Chapter 5

Chapter 5. Hackers and Crackers

IN THIS CHAPTER

        The Difference Between Hackers and Crackers

        Tools of the Trade

        Exploits and the SANS Top 10

The purpose of this chapter is to illustrate the methodology and steps a hacker or cracker employs when attacking a network. It also provides an overview of the System Administration Network Security (SANS) Top 10 vulnerabilities that crackers can exploit.

The Difference Between Hackers and Crackers

In order to understand the methodology of a hacker or cracker, one must understand what a hacker or a cracker is. Internet enthusiasts have argued the difference between hackers and crackers for many years. This chapter contains my contribution to that debate.

If I were forced to define the terms hacker and cracker, my bottom line would probably be this:

        A hacker is a person intensely interested in the arcane and recondite workings of any computer operating system. Hackers are most often programmers. As such, hackers obtain advanced knowledge of operating systems and programming languages. They might discover holes within systems and the reasons for such holes. Hackers constantly seek further knowledge, freely share what they have discovered, and never, ever intentionally damage data.

        A cracker is one who breaks into or otherwise violates the system integrity of remote machines with malicious intent. Having gained unauthorized access, crackers destroy vital data, deny legitimate users service, or cause problems for their targets. Crackers can easily be identified because their actions are malicious.

Tools of the Trade

The "tools of the trade" are the means a cracker or hacker might use to penetrate your network. Some of the tools covered are programs, and some of these tools are techniques.

Reconnaissance

When most people hear the word reconnaissance, they think of spies and the espionage world. Although, that community does indeed uses reconnaissance, so does the cracker community. What is reconnaissance, and why do crackers use reconnaissance? First, reconnaissance is the process of gathering information about specific target(s). When a good burglar decides to rob a house he will scope out an area to see how often neighbors, cops, and other traffic passes through. This gives the robber a good idea of the time of day he can attack. The same basic philosophy holds true for a cracker when she wants to attack a network or Web site.

When a cracker decides she wants to attack a network, there are many "recon" tools at her disposal. Let's look at a few of them and see how they work.

Social Engineering

The first and probably the most underrated tool available is social engineering. Social engineering involves tricking, conning, or manipulating people into providing information detrimental to a company, organization, or a person. This type of information can be used to help plan, organize, or execute an attack.

Note

Ira Winkler wrote an excellent book called Corporate Espionage. This book covers social engineering along with many other tactics used in obtaining information. It also talks about how to protect yourself against these types of attacks. It was published by Prima Publishing (ISBN 0-7615-0840-6). For more on Ira, you can go to http://www.thetrainingco.com/html/BioIraWinkler.html.

How does social engineering work? A good example is through a help desk. Cracker A wants to attack ABC123 inc., a computer software company. Cracker A wants to find out usernames, passwords, and maybe even some security measures ABC123 has in place. Cracker A begins by calling ABC123's main number, explains to the secretary that he is new to the company, he works off-site, and he needs the help desk number in order to set up his account and password. The secretary provides him with the number. Cracker A then calls up the help desk number, explaining to the person on the phone what the situation is and asks for a username, a password, and how can he get access to the network from the outside. Help Desk Worker B happily provides this information within seconds, not once questioning his request. (Why not? Most help desk operations I have seen stress customer service. "Remember: Never anger a customer.")

That simple scenario can provide the attacker with enough information to make an attack much easier to pull off without being detected. Other techniques that are related to social engineering are

        Dumpster Diving. A person goes through a dumpster or trash can looking for "trash" that contains information, such as an IP address, old passwords, and quite possibly a map of the network. Although this technique is often a dirty one, it is very effective.

        Impersonations. A cracker pretends to be someone important and use that authority to obtain the information he is looking for.

These social engineering techniques are effective, and there are many more that are beyond the scope of this book. Keep in mind that people still use these techniques, and they are a threat to your security and your company's security.

Port Scanners and Passive Operating System Identification

This section provides a technical overview of port scanners and sniffers, along with details regarding the art of passive operating system identification.

