HTTP or HTTPS connection when the client browses web pages, enters data into forms, or conducts transactions
The session ID allows the Web application to maintain the state of a session with a user
The session ID is independent of the SSL connection
The session ID is application-level data

URL session tracking
  The session ID is written directly on the browser’s location line
Hidden form elements
  A hidden session ID element is put into the HTML form
  The session ID can be seen by the user by viewing the HTML source code
  <INPUT TYPE="HIDDEN" NAME="Session" VALUE="22343">
Cookies
  Most widely used session-tracking method
  A cookie is an HTTP field that the browser stores on behalf of a Web server, containing information such as user preferences and the session ID
  A per-session cookie is stored in the browser’s memory
  A persistent cookie is written to the local file system of the client

The attacker changes his session ID to a value assigned to another user
The application thinks that the attacker is the other user

Tool used to edit per-session cookies
www.digizen-security.com
A Web proxy
  The attacker’s browser is configured to send all HTTP and HTTPS data to Achilles
  The Web browser and proxy can run on the same or different machines
Achilles allows the attacker to edit all HTTP/HTTPS fields, per-session and persistent cookies, hidden form elements, and URLs
Supports HTTPS connections
  One SSL connection is set up between the browser and Achilles
  Another SSL connection is set up between Achilles and the Web server

Digitally sign or hash session-tracking information
Encrypt the information in the URL, hidden form element, or cookie
Make sure that your session IDs are long enough to prevent accidental collisions
Apply a timestamp within the session ID variable and encrypt it
Allow users to terminate their sessions via a logout button, which invalidates the session ID
Scan your web site with AppScan http://www.sanctuminc.com
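
Four of the defenses above (sign the session information, make IDs long enough to be unguessable, carry a timestamp, invalidate on logout) fit in one small session-token scheme, and the session-ID-swapping attack described earlier is then a concrete test case. The following Python is an added example, not from the page: it uses an HMAC signature (the “digitally sign or hash” option, rather than the encryption option), a random nonce, an issue timestamp and a revocation set. The key, the maximum age and the in-memory revocation set are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side signing key; a deployment would load it from protected storage.
SECRET_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 900              # assumed session lifetime
REVOKED = set()                    # tokens invalidated by logout (stand-in for a server-side store)

def _tag(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_session(user_id: str, now: int = None) -> str:
    """Build 'user|issued|nonce|tag': the nonce makes IDs unguessable, the tag makes them unforgeable."""
    if "|" in user_id:
        raise ValueError("user_id must not contain '|'")
    issued = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(16)   # 128 random bits: long enough that collisions and guessing are not a concern
    payload = f"{user_id}|{issued}|{nonce}"
    return f"{payload}|{_tag(payload)}"

def verify_session(token: str, now: int = None):
    """Return the user ID if the token is authentic, unexpired and not logged out; otherwise None."""
    now = int(time.time()) if now is None else int(now)
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user_id, issued, nonce, tag = parts
    payload = f"{user_id}|{issued}|{nonce}"
    if not hmac.compare_digest(tag.encode(), _tag(payload).encode()):
        return None           # any field edited in a proxy: the signature no longer matches
    if not issued.isdigit() or now - int(issued) > MAX_AGE_SECONDS:
        return None           # timestamp check: stale ID
    if token in REVOKED:
        return None           # the user pressed logout
    return user_id

def logout(token: str) -> None:
    REVOKED.add(token)

if __name__ == "__main__":
    tok = issue_session("alice")
    print("genuine:", verify_session(tok))
    print("user field changed to bob:", verify_session(tok.replace("alice", "bob", 1)))
    logout(tok)
    print("after logout:", verify_session(tok))
```

Whether the token travels in a cookie, a hidden form field or the URL makes no difference to these checks; what the scheme does not do is hide the user ID, so where that is itself sensitive the page’s encryption option applies on top.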

The attacker may be able to extend an application’s SQL statement to extract or update information that the attacker is not authorized to access
“How I Hacked Packetstorm” http://www.wiretrip.net/rfp/p/doc.asp?id=42
The attacker explores how the Web application interacts with the back-end database by finding a user-supplied input string that becomes part of a database query

The Web application must be programmed to carefully filter user-supplied data
Potentially damaging characters (such as ' " ` ; * % _ ) should be filtered at the server side
World Wide Web Security FAQ http://www.w3.org/Security/Faq/www-security-faq.html
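
The piggybacking problem and its fix come down to whether user input is spliced into the SQL text or bound as a parameter. The following Python is an added example, not from the page: it builds a constructed in-memory SQLite table, runs the same crafted input through a string-built query and a parameterized one, and implements the page’s character filter as a separate server-side check. The table, its rows and the crafted input are all constructed.

```python
import sqlite3

DANGEROUS = set("'\"`;*%_")   # the character list given on the page

def setup() -> sqlite3.Connection:
    """Constructed in-memory accounts table standing in for the back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """User input is spliced into the SQL text, so it can extend the statement."""
    sql = f"SELECT username, balance FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The value is bound as data; the database never parses it as SQL."""
    return conn.execute("SELECT username, balance FROM accounts WHERE username = ?",
                        (username,)).fetchall()

def flag_dangerous(username: str) -> set:
    """Server-side filter using the page's character list: useful for logging and
    rejecting suspicious input, but binding is what actually keeps it out of the query."""
    return DANGEROUS & set(username)

# Constructed input that turns the WHERE clause into a condition that is always true.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    conn = setup()
    for name in ("alice", CRAFTED):
        print(f"input {name!r}: flagged chars {flag_dangerous(name) or '{}'}")
        print("  string-built query returned:", lookup_vulnerable(conn, name))
        print("  parameterized query returned:", lookup_parameterized(conn, name))
```

The string-built query returns every account for the crafted input while the parameterized one returns nothing, which is the behaviour to look for when reviewing an application’s database layer; the character filter is worth keeping as a logging and alerting signal even after every query has been converted to bound parameters.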