Home

Chapter Contents

Penetrating Security
Covering Tracks
Not Getting Caught

Chapter Index

1: Introduction to Hacking
2: Newbie Corner
3: Hacker History & Culture
4: The Hacker's Toolbox
5: First Principles
6: The Direct Approach
7: Hacking the Web
8: Tips for Specific Systems
9: Phone Phreaking
10: Viruses
11: MP3's & Warez
12: The Elements of Cracking
13: Maximising Security
14: Learning More

Computer Security Books

Advertisements

BLOG

Dr. K's Blog

Email

mailto:drk@!spam!hush.ai

Introduction

Welcome to the most "black hat" chapter in the book, devoted to exposing the black art of "cracking" computer security. Understanding how crackers work is vital to any systems administrator, as they need to understand that before a cracker starts trying to breach the system security of remote systems, the cracker already understands *why* they want to gain access. Once the cracker knows why they need to gain access to a site, then this determines how long they will spend trying to gain access, and will prevent them from wasting time cracking a site that has no value. Note that experienced crackers pick their targets for good reasons, rather than trying to randomly attack everything in sight, and once they have their target, they will go through everything persistently and methodically, and almost certainly gain access.

With this in mind, systems administrators who need to know more about system cracking should find this chapter particularly useful, as knowing how crackers operate will help keep systems secure.

Of course, anybody who has read this far doesn't need to be reminded that "black hat" hacker actions may lead them into difficulties with the legal system, so if anyone is thinking of cracking systems against the owner's wishes, then don't do it. However, just knowing how to do something illegal isn't against the law, otherwise Agatha Christie would have been jailed for multiple homicide, so if you need to understand how crackers operate when they crack into systems, read on.



Penetrating Security

There are several ways to penetrate system security, and a good cracker would know as many of them as possible. Remote hosts with half decent security should be able to block 90% of this stuff, but the real trick of gaining access is that crackers are persistent. Crackers know that any long term attack is going to show up in the logs and alert any sensible systems administrator that something is up, so they will spread their attacks across a number of different originating remote sites and across time, so that they minimise any changes of detection.

Password Attacks

One of the oldest ways to gain access is to get access to the password file and use a tool like CRACK to get the plaintext passwords. It used to be that a cracker could lift the password file from the majority of boxes on the Internet by using Trivial File Transfer Protocol, but everyone turns it off these days. If the target is running Sun's Network Information Service (NIS), then the cracker can get hold of a tool like YPX and try guessing the NIS domain. Get it right and they'll get the password file for the whole domain. Password attacks on "shadowed" password files are harder, as they need to get an un-shadowing tool from the net, but the cracker really needs to be inside already to run it. The old trick of writing an attack program which repeatedly try userid password combinations on the login prompt is also dead, most systems now disconnect after three failed attempts, and log repeated failed login attempts. However, it should be pointed out that the majority of password schemes used on websites *do not* disconnect after every failed attempt, so this technique hasn't lost all its uses. For this reason systems administrators are highly recommended to check the systems logs whenever possible, and also try and ensure that web developers write code to log failed log attempts on their web services.

System "Backdoors".

System "backdoors" were discussed in more detail in Chapter 7: "Hacking the Web", so there is very little to be said about them here. Suffice it to say that a cracker's understanding of IP network protocols, odd switches on user and system commands and knowledge of underlying design features in the target operating system greatly increase their chances of gaining access. System backdoors can be found in a variety of ways, crackers often read the average security book and see what it recommends is done to *secure* a site, then they work out *why* this is necessary. For example, if they learn that the "r" commands should be disabled, and that "rdist" should be removed, the cracker will immediately try to find out as much as possible about how these commands work, reading RFCS, man pages, books on writing TCP/IP code and anything else they can get their hands on.

Ultra-Hacker Stuff

One of the ways of breaking system security is to use a deep knowledge of the fundamental way that networks and systems work such that the cracker can access the internals of a computer using normal tools. A very good hacker once commented to me that "the boundaries between being logged in and not being logged in were blurred" because "he didn't need a password to gain access to remote systems". What he meant by this was the deep hacker magic that allows remote users to penetrate system security and spawn shells, even beyond firewalls, and that allowed the hacker to enter commands to the computer as though he had logged in using the normal Access Control procedures. Here are a few examples of "ultra-hacker" activity, but it is impossible to define this sort of thing because something new comes up all the time.


