True network protection could mean thinking and acting like a hacker. As an NT administrator, here are your weapons of choice.
Concealed Weapons
True network protection could mean thinking and acting like a hacker. As an NT administrator, here are your weapons of choice.
- By Roberta Bragg
- July 01, 1999
So you think you’ve protected your NT network from
accidental or purposeful intrusion? You say you’ve
applied the latest service packs and security-related
“hot-fixes”? Got a firewall installed and configured?
Feeling pretty smug, are you? Hackers can’t penetrate
your defenses. No way. Not at all. Not one bit.
You could simply be the emperor with no clothes, naked
in front of the world and thinking you’re showing
off your finery. Unlike the emperor’s subjects, there
are quite a few people out there ready to take advantage
of your exposure to poke and prod your system. By peeking
at your most intimate and private parts, they may discover
your weaknesses, share their knowledge, block legitimate
access to your information, destroy (accidentally or willfully)
your data, or merely—like peeking Toms—make
you nervous about leaving the blinds up.
Check out this quote that I found embedded in a C program
I downloaded from one of the numerous hacker sites I’ve
recently visited:
“I live in a world of paradox…My willingness
to destroy is your chance for improvement, my hate is
your fate…my failure is your victory, a victory
that won’t last.”
I don’t think any of us can afford to ignore that
threat. So it seems only rational that you should employ
the very tools used against your network to strengthen
it. After all, if you discover a security flaw, you can
correct it. Each tool you use to scan, penetrate, disrupt,
or attack your systems becomes one less that can be used
against you by “unfriendly” folks.
Come with me then as we embark upon a journey into the
not-so-shadowy world of hackers and crackers and examine
these tools. A word of advice before we begin. Obtain
permission before using these tools on any network. Most
are freely (or at minimal cost) available for download
on the Internet. While as far as I know they’re not
illegal to possess, the use of these tools against a network
could be illegal or certainly against corporate policy.
If caught, you could be arrested, fined, fired, imprisoned,
or—if you live in some countries—beheaded. (Two
Chinese hackers recently lost their lives when they were
convicted of hacking a bank in China.)
Finding the Jewels
Some of these tools are graphical and run from Windows
95 or Windows NT. Others are C or Perl script programs
that you need to compile (and maybe debug).
But script weenies and hacker-wannabes, beware: The best
hacker tools aren’t point and click! To use these
tools, you need programming skills to understand exactly
what the program is doing and how to use it. Many of these
programs are written by hackers for illicit purposes and
a) they assume you know what you’re doing; and b)
they don’t have time to spend, nor proclivity to
spend it, generating help files.
I’ll give you download sites for these tools, but
realize that some sites are here today, gone tomorrow.
Remember that any search engine will turn up hundreds
of references to the word “hacker,” as well
as multiple hits for almost any tool named here.
And be careful with your downloads. Who’s to say
that what you’re downloading is what it says it is?
Test your tool in isolation before letting it run rampant
on your network. While many tools were originally developed
to use against Unix systems, some are now available to
run on and against NT and other operating systems. If
a tool requires Unix to run, it may be well worth your
while to obtain a copy of Linux or Trinux (a floppy-bootable
Unix that you can obtain at ftp.trinux.org/pub/trinux).
These tools—or what you and hackers wanting to see
your network might call, “assault weapons”—generally
fall into categories: war dialers, scanners, password
crackers, disruptive and destructive devices, and sniffers.
None is a shortcut to breaking into another system, nor
does any offer information on the degree to which the
other system recognizes your activity. We’re assuming
you’ll be using these tools to invade your own network
legitimately. Be aware that none automatically covers
its tracks. That is, it will generally be possible to
determine that someone was there and possibly who.
You should also know that not all of these tools are
Windows tools that run on some version of Windows and
probe only Windows networks. Some run on Unix and only
Unix. They’re included because they can be used to
probe our networks and because many of our networks contain
Unix in addition to NT. Other tools run on Windows 95
or NT and may gain us useful vulnerability information
about our entire network, not just NT. Still others are
only able to attack a particular vulnerability of NT.