Port scanners are programs that check a computer's TCP/IP stack for ports that are in the LISTEN state. As you learned in the previous chapter, TCP/IP combines many protocols, enabling communication on the Internet. The TCP/IP protocol suite consist of 65,535 ports. Ports 1 through 1023 are considered "well known" and, on many computer systems, only users with root/admin privileges can use these ports. Ports 1024 through 49151 are called registered ports, and ports 49152 through 65535 are considered dynamic and/or private ports.

Find the PORT NUMBERS list online at http://www.isi.edu/in-notes/iana/assignments/port-numbers.

The Transmission Control Protocol is covered by RFC 793, which defines many standards that socket programmers need to follow. It also defines how TCP will react to certain packets (that is, FIN, ACK, and SYN). In order to understand port scanners and how they work, a person needs to understand RFC 793.

RFC 793 (http://www.ietf.org/rfc/rfc0793.txt?number=793) defines how TCP (Transmission Control Protocol) will react to the FIN, ACK, and SYN packets:

If the state is CLOSED (that is, Transmission Control Block does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RESET (RST) is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.

If the state is LISTEN then first check for an RST, An incoming RST should be ignored. Second check for an ACK. Any acknowledgment is bad if it arrives on a connection still in the LISTEN state. An acceptable reset segment should be formed for any arriving ACK-bearing segment. Third check for a SYN, if the SYN bit is set, check the security. If the security/compartment on the incoming segment does not exactly match the security/compartment in the TCB then send a reset and return.

What this tells us is how listening and closed ports respond to certain TCP flags. Knowing this, programmers can write programs that go out and identify open and closed ports. These programs are considered port scanner(s).

Let's look at some "famous" port scanners and see what they can and cannot do.

To find out more information on TCP/IP, see the RFCs online at http://www.ietf.org/rfc/rfc0793.txt?number=793 and http://www.ietf.org/rfc/rfc0793.txt?number=791.

For some great information on TCP/IP fingerprinting, see the following: http://www.insecure.org/nmap/nmap-fingerprinting-article.html

NMAP

NMAP is probably the most popular port scanner being used and actively developed today. The brainchild of Fyodor (http://www.insecure.org), NMAP has grown through the active participation of the open source community. NMAP allows the user many options in scanning. Listing 5.1 shows us the results of nmap h. This is a great starting point for nmap. If you need more details on nmap, see the man page (available online at http://www.insecure.org/nmap/nmap_manpage.html).

Listing 5.1 nmap -h Results

Nmap V. 2.54BETA7 Usage: nmap [Scan Type(s)] [Options] <host or net list>

Some Common Scan Types ('*'options require root privileges)

-sT TCP connect() port scan (default)

* -sS TCP SYN stealth port scan (best all-around TCP scan)

* -sU UDP port scan

-sP ping scan (Find any reachable machines)

* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)

-sR/-I RPC/Identd scan (use with other scan types)

Some Common Options (none are required; most can be combined):

* -O Use TCP/IP fingerprinting to guess remote operating system

-p <range> ports to scan. Example range: '1-1024,1080,6666,31337'

-F Only scans ports listed in nmap-services

-v Verbose. Its use is recommended. Use twice for greater effect.

-P0 Don't ping hosts (needed to scan www.microsoft.com and others)

* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys

-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy

-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]

-oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>

-iL <inputfile> Get targets from file; Use '-'for stdin

* -S <your_IP>/-e <devicename> Specify source address or network interface

--interactive Go into interactive mode (then press h for help)

Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'

Listing 5.1 shows us how easy NMAP is to configure and what options are available for scanning. Let's take a look at a few switches, discuss what they do, and how they can be used in reconnaissance.

The sT switch is probably the loudest switch we will cover (not as stealthy as others). This switch tells NMAP to make a complete connection with the targeted computer. This type of scan is easy to detect and probably won't be used if an attacker is serious about performing reconnaissance on a computer system.

Note

In the summer of 2000, a group of SANS analysts put together a book about intrusion detection signatures, called Intrusion Signatures and Analysis. Published by New Riders (ISBN 0-7357-1063-5), this book is a great reference for anyone who wants to dig deeper into intrusion detection and attack signatures.

