Notes from hacking tutorial
RECONNAISANCE:
Before making an attempt to penetrate any site, all intruders gain as much information on the target without directly probing the target. This could involve one of the many ways listed below
whois database (Domain and IP )
Telephone directory
Government Records
Search Engines
Company’s website
Company’s support line/help desk
Dumpsters
Business cards
Social Engineering
others
SCANNING:
SCANNING TECHNIQUES:
This is the first stage of active penetration, which requires the attacker to send suspicious packets to the target network. There are few things which the attacker needs to keep in mind while attempting this scan.
List possible entry points
Keep a low profile. Use stealth mode as much as possible.
Go as slow as possible
Do not repeat tests
Prepare to change tools quickly depending on output from the current tools.
Decoy is your friend
So are bounce scans
WAR DIALING
War dialing is an act of gaining access to modems by repeatedly dialing a block of phone numbers looking for a modem handshake. If the attacker has sufficient information on the block of phone numbers assigned to a target, he/she can get a lot of information based on this scan which includes
Generate list of modems
Generate list of unsecure modems
Generate list of misconfigured devices
Generate list of fax numbers
Deciding on the right tool
How many numbers do I need to dial?
How often will I be performing the war dial assessment?
What is the false positive rate?
Is the software user friendly?
Does the software contain documentation?
What type of reporting am I looking for?
What extension(s) can I use to export my findings?
Can I trust the download site or does the software contain malicious code?
Is technical support offered?
What is the time frame offered to finish the assessment?
Does the application have a scheduling feature?
Does the application allow for differential reporting?
Tools used
THC-Scan (freeware) http://www.securityfocus.com/tools/47
Toneloc (freeware) http://www.securityfocus.com/tools/48
SecureLogix Telesweep Secure (commercial)
Sandstorm PhoneSweep (commercial)
References
http://www.sans.org/rr/penetration/wardialing.php
WAR DRIVING
War driving is an act of gaining access to network by listening to mis-configured or unsecured wireless Access Points.
Generate list of APs
Generate list of unsecured APs
Generate list of misconfigured AP
More info
Attacks possible
No Encryption – Anyone can join
MITM attack possible
DOS leading to MITM. After Disassociating, the client might re-attach to attackers AP.
Sending a “Disassociate†forces the client to send SSID in cleartext
MAC address can easily be sniffed. MAC based authentication is no good
MAC poisoning is also another problem
Static WEP encryption can be hacked easily using statistical analysis. It can be speeded up by replay-packet attacks which creates network activity.
DOS/Jamming attacks.
Wireless Bands
802.11a – Direct Sequence Spread Spectrum
2.4GHz – 2.4835GHz
11mbps
14 Channels, 1-11 used in US
1000mW max power, Most use between 10-100mW
802.11b
5GHz
54mbps
More
CMSA/CA - (Carrier Sense Multiple Access/Collision Avoidance)
LBT
Exponential Backoff and retry
Collision avoidance via physical carier sence and Network allocation vector.
Types of management packets
Beacon
Probe requests and response
Associate request and response
Disassociate
RTS – request for tramist
CTS – clear to transmit
ACK – transmit ok
Packet format – (Ref: http://www.zytrax.com/tech/wireless/802_mac.htm)
MAC Packet Format
Tools used
Wellenreiter - http://www.remote-exploit.org/modules.php?op=modload&name;=Downloads&d;_op=viewdownload&cid;=13
Prism-decode (http://www.grymoire.com/Unix/prism-decode.pl)
§ 802.11 protocol decoder for prismdump output. Either specify prismdump capture file or pipe prismdump
THC-wardrive (freeware) http://www.thehackerschoice.com/releases.php?q=wardrive
Netstumbler http://www.netstumbler.com/
Airsnort - http://airsnort.shmoo.com/ (linux/bsd)
Ethereal - http://www.ethereal.com/
Aerosol - http://www.sec33.com/sniph/aerosol.php
Istumbler (imac) - http://homepage.mac.com/alfwatt/istumbler/
Apsniff - http://www.bretmounet.com/ApSniff/index.asp
KisMAC - http://www.binaervarianz.de/projekte/programmieren/kismac/
KisMet - http://www.kismetwireless.net/
PocketWarrior - http://www.pocketwarrior.org/
Prism2 Dump - http://www.seattlewireless.net/index.cgi/Prism2Dump
Tcpdump - http://www.tcpdump.org/
Wavemon - http://www.jm-music.de/projects.html
Wistumbler - http://www.gongon.com/persons/iseki/wistumbler/index.html
Airscope - http://www.linux-wlan.com/
Mognet - http://chocobospore.org/mognet/
Libraries
Libradiate
http://www.packetfactory.net/projects/libradiate/802.11_toolkit-2.0.pdf
Ideas
The encryption apparently is a form of XOR
The WEP key is 40 or 104 bit long. This is a shared key.