Much of the hacker hype sites dedicate themselves to explaining
the penetration of the Unix OS.
War Dialers
This software dials a specified range of telephone numbers
and records those that offer computer responses—in
other words, the phone numbers of computers for user access.
The information returned may identify the type of system,
such as a fax machine, speed of modem, and the like. Tools
of this type are generally written to run on a Unix system;
however, they clearly expose dial-up numbers for any computer.
Administrative uses are twofold:
- To convince yourself how easy it is to find your dial-up
servers and back-doors through modems on PCs.
- To find modems in your network you didn’t know
existed and remove them or protect them behind a security
layer.
An early war dialer, ToneLoc, is available with other
war dialers at www.hackers.co.za/archive/hacking/wardialers.
Scanners
Scanners detect security weaknesses in remote networks.
They probe TCP/IP ports and record responses. For example,
they may query the FTP port and report that anonymous
users can log in.
Administratively, scanners are developed for use by security
personnel to help administrators probe for weaknesses;
however, the unsolicited use of scanners to obtain information
about others’ networks may be punishable under state
or federal “computer trespass” laws. The information
scanners return must be interpreted. More expensive, commercial
scanners may do that for you.
Scanners can find machines or networks, determine the
services being run on the host, and test these services
for known holes. “Known holes” is the key here.
A known hole may be a default login that is sometimes
left on the system, a weakness in certain TCP/IP protocol
stacks, etc. Usually a known hole exists in a certain
OS or protocol stack version. To utilize this hole, I
need to find machines running this OS or protocol stack.
A good scanner returns the addresses of machines that
use the given OS or stacks and even makes the first attempt
at probing it for this weakness. An example of this might
be identifying computers running Microsoft Internet Information
Server by attempting logons with the IUSR_computername
once the host name was known. Once identified, attempts
could begin at probing for known NT or IIS weaknesses.
A well-written scanner will do all of this without user
intervention.
Incidentally, while they don’t offer the far-reaching
utility of scanner programs, some Unix network utilities
assist administrators in obtaining information about the
host system. Some are installed on Windows NT when the
entire TCP/IP protocol stack is installed. Examples include
Rusers and finger, which can be used to identify a user.
Finger can be used to obtain information on services such
as lpd. (lpd is the line printer service. On Windows NT
it’s the TCP/IP printing services.) Use these utilities
to probe your network servers for vulnerabilities!
Some Unix-based scanners are:
- NSS, Network Security Scanner.
- Strobe, Super Optimized TCP Port Surveyor.
- SATAN, Security Administrators Tool for Analyzing
Networks.
- ISS, Internet Security Scanner (a forerunner of the
commercial SAFEsuite tool).
Check out www.giga.or.at/pub/hacker/unix
and www.fish.com (the
latter is managed by Dan Farmer, the author of SATAN,
COPS, and most recently TITAN).
GUI tools include:
Password Crackers
Most password crackers don’t decrypt anything. Most
encrypt word lists with the same algorithm that the passwords
are encrypted in and then run a comparison of the passwords
against the file looking for matches. Although they can
be programmed to try random combinations of letters and
characters, their success is usually due to human stupidity
and laziness. We all typically choose passwords that are
words or word combinations. Most people are rarely advised
on what constitutes strong passwords and even more rarely
required to use them.
To use a password cracker, you must have three things:
the password cracking utility, a good set of wordlists,
and access to or a copy of the password file or list.
You can find wordlists at:
Password cracking is CPU and memory-intensive. You can
do distributed cracking by running the cracking program
in parallel, using many processors, either on the same
computer or on multiple machines. The password file is
broken into pieces and run on separate processors.
A prime administrative use for password crackers is to
determine whether your password policy is being followed.
The results can also help you determine if you need a
stronger password policy. Nothing like presenting the
boss with his or her password to assist you in strengthening
your security structure.
Password cracking tools are going to be OS- and application-relevant,
so look for those that will work on your system.
