True network protection could mean thinking and acting like a hacker. As an NT administrator, here are your weapons of choice.

Concealed Weapons

So you think you’ve protected your NT network from accidental or purposeful intrusion? You say you’ve applied the latest service packs and security-related “hot-fixes”? Got a firewall installed and configured? Feeling pretty smug, are you? Hackers can’t penetrate your defenses. No way. Not at all. Not one bit.

You could simply be the emperor with no clothes, naked in front of the world and thinking you’re showing off your finery. Unlike the emperor’s subjects, there are quite a few people out there ready to take advantage of your exposure to poke and prod your system. By peeking at your most intimate and private parts, they may discover your weaknesses, share their knowledge, block legitimate access to your information, destroy (accidentally or willfully) your data, or merely—like peeking Toms—make you nervous about leaving the blinds up.

Check out this quote that I found embedded in a C program I downloaded from one of the numerous hacker sites I’ve recently visited:

“I live in a world of paradox…My willingness to destroy is your chance for improvement, my hate is your fate…my failure is your victory, a victory that won’t last.”

I don’t think any of us can afford to ignore that threat. So it seems only rational that you should employ the very tools used against your network to strengthen it. After all, if you discover a security flaw, you can correct it. Each tool you use to scan, penetrate, disrupt, or attack your systems becomes one less that can be used against you by “unfriendly” folks.

Come with me then as we embark upon a journey into the not-so-shadowy world of hackers and crackers and examine these tools. A word of advice before we begin. Obtain permission before using these tools on any network. Most are freely (or at minimal cost) available for download on the Internet. While as far as I know they’re not illegal to possess, the use of these tools against a network could be illegal or certainly against corporate policy. If caught, you could be arrested, fined, fired, imprisoned, or—if you live in some countries—beheaded. (Two Chinese hackers recently lost their lives when they were convicted of hacking a bank in China.)

Finding the Jewels

Some of these tools are graphical and run from Windows 95 or Windows NT. Others are C or Perl script programs that you need to compile (and maybe debug).

But script weenies and hacker-wannabes, beware: The best hacker tools aren’t point and click! To use these tools, you need programming skills to understand exactly what the program is doing and how to use it. Many of these programs are written by hackers for illicit purposes and a) they assume you know what you’re doing; and b) they don’t have time to spend, nor proclivity to spend it, generating help files.

I’ll give you download sites for these tools, but realize that some sites are here today, gone tomorrow. Remember that any search engine will turn up hundreds of references to the word “hacker,” as well as multiple hits for almost any tool named here.

And be careful with your downloads. Who’s to say that what you’re downloading is what it says it is? Test your tool in isolation before letting it run rampant on your network. While many tools were originally developed to use against Unix systems, some are now available to run on and against NT and other operating systems. If a tool requires Unix to run, it may be well worth your while to obtain a copy of Linux or Trinux (a floppy-bootable Unix that you can obtain at ftp.trinux.org/pub/trinux).

These tools—or what you and the hackers wanting to see your network might call “assault weapons”—generally fall into these categories: war dialers, scanners, password crackers, disruptive and destructive devices, and sniffers.

None is a shortcut to breaking into another system, nor does any offer information on the degree to which the other system recognizes your activity. We’re assuming you’ll be using these tools to invade your own network legitimately. Be aware that none automatically covers its tracks. That is, it will generally be possible to determine that someone was there and possibly who.

You should also know that not all of these tools are Windows tools that run on some version of Windows and probe only Windows networks. Some run on Unix and only Unix. They’re included because they can be used to probe our networks and because many of our networks contain Unix in addition to NT. Other tools run on Windows 95 or NT and may gain us useful vulnerability information about our entire network, not just NT. Still others are only able to attack a particular vulnerability of NT. Many of the hacker hype sites dedicate themselves to explaining the penetration of the Unix OS.

War Dialers

This software dials a specified range of telephone numbers and records those that offer computer responses—in other words, the phone numbers of computers for user access. The information returned may identify the type of system, such as a fax machine, speed of modem, and the like. Tools of this type are generally written to run on a Unix system; however, they clearly expose dial-up numbers for any computer.

Administrative uses are twofold:

  • To convince yourself how easy it is to find your dial-up servers and back-doors through modems on PCs.
  • To find modems in your network you didn’t know existed and remove them or protect them behind a security layer.

An early war dialer, ToneLoc, is available with other war dialers at www.hackers.co.za/archive/hacking/wardialers.  

Scanners

Scanners detect security weaknesses in remote networks. They probe TCP/IP ports and record responses. For example, they may query the FTP port and report that anonymous users can log in.

Administratively, scanners are developed for use by security personnel to help administrators probe for weaknesses; however, the unsolicited use of scanners to obtain information about others’ networks may be punishable under state or federal “computer trespass” laws. The information scanners return must be interpreted. More expensive, commercial scanners may do that for you.

Scanners can find machines or networks, determine the services being run on the host, and test these services for known holes. “Known holes” is the key here. A known hole may be a default login that is sometimes left on the system, a weakness in certain TCP/IP protocol stacks, etc. Usually a known hole exists in a certain OS or protocol stack version. To utilize this hole, I need to find machines running this OS or protocol stack. A good scanner returns the addresses of machines that use the given OS or stacks and even makes the first attempt at probing it for this weakness. An example of this might be identifying computers running Microsoft Internet Information Server by attempting logons with the IUSR_computername once the host name was known. Once identified, attempts could begin at probing for known NT or IIS weaknesses. A well-written scanner will do all of this without user intervention.

Incidentally, while they don’t offer the far-reaching utility of scanner programs, some Unix network utilities assist administrators in obtaining information about the host system. Some are installed on Windows NT when the entire TCP/IP protocol stack is installed. Examples include Rusers and finger, which can be used to identify a user. Finger can be used to obtain information on services such as lpd. (lpd is the line printer service. On Windows NT it’s the TCP/IP printing services.) Use these utilities to probe your network servers for vulnerabilities!

Some Unix-based scanners are:

  • NSS, Network Security Scanner.
  • Strobe, Super Optimized TCP Port Surveyor.
  • SATAN, Security Administrators Tool for Analyzing Networks.
  • ISS, Internet Security Scanner (a forerunner of the commercial SAFEsuite tool).

Check out www.giga.or.at/pub/hacker/unix and www.fish.com (the latter is managed by Dan Farmer, the author of SATAN, COPS, and most recently TITAN).

GUI tools include:

Password Crackers

Most password crackers don’t decrypt anything. Instead, most encrypt each entry in a word list with the same algorithm used to encrypt the passwords, then compare the results against the password file, looking for matches. Although they can be programmed to try random combinations of letters and characters, their success is usually due to human stupidity and laziness. We all typically choose passwords that are words or word combinations. Most people are rarely advised on what constitutes strong passwords and even more rarely required to use them.

To use a password cracker, you must have three things: the password cracking utility, a good set of wordlists, and access to or a copy of the password file or list.

You can find wordlists at:

Password cracking is CPU and memory-intensive. You can do distributed cracking by running the cracking program in parallel, using many processors, either on the same computer or on multiple machines. The password file is broken into pieces and run on separate processors.

A prime administrative use for password crackers is to determine whether your password policy is being followed. The results can also help you determine if you need a stronger password policy. Nothing like presenting the boss with his or her password to assist you in strengthening your security structure.
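The policy audit described above, sketched as an added example (not code from the article or from any tool it names): each wordlist entry is hashed with the same scheme as the stored password and compared, and only account names are reported. The PBKDF2 storage scheme, the accounts, and the wordlist are constructed assumptions.

```python
import hashlib
import hmac


def hash_password(password, salt):
    """Stand-in storage scheme (assumption): salted PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def candidates(word):
    """The word as listed and with a leading capital."""
    yield word
    yield word.capitalize()


def audit(accounts, wordlist):
    """Return sorted account names whose stored hash matches a wordlist entry.

    accounts maps name -> (salt, stored_hash). Because each account has its
    own salt, every guess must be re-hashed per account; nothing is decrypted.
    The matching password itself is deliberately not returned.
    """
    weak = []
    for user, (salt, stored) in accounts.items():
        for word in wordlist:
            if any(hmac.compare_digest(hash_password(c, salt), stored)
                   for c in candidates(word)):
                weak.append(user)
                break
    return sorted(weak)


def build_sample():
    """Constructed accounts for the demonstration."""
    raw = {"alice": "Summer", "bob": "x7#Lq9!vTz", "carol": "dragon"}
    accounts = {}
    for i, (user, pw) in enumerate(sorted(raw.items())):
        salt = bytes([i]) * 8          # fixed salts so the demo is repeatable
        accounts[user] = (salt, hash_password(pw, salt))
    return accounts


WORDLIST = ["password", "dragon", "summer"]   # constructed wordlist

if __name__ == "__main__":
    print("Accounts failing the audit:", audit(build_sample(), WORDLIST))
```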

Password cracking tools are going to be OS- and application-relevant, so look for those that will work on your system.

  • The following Unix password cracking tools—crack, CrackerJack, PaceCrack95, Claymore—are available from http://tms.netrom.com/~cassidy.
  • A POP3 password cracker (for Unix-based POP3 servers) is pop3hack.c available from www.paultec.com/alliance/xploitz.
  • Of course, the now infamous L0phtcrack, for cracking NT passwords, is available from www.L0pht.com. (That’s a zero, not the letter O.)
  • Visit www.undergroundarchive.com/tools.htm for password cracking tools for Windows 95 pwl files (glide.zip, w95pass.zip, ucfjohn2.zip), decoding AMI bios passwords (AMIDecode.zip), and Excelcrack.zip for cracking Excel passwords.

Sniffers

Sniffers grab information traveling across a network. Typically, a host ignores packets that aren’t broadcasts or directed specifically to it. A sniffer allows the network interface card to capture all of the communications and records them. It may be a combination of hardware and software; however, many software-only products can be effective and far less costly. Sniffers have the potential to capture passwords and confidential or proprietary information, and therefore compromise the security of networks.

To prevent sniffer attacks, you can check for the presence of a promiscuous device driver that allows the sniffer to be installed.

NT 4.0 comes with Network Monitor, a software-based sniffer covered extensively in last month’s issue by Michael Chacon and Paul Cernick. [Paul’s article appeared exclusively online.—Ed.] This product, however, is limited to capturing packets that originate with or are sent to the host (directed, multi-cast, or broadcast). A full-blown product is available for purchase with SMS. Use these products to:

  • Test programs on your system that may be passing passwords in the clear.
  • Watch for suspicious activity, such as probing of ports.
  • Test your topology design. (A good topology design—one that segments the network to localize packets and limits Internet exposure—can limit your exposure to sniffers.)
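One way to watch a capture for the port probing mentioned above, as an added example that is not from the article or from Network Monitor: it flags any source that touches many distinct ports on one host within a short window. The four-column record format, the addresses, and the thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed capture summary: seconds, source, destination, destination port.
SAMPLE = """\
0.10 10.0.0.5 10.0.0.20 80
0.40 10.0.0.9 10.0.0.20 21
0.45 10.0.0.9 10.0.0.20 23
0.50 10.0.0.9 10.0.0.20 25
0.55 10.0.0.9 10.0.0.20 79
0.60 10.0.0.9 10.0.0.20 110
0.65 10.0.0.9 10.0.0.20 139
3.00 10.0.0.5 10.0.0.20 80
9.00 10.0.0.7 10.0.0.20 25
70.0 10.0.0.7 10.0.0.20 110
140.0 10.0.0.7 10.0.0.20 139
"""


def parse(text):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        yield float(ts), src, dst, int(port)


def find_probes(records, min_ports=5, window=10.0):
    """Return sorted (src, dst, ports) for sources that touched at least
    min_ports distinct ports on one destination within window seconds."""
    events = defaultdict(list)
    for ts, src, dst, port in records:
        events[(src, dst)].append((ts, port))
    hits = []
    for (src, dst), seen in events.items():
        seen.sort()
        start, best = 0, 0
        for end in range(len(seen)):
            # Slide the window start forward until it spans <= window seconds.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            best = max(best, len({p for _, p in seen[start:end + 1]}))
        if best >= min_ports:
            hits.append((src, dst, best))
    return sorted(hits)


if __name__ == "__main__":
    print(find_probes(parse(SAMPLE)))
```

With the default ten-second window, the slow probe from 10.0.0.7 in the sample goes unflagged; widening the window catches it at the cost of more false positives from busy legitimate clients.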

Other sniffers, such as gobbler, NetMan, and esniff, are available at http://agape.kuntrynet.com/hack/network-sniffers.  

Trojan and other Disruptive and Destructive Devices

These programs create havoc by destroying data or through sheer annoyance caused by denial-of-service attacks, email bombs, and viruses.

Like soldiers in the belly of the famed wooden horse at the gates of Troy, “Trojaned” programs hide malicious code. The program that hides this code appears harmless but, when executed, releases the hidden code and performs an unexpected and undesired task. This may be a function that returns information to its programmers about a system (passwords or services) or holes in that system, or it may reveal privileged information (files and contents) or compromise or damage a system (like reformatting a hard disk).

Two renowned Trojans are the PCCYBORG program, which advertised AIDS information but then hid directories and encrypted file names, and the AOLGOLD Trojan, which advertised itself as an upgrade to AOL software but in reality deleted critical directories.

Trojans have been planted by developers on a project. Their exploits have included the placement of user names, allowing a user to become root. You only have to look to the current exploits of the Cult of the Dead Cow and its BackOrifice program or NetBus to see current examples of this type of tool. While it’s impossible to protect against every possible Trojan—by definition, they’re hidden within known good code—most administrators think they can recognize the existence of a Trojan and therefore remove it from the system. Unfortunately, many hackers have equal understanding of the same tools used by administrators (file integrity checkers, which identify known .DLL changes, and object reconciliators, which compare time stamps and object size). Modern Trojans can fake the file size and time stamps and escape detection. Some new object reconciliators calculate the digital fingerprint or signature for each file. This is the most reliable method. A product that does this for Unix systems is Tripwire, available at ftp://coast.cs.purdue.edu/pub/tools/unix/TripWire.
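Why the digital fingerprint is the more reliable check, as an added example (not Tripwire’s code or anything from the article): a baseline records size, time stamp, and a SHA-256 digest, and a constructed stand-in file is then altered with its size and time stamp preserved. The file name and contents are constructed.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Return (size, mtime_ns, SHA-256 hex digest) for one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return st.st_size, st.st_mtime_ns, digest.hexdigest()


def changed(baseline, path):
    """Report which of the three checks notices a difference from baseline."""
    size, mtime, sha = fingerprint(path)
    return {
        "size": size != baseline[0],
        "mtime": mtime != baseline[1],
        "digest": sha != baseline[2],
    }


def demo():
    """Constructed scenario: contents change, size and time stamp do not."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.dll")    # constructed stand-in file
        with open(path, "wb") as fh:
            fh.write(b"ORIGINAL-CONTENT-0000")
        baseline = fingerprint(path)

        # Same length, different bytes, then put the recorded time stamp back.
        with open(path, "wb") as fh:
            fh.write(b"MODIFIED-CONTENT-0000")
        st = os.stat(path)
        os.utime(path, ns=(st.st_atime_ns, baseline[1]))

        return changed(baseline, path)


if __name__ == "__main__":
    # Only the digest comparison reports the modification.
    print(demo())
```

The baseline is only as trustworthy as its storage, so keep it on read-only or offline media where a modified file cannot be re-baselined.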

The same programs that you purchase for virus protection can detect known Trojans. You may wish to download known Trojans to test virus protection on your network. (Limit its use to an isolated machine in case your virus protection doesn’t work.) However, perhaps your best use of this hacker tool type is to create a harmless Trojan, say, one that emails you if someone on your network runs the Trojaned executable. (It could also flash a warning on users’ screens to let them know they’ve violated security.) Here, you test the most vulnerable part of your network: its users. Trained and forewarned, users establish a reasonable defense; that said, you should always test your defenses.

A specialized kind of Trojan, email bombs, such as UpYours, KaBOom, Avalanche (multiple messages to every address on a list), and Unabomber (which sends the same message over and over) create havoc for users and mail system administrators. They’re difficult to protect against and some are tough to eliminate. Most are unsophisticated and easily disabled through removal of the original message and the files they produce. Others may require contact to the postmaster of the source. Obtain copies to understand how they work.

IRC Flash bombs are used on Internet Relay Chat to force users from a channel (crash.irc), or fill a channel with garbage so no one can chat. Botkilll2.irc allows the scripting of bots or automated scripts that run in the IRC environment.

Denial of Service Tools

These tools effectively shut down servers and prevent legitimate access. They don’t usually destroy data or allow access to the network. A reboot usually solves the problem. Among these DoS (Denial of Service) tools are:

  • Ping of Death, which sends abnormally large ping packets. When the target receives it, it dies and blue screens.
  • Syn_flooder, which floods machines with half open connection requests.
  • DNSKiller, which kills the DNS server.
  • Arnudp100.c, which forges the addresses of UDP packets to cause denial of service on UDP ports 7, 13, 19, and 37.
  • Winnuke, which crashes a connection under Windows 95.
  • OOB BUG, which sends an Out Of Band exception message to port 129, a standard listening port on Windows.
  • smurf, which sends a spoofed icmp echo request to each of multiple broadcast lists; multiple computers respond to the request, thus resulting in an attack on the spoofed source address.
  • snork, which sets up bad RPC packets that can set up an endless loop between servers.

Use these programs to test your server’s defense. Load relevant service packs and patches first. Or you may wish to identify servers that haven’t been updated. Obviously, you’ll pick a non-critical time to run your tests, right?

  • Cisco has information and strategies to help protect against UDP denial of service attacks. Visit http://cio.cisco.com/warp/public/707/3.html.
  • Microsoft has patches, service packs (3, 4, and 5), and articles describing and fixing common DoS attacks. A good starting place is www.microsoft.com/security.
  • Winnewk.c and other DoS programs (boink.c, pepsi.c, syndrop.c, and snork.c) are available from www.paultec.com/alliance/xploitz.html.

The Two Most Important Tools

This month’s column has been an attempt to introduce you to some of the tools that hackers may use against your network. I’ve left the two most important tools they use until last.

  • Intelligence. No, this is no fancy GUI or downloadable C program. It’s just what it says it is. The crème-de-la-crème of hackers, the uebercrackers, don’t rely on some grab-bag of tools that any columnist can locate on the Internet. They study the OS, the networking protocols, the ways of people and business—and use their weaknesses against them. They may do that by adapting readily available programs or writing their own. As Dan Farmer says on his site at www.fish.com/security/admin-guide-to-cracking.html, to “improve the security of your site by breaking into it,” you must do this too.
  • Community. Check out hacker sites. A good starting place is www.2600.com. Pick up its magazine, 2600 Magazine. The site lists where it’s sold and when—Borders and Barnes & Noble carry it. Go to a meeting in a city near you on Friday evenings from 5 to 8 p.m. (check out locations at the same site). Read Phrack and ask to be put on the mailing list [email protected]. Diligently search the Internet. Many so-called “hacker” sites are put up by script weenies (people who run scripts or programs others write without really understanding what they’re doing) and hacker wannabes (who want to be hackers but lack the intelligence or sophistication). Some sites are nothing more than links to viruses or other sites that no longer exist. Don’t be fooled by their seeming lack of polish; assume all hacker sites are the same.

I’ll leave you with this thought: “The security of the Internet is not a static thing. New Holes are discovered at the rate of one per day.” Maximum Security by anonymous, Sams.net Publishing, 1997.