  • Any technique that uses knowledge of TCP/IP to launch Denial of Service (DoS) attacks against hosts in concert with IP spoofing or other penetration technique. An example of this would be the use of SYN/ACK DoS attacks against a "trusted" host, followed by IP spoofing using TCP number prediction to gain a one-way connection to the target host. I would also include attacks launched via LANs that manipulate the ARP table, or any attack that manipulates any other routing protocol to spoof host identity, or uses DoS attacks against nameservers to subvert the normal trust relationships and allow IP spoofing to occur.
  • Any techniques which use system backdoors or buffer overflow attacks to bind a shell to a higher port or install code that allows commands to be "tunneled" through a firewall using source routed packets or ICMP commands.
  • Any "buffer overflow" attack which the hacker has discovered and coded the exploit for themselves. A buffer or stack overflow attack is one in which the original programmer has failed to check that input is not going to overflow the allocated space. If they fail to check the input, then it is possible to append arbitrary code at the overflow and get the program to execute it. The only buffer overflow exploits I have any respect for are when they have been discovered and coded by the cracker, not just downloaded off the web, compiled and run by some script kiddy who doesn't understand it. Learning how to code buffer overflows isn't hard *if* if the cracker understands ASSEMBLER and low-level compiler internals and *if* they work hard at it.
  • Any low level spoofing attack that uses knowledge of low level protocols such as ARP. Any low level attack that uses knowledge of TCP/IP internals i.e. ICMP_REDIRECTS. Any higher level attack that subverts the targets view of the Internet by e.g. subverting the normal DNS name service.

Getting Privileges

So the cracker is in, what next? Unless they are just going to sit around reading dumb user's email or using the normal user facilities, then they will need to get some form of system privileges to make it all worth while. If they don't care about getting caught, they might not bother with this stuff, but most crackers want to be able to cover their tracks when the time comes to get out. A systems administrator must be aware of how the cracker mind works, and why they are so keen to get root, admin or supervisor status depending on the system they are hacking.

There are several good reasons why they might want to get admin privileges, and they mostly depend on why the remote host is a target in the first place. A cracker would always know *why* they are picking on the remote target prior to starting, and that determines *why* they are trying to get system privileges. Here's a few good reasons why a cracker might want to get privved up. This is not an exhaustive list, just a few that spring to mind, and the cracker's imagination is the only limit to the possible reasons to hack system privs.


  • To install Internet services that run on a low, privileged port.
  • To install bogus users to make getting back in easier.
  • To place one or more ethernet interfaces into promiscuous mode.
  • To be able to hide their presence on the system by manipulating system tables.
  • To make any adjustments to the system that only privileged users can do. This could be installing any software needed for personal use, right through to re-compiling the kernel with new options included.
  • To be able to edit the computer logs prior to exit and cover their break-in (see below).

There are numerous ways of getting system privileges, depending on the system that the cracker is using, and they normally fall into one or more of these categories. In many systems there are a hierarchy of system privileges with the lowly user at the bottom and the systems administrator at the top, but in between there can be other privilege levels that are also worth investigating as they can form a ladder to the top of the tree.
  • Crashing or killing processes that run with privileges that leave temporary or coredump files e.g. internal sendmail and internal ftp exploits.
  • Internal subversion of the access control system using system tools that have been poorly written with regards to system security e.g. using "rdist" to create SUID shells.
  • Internal subversion of the file access control system using knowledge of the internal representation of the file system to write low-level access programs to read files otherwise protected by the operating system.
  • Using a Trojan, sniffer or password attack to gain the system administrator's password.
  • Any form of social engineering that lead to system privileges.
  • Abusing trust relationships between two hosts to move from host C to host B by apparently being a privileged user on host A who has similar rights on host B.
  • Abusing "group" permissions with respect to file ownership in order to access or change files or programs.
  • Where systems have Dynamic Load or Link Libraries to keep down the size of binary files, the internal loading process of the library can be spoofed by path redirection to force the program to run the cracker's version of the library routines instead of the system routines.