- The following Unix password cracking tools—crack,
CrackerJack, PaceCrack95, Claymore—are available
from http://tms.netrom.com/~cassidy.
- A POP3 password cracker (for Unix-based POP3 servers)
is pop3hack.c available from www.paultec.com/alliance/xploitz.
- Of course, the now infamous L0phtcrack, for cracking
NT passwords, is available from www.L0pht.com.
(That’s a zero, not the letter O.)
- Visit www.undergroundarchive.com/tools.htm for password cracking tools for Windows 95 pwl files
(glide.zip, w95pass.zip, ucfjohn2.zip), decoding AMI
bios passwords (AMIDecode.zip), and Excelcrack.zip for
cracking Excel passwords.
Sniffers
Sniffers grab information traveling across a network.
Typically, packets that aren’t broadcasts or directed
to the specific host are ignored by it. A sniffer allows
the network interface card to capture all of the communications
and records them. It may be a combination of hardware
and software; however, many software-only products can
be effective and far less costly. Sniffers have the potential
to capture password, confidential, or proprietary information,
and therefore compromise the security of networks.
To prevent sniffer attacks, you can check for the presence
of a promiscuous device driver that allows the sniffer
to be installed.
NT 4.0 comes with Network Monitor, a software-based sniffer
covered extensively in last month’s issue by Michael
Chacon and Paul
Cernick. [Paul’s article appeared exclusively
online.—Ed.] This product, however, is limited
to capturing packets that originate with or are sent to
the host (directed, multi-cast, or broadcast). A full-blown
product is available for purchase with SMS. Use these
products to:
- Test programs on your system that may be passing
passwords in the clear.
- Watch for suspicious activity, such as probing of
ports.
- Test your topology design. (A good topology design—one
that segments the network to localize packets and limits
Internet exposure—can limit your exposure to sniffers.)
Other sniffers, such as gobbler, NetMan, and esniff,
are available at http://agape.kuntrynet.com/hack/network-sniffers.
Trojan and other Disruptive and
Destructive Devices
These programs create havoc by destroying data or through
sheer annoyance caused by denial-of-service attacks, email
bombs, and viruses.
Like soldiers in the belly of the famed wooden horse
at the gates of Troy, “Trojaned” programs hide
malicious code. The program that hides this code appears
harmless but, when executed, releases the hidden code
and performs an unexpected and undesired task. This may
be a function that returns information to its programmers
about a system (passwords or services) or holes in that
system, or it may reveal privileged information (files
and contents) or compromise or damage a system (like reformatting
a hard disk).
Two renowned Trojans are the PCCYBORG program, which
advertised AIDS information but then hid directories and
encrypted file names, and the AOLGOLD Trojan, which advertised
itself as an upgrade to AOL software but in reality deleted
critical directories.
Trojans have been planted by developers on a project.
Their exploits have included the placement of user names,
allowing a user to become root. You only have to look
to the current exploits of the Cult of the Dead Cow and
its BackOrifice program or NetBus to see current examples
of this type of tool. While it’s impossible to protect
against every possible Trojan—by definition, they’re
hidden within known good code—most administrators
think they can recognize the existence of a Trojan and
therefore remove it from the system. Unfortunately, many
hackers have equal understanding of the same tools used
by administrators (file integrity checkers, which identify
known .DLL changes and object reconciliators, which compare
time stamps and object size). Modern Trojans can fake
the file size and time stamps and escape detection. Some
new object reconciliators calculate the digital fingerprint
or signature for each file. This is the most reliable
method. A product that does this for Unix systems is Tripwire,
available at ftp://coast.cs.purcue.edu/pub/tools/unix/TripWire.
The same programs that you purchase for virus protection
can detect known Trojans. You may wish to download known
Trojans to test virus protection on your network. (Limit
its use to an isolated machine in case your virus protection
doesn’t work.) However, perhaps your best use of
this hacker tool type is to create a harmless Trojan,
say, one that emails you if someone on your network runs
the Trojaned executable. (It could also flash a warning
on users’ screens to let them know they’ve violated
security.) Here, you test the most vulnerable part of
your network: its users. Trained and forewarned, users
establish a reasonable defense; that said, you should
always test your defenses.