The sF switch sends FIN packets to the targeted computer. How does this work? When a computer receives a FIN, it has a few options in how to react:

        If the port is in the LISTEN state, the computer will not reply.

        If the port is in the CLOSED state, the computer will respond with a RESET.

        If there has been a connection, the computer will begin breaking the connection. (Hint: We don't care about this option right now.)

The computer's response tells NMAP what ports are open when using the sF switch. Listing 5.2 shows us the results of an sF scan from a user standpoint.

Listing 5.2 nmap -sF User Results

Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )

Interesting ports on (192.168.1.3):

(The 4000 ports scanned but not shown here are in state: closed)

Port  State  Service

47017/tcp  open  unknown

TCP Sequence Prediction: Class=random positive increments

Difficulty=3980866 (Good luck!)

Remote operating system guess: Linux 2.1.122 - 2.2.16

Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds

This scan ran against a Linux machine that had the t0rn rootkit (port 47017 is a dead giveaway) running, and these are the results:

[View full width]

20:00:48.813047 > 192.168.1.5.47257 > 192.168.1.1.473: F 0:0(0) win 1024 (ttl 48, id 

31728)

  4500 0028 7bf0 0000 3006 8b89 c0a8 0105

  c0a8 0101 b899 01d9 0000 0000 0000 0000

  5001 0400 6e1a 0000

20:00:48.813153 > 192.168.1.5.47257 > 192.168.1.1.663: F 0:0(0) win 1024 (ttl 48, id 

56669)

  4500 0028 dd5d 0000 3006 2a1c c0a8 0105

  c0a8 0101 b899 0297 0000 0000 0000 0000

  5001 0400 6d5c 0000

20:00:48.813188 > 192.168.1.5.47257 > 192.168.1.1.1458: F 0:0(0) win 1024 (ttl 48, id 

23854)

  4500 0028 5d2e 0000 3006 aa4b c0a8 0105

  c0a8 0101 b899 05b2 0000 0000 0000 0000

  5001 0400 6a41 0000

If a person was running a sniffer, they would see this code. What you don't see here are the resets being sent back by the ports being scanned. This technique is used by many crackers to perform reconnaissance against target(s). This scan is much harder to detect then the sT switch covered earlier.

The sS switch uses SYN packets to determine whether a port or group of ports is open. This scan is commonly referred to as the half-open scan. Why? Well, NMAP sends a SYN packet to a port. If the port is open, it will respond with a SYN|ACK. If NMAP receives the SYN|ACK, it will respond with a RESET. Therefore, if you send half-open packets, your chance of being detected decreases (in theory) Many crackers use this scanning technique to check for open ports because, sometimes, this activity is logged. In today's world, though, many firewalls and IDSs do log these attempts.

The final switch covered is the sX switch, NMAP's "X-mas tree" packet, in which NMAP sets the FIN, URG, and PUSH flags. Under normal conditions, this is not a normal flag combination. Normally, a person would see a FIN, URG, and ACK but not a FIN, URG, and PUSH combination. The reason for this flag combination is simple: Crackers can bypass some firewalls and intrusion detection systems with it.

How does this relate to reconnaissance? NMAP is a great tool in performing reconnaissance. With all the switches and options available, it is difficult for a firewall administrator or IDS analyst to positively identify all the possible scans available with NMAP.

Dying for more information on NMAP? See the following URL: http://www.insecure.org.

HPING2

Another great port scanner used today for reconnaissance is HPING2. This is probably one of my favorite tools to have because it is very configurable. Table 5.1 shows us many of the options available with HPING2.

Information on HPING2 to can be found at http://www.kyuzz.org/antirez/hping2.html.

You can see from the help file how configurable HPING2 really is. A cracker can modify almost any byte in the TCP/IP header. This enables a cracker to really become creative with her scanning techniques in performing reconnaissance. This tool also enables the cracker to insert crafted data into the packet. This means that the cracker could insert malicious code of any kind buffer overflows, Trojans, and so on into a packet and use it to penetrate networks. If you don't have HPING2, I recommend downloading it and giving it a test drive.

