Security & Ethical Hacking. Luke Arntson, Central Washington University, Winter 2007. Presentation #1 – “Script-Kiddie” Tools & Tricks

Upload: kathleen-hines

Post on 18-Dec-2015


TRANSCRIPT

Page 1: Security & Ethical Hacking Luke Arntson Central Washington University Winter 2007 Presentation #1 – “Script-Kiddie” Tools & Tricks

Security & Ethical Hacking

Luke Arntson, Central Washington University

Winter 2007

Presentation #1 – “Script-Kiddie” Tools & Tricks

Page 2

Introduction

Ethical Hacking

Knowledge is Power

To Teach is to Defend

Hacking is frowned upon

Page 3

About Me

I have been interested in computer security for around six years.

First encounter in the wild with viruses was the IRC .vbs auto-scripts.

Went to Defcon 14 during Summer 2006 to learn and enjoy, and came back with some new knowledge.

Page 4

Presentation Overview

Presentation #1 will be an introduction to tools and tricks used by “script-kiddies”, or those new to the hacker community.

Many people may have seen or used the following tools and tricks, but most moderate to advanced users frown upon them.

Page 5

Presentation Overview

NetBios Hacking – Connect, view, share

IP Scanning – Angry IP Scanner

Cain – Excellent script-kiddie tool

Sub7/Netbus – Remote Admin Tools

PuTTy/Token2 – Tools of the trade

Page 6

Windows NetBios Hacking

This is one of the most basic file access tricks known to Windows.

Not necessarily hacking, but beginners call it such.

Can be used with a samba brute-force password guesser.

Page 7

Connect, View…

First we must confirm that file sharing has been enabled. We do so by opening our Command Prompt and running nbtstat.

C:\>nbtstat.exe -a 192.168.1.101

NetBIOS Remote Machine Name Table

Name          Type         Status
------------------------------------------
SOMBA    <00>  UNIQUE      Registered
CALIMINE <00>  GROUP       Registered
SOMBA    <20>  UNIQUE      Registered
CALIMINE <1E>  GROUP       Registered

MAC Address = C0-FF-33-0B-33-50

We find the <20> we’re looking for, which indicates that file sharing has indeed been enabled.

Page 8

Connect, View…

Now let us view what directories are actually being shared.

C:\>net view \\192.168.1.101
Shared resources at \\192.168.1.101

Base Station

Share name   Type   Used as   Comment
------------------------------------------
C$           Disk
IPC$
The command completed successfully.

Bingo, C:\ was shared to the world through file sharing. We now have our target.

Page 9

… Share!

Finally we are going to map a network drive to our newly found net share.

C:\>net use x: \\192.168.1.101\C$
The command completed successfully.

Now check My Computer and you will see the newly acquired remote C: drive.

Page 10

NetBios Hacking Protection

Disable file sharing! Use a firewall such as ZoneAlarm when you are not sharing files.

Password protect your shares.

Use a hardware firewall such as a router with built-in firewall.

This is an old hack, but it still can compromise an entire system.
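As an added defensive check (not part of the slides), the following Python parses an nbtstat name table like the one shown on page 7 and reports whether the File Server Service name (the <20> suffix) is registered, which is the sign that the host is offering shares. The sample table is the slide's output retyped as a constructed string; the suffix meanings are the standard NetBIOS ones.

```python
import re

# Constructed sample: the nbtstat -a output from the slide, retyped as test
# input (names and MAC are the slide's, not a real host's).
SAMPLE_NBTSTAT = """\
NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SOMBA          <00>  UNIQUE      Registered
    CALIMINE       <00>  GROUP       Registered
    SOMBA          <20>  UNIQUE      Registered
    CALIMINE       <1E>  GROUP       Registered

    MAC Address = C0-FF-33-0B-33-50
"""

# Standard NetBIOS name suffixes; <20> UNIQUE is the File Server Service,
# i.e. the host is serving SMB shares (the "<20>" the slide looks for).
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "Domain/Workgroup name",
    ("20", "UNIQUE"): "File Server Service",
    ("1E", "GROUP"): "Browser Service Elections",
}

ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)


def parse_name_table(text):
    """Return (entries, mac): entries is a list of (name, suffix, type, status)."""
    entries = [(n, s.upper(), t, st) for n, s, t, st in ROW.findall(text)]
    m = re.search(r"MAC Address = ([0-9A-F-]{17})", text)
    return entries, (m.group(1) if m else None)


def audit(text):
    """Summarise what the name table exposes, from a defender's point of view."""
    entries, mac = parse_name_table(text)
    report = {"host": None, "workgroup": None, "mac": mac,
              "file_sharing": False, "services": []}
    for name, suffix, ntype, status in entries:
        if status != "Registered":
            continue  # only registered names are live services
        meaning = SUFFIX_MEANING.get((suffix, ntype), "unknown <%s>" % suffix)
        report["services"].append((name, suffix, meaning))
        if (suffix, ntype) == ("00", "UNIQUE"):
            report["host"] = name
        elif (suffix, ntype) == ("00", "GROUP"):
            report["workgroup"] = name
        elif (suffix, ntype) == ("20", "UNIQUE"):
            report["file_sharing"] = True
    return report


if __name__ == "__main__":
    r = audit(SAMPLE_NBTSTAT)
    print("host=%s workgroup=%s mac=%s" % (r["host"], r["workgroup"], r["mac"]))
    for name, suffix, meaning in r["services"]:
        print("  %-10s <%s> %s" % (name, suffix, meaning))
    if r["file_sharing"]:
        print("File Server Service registered: disable file sharing or firewall it")
```

Run it against the output of nbtstat -a for your own hosts to confirm that the <20> name disappears once file sharing is disabled.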

Page 11

IP Scanning

Finding vulnerable targets in the wild.

Angry IP Scanner – http://www.angryziber.com/ipscan/

Viruses and bots use IP sweepers, so ISPs will flag this activity.

IP scanning is very common among exploit-seeking viruses.

Page 12

Finding Appropriate IP Range

First we must find a range to search. This could be any combination of IP ranges such as 192.168.*.*

Next we must determine what we are searching for.

Finally, we decide what tools to use. For now, we will stick to Angry IP Scanner.

Page 13

Searching for HTTP

Let's find some HTTP servers! In Angry IP Scanner, set the IP range and change Ports to [x] Scan Port: port 80. Begin scan…

After the scan has completed, to keep only the IPs that have port 80 open, go to Utils>Delete From List>Closed Ports.

Our list is complete.

Page 14

What We Often Find

Generally we will find routers and modems. Often if they are default, they also have default passwords (for another day).

Sometimes we stumble upon websites, personal projects, etc.

This is VERY dangerous as you could be scanning a computer which is illegal to access…

Page 15

Prevention from IP scans?

If you’re on the internet, you have an IP. IP scanners will give an ALIVE message.

Firewalls are VITAL if you are directly connected to the internet (ZoneAlarm, etc.)

HTTP access to routers should be turned off unless absolutely necessary. If enabled, ensure passwords are hard to guess/break.
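The flagging the slides mention (page 11) can be done from firewall logs. The following is an added example, not from the presentation: it reads constructed log lines in an assumed `src= dst= dport=` format and reports a source that touches many distinct hosts on one port inside a short window, which is what an Angry IP Scanner style port-80 sweep looks like from the receiving side.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed firewall log lines (not from the slides): 10.0.0.5 probes port 80
# on six hosts within five seconds, 10.0.0.9 makes two ordinary requests.
SAMPLE_LOG = """\
2007-02-01 10:00:01 src=10.0.0.5 dst=192.168.1.10 dport=80 action=drop
2007-02-01 10:00:01 src=10.0.0.9 dst=192.168.1.20 dport=80 action=accept
2007-02-01 10:00:02 src=10.0.0.5 dst=192.168.1.11 dport=80 action=drop
2007-02-01 10:00:02 src=10.0.0.5 dst=192.168.1.12 dport=80 action=accept
2007-02-01 10:00:03 src=10.0.0.5 dst=192.168.1.13 dport=80 action=drop
2007-02-01 10:00:04 src=10.0.0.5 dst=192.168.1.14 dport=80 action=drop
2007-02-01 10:00:05 src=10.0.0.5 dst=192.168.1.15 dport=80 action=drop
2007-02-01 10:00:30 src=10.0.0.9 dst=192.168.1.20 dport=80 action=accept
"""

# Assumed log format; adapt the pattern to the firewall actually in use.
LINE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) dport=(\d+) action=\w+$")


def parse(log):
    """Yield (timestamp, src, dst, dport) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), int(m.group(4))


def detect_sweeps(log, threshold=5, window=10):
    """Flag a source that reaches >= threshold distinct hosts on one port
    within `window` seconds. Returns {(src, dport): distinct_hosts} for
    offenders only; a repeat visitor to a single host is never flagged."""
    recent = defaultdict(deque)  # (src, dport) -> deque of (ts, dst)
    alerts = {}
    for ts, src, dst, dport in sorted(parse(log)):
        key = (src, dport)
        q = recent[key]
        q.append((ts, dst))
        # slide the window: drop events older than `window` seconds
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= threshold:
            alerts[key] = max(len(hosts), alerts.get(key, 0))
    return alerts


if __name__ == "__main__":
    for (src, dport), n in detect_sweeps(SAMPLE_LOG).items():
        print("sweep: %s hit %d hosts on port %d" % (src, n, dport))
```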

Page 16

Cain & Abel :-D

Cain is a very, very evil script-kiddie tool.

We can spoof, crack, trace, inject, sniff, poison, and a few other things.

This program is dangerous in the wrong hands because it works very well.

Page 17

Arp Poisoning

Cain currently only ARP poisons through ethernet cards.

Broad overview of how to get it to run.

First, enable the sniffer and retrieve the list of potential victim IPs.

Next, click the IP you want to add and press the + sign.

At this point, you should have two IPs in a network, the source and the destination IPs. Click the source IP on the left, and the destination IP on the left, in this case 192.168.0.2 and 192.168.0.1.

Watch the packets come in, and capture EVERYTHING the IP is sending and receiving via ARP poisoning.

Page 18

Creative & Powerful Tool

Cain is creative, powerful, and has a huge damage potential in the wrong hands.

Keep those firewalls up! ARP poisoning can be prevented by firewalling your connection.

Be aware of malicious users on your network, watching for that little Cain program to pop up on their screen.
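Added example, not from the slides: a check a defender can run over ARP replies observed on the segment, using the slide's 192.168.0.1 / 192.168.0.2 pair with constructed MAC addresses. It flags an IP whose MAC changes and a MAC that claims more than one IP, which is what two-sided poisoning between a host and its gateway looks like on the wire; a static binding for the gateway turns the first case into a hard mismatch.

```python
from collections import defaultdict

# Constructed observations of ARP replies: (time, sender IP, sender MAC).
# IPs follow the slide; MACs are made up. Host .7 starts answering for both
# the gateway (.1) and the victim (.2) at 10:00:05.
SAMPLE_ARP = [
    ("10:00:00", "192.168.0.1", "00-11-22-aa-bb-01"),  # gateway, genuine
    ("10:00:00", "192.168.0.2", "00-11-22-aa-bb-02"),  # victim, genuine
    ("10:00:01", "192.168.0.7", "00-11-22-aa-bb-07"),  # third host
    ("10:00:05", "192.168.0.1", "00-11-22-aa-bb-07"),  # .7 now claims gateway
    ("10:00:05", "192.168.0.2", "00-11-22-aa-bb-07"),  # ... and the victim
    ("10:00:06", "192.168.0.1", "00-11-22-aa-bb-07"),  # repeat, reported once
]


def detect_arp_poisoning(observations, trusted=None):
    """Return a list of alert strings, one per distinct finding.
    trusted: optional {ip: mac} static bindings (e.g. the gateway)."""
    trusted = {ip: m.lower() for ip, m in (trusted or {}).items()}
    first_seen = {}                 # ip -> mac first observed for it
    ips_per_mac = defaultdict(set)  # mac -> every ip it has answered for
    reported = set()                # dedupe key so repeats do not spam
    alerts = []

    def alert(key, msg):
        if key not in reported:
            reported.add(key)
            alerts.append(msg)

    for ts, ip, mac in observations:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        if ip in trusted and trusted[ip] != mac:
            alert(("static", ip, mac),
                  f"{ts} {ip} claimed by {mac}; static binding is {trusted[ip]}")
        elif ip in first_seen and first_seen[ip] != mac:
            alert(("changed", ip, mac),
                  f"{ts} {ip} changed from {first_seen[ip]} to {mac}")
        first_seen.setdefault(ip, mac)
        claimed = ips_per_mac[mac]
        # One MAC answering for several IPs is the poisoning signature;
        # a router with multiple addresses would need whitelisting here.
        if len(claimed) > 1:
            alert(("multi", mac, frozenset(claimed)),
                  f"{ts} {mac} claims multiple IPs: {sorted(claimed)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP, trusted={"192.168.0.1": "00-11-22-aa-bb-01"}):
        print(line)
```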

Page 19

Sub7/NetBus

Remote Admin Tools, or RAT for short, are essentially total control over a computer.

RAT tools are servers designed to take complete control without the user’s notice.

Sub7 is a well known black-hat RAT used to take over computers without the need for a “server” broadcast.

NetBus is also well known, but is a bit noisier and often leaves more traces.

Many other RATs out there.

Page 20

Sub7 Configure

First, the hacker configures Sub7 with a configuration exe. This produces a new server with the desired options.

Options can include IRC control, broadcast of infection, methods of install, ways to make the server stick, etc.

Sub7 can also be password protected to prevent other hackers from accessing the victim.

Page 21

Our Sub7 Server

For now we know the victim will be able to broadcast via port 4000 (radmin port).

We want to ensure the server sticks. We want a password to prevent other uninvited guests.

Only install the minimum; IRC, ICQ, AIM is extra so disable it.

Page 22

Send Our Victim The Exe

This part is difficult to pull off; hackers have many ways to social engineer victims into doing this part.

The user must execute server.exe. Once executed, the server is automatically launched and we are ready to take control.

Page 23

Client Side RAT Control

We now have total control of our victim machine, so let's view their hard drive.

Eject their CD-ROM.

Ok, enough of this, let's let them know we have taken over with a friendly error.

Finally, using Sub7’s fun little Matrix mode, let us remind them that reality is a mere fictional state of mind.

Page 24

Prevention of RATs

Do not execute anything you do not trust!

Always enable show file extensions (Windows defaults them off?!?).

Be aware of strange activity. RATs do not need to broadcast to take over; they can use other methods such as AIM messages, IRC bot commands, and other various client messages.

Advanced RATs will be covered in a later presentation.

Page 25

PuTTy/Token 2

Excellent text-based ssh/telnet/ftp/raw TTY clients.

Learn how to use these as they become vital later in a hacker's life.

Token 2 has excellent proxy abilities, so read up on how to use Socks-5 and SSH.

Begin learning about potential tunneling via SSH and PuTTy.

Page 26

Conclusion

Keep safe! Just because I teach this does not mean it is legit stuff. Play around on test boxes, use VMWare, give your roomie a scare but not your college professor!

I would like to continue this as long as I have an audience. I learn as everyone else learns.

Ideas include advanced scanning and penetration, wireless hacking, root kit exploration, shell/exploit writing, web defacing/hacking, virus exploration/writing, maybe some old school hardware hacks (red/blue/beige boxes, credit card readers), and whatever else people want to hear about.

Page 27

Questions?

Thank you for your time! If you have any questions feel free to email me at [email protected] (cwu.edu)