In RC4 each key has an associated encryption and decryption stream.
The size of each encrypted text is variable. Hence
The Packet is encrypted using RC4 and the key is a combination of the WEP key and a psuedo session IV (initialization vector) which acts as a seed. The IV is 3 bytes long which is unique for each client and the WEP key shared secret is 104 bytes.
Now if we can sniff the 802.11 header and get the cryptic text then logically if you know the date which is encypted you can figure out the key
How to secure yourself against this attack
SLAN - http://slan.sourceforge.net/faq/
Secure the last mile
References
Hacking with a Pringles Tube: http://news.bbc.co.uk/1/hi/sci/tech/1860241.stm
Hacking Techniques: http://www-106.ibm.com/developerworks/security/library/s-dial/?t=gr,lnxw41=WarDialing
http://www.e-secure-db.us/dscgi/ds.py/View/Collection-1517
http://www.secadministrator.com/articles/index.cfm?articleid=24873
http://www.personaltelco.net/index.cgi/WirelessSniffer?action=show&redirect;=WirelessSniffers
http://lava.net/~newsham/wlan/
Layer 2 Protocol Specification: http://www.zytrax.com/tech/wireless/802_mac.htm
!!NETWORK MAPPING
Network Scanning is currently the most watched intrusion space which is both easy to scan and easy to set off alarms if the intruder is not carefull.
Tools used
Arpscan – http://ish.cx/~jason/arpscan/
arpscan is a very simple scanner which sends out arp requests for the given IP addresses and displays a list of the found hosts.
Firewalk - http://www.packetfactory.net/firewalk/
Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway hostdoes not allow the traffic, it will likely drop the packets on the floor and we will see no response.
Fragroute - http://monkey.org/~dugsong/fragroute/
fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour.
Libdnet - http://libdnet.sourceforge.net/
libdnet provides a simplified, portable interface to several low-level networking routines
Libnet - http://www.packetfactory.net/libnet/
Libnet is a high-level API (toolkit) allowing the application programmer to construct and inject network packets. It provides a portable and simplified interface for low-level network packet shaping, handling and injection. Libnet hides much of the tedium of packet creation from the application programmer such as multiplexing, buffer management, arcane packet header information, byte-ordering, OS-dependent issues, and much more. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality. Using libnet, quick and simple packet assembly applications can be whipped up with little effort
Libsf
lsrscan - http://gaia.synacklabs.net/projects/lsrscan/
lsrscan checks the behaviour of remote hosts to loose source routed packets.
Lsrtunnel - http://www.synacklabs.net/projects/lsrtunnel/
lsrtunnel spoofs connections using source routed packets.
RING - http://www.planb-security.net/wp/ring.html
By measuring the behavior of various operating systems' TCP retransmission timeout lengths (or RTOs), it is possible to distinguish between OSes on a network. Franck Veysset, Olivier Courtay, and Olivier Heen of the Intranode Research Team first published this concept in April, 2002, and their paper goes into appreciable detail in its discussion of this technique, the mechanisms by which TCP retransmission timers are computed, and OS fingerprinting in general.
Cheops
Maps network design
Nmap
Nmap another swiss army knife
Xprobe2
Active OS fingerprinting tool
P0f - http://www.stearns.org/p0f/README
The passive OS fingerprinting technique is based on information coming from a remote host when it tries to establish a connection to your system. Captured packet parameters contain enough information to identify the remote OS. In contrast to active scanners such as nmap and queso, p0f does this without sending anything to the remote host.
Queso
Great fingerprinting tool
Other Ideas
FTP Bounce scans - http://www.cert.org/advisories/CA-1997-27.html
Bounces tcp connect scans using open ftp proxy servers
Launching attacks with popular source port
IP Personalities - http://ippersonality.sourceforge.net/
The Linux IP Personality patch adds to your Linux 2.4 kernel the ability to have different 'personalities' network wise, that is to change some characteristics of its network traffic, depending on different parameters
Defeating firewalking
IP Scrubbing, is central part of any new firewall. It cleans up the packets and repackages it which scrubs off critical information which could be leaked to the attacker.
Using Application Proxies
IDS Evasion
IDS evasion is important for penetration testing without generating alarm. Look at fragroute and fragrouter for possible tools which can be used to evade.