Once they have the necessary system privileges they can then take control of the computer and do whatever they need to do. Needless to say most crackers would never destroy data on a cracked computer, as it gets all hackers a bad name. The only people who disagree with this are some "ethical" crackers, who on discovering a "kiddy porn" site, do their best to destroy it. This is not just for the obvious moral reasons, but also because some people think that "kiddy porn" should be obliterated from the Internet before it forces governments to introduce controls and censorship to kill the freedom of the Internet once and for all.

Exploiting Trust Relationships

Because the Internet was designed with cooperative computing in mind, many of the early TCP/IP tools were a security nightmare. Many of these tools have been designed to allow remote access and remote execution of program code they are ideal attack points for any cracker who is inside the network already. If a trust relationship exists between host A and host B then a cracker on host C posing as host A can gain access to services on host B. Here are some of the more common system services that open up systems to crackers willing to exploit insecurities inherent in trust relationships.


  • Network Filing Systems

One of the commonest services offered on any LAN is Network Filing Service which allow access to files stored remotely on a server as though those files were available locally. Network Filing Services work by mapping a network connection containing "file handles" to the actual physical filing system on the server. When a user needs a file on the server, their computer makes a connection to the program providing network filing services via the LAN, the server then calls operating system routines to provide access to the local file which it then sends back to the client via another connection.

Because network filing systems do disk access on the server, they are often written to run in a privileged mode, so any subversion of the network filing system protocol can lead to access to files or even programs on the server. Vulnerabilities exist in most network filing systems, and by using a packet sniffer it is possible to determine file handles of data being read from a server and then re-use those file handles to spoof access. Some network filing systems suffer from buffer overflows in command handling, just like other services, and these can be exploited to run remote code on the target. Not all implementations of the same network filing system services are alike, and a good understanding of how the remote hosts calls the server to provide file access can be used to manipulate the filing system on the server if the remote service supports undocumented or low-level filing routines.
  • Remote Printing & Spooling Services

The second commonest service provided by servers in a client-server environment are remote printing and spooling services which allow users at remote hosts to direct printing to a centralized spooling system, and redirect output to remote printers. Once again these printing services tend to run in privileged mode on the server, and call operating system routines to manipulate and redirect print jobs in the print queue.

Remote printing and spooling services are open to the same sorts of attack as remote filing services, and several buffer overflows have been found in these services. In addition, a new spin on things has come about due to printers coming with their own ethernet card enabling them to be assigned an IP address and connected to the LAN, opening up a whole new world of possible spoofing activities using the remote printers IP address.


  • Remote Procedure Calls (RPC)

Many computer systems designed for networking, such as UNIX, provide a mechanism for users on remote hosts to execute commands on a server. These Remote Procedure Calls (RPC) can be abused if the correct precautions are not taken by the systems administrator. We have already seen network filing services and remote printing services, and these services are often offered as an RPC service on the remote server. These are not the only services offered via RPC however, and a cracker will often ascertain which services are also running using the "rpcinfo" command.


redhat6% rpcinfo  -p slack
program vers proto   port
100000    2   tcp    111  portmapper
100000    2   udp    111  portmapper
100005    1   udp    674  mountd
100005    1   tcp    676  mountd
100003    2   udp   2049  nfs
100003    2   tcp   2049  nfs

Table 12.1: Using rpcinfo to see what RPC services are offered


Many software vendors use RPC to code remote routines on the server because the server overhead is lower than using conventional TCP/IP services, making server response time quicker. Crackers will investigate any unusual services which they find running on a remote host and learn about what they do and how they are meant to control access. Finding that the target runs PC/NFS, a service that allows client PCs to use network file system, means that the cracker can exploit the differences between PC and UNIX file systems to do things that wouldn't be normally possible. Likewise, any service that provides RPC access to a relational database is a likely candidate for further exploration, as the RPC service providing the interface will almost certainly be running in a privileged mode in order to allow queries, updates and deletion of the records in the database.

Password Databases.