There are many more great port scanners out there then what we have covered here. Port scanners provide the cracker with a tool that "knocks" on the door of computer networks. This also gives the cracker an idea of what operating system and services the targeted network is running. With this type of information, the cracker can then proceed to her favorite exploit toolkit and proceed to penetrate the targeted network. These tools can be and should be used by the computer professional to evaluate systems. By using these tools, a systems administrator can identify vulnerabilities before an attacker does.

Passive Operating System Identification Fingerprinting

Passive OS fingerprinting is a technique that is gaining popularity in both the cracker world as well as in the security world. Passive OS fingerprinting allows a person to identify an operating system by analyzing its TCP/IP stack. This technique is as stealth as stealth can get because all you need is a packet sniffer and some time. An attacker using a sniffer does not have to worry about sending strange packets to determine what OS he is up against.

Almost all operating systems have default settings, including settings for TCP/IP. An example of this is Linux. If you look at /proc/sys/net/ipv4 in Listing 5.3, you'll find a wide range of settings that contain default information that the system uses in its daily task(s). Listing 5.3 shows the TCP/IP parameters in Linux.

Listing 5.3 /proc/sys/net/ipv4

Conf

icmp_destunreach_rate

icmp_echo_ignore_all

icmp_echo_ignore_broadcasts

icmp_echoreply_rate

icmp_ignore_bogus_error_responses

icmp_paramprob_rate

icmp_timeexceed_rate

igmp_max_memberships

ip_always_defrag

ip_autoconfig

ip_default_ttl

ip_dynaddr

ip_forward

ip_local_port_range

ip_masq_debug

ip_no_pmtu_disc

ipfrag_high_thresh

ipfrag_low_thresh

ipfrag_time

neigh

route

tcp_fin_timeout

tcp_keepalive_probes

tcp_keepalive_time

tcp_max_ka_probes

tcp_max_syn_backlog

tcp_retrans_collapse

tcp_retries1

tcp_retries2

tcp_rfc1337

tcp_sack

tcp_stdurg

tcp_syn_retries

tcp_syncookies

tcp_timestamps

tcp_window_scaling

Let's look at a few of these parameters and determine what they do and how they affect the operating system.

        ip_default-ttl: This parameter sets the default time-to-live value to 64. It can be changed on a Linux box by echo 128 >> ip_default_ttl.

        ip_forward: Although this parameter does not directly affect passive OS fingerprinting, it does have a big effect on OS security. By default, ip_forward is set to 0, which disables IP forwarding. Setting it to 1 enables IP forwarding.

        ip_local_port_range: This parameter identifies the default source port range that Linux will use. Normally, this is set to 1024-4999. This is good information to know if you are attempting to determine whether a packet is good or bad.

        tcp_sack: This parameter lets the operating system know whether it supports the Selective Acknowledgment standard (RFC 2883). By default (Linux), this is set to 1 (supports this standard).

        tcp_timestamps: This parameter lets the operating system know whether it supports the timestamp function. By default (Linux), this is set to 1.

        tcp_window_scaling: This parameter lets the operating system know whether it supports the window scaling function. This option is used to decrease congestion. By default (Linux), this is set to 1.

Listing 5.3 shows only the parameters that are related to passive OS fingerprinting. Although we have only covered Linux default settings so far, every OS has its own set of default settings. A good example is the Windows platform; Windows 98, NT, and 2000 all use default TTL of 128.

There is, however, a whole world using ICMP. To check this out go to http://www.sys-security.com.

Let's look at a few other operating systems and their default TCP/IP settings:

        Microsoft (98, NT)

Packet size (just headers) = 44 bytes (default)

SYN or SYN|ACK packets = Sets the Don't Fragment flag and the Maximum Segment Size (MSS)flag

TTL = 128

        Microsoft (2000)

Packet size (just headers) = 48 bytes (default)

SYN or SYN|ACK packets = Sets the Don't Fragment (DF)flag, Maximum Segment Size (MSS)flag, two (2) NOPs, and the Selective Acknowledgment flag.