References
http://www.sans.org/rr/penetration/wardialing.php
http://www.megasecurity.org/Info/Fingerprinting.htm
http://www.packetstormsecurity.org/UNIX/audit/firewalk/firewalk-final.txt
Before making an attempt to penetrate any site, all intruders gain as much information on the target without directly probing the target. This could involve one of the many ways listed below
whois database (Domain and IP )
Telephone directory
Government Records
Search Engines
Company’s website
Company’s support line/help desk
Dumpsters
Business cards
Social Engineering
others
SCANNING:
SCANNING TECHNIQUES:
This is the first stage of active penetration, which requires the attacker to send suspicious packets to the target network. There are few things which the attacker needs to keep in mind while attempting this scan.
List possible entry points
Keep a low profile. Use stealth mode as much as possible.
Go as slow as possible
Do not repeat tests
Prepare to change tools quickly depending on output from the current tools.
Decoy is your friend
So are bounce scans
WAR DIALING
War dialing is an act of gaining access to modems by repeatedly dialing a block of phone numbers looking for a modem handshake. If the attacker has sufficient information on the block of phone numbers assigned to a target, he/she can get a lot of information based on this scan which includes
Generate list of modems
Generate list of unsecure modems
Generate list of misconfigured devices
Generate list of fax numbers
Deciding on the right tool
How many numbers do I need to dial?
How often will I be performing the war dial assessment?
What is the false positive rate?
Is the software user friendly?
Does the software contain documentation?
What type of reporting am I looking for?
What extension(s) can I use to export my findings?
Can I trust the download site or does the software contain malicious code?
Is technical support offered?
What is the time frame offered to finish the assessment?
Does the application have a scheduling feature?
Does the application allow for differential reporting?
Tools used
THC-Scan (freeware) http://www.securityfocus.com/tools/47
Toneloc (freeware) http://www.securityfocus.com/tools/48
SecureLogix Telesweep Secure (commercial)
Sandstorm PhoneSweep (commercial)
References
http://www.sans.org/rr/penetration/wardialing.php
WAR DRIVING
War driving is an act of gaining access to network by listening to mis-configured or unsecured wireless Access Points.
Generate list of APs
Generate list of unsecured APs
Generate list of misconfigured AP
More info
Attacks possible
No Encryption – Anyone can join
MITM attack possible
DOS leading to MITM. After Disassociating, the client might re-attach to attackers AP.
Sending a “Disassociate†forces the client to send SSID in cleartext
MAC address can easily be sniffed. MAC based authentication is no good
MAC poisoning is also another problem
Static WEP encryption can be hacked easily using statistical analysis. It can be speeded up by replay-packet attacks which creates network activity.
DOS/Jamming attacks.
Wireless Bands
802.11a – Direct Sequence Spread Spectrum
2.4GHz – 2.4835GHz
11mbps
14 Channels, 1-11 used in US
1000mW max power, Most use between 10-100mW
802.11b
5GHz
54mbps
More
CMSA/CA - (Carrier Sense Multiple Access/Collision Avoidance)
LBT
Exponential Backoff and retry
Collision avoidance via physical carier sence and Network allocation vector.
Types of management packets
Beacon
Probe requests and response
Associate request and response
Disassociate
RTS – request for tramist
CTS – clear to transmit
ACK – transmit ok
Packet format – (Ref: http://www.zytrax.com/tech/wireless/802_mac.htm)
MAC Packet Format
Tools used
Wellenreiter - http://www.remote-exploit.org/modules.php?op=modload&name;=Downloads&d;_op=viewdownload&cid;=13
Prism-decode (http://www.grymoire.com/Unix/prism-decode.pl)
§ 802.11 protocol decoder for prismdump output. Either specify prismdump capture file or pipe prismdump
THC-wardrive (freeware) http://www.thehackerschoice.com/releases.php?q=wardrive
Netstumbler http://www.netstumbler.com/
Airsnort - http://airsnort.shmoo.com/ (linux/bsd)
Ethereal - http://www.ethereal.com/
Aerosol - http://www.sec33.com/sniph/aerosol.php
Istumbler (imac) - http://homepage.mac.com/alfwatt/istumbler/
Apsniff - http://www.bretmounet.com/ApSniff/index.asp
KisMAC - http://www.binaervarianz.de/projekte/programmieren/kismac/
KisMet - http://www.kismetwireless.net/
PocketWarrior - http://www.pocketwarrior.org/
Prism2 Dump - http://www.seattlewireless.net/index.cgi/Prism2Dump
Tcpdump - http://www.tcpdump.org/
Wavemon - http://www.jm-music.de/projects.html
Wistumbler - http://www.gongon.com/persons/iseki/wistumbler/index.html
Airscope - http://www.linux-wlan.com/
Mognet - http://chocobospore.org/mognet/
Libraries
Libradiate
http://www.packetfactory.net/projects/libradiate/802.11_toolkit-2.0.pdf
Ideas
The encryption apparently is a form of XOR
The WEP key is 40 or 104 bit long. This is a shared key.
In RC4 each key has an associated encryption and decryption stream.