A specialized kind of Trojan, email bombs, such as UpYours,
KaBOom, Avalanche (multiple messages to every address
on a list), and Unabomber (which sends the same message
over and over) create havoc for users and mail system
administrators. They’re difficult to protect against
and some are tough to eliminate. Most are unsophisticated
and easily disabled through removal of the original message
and the files they produce. Others may require contact
to the postmaster of the source. Obtain copies to understand
how they work.
IRC Flash bombs are used on Internet Relay Chat to force
users from a channel (crash.irc), or fill a channel with
garbage so no one can chat. Botkilll2.irc allows the scripting
of bots or automated scripts that run in the IRC environment.
Denial of Service Tools
These tools effectively shut down servers and prevent
legitimate access. They don’t usually destroy data
or allow access to the network. A reboot usually solves
the problem. Among these DoS (Denial of Service) tools
are:
- Ping of Death, which sends
abnormally large ping packets. When the target receives
it, it dies and blue screens.
- Syn_flooder, which floods
machines with half open connection requests.
- DNSKiller, which kills the
DNS server.
- Arnudp100.c, which forges
addresses of UDP packets and denial of service on UDP
ports 7, 13, 19, and 37.
- Winnuke, which crashes a
connection under Windows 95.
- OOB BUG, which sends an
Out Of Band exception message to port 129, a standard
listening port on Windows.
- smurf, which sends a spoofed
icmp echo request to each of multiple broadcast lists;
multiple computers respond to the request, thus resulting
in an attack on the spoofed source address.
- snork, which sets up bad
RCP packets that can set up an endless loop between
servers.
Use these programs to test your server’s defense.
Load relevant service packs and patches first. Or you
may wish to identify servers that haven’t been updated.
Obviously, you’ll pick a non-critical time to run
your tests, right?
- Cisco has information and strategies to help protect
against UDP denial of service attacks. Visit http://cio.cisco.com/warp/public/707/3.html.
- Microsoft has patches, service packs (3, 4, and 5),
and articles describing and fixing common DoS attacks.
A good starting place is www.microsoft.com/security.
- Winnewk.c and other DoS programs (boink.c, pepsi.c,
syndrop.c, and snork.c) are available from www.paultec.com/alliance/xploitz.html.
The Two Most Important Tools
This month’s column has been an attempt to introduce
you to some of the tools that hackers may use against
your network. I’ve left the two most important tools
they use until last.
- Intelligence. No, this
is no fancy GUI or downloadable c program. It’s
just what it says it is. The crème-de-la-crème of hackers,
the uebercrackers, don’t rely on some grab-bag
of tools that any columnist can locate on the Internet.
They study the OS, the networking protocols, the ways
of people and business—and use their weaknesses
against them. They may do that by adapting readily available
programs or writing their own. As Dan Farmer says on
his site at www.fish.com/security/admin-guide-to-cracking.html,
to “improve the security of your site by breaking
into it,” you must do this too.
- Community. Check out hacker
sites. A good starting place is www.2600.com. Pick up
its magazine, 2600 Magazine. The site lists where
it’s sold and when—Borders and Barnes and
Nobles carry it. Go to a meeting in a city near you
on Friday evenings from 5 to 8 p.m. (check out locations
at the same site). Read Phrack and ask to be
put on the mailing list [email protected]
. Diligently search the Internet. Many so-called “hacker”
sites are put up by script weenies (people who run scripts
or programs others write without really understanding
what they’re doing) and hacker wannabes (who want
to be hackers but lack the intelligence or sophistication).
Some sites are nothing more than links to viruses or
other sites that no longer exist. Don’t be fooled
by their seeming lack of polish; assume all hacker sites
are the same.
I’ll leave you with this thought: “The security
of the Internet is not a static thing. New Holes are discovered
at the rate of one per day.” Maximum Security
by anonymous, Sams.net Publishing, 1997.