TTL = 128

        Linux (Red Hat 6.2)

Packet size (just headers) = 60 bytes (default)

SYN or SYN|ACK packets = Sets the Don't Fragment (DF)flag, Maximum Segment Size (MSS)flag, NOPs, Selective Acknowledgment flag, Timestamp, Window Scaling (wscale). These hold true for initial SYN. SYN|ACK Linux responds according to the computer that made the initial SYN.

TL = 64, on a RESET packet the TTL is 255

Knowing this, you can identify operating systems by looking at network traffic. One thing to keep in mind is that, if a sys-admin or cracker changes any of the parameters, it will throw off your analysis. Therefore, passive OS fingerprinting is not 100% accurate, but, then again, nothing is. Listing 5.4 shows two packets and will help us identify an OS, using passive fingerprinting.

Listing 5.4 Identifying Operating Systems

[View full width]

15:59:52.533502 > my_isp.net.1100 > 134.11.235.232.www: S 325233392:325233392(0) win 

32120 <mss 1460,sackOK,timestamp 88950 0,nop,wscale 0> (DF) (ttl 64, id 505)

  4500 003c 01f9 4000 4006 0522 xxxx xxxx

  860b ebe8 044c 0050 1362 aaf0 0000 0000

  a002 7d78 7887 0000 0204 05b4 0402 080a

  0001 5b76 0000 0000 0103 0300

16:00:14.188756 >my_isp.net.1105 > 134.11.235.232.www: R 346737591:346737591(0) win 0 

(ttl 255, id 544)

  4500 0028 0220 0000 ff06 860e xxxx xxxx

  860b ebe8 0451 0050 14aa cbb7 0000 0000

  5004 0000 973c 0000

In Listing 5.4, you see two packets. The first is a SYN packet, and the second is a RST packet. Looking at the SYN packet, notice some important indicators:

        The SYN has a TTL of 64.

        The SYN sets its mss, sackOK, nop, and wscale parameters and the DF flag. Also, pay close attention to the header size (3c = 60 bytes).

        Look at the source port as well. Port 1100 falls with in the default source port range of 1024 through 4999.

These indicators point to LINUX. That's right, the OS we were looking at in Listing 5.4 is coming from a Linux machine. Let's take a brief look at the RST packet. First, look at the TTL (255). When Red Hat Linux sends an RST, it will use a default TTL of 255, whereas, when it is trying to establish a connection, it uses a TTL of 64. Another characteristic of Linux RST packets is their size. Normally, a Red Hat packet is 60 bytes in length. When setting the RST flag, RH Linux has a packet length of only 40 bytes.

How does OS fingerprinting and Linux tie back into reconnaissance? If a cracker uses any of the previously mentioned techniques, he can obtain very valuable information about a computer network. That type of information includes network mapping, IP addresses, patch levels, and discovery of different operating systems.

Exploits and the SANS Top 10

In this section, we will cover the exploits run by crackers. We will also look at the SANS 10 Most Critical Internet Security Threats list.

Exploits

Reconnaissance is vital in figuring out what is open and what is closed. The next step for a cracker is to actually break in to a computer network. Crackers do this by exploiting weaknesses in operating systems services.

There are many exploits out there; finding the right exploit can be a headache. Not all exploits are created equal. By this, I mean that most exploits are operating system dependent. Just because there is a line printer exploit for Linux doesn't mean it would work on Solaris, and vice versa.

If you want to find out the latest in exploits and vulnerabilities, subscribe to the BUGTRAQ mailing list at http://www.securityfocus.com/forums/bugtraq/intro.html.

To help explain what an exploit is and looks like when it is being executed, I have included in this section the output from an exploit and some packets involved in the exploit. First, a little background on the exploit I decided to run. In late 2000, probing activity increased on port 515 (line printer port). This was related to an exploit in the Red Hat 7.0 line printer daemon. At the time of this writing, I am still seeing many probes for this service on my firewall.

If you want to see the exploit I used, it can be found at http://www.netcat.it.