The size of each encrypted text is variable. Hence
The Packet is encrypted using RC4 and the key is a combination of the WEP key and a psuedo session IV (initialization vector) which acts as a seed. The IV is 3 bytes long which is unique for each client and the WEP key shared secret is 104 bytes.
Now if we can sniff the 802.11 header and get the cryptic text then logically if you know the date which is encypted you can figure out the key
How to secure yourself against this attack
SLAN - http://slan.sourceforge.net/faq/
Secure the last mile
References
Hacking with a Pringles Tube: http://news.bbc.co.uk/1/hi/sci/tech/1860241.stm
Hacking Techniques: http://www-106.ibm.com/developerworks/security/library/s-dial/?t=gr,lnxw41=WarDialing
http://www.e-secure-db.us/dscgi/ds.py/View/Collection-1517
http://www.secadministrator.com/articles/index.cfm?articleid=24873
http://www.personaltelco.net/index.cgi/WirelessSniffer?action=show&redirect;=WirelessSniffers
http://lava.net/~newsham/wlan/
Layer 2 Protocol Specification: http://www.zytrax.com/tech/wireless/802_mac.htm
!!NETWORK MAPPING
Network Scanning is currently the most watched intrusion space which is both easy to scan and easy to set off alarms if the intruder is not carefull.
Tools used
Arpscan – http://ish.cx/~jason/arpscan/
arpscan is a very simple scanner which sends out arp requests for the given IP addresses and displays a list of the found hosts.
Firewalk - http://www.packetfactory.net/firewalk/
Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway hostdoes not allow the traffic, it will likely drop the packets on the floor and we will see no response.
Fragroute - http://monkey.org/~dugsong/fragroute/
fragroute intercepts, modifies, and rewrites egress traffic destined for a specified host, implementing most of the attacks described in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998. It features a simple ruleset language to delay, duplicate, drop, fragment, overlap, print, reorder, segment, source-route, or otherwise monkey with all outbound packets destined for a target host, with minimal support for randomized or probabilistic behaviour.
Libdnet - http://libdnet.sourceforge.net/
libdnet provides a simplified, portable interface to several low-level networking routines
Libnet - http://www.packetfactory.net/libnet/
Libnet is a high-level API (toolkit) allowing the application programmer to construct and inject network packets. It provides a portable and simplified interface for low-level network packet shaping, handling and injection. Libnet hides much of the tedium of packet creation from the application programmer such as multiplexing, buffer management, arcane packet header information, byte-ordering, OS-dependent issues, and much more. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality. Using libnet, quick and simple packet assembly applications can be whipped up with little effort
Libsf
lsrscan - http://gaia.synacklabs.net/projects/lsrscan/
lsrscan checks the behaviour of remote hosts to loose source routed packets.
Lsrtunnel - http://www.synacklabs.net/projects/lsrtunnel/
lsrtunnel spoofs connections using source routed packets.
RING - http://www.planb-security.net/wp/ring.html
By measuring the behavior of various operating systems' TCP retransmission timeout lengths (or RTOs), it is possible to distinguish between OSes on a network. Franck Veysset, Olivier Courtay, and Olivier Heen of the Intranode Research Team first published this concept in April, 2002, and their paper goes into appreciable detail in its discussion of this technique, the mechanisms by which TCP retransmission timers are computed, and OS fingerprinting in general.
Cheops
Maps network design
Nmap
Nmap another swiss army knife
Xprobe2
Active OS fingerprinting tool
P0f - http://www.stearns.org/p0f/README
The passive OS fingerprinting technique is based on information coming from a remote host when it tries to establish a connection to your system. Captured packet parameters contain enough information to identify the remote OS. In contrast to active scanners such as nmap and queso, p0f does this without sending anything to the remote host.
Queso
Great fingerprinting tool
Other Ideas
FTP Bounce scans - http://www.cert.org/advisories/CA-1997-27.html
Bounces tcp connect scans using open ftp proxy servers
Launching attacks with popular source port
IP Personalities - http://ippersonality.sourceforge.net/
The Linux IP Personality patch adds to your Linux 2.4 kernel the ability to have different 'personalities' network wise, that is to change some characteristics of its network traffic, depending on different parameters
Defeating firewalking
IP Scrubbing, is central part of any new firewall. It cleans up the packets and repackages it which scrubs off critical information which could be leaked to the attacker.
Using Application Proxies
IDS Evasion
IDS evasion is important for penetration testing without generating alarm. Look at fragroute and fragrouter for possible tools which can be used to evade.
References
http://www.sans.org/rr/penetration/wardialing.php
http://www.megasecurity.org/Info/Fingerprinting.htm
http://www.packetstormsecurity.org/UNIX/audit/firewalk/firewalk-final.txt
Comments