Network.Penetration.CGSOL
Network Penetration
Adrian Catalan
@ykro

Who am I and what am I doing here?

The art of war teaches us to rely not on the enemy not coming, but on our readiness to receive him; not on his not attacking, but on having made our position impenetrable.
-Sun Tzu

Agenda
● Ethical considerations
● Scanning and reconnaissance
  ● NMAP FTW!
● The attack
  ● Did someone say script kiddies?
  ● Infamous overflows
  ● Metasploit
● And then?
  ● Rootkits
  ● Forensic analysis

Ethical considerations
● Which hat am I wearing?

Disclosure
● DEFCON cases
  ● 2001 Adobe eBooks - Dmitry Sklyarov
  ● 2005 Cisco - Michael Lynn
  ● 2008 Boston Subway - MIT students

Disclosure
● CERT
● RFP
● Zero Day Initiative

Scanning and Reconnaissance
● Why do we talk about two phases here?
● Clear objective: identification
  ● Network topology
  ● Hosts
  ● Services

Reconnaissance
● Before robbing a bank…
● Hi-tech solutions … or not?
● Available tools
  ● Social engineering
  ● Whois
  ● Dig/Traceroute
  ● “Search the <f> web” (<f> as in <fine>)

Reconnaissance
● Google as a security consultant
  ● 20f1aeb7819d7858684c898d1e98c1bb
● More interesting searches
  ● intitle:”index of” finance.xls
  ● “welcome to intranet”
  ● intitle:”welcome to IIS 4.0”

Scanning
● War driving
  ● Active
  ● Passive
  ● Monitor mode vs promiscuous mode
● Vulnerability scanning
  ● Nessus 2.0 & OpenVAS

NMAP TCP Connect Scan (-sT)
● The most “polite” (and fastest)
● Causes the target no trouble
● Not stealthy at all
● How does it work?

NMAP TCP SYN Scan (-sS)
● Send a SYN, then a RESET
● Only 2/3 of the handshake is completed
● Fewer packets
● We are stealthier!
● The victim may not record it in the log
● Disadvantages?

NMAP FIN, XMAS & NULL
● We send a FIN for a nonexistent connection
● Closed port: the protocol says “send a RESET”
● Open port: the protocol says nothing
● If there is no response, it may be an open port
● Protocol violation
● Does not work against Windows

NMAP OS Fingerprinting (-O)
● Active, passive & semi-passive
● (xprobe2 is also a tool worth considering)

The Attack
● Known attacks available to anyone
● Script kiddies multiply #ohdear
● WebGoat
● Metasploit (more on this in a bit)

Stack
● Data structures
● Address space of a process

Vulnerable code

Attacking the stack

Example
Disassembling
We are interested in address 0x401034

Example
It turns out 0x401034 is “@^P4” in ASCII

Example
We flip it around to “4^P@” and..

Defense
● Use a non-executable stack
  ● NX bit
● Use “safe” functions
  ● strncpy instead of strcpy
● Use a canary
● ASLR (Address Space Layout Randomization)

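The "strncpy instead of strcpy" advice above in concrete form, as an added illustration rather than code from the slides: the unbounded copy pattern the deck calls vulnerable, beside a bounded copy that also handles the classic strncpy pitfall (no terminator when the source fills the buffer). The buffer size and the sample input are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* constructed: small so the overflow case is obvious */

/* The pattern the slides call "vulnerable code": an unbounded copy into a
 * fixed-size stack buffer. A source longer than BUF_SIZE-1 bytes overwrites
 * whatever sits above buf on the stack, including the saved return address. */
void copy_unsafe(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);          /* no length check at all */
    printf("unsafe copy: %s\n", buf);
}

/* Hardened form: bounded copy plus explicit termination.
 * Caveat: strncpy alone does NOT terminate the buffer when src is at least
 * dst_size bytes long, so the terminator must be written by hand.
 * Returns 1 when the input fit, 0 when it was truncated, so callers can
 * treat an oversized input as an error instead of silently continuing. */
int copy_safe(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return src_len < dst_size;
}

int main(void)
{
    char buf[BUF_SIZE];
    /* constructed sample input: 40 'A' bytes, far longer than the buffer */
    const char *long_input = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    if (!copy_safe(buf, sizeof buf, long_input))
        printf("input truncated to %zu bytes: %s\n", strlen(buf), buf);
    copy_safe(buf, sizeof buf, "hello");
    printf("safe copy: %s\n", buf);
    return 0;
}
```

copy_unsafe is kept only for comparison; main never calls it with the long input, because doing so is undefined behaviour.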
Metasploit
● Most things get “easier” over time
● Point.Click.Own.
● msf
  ● What is it and what does it do?
  ● Why use it?

Architecture
[Metasploit architecture diagram: Libraries (REX, Framework:Core, Framework:Base); Interfaces (msfconsole, msfcli, msfweb, msfgui, msfapi); Modules (exploits, payloads, encoders, nops, auxiliary); Custom Plugins (Protocol Tools, Security Tools, Web Services, Integration). Diagram by HD Moore/MSF]

Interfaces
● Msfgui
● Msfweb
● Msfcli
● Msfconsole
● Msfd

metasploit
● We have exploits and payloads
● Initially there were 15 exploits; today there are 300+
● Payload types
  ● Inline (single round trip)
  ● Staged (multiple round trips)

metasploit
● Meterpreter
● Advanced exploits

And then?
● Rootkits
  ● State of processes, users, network
  ● last | awk '$1 !~ /ykro/ {print $0}'
  ● lrk4 and lrk5

Rootkits
● Detection
  ● Tripwire
  ● Chkrootkit
  ● AIDE

Rootkits
● Something a bit more advanced
  ● Modifying kernel code
  ● Placing code in modules
  ● Hiding processes

Forensic Analysis

Forensic Analysis
● Computer forensics
  ● Preservation
  ● Identification
  ● Extraction
  ● Documentation
  ● Interpretation
● Steganography

Questions | KTHXBYE