Here are the listings promised along with some play by play for each:

+++ www.netcat.it remote exploit for LPRng/lpd

+++ Exploit information

+++ Victim: 192.168.1.25

+++ Type: 0 - RedHat 7.0 - Guinesss

+++ Eip address: 0xbffff3ec

+++ Shellcode address: 0xbffff7f2

+++ Position: 300

+++ Alignment: 2

+++ Offset 0

+++ Attacking 192.168.1.25 with our format string

+++ Brute force man, relax and enjoy the ride ;>

From this output, we know that the exploit is attacking a Red Hat 7.0 line printer (Type 0-RedHat7.0 -Guinesess). Want to see how tcpdump views this attack?

[View full width]

18:34:19.991789 > 192.168.1.5.2894 > 192.168.1.25.printer: S 4221747912:4221747912(0) win 

32120 <mss 1460,sackOK,timestamp 4058996 0,nop,wscale 0> (DF) (ttl 64, id 11263)

  4500 003c 2bff 4000 4006 8b4e c0a8 0105

  c0a8 0119 0b4e 0203 fba2 c2c8 0000 0000

   a002 7d78 8bb1 0000 0204 05b4 0402 080a

  003d ef74 0000 0000 0103 0300

18:34:19.993434 < 192.168.1.25.printer > 192.168.1.5.2894: S 397480959:397480959(0) ack 

4221747913 win 32120 <mss 1460,sackOK,timestamp 393475 4058996,nop,wscale 0> (DF) (ttl 64,

 id 3278)

  4500 003c 0cce 4000 4006 aa7f c0a8 0119

  c0a8 0105 0203 0b4e 17b1 13ff fba2 c2c9

  a012 7d78 5ee7 0000 0204 05b4 0402 080a

  0006 0103 003d ef74 0103 0300

18:34:19.993514 > 192.168.1.5.2894 > 192.168.1.25.printer: . 1:1(0) ack 1 win 32120 <nop,

nop,timestamp 4058996 393475> (DF) (ttl 64, id 11264)

  4500 0034 2c00 4000 4006 8b55 c0a8 0105

  c0a8 0119 0b4e 0203 fba2 c2c9 17b1 1400

  8010 7d78 8dac 0000 0101 080a 003d ef74

  0006 0103

18:34:19.999662 < 192.168.1.25.printer > 192.168.1.5.2894: P 1:31(30) ack 1 win 32120 

<nop,nop,timestamp 393476 4058996> (DF) (ttl 64, id 3279)

  4500 0052 0ccf 4000 4006 aa68 c0a8 0119

  c0a8 0105 0203 0b4e 17b1 1400 fba2 c2c9

  8018 7d78 3e5b 0000 0101 080a 0006 0104

  003d ef74 6c70 643a 203a 204d 616c 666f

  726d 6564 2066 726f 6d20 6164 6472 6573

  730a

18:34:19.999686 > 192.168.1.5.2894 > 192.168.1.25.printer: . 1:1(0) ack 31 win 32120 <nop,

nop,timestamp 4058997 393476> (DF) (ttl 64, id 11265)

  4500 0034 2c01 4000 4006 8b54 c0a8 0105

  c0a8 0119 0b4e 0203 fba2 c2c9 17b1 141e

  8010 7d78 8d8c 0000 0101 080a 003d ef75

  0006 0104

18:34:20.000863 < 192.168.1.25.printer > 192.168.1.5.2894: F 31:31(0) ack 1 win 32120 

<nop,nop,timestamp 393476 4058997> (DF) (ttl 64, id 3280)

  4500 0034 0cd0 4000 4006 aa85 c0a8 0119

  c0a8 0105 0203 0b4e 17b1 141e fba2 c2c9

  8011 7d78 8d8b 0000 0101 080a 0006 0104

  003d ef75

18:34:20.000878 > 192.168.1.5.2894 > 192.168.1.25.printer: . 1:1(0) ack 32 win 32120 <nop,

nop,timestamp 4058997 393476> (DF) (ttl 64, id 11266)

