Hacking demo - most spectacular techniques

From: Mike Ahern (mc_ahern@yahoo.com)
Date: 10/02/01

Message-ID: <20011002193723.70421.qmail@web9205.mail.yahoo.com>
Date: Tue, 2 Oct 2001 12:37:23 -0700 (PDT)
From: Mike Ahern <mc_ahern@yahoo.com>
Subject: Hacking demo - most spectacular  techniques
To: pen-test@securityfocus.com, ilici_ramirez@yahoo.com

I think one of the more fun & spectacular techniques
is to show them session hijacking of a telnet session
or an X-Windows session or the like. Tools like
T-Sight and IPWatcher from Engarde are excellent for
this, and there are others like Hunt that you might
want to use for session hijacking.

It is always effective to show them serious
vulnerabilities on real production systems - in a way
that doesn't make it seem like you are picking on
anyone in attendance (you don't want to alienate
anyone). For example if you can remotely gain access
and root/admin level privs in a matter of seconds or a
few keystrokes they often are impressed. I would
replay or show the results of that kind of thing if
you are unable to do so at the time.

I would definitely show them session sniffing to
illustrate the problem with unencrypted logins.

Every manager and executive needs to see the hackers
disapearing act - such as blowing WTMP/UTMP and hiding
processes (either with utilities, backdoors, or
rootkit). They need to see that standard logging is
not in effect on backdoor access, and that the hacker
can effectively hide himself on a system including
processes, files, directories, network connections,

Most Executives and IT Managers need to see how fast
most NT/2000 passwords crack (on most networks with
the LAN MAN hash enabled). You can get the majority of
passwords in a couple days, especially if you know
what you are doing (have a dictionary of previously
cracked passwords from prior audits, and analyze last
few password cracks for character frequency - so you
can brute force crack most efficiently). I'd start it
at the beginning of the effort and then produce
results at the end. LC3 can output results without
displaying actual passwords, although maybe a top
executive or two should see how poorly people often
choose the passwords in the first place. They need to
understand how big a problem this is and how trivial
and quick it is to crack.

Senior executives are not all that technical and have
short attention spans. I would think that tying your
testing to important or sensitive business processes,
or illustrating financial or other impact to the
business is as important as a flashy demo. Nothing got
my CEO's and Exec VP's attention like seeing the
primary financial and other business-critical systems
compromised. In the words of one CEO I worked for in
the past, "if someone gets these other systems they
may get the companies money. If someone gets this
particular financial system they get **REAL** money".

These are just a few suggestions, but there are really
lots of things you can do. ARP spoofing in interesting
(dsniff). Web based vulnerabilities. Enumeration of
NT/2000 networks via null user, open network shares.
SNMP often reveals ALOT, and some Cisco tools can be
fun! Getting a router and displaying all known routes.
Illustrating common stupid things like r-services
issues and trusts, NFS mounts of user space, improper
file permissions, displaying what services remotely
advertise about the system (rusers, finger, SMTP
VRFY/EXPN, showmount, rpcinfo, etc., etc.).

IT Managers will be more technical and some may be
defensive - more oriented at providing services and
features than in doing things securely - and feeling
adversarial about security (like you are there to make
their life more complicated and make them look bad).
It is really important to get these guys on your side
to be effective. Having the ability to generically
discuss vulnerabilities in each IT Managers area of
business is also a positive (and it can disarm them
somewhat - its hard to argue against the facts), but
actual details must be provided discretely with each
individual manager. The "names can be changed to
protect the innocent" if you want to use actual data
for examples in your presentation.

Anyhow, have fun and keep it interesting. Don't bog
down too much in the technical details. Just do a
quick show and tell. Keep it simple.

Good Luck!!

 - Mike

Do You Yahoo!?
Listen to your Yahoo! Mail messages from any phone.

This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:

Relevant Pages

  • Re: Hacking demo - most spectacular techniques
    ... Hacking demo - most spectacular techniques ... Remote VNC install - GUI session on target machine ... This list is provided by the SecurityFocus Security Intelligence Alert ...
  • Re: secure login form
    ... For my point of view I'm thinking of using md5 passwords in db. ... If you want the avoid the man-in-the-middle eavesdropping on you: Then you need https, ... If you are afraid the username/password you store in your database is hacked somehow, then it can make sense to store them with an md5 hash, which is one-way encryption indeed. ... (You can propagate the sessionid from http to https via a form, and let the receiving script use that sessionid for its https session. ...
  • Re: Its not possible to allow non-OPIE logins only from trusted networks
    ... However, OPIE, nobody cares about OPIE? ... As to the possibility of someone hijacking my session and sending \n ... of passwords with you, ... One time passwords made the most sense with insecure connections. ...
  • How to encrypt password forms in my web app? (Cant SSL)
    ... In the beginning of a session, the users log in, giving ... disregard the browser's certificate warning at the beginning of every ... All I'm trying to accomplish is to avoid sending users' passwords over ... SSL or that there is a "secure icon" in the bottom of the browser. ...
  • Re: list of papers on room eq
    ... >This is right where the "how many session under your belt" inquiry ... >becomes pertinent. ... A few hundred sessions under your belt would ... There are so many capture techniques from which to choose, ...