14.7. Penetration through Trusted Systems

When hackers cannot penetrate a system via its server, most often they resort to looking for weak spots in trusted computers in the network. Not all computers in a network can be protected equally well, and hackers will attempt to find one that will yield to their probes.

When looking for vulnerable spots in a system, you have to establish IP addresses of all computers in the network. This can be done using the classical ping utility, manually pinging each IP address of the target network. A better way, however, is to use the nmap utility, which can scan a specified IP address range automatically.

A range of IP addresses can be scanned by issuing the following command:

 nmap -sP 192.168.1.0/24 

The IP address is followed by the net mask, which specifies how many of the address bits define the network ID. In this case, all computers in the network are specified. The program sends a ping request to every IP address in the network and shows which of them are used by computers.

Using the ping packets is a handy and quick way to scan a network, but it can produce incorrect results if the target network is protected by a firewall configured to prohibit ping packets.

Thus, if you are an administrator and have no special need for using ping packets, you should configure your firewall to filter them out. But a firewall can only protect the network from outside scanning. To protect against scanning originating within the network, each of the network's computers has to be equipped with a properly configured firewall. You could disable the service that responds to ping requests, but there is nothing that can be done about port scanning.
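A sweep like the nmap -sP scan above can be spotted wherever echo requests are logged. The following is an added example, not code from the book: it flags any source that sends ICMP echo requests to many distinct addresses within a short window. The iptables LOG-style line format, the thresholds, the year default and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches ICMP echo requests (type 8) in iptables LOG-style lines (assumed format).
ECHO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*?SRC=(?P<src>\S+) "
                     r"DST=(?P<dst>\S+) .*?PROTO=ICMP TYPE=8\b")

def find_ping_sweeps(lines, min_targets=10, window=timedelta(seconds=60), year=2004):
    """Map each source that pinged >= min_targets distinct hosts within
    `window` to the largest number of distinct hosts seen in one window."""
    events = defaultdict(list)
    for line in lines:
        m = ECHO_RE.search(line)
        if m:
            # Syslog timestamps carry no year, so one is supplied (assumption).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["src"]].append((ts, m["dst"]))
    sweeps = {}
    for src, hits in events.items():
        hits.sort()
        in_window, start, peak = Counter(), 0, 0
        for ts, dst in hits:
            in_window[dst] += 1
            # Drop events that fell out of the sliding time window.
            while ts - hits[start][0] > window:
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            sweeps[src] = peak
    return sweeps

def _line(sec, src, dst, proto="ICMP TYPE=8 CODE=0 ID=1 SEQ=0"):
    """Build one constructed log line, `sec` seconds after 10:00:00."""
    ts = (datetime(2004, 1, 12, 10, 0) + timedelta(seconds=sec)).strftime("%b %d %H:%M:%S")
    return f"{ts} gw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=28 TTL=64 PROTO={proto}"

# Constructed sample log: one host sweeping 192.168.1.1-20, one monitoring
# host pinging only the gateway, and one unrelated TCP packet.
SAMPLE = ([_line(i // 10, "192.168.1.50", f"192.168.1.{i}") for i in range(1, 21)]
          + [_line(i * 2, "192.168.1.5", "192.168.1.1") for i in range(30)]
          + [_line(3, "192.168.1.50", "192.168.1.9", "TCP SPT=40000 DPT=22")])

if __name__ == "__main__":
    for src, count in find_ping_sweeps(SAMPLE).items():
        print(f"possible ping sweep: {src} probed {count} hosts within 60s")
```

Counting distinct destinations rather than packets keeps a monitoring host that pings one gateway repeatedly from being reported.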

After the IP addresses of all computers in the network have been determined, each of these computers is scanned for vulnerable services. It is much easier to break into a network than into a single computer, because at least one of the network's computers will yield to a determined assault.

After breaking into one of the network's computers, the network can be scanned for computers again, this time from the compromised machine. This scanning may produce more precise results because it is not hindered by the firewall.

Having obtained control over one of the network's computers, further taking over the network becomes easier because of the following factors:

  • The computer broken into may have trusted relations with the server. In Linux, computers can be specified that can be trusted; that is, they can connect to the server without undergoing the authentication procedure. Never use trusted relations, because this is a huge blow to security. This is why the subject of using trusted relations is not considered in this book.

  • The login password for the compromised computer may be the same as that for the main server. Also, the /etc/passwd file often contains information for users that work with the server. Users normally don't like remembering the password for each server or computer and use the same parameters for connecting to any computer in the network.

There is no guarantee that this information will contain the login information for the main server administrator. But quite often all you need is to get your foot in a cracked door to take over the whole system.

Regular users are not the only ones using the same password for accessing different servers; administrators also are guilty of this practice. For example, an administrator may change the user name for a different server but use the same password. Hackers collect all passwords they come across and then use them to crack the root password.

To tell the truth, I am guilty of using the same password for different services. I, however, use a different login password for each system. I only use the same password when using harmless services, for example, when registering on forums or on sites collecting some statistics.

You should protect each computer equally well and use different passwords for users who have root privileges.



Hacker Linux Uncovered
ISBN: 1931769508
EAN: 2147483647
Year: 2004
Pages: 141