   4500 0034 2c02 4000 4006 8b53 c0a8 0105

  c0a8 0119 0b4e 0203 fba2 c2c9 17b1 141f

  8010 7d78 8d8b 0000 0101 080a 003d ef75

  0006 0104

18:34:20.049095 > 192.168.1.5.2894 > 192.168.1.25.printer: P 1:424(423) ack 32 win 32120 

<nop,nop,timestamp 4059002 393476> (DF) (ttl 64, id 11267)

  4500 01db 2c03 4000 4006 89ab c0a8 0105

  c0a8 0119 0b4e 0203 fba2 c2c9 17b1 141f

  8018 7d78 54c5 0000 0101 080a 003d ef7a

  0006 0104 4242 f0ff ffbf f1ff ffbf f2ff

  ffbf f3ff ffbf 5858 5858 5858 5858 5858

  5858 5858 5858 5858 252e 3137 3675 2533

  3030 246e 252e 3133 7525 3330 3124 6e25

  2e32 3533 7525 3330 3224 6e25 2e31 3932

Let's look at what is happening here. First, we see 192.168.1.5 and 192.168.1.25 attempting to make a connection using the TCP typical three-way handshake. In the next sequence of events, we see 192.168.1.5 attempting to run the exploit against 192.168.1.25. Finally, we see the 192.168.1.5 pushing 423 bytes of data to 192.168.1.25. The exploit continues this for a while until it is able to brute-force the exploit.

When this exploit worked, 192.168.1.25 provided me with a shell (not that I needed it), and I could do what ever I wanted.

Exploits are the way crackers break into systems. To protect yourself against them, you will have to update your operating system with patches. (This goes for all systems.)

The SANS Top 10

The SANS Top 10 Most Critical Internet Security Threats is a list of the most common exploits found on computer networks. What makes this list so valuable is the fact that the group System Administration Network Security provides a list of the related CVE entries (Common Vulnerabilities and Exposures), so that a person can do more research if necessary. This list was compiled by SANS with the help of many security experts and the security community.

The CVE database can be found at http://www.cve.mitre.org/.

To read more on the SANS Top 10, visit http://www.sans.org/topten.htm.

The first exploit listed on the Top 10 is BIND. BIND is a program used for DNS servers (to help resolve names to addresses) and is used throughout the Internet. In the past couple years, major holes have been found in many versions of BIND. It is vital for anyone who runs BIND to always keep up on the latest vulnerabilities. On Jan. 29, 2001, Network Associates Incorporated announced that it discovered more vulnerabilities relating to BIND version 4 and BIND version 8. Patches have been released and can be downloaded from your operating system vendor's Web site.

If you would like to read the paper released by NAI, you can get it here: http://www.pgp.com/aboutus/press/pr_template.asp?PR=/PressMedia/01282001-A.asp&Sel=900 or you can read the CERT advisory at http://www.cert.org/advisories/CA-2001-02.html.

The second exploit in SANS Top 10 is Vulnerable CGI programs. These have been around for years and are the main reason for most of the hack Web sites that receive mainstream attention.

Many of these CGI-BIN programs leave sample programs after installation that are vulnerable and allow a malicious user to obtain "root" access. When an attacker obtains that level of access, he can do as he pleases (include changing the Web site). I provided some links to obtain more information on CGI-BIN attacks. This list is not comprehensive; please dig a little further if you think you are vulnerable.

More information can be found on CGI-BIN attacks from http://www.cert.org/advisories/CA-1997-24.html, http://www.cert.org/advisories/CA-1996-11.html, or http://www.cert.org/advisories/CA-1997-07.html.

The third exploit is vulnerable Remote Procedure Calls (RPCs). RPCs allow C programs to make procedure calls on other machines across the network. Most vendors provide patches to help tighten down RPC services. Nevertheless, the best policy regarding this service is, if you don't need it, then kill it. You can run ps-ef|grep rpc, find the Process ID (PID), and then run kill 9 PID. You can also disable RPC services at start upon most UNIX operating systems by changing the startup file (located at /etc/rc.d/) from an S (start up) to K (kill). You can find out what RPC programs are running by using rpcinfo p.