Because of the problem of getting users to remember many different passwords, there have been several attempts at creating "single sign on" systems where one password is needed for many machines on a LAN. While this makes life easier for users, and cuts down the amount of "forgotten password" requests to systems administrators, any centralization of password databases means that a password attack can compromise an entire LAN.

Once example of a password database system is Sun Microsystems "Network Information Service" (NIS), which centralizes service of passwords via NIS servers. When a password request comes over from the local host, instead of looking it up in the password file, the host queries the NIS server for the password instead. To cope with large networks NIS partitions areas into NIS "domains", and has servers for each of these domains. However, due to the way that NIS works, anyone with the valid NIS domain name can request NIS database files, including the password file, and have them sent to the remote computer, even though the remote computer is not in the NIS domain. Tools such as YPX and YPSNARF demonstrate this vulnerability by allowing crackers to guess the domain name and retrieve any of the files in the NIS database. A NIS passwords file for a large LAN with many hosts and users can contain upwards of 10,000 password entries, and a short run with the cracker's favourite password cracker will soon crack many of these.

Commands for Remote Access

Apart from RPC mentioned above, there is another class of programs designed to facilitate remote access called the "r" commands, because they all start with "r" to designate remote access versions of common system commands. These commands are designed to allow users working on one host to access another host which they also have a valid userid for, but because of the way that access is granted or denied, the use of "r" commands in a LAN seriously compromises security.


Command Description
rlogin Remote login to hosts.
Rcp Remote copy files from host to host.
Rsh Remote shell passes commands to host for execution.
rdist Remote distribution of files to other hosts.
rwho Remote "who" - get info on logged in users.
rusers Find information about who is logged in across network.
rwall Write message to all remote users.

Table 12.2: List of some "r" commands


The access control procedures for "r" commands follows a simple pattern, when the user on the local host A executes an "r" command on remote host B, the remote server then determines whether (a) the host that the command is coming from is the main "trusted hosts" list e.g. /etc/hosts.equiv, and then (b) consults the home directory for the given userid to see if a file called ".rhosts" exists and contains trust information for the remote host. Finally, if both of these fail, the server will ask for a password in the normal way. The problem with the "r" commands is that any user can compromise security by enabling a host as "trusted" by placing an .rhosts file into their home directory. Worse still, if a cracker gets through the system and creates an .rhosts file at the top of the directory tree containing "+ +", it will allow any host access as root, without asking for a password. It is for this reason that many sites remove "r" commands completely, and sweep the file system daily for unwanted .rhosts files which could act as backdoors into the system.



Covering Tracks

Once a cracker has got inside a remote system they will need to try and hide themselves from systems administrators while inside, and remove all traces of their entry when they leave. This is yet another reason why a cracker needs to know why they are cracking the target before starting, and to do some basic homework to find out how they could be tracked on the target system, and where this information is stored.

If they are cracking a common system, such as a Solaris or LINUX variant, then there are pre-packaged toolsets, called "rootkits", which contain virtually everything a cracker could need. A rootkit will contain software to be compiled on the target system that will perform many of the routine tasks needed to cover a cracker's tracks.

An experienced cracker knows that using a rootkit without understanding how it works, and without ensuring that there aren't other logs on the system will inevitably lead to detection. Like everything else, the tools are only as good as the cracker's brain behind them, so they need to make sure that they stay on top of the latest counter-intrusion packages and make sure that they know where the package running on the target stores the logfiles.

A typical rootkit will contain one or more of the following programs, or programs that perform similar functions, depending on the system being cracked. This rootkit is for a UNIX/LINUX based system, but similar packages have also been created for other systems. Once inside the system the idea is to compile or patch system binaries and "Trojan" them so they no longest work the way that the system administrator thinks that they work.


