Handbook. Step by step practical hacking training

Transcription

1 HACKING SCHOOL Handbook Step by step practical hacking training

2 Title: Hacking School - Handbook First English Edition, ISBN: Copyright 2010 by CSH Press. All rights reserved. The authors of the respective chapters are: Damian Put (chapters 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 20, 21), Wojciech Adamczyk (chapters 1, 17, 19), Adam Wróbel (chapters 2, 3, 15), Paweł Bylina (chapter 4). Translated by Joanna and Simon Bone. All rights reserved. The unauthorized reproduction, in whole or in part, of this publication in any form is prohibited. Photocopying, photographing, or any copying of the book by means of film or magnetic or any other medium is a violation of the authorship rights of the present publication. All brand names mentioned in the text are registered trademarks of their respective owners. The authors and CSH Press make all possible effort to ensure that the information contained in this book is complete and correct. However, they cannot be held responsible for damages resulting from its use, nor for any possible breach of patent or authorship rights in connection with it. Furthermore the authors and CSH Press are not liable for any damages whatsoever resulting from the use of information contained therein. Feel free to contact us: contact@hackingschool.com For the latest information about this publication, go to

3

4 Table of contents Preface Who are hackers? Hacking School Mission Introduction Who is this book addressed to? What will I learn from this handbook? How to use the Hacking School Handbook? Training Operating System and Live Training Videos Summary Recovering lost passwords Using Advanced RAR Password Recovery Recovery of DOC files with Advanced Office Password Recovery Interception of information over LANs What will we need, then? A short presentation of the programs used What is the ARP protocol? How does it work? Where do we find the target? Interception of encrypted data, attacks on SSL sessions Entering the system by the backdoor Modification of /etc/passwd Adding a new service ICMP backdoor Hiding files using kernel modules Structure and compilation of modules... 65

5 Compilation of kernel modules Servicing modules through the kernel System calls More about registers Registers Service functions, sys_call_table Access to sys_call_table in the new 2.6.x kernels Substitution of functions in sys_call_table Hiding files using the kernel module Developing our module Buffer overflow attacks Memory The stack What is a buffer? A simple example of the use of a buffer overflow Advanced example of buffer overflow Use of shellcodes How not to make mistakes Practical examples of remote attacks Collecting information Examination of web site Choice of programming language The Python language Python modules Writing an exploit Practical uses of exploits Heap overflow attacks Memory segments Heap Buffer overflow An example of heap overflow An example of bss overflow...140

6 9. Format string attacks What is a format string? Incorrect use of the printf() function Use of the %n tag Practical use of the format string error Using shellcodes Overwriting the EIP copy Overwriting the GOT section Overwriting the DTORS section How do we avoid errors? Practical examples of format string attacks Choosing software to attack Obtaining access to the transferred shellcode address Determining the best location for the shellcode in memory Finding a location suitable for overwriting Overwriting a specific location with the shellcode address Problems with the query length File stream pointer overwrite attacks Exploiting the file stream pointers File stream pointer exploitation Attacking FreeBSD Attacking the Linux system Errors on the system kernel level Kernel errors Buffer overflows a short reminder Susceptible kernel modules Creating a shellcode Exploit Real-life example - Bluetooth Creating an exploit Lack of address of bt_proto table Exploiting the ICMP protocol The ping tool...241

7 Determining the packet route using the traceroute program Exploiting ICMP in DoS attacks Ping flooding Creating own ping flooder Backdoor using ICMP Sending data using ICMP Scanning ICMP Remote identification of the operating system The stone age OS fingerprinting Active fingerprinting How it works Passive fingerprinting Exploiting p0fa against nmap Netfilter and system security services Fingerprinting: a recap Kernel modules Netfilter Filtration of packets Port filtering Instant modification of packets Impersonate FreeBSD Securing the system step by step Preparation of the hard disk Choice of installation Administrator s password Firewalls The xinetd superserver SSH configuration Hiding information and the SUID bit Software to improve system security The kernel the system s weak point What next?...320

8 17. Security scanners What are scanners? Nmap Scanning techniques Scanning using connect() TCP SYN scanning TCP FIN scanning TCP ident scanning UDP scanning with ICMP UDP scanning with write() and recvfrom() ICMP echo scanning Fragmentation scanning Scanning with version detection Scanning with the IP protocol ACK scanning Scanning with the TCP window size RPC scanning List scanning Scanning with ping Idle scan Starting up nmap Introduction to Nessus Configuration Starting up Nessus Creating rules for users Using Nessus Nikto Installation Use and options Nikto configuration Practical application of Nikto Improving security with patches Grsecurity Patching and configuring a new kernel Compiling a kernel with grsecurity patch...356

9 Stack-Smashing Protector LibSafe Intrusion detection systems What is an IDS? Snort Installation of Snort Configuration of Snort Use The rules of Snort Portsentry Installation of Portsentry Using Portsentry Attacking a web server Targets The Apache server and its possibilities PHP Dangerous startup functions Listing of directory contents and reading files PHP modules Compilation of modules and related problems Everything is blocked. What now? It s impossible to do anything Have we reached an impasse? CGI The mod_python, mod_perl, and mod_* modules Creating shellcodes in the Win32 environment What is a shellcode? Types of shellcodes Finding the kernel address Exploitation of hard-coded addresses Finding API addresses using the kernel s export section API functions What the shellcode needs the API functions for The export section...427

10 Finding API function addresses using the import address table Shellcode to download and start up a Trojan horse using Win32-IF 438 Win32 Internet Functions Postscript