More information can be found on RPC attacks from http://www.cert.org/incident_notes/IN-99-04.html.

The fourth exploit on the SANS Top 10 list is vulnerable Remote Data Service security holes in IIS. (To be honest, I am surprised Microsoft doesn't have more vulnerabilities in the Top 10.) I can sum up dealing with this exploit really quick Patch your IIS.

More information can be found on RDS security holes from http://www.wiretrip.net/rfp/p/doc.asp?id=29&iface=2.

The fifth exploit is vulnerable sendmail and MIME attacks. These vulnerabilities are related to buffer overflows as well as pipe attacks that enable immediate root compromise. There are a couple of ways to secure these problem areas. The first is to maintain the correct patches for your sendmail/mail servers. If you do not need to run either of these services, you can disable them (follow the same procedures as spelled out for RPC).

More information can be found on sendmail security holes from http://www.cert.org/advisories/CA-97.05.sendmail.html.

The sixth exploit is vulnerable sadmind and mountd. This vulnerability applies to Linux machines as well as Solaris machines.

For more information on sadmind and mountd security holes, visit http://www.cert.org/advisories/CA-99-16-sadmind.html or http://www.cert.org/advisories/CA-1998.12.mountd.html.

The seventh exploit in the Top 10 is global file sharing, using NetBIOS Ports 135 139). This is probably the biggest security problem users have if they are connected to a cable modem or DSL. Most do not understand the concept of file sharing and leave file sharing enabled. Another problem is Napster. Although Napster is not listed here, it does require people to share directories and that can lead to sharing more then necessary. How do we correct it? These suggestions are from the SANS site http://www.sans.org/topten.htm:

A.       When sharing mounted drives, ensure only required directories are shared.

B.      For added security, allow sharing only to specific IP addresses because DNS names can be spoofed.

C.      For Windows systems, ensure all shares are protected with strong passwords.

D.      For Windows NT systems, prevent anonymous enumeration of users, groups, system configuration and Registry keys via the "null session" connection.

Block inbound connections to the NetBIOS Session Service (tcp 139) at the router or the NT host. Consider implementing the RestrictAnonymous Registry key for Internet-connected hosts in standalone or non-trusted domain environments.

The eighth exploit is weak passwords. Need I say any more? In any form of risk assessment, one of the most common vulnerabilities I see is weak passwords. When coming up with a password, remember to follow these simple guidelines:

        Make sure that the password is eight characters in length.

        Make sure that the password is a combination of numbers, special characters, and alphanumeric characters.

        Pick a password that is not in the dictionary.

For more information on password strengths, visit http://www.cert.org/tech_tips/passwd_file_protection.html.

The ninth exploit is IMAP and POP buffer overflow vulnerabilities or incorrect configuration. Again, the best way to secure yourself from these attacks is to disable the service if you do not need it. Also, apply the latest patches (if you need to run the service).

For more information on IMAP and POP security please visit http://www.cert.org/advisories/CA-1998.09.imapd.html, http://www.cert.org/advisories/CA-1998.08.qpopper_vul.html, or http://www.cert.org/advisories/CA-1997.09.imap_pop.html.

The final exploit in the SANS Top 10 is Default SNMP community strings set to "public" and "private". Along with the weak passwords, this vulnerability can be controlled by basic administration.

For more information on SNMP and community strings, see http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm#xtocid210315.

Keep in mind that these are not the only vulnerabilities on the Web. A cracker can use any exploit he has in his bag of tricks against you and your network.

Summary

This chapter covered a variety of topics including passive OS fingerprinting, social engineering, tools, and the SANS Top 10. Hopefully, from this chapter you can grasp the thinking and the process a cracker will go through to obtain access to a network. With the world becoming one, through the Internet and cybercrime on the rise, protecting yourself and your information will become more challenging. Knowing how a hacker/cracker works can assist you in protecting yourself against these people. As Bruce Scheiner of CTO Counterpane Internet Systems says, "Security is a process, not a product." As for the products you do have, remember to apply the latest patches and disable the services you don't need.