Program Purpose
Zap hides logins by removing entries in system logs
Fix fake checksum on file after being "modified"
Ifconfig "modified" to remove PROMISC flag
Ps "modified" to not show certain processes
Ls "modified" to not list certain files
du "modified" to incorrectly report disk usage
Netstat "modified" to not list certain connections
Login "modified" to accept backdoor password

Table 12.3: A "rootkit" contains useful software to hide a cracker


In addition to these a cracker might wish to add or use any of these other tools once they have gained control of the machine. Note that this is not an exhaustive list, as once a cracker gains control over the remote target they are in a position to store anything and everything there. However these are the most useful to have around if a cracker intends using the target to "crack on" through the network and on to other targets on the Internet. Systems administrators should be aware that these tools exist, and should sweep through any of their systems periodically searching for users who have these tools in their file space.

Program Purpose
CRACK etc. Password cracker and dictionary.
YPX etc. Exploits holes in NIS, get more passwords.
SNIFFERS Any ethernet sniffer that will run on the target.
PGP etc. Encrypt the files the cracker leaves on the target.
EXPLOITS All exploits that are needed for that target/network.
MISC TOOLS Tools to unshadow passwords, low level TCP/IP tools, port scanners etc.

Table 12.4: A handy DIY "cracker's" toolbox needs many tools

If people spend a lot of time cracking, they will soon build up an armory of preferred tools and techniques, but these tools and techniques build a profile a of the cracker, just as much as a criminal leaves a trail through his "modus operandi" (MO). A cracker's MO can fingerprint them as surely as criminal forensics can pinpoint murderers. If a cracker sticks to the same routines, always uses the same tools, and concentrate on operating systems they prefer, then they will eventually be traced and caught, no matter how hard they hide their tracks. Crackers who evade detection longest act like chameleons, changing techniques and recombining tools to find new combinations and methods of system penetration.



Not Getting Caught

When people decide to go cracking then there is a good chance that they will get caught eventually, but that can be forestalled if they take a few precautions. The cracking scene has a level of paranoia and mistrust that few other hackers can match, as crackers have everything to lose and nothing to gain by exposure. Here is a list of common tips given by crackers to avoid getting caught, although I wouldn't put very much reliance on them. The only way not to get caught is not to start cracking in the first place, and when crackers get caught, the rest of the hackers lose out because we all get tarred with the same brush.

Despite these tips being aimed at crackers, legal white hat hackers who wish to remain anonymous to prevent themselves becoming a target for black hats might find many of these tips useful also. White hat hackers can become a target for black hat hackers who see them as "sell outs", so even a white hat hacker needs to be careful when using the Internet.

  • Trust no-one, share information anonymously.
  • Never go on IRC with a realname or real nickname.
  • Never connect to IRC using your normal IP address.
  • Chain together anonymous proxies to hide yourself.
  • Use Secure Shell to telnet to shell accounts.
  • Never tell anyone a real name, address or phone number.
  • Never hack or scan exchanges from a home phone.
  • Never hack or port scan from a legitimate ISP.
  • Never use a hacked ISP account from home.
  • Encrypt everything incriminating on a harddrive.
  • Beware of "hacker wargames", not all of them are what they seem.
  • Never use the same passwords for hacked and legitimate accounts.
  • Never use hack/phreak BBSs with a real name or handle.
  • Trust no-one, even those good ol' hackers at 2600 meetings.

Table 12.5: System crackers try and be careful not to expose themselves.


Of course, even using these guidelines can never guarantee that crackers won't get caught, but if they start from the very beginning by being very careful, they often last long enough to become a skilled and experienced cracker, which is only one step away from being a highly paid security consultant. Of course most crackers are "script kiddies", the Internet version of phone box vandals or graffiti artists, and they soon lose interest or get caught. But a few crackers are highly skilled computer enthusiasts who just happen to specialise in breaking system security, and if they survive long enough they soon become productive members of the computing fraternity and make their own contributions to the vast global system that is the Internet.



Conclusion

This chapter has looked at the illegal "art" of cracking system security, exploring some of the ways in which black hat hackers frequently break system security on the Internet. Systems administrators should be aware of these techniques, both as a form of prevention by monitoring system activity logs for these types of actions, and also as a prophylactic by enabling systems administrators to crack their own systems before the crackers get there first. Anyone who wishes to find out more information about system security and preventing computer breakins should consult chapter 14 "Maximising Security".

Prev 01 02 03 04 05 06 07 08 09 10 11 12 13 14 Next
Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 License.