
1 A Real World Attack: wu-ftp
Information Networking Security and Assurance Lab, National Chung Cheng University

2 Description
Many intrusion incidents happen every day. Do you know which techniques crackers use to break into your web server, mail server and FTP server? This exercise guides you through the process of discovering a vulnerable system, exploiting the vulnerability, and installing software to cover your tracks.

3 Purpose
- Locate a vulnerable system
- Exploit that vulnerability to gain a root shell
- Install a RootKit
- Access the system via the RootKit

4 Principle and Pre-Study (I)
CERT Advisory CA-1999-13: Multiple Vulnerabilities in WU-FTPD
1. MAPPING_CHDIR Buffer Overflow
2. Message File Buffer Overflow
3. SITE NEWER Consumes Memory
http://www.cert.org/advisories/CA-1999-13.html

5 Principle and Pre-Study (II)
What is a buffer overflow?
A type of programming flaw that arises when a programmer allows an unbounded operation on data.
2003 Top Ten Vulnerability Threats (Symantec)
1. Microsoft Windows DCOM RPC Internet Buffer Overrun
2. Microsoft RPCSS DCOM Interface Long Filename Heap Corruption
3. Microsoft Windows ntdll.dll Buffer Overflow
4. Sun Solaris Sadmin Client Credentials Remote Administrative Access
5. Sendmail Address Prescan Memory Corruption
6. Multiple Microsoft Internet Explorer Script Execution
7. Microsoft Windows Workstation Service Remote Buffer Overflow
8. Samba 'call_trans2open' Remote Buffer Overflow
9. Microsoft Windows Locator Service Buffer Overflow
10. Cisco IOS Malicious IPV4 Packet Sequence Denial of Service
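The "unbounded operation on data" in the definition above, shown as an added C example (this is not code from the slides and not wu-ftpd's code): a fixed-size directory-name buffer, whose size is an assumption for the demo, is filled once with strcpy(), the flawed pattern, and once with a length-checked copy that refuses oversized input instead of writing past the end of the buffer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size buffer for a directory name; the size is an
 * assumption for this demo, not a value taken from wu-ftpd. */
#define DIR_BUF_SIZE 32

/* The flaw the slide describes: an unbounded operation. strcpy() keeps
 * copying until it meets the NUL terminator and never looks at how big
 * dest is, so a name longer than dest overwrites whatever sits after it
 * in memory. Kept only for contrast; main() calls it with input that fits. */
void unbounded_copy(char *dest, const char *src)
{
    strcpy(dest, src); /* no length check at all */
}

/* The bounded alternative: measure src against the destination size and
 * refuse anything that does not fit, including room for the NUL.
 * Returns true on success, false (leaving dest untouched) when src would
 * overflow dest. */
bool bounded_copy(char *dest, size_t dest_size, const char *src)
{
    size_t n = 0;
    while (n < dest_size && src[n] != '\0') {
        n++;
    }
    if (n == dest_size) {
        return false; /* src has at least dest_size chars: no room for NUL */
    }
    memcpy(dest, src, n + 1);
    return true;
}

/* Would a directory name of 'len' characters fit the fixed buffer?
 * Builds a constructed name of 'len' letter 'a's so callers need not
 * count characters by hand. */
bool dir_name_fits(size_t len)
{
    char buf[DIR_BUF_SIZE];
    char *name = malloc(len + 1);
    if (name == NULL) {
        return false;
    }
    memset(name, 'a', len);
    name[len] = '\0';
    bool ok = bounded_copy(buf, sizeof buf, name);
    free(name);
    return ok;
}

int main(void)
{
    char buf[DIR_BUF_SIZE];

    /* Short input: both routines behave the same. */
    unbounded_copy(buf, "pub");
    printf("unbounded_copy(\"pub\") -> %s\n", buf);

    /* Boundary: 31 characters plus the NUL fill the buffer exactly. */
    printf("31 chars fit: %s\n", dir_name_fits(31) ? "yes" : "no");
    /* 32 characters leave no room for the terminator: rejected. */
    printf("32 chars fit: %s\n", dir_name_fits(32) ? "yes" : "no");
    /* A 500-character name would have run past the buffer in strcpy();
     * bounded_copy() simply reports failure so the caller can log it. */
    printf("500 chars fit: %s\n", dir_name_fits(500) ? "yes" : "no");
    return 0;
}
```

The point of the bounded version is that the size check happens before any byte is written, and that failure is reported rather than silently truncated, which gives the server a place to log the oversized request instead of corrupting memory.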

6 Required Facilities
WARNING: This process of cracking a system is tested only on an internal network. Do not actually run the exploit against a host you have no permission to use.
Hardware
- PC or workstation with a UNIX-like system
Software
- Wu-ftp 6.2.0
- RootKits and buffer overflow program

7 Step (I): reconnaissance and scanning
- Use "nmap" for system scanning
- Test the anonymous account

8 Step (II): exploit the target
- Decompress the buffer overflow file and compile it
- List the usage of this tool

9 Step (III): cracking
- Execute the buffer overflow against the target host
- Root rights obtained

10 Step (IV)
- Download the rootkit from outside and install it
- Check the logged-in users
- Download the tool from another victim
- Execute the rootkit
- Decompress the rootkit

11 Step (V): auto-patch the victim
- The default login password
- Change the system commands
- Open the telnet port
- Close the system firewall
- Report the system information

12 Step (IV): try the rootkit to see whether it works
- Now you can do anything
- We have got a root shell now
- The Telnet daemon has been replaced
- Input the ID and the password predefined by us

13 Summary
- Check the OS and applications for vulnerabilities periodically.
- Grasp the idea of "Defense in Depth."

14 Reference
- CERT: http://www.cert.org/
- Nmap: http://incsecure.org/
- Buffer Overflow and RootKits download site: http://www.flatline.org.uk/~pete/ids/
