
Network system security, part 38




Document information

Pages: 11
Size: 711.69 KB

Contents

Chapter 13: Hacker Techniques

HISTORICAL HACKING TECHNIQUES

This section is going to take a different perspective than most when we talk about the history of hacking. The cases of the past have been well publicized and there are many resources that describe such cases and the individuals involved. Instead, this section will approach the history of hacking by discussing the evolution of techniques used by hackers. As you will be able to see, many cases of successful hacking could be avoided by proper system configuration and programming techniques.

Open Sharing

When the Internet was originally created, the intent was the open sharing of information and collaboration between research institutions. Therefore, most systems were configured to share information. In the case of Unix systems, the Network File System (NFS) was used. NFS allows one computer to mount the drives of another computer across a network. This can be done across the Internet just as it can be done across a Local Area Network (LAN).

File sharing via NFS was used by some of the first hackers to gain access to information. They simply mounted the remote drive and read the information. NFS uses user ID numbers (UIDs) to mediate access to the information on the drive. So if a file were limited to user JOE, UID 104, on its home machine, user ALICE, UID 104, on a remote machine would be able to read the file. This became more interesting when some systems were found to allow the sharing of the root file system (including all the configuration and password files). In this case, if a hacker could become root on a system and mount a remote root file system, he could change the configuration files of that remote system (see Figure 13-2). Open file sharing might be considered a serious configuration mistake instead of a vulnerability.
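A small audit of the two trust mechanisms this section covers: an NFS export list that exposes the root file system to the world, and the hosts.equiv/.rhosts trust files with the trailing "+" entry that the text discusses next. This is an added example, not code from the book; the file contents are constructed, and it assumes the Linux /etc/exports syntax ("/path client(options)") and the classic "host [user]" syntax of the trust files.

```python
"""Audit NFS exports and rlogin trust files for the misconfigurations
described in this section. Added example; sample file contents are constructed."""
import re

# Constructed /etc/exports: the first line is the "root file system exportable
# to the world read/write" default the text warns about.
SAMPLE_EXPORTS = """\
/          *(rw,no_root_squash)
/home      lab1.example.test(rw,sync)
/pub       *(ro)
"""

# Constructed hosts.equiv: the bare "+" trusts every host to vouch for a user.
SAMPLE_HOSTS_EQUIV = """\
lab1.example.test
lab2.example.test  joe
+
"""

# Matches either "client(opt,opt)" or a bare "client" token.
_CLIENT_RE = re.compile(r"(\S*?)\(([^)]*)\)|(\S+)")


def audit_exports(text):
    """Return (path, client, reason) findings for risky export entries."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for m in _CLIENT_RE.finditer(rest):
            if m.group(2) is not None:          # "client(options)" form
                clients.append((m.group(1) or "*", set(m.group(2).split(","))))
            else:                               # bare host, default options
                clients.append((m.group(3), set()))
        if not clients:                         # no client list: everyone
            clients = [("*", set())]
        for client, opts in clients:
            world = client == "*"
            if path == "/":
                findings.append((path, client, "root file system is exported"))
            if world and "rw" in opts:
                findings.append((path, client, "world read/write"))
            elif world:
                findings.append((path, client, "world readable"))
            if "no_root_squash" in opts:
                findings.append((path, client, "remote root keeps root UID"))
    return findings


def audit_trust_file(text):
    """Return (host, user) entries of hosts.equiv/.rhosts that trust any host."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields and fields[0] == "+":
            findings.append((fields[0], fields[1] if len(fields) > 1 else None))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("exports:", *finding)
    for finding in audit_trust_file(SAMPLE_HOSTS_EQUIV):
        print("hosts.equiv trusts any host:", finding)
```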
This is especially true when you find out that many operating systems (including Sun OS) shipped with the root file system exportable to the world read/write (this means that anyone on any computer system that could reach the Sun system could mount the root file system and make any changes they wished to make). If the default configuration on these systems was not changed, anyone could mount the system’s root file system and change whatever they wanted to change.

Unix systems are not the only systems to have file-sharing vulnerabilities. Windows NT, 95, and 98 also have these issues. Any of these operating systems can be configured to allow the remote mounting of their file systems. If a user determines the need to share files, it is very easy to mistakenly open the entire file system up to the world.

In the same category as open sharing and bad configurations, we also have trusted remote access (in effect, we are sharing access among systems). The use of rlogin (remote login without a password) used to be common among system administrators and users. Rlogin allows users to access multiple systems without re-entering their password. The .rhosts and hosts.equiv files control who can access a system without entering a password. If the files are used properly (one could argue that the use of rlogin is not proper at all), the .rhosts and hosts.equiv files specify the systems from which a user may rlogin without a password. Unfortunately, Unix allows a plus sign (+) to be placed at the end of the file. This plus sign signifies that any system will be trusted to vouch for the user and thus the user is not required to re-enter a password no matter which system the user is coming from. Obviously, hackers love to find this configuration error. All they need to do is identify one user or administrator account on the system and they are in.

Bad Passwords

Perhaps the most common method used by hackers to get into systems is through weak passwords.
Passwords are still the most common form of authentication in use. Since passwords are the default authentication method on most systems, using them does not incur additional cost. An additional benefit of using passwords is that users understand how to use them. Unfortunately, many users do not understand how to choose strong passwords. This leaves us with the situation that many passwords are short (less than four characters) or easy to guess.

Short passwords allow a hacker to brute-force the password. In other words, the hacker keeps guessing at passwords until a successful guess is made. If the password is only two characters long, there are only 676 combinations (if just letters are used). You can compare that to 208 million combinations (if just letters are used) for an eight-character password. While both can be guessed if all the combinations are tried, it is much easier to guess a two-character password than an eight-character password.

Network Security: A Beginner’s Guide

Figure 13-2. Use of NFS to access remote system files

The other type of weak password is one that is easy to guess. For instance, making the root password “toor” (“root” spelled backwards) allows a hacker to gain access to the system very quickly. Some password issues also fall into the bad configuration category. For instance, on older Digital Equipment Corporation VAX VMS systems the field service account was named “field” and the password was “field.” If the system administrator did not know enough to change this password, anyone could gain access to the system by using this account. Other common password choices that make weak passwords are: wizard, NCC1701, gandalf, and drwho.

A good example of how weak passwords can be used to compromise systems is provided by the Morris Worm. In 1988, a Cornell University student by the name of Robert Morris released a program onto the Internet.
This program used several vulnerabilities to gain access to computer systems and replicate itself. One of the vulnerabilities it used was weak passwords. Along with using a short list of common passwords to guess, the program also tried a null password, the account name, the account name concatenated with itself, the user’s first name, the user’s last name, and the account name reversed. This worm compromised enough systems to effectively bring down the Internet.

Unwise Programming

Hackers have taken advantage of unwise programming many times. Unwise programming includes such things as leaving a back door in a program for later access to the system. Early versions of Sendmail had such back doors. The most common was the WIZ command. If a connection was made to the Sendmail program (by telneting to port 25) and the command WIZ was entered, Sendmail would provide a root shell into the system. This feature was originally included in Sendmail for use while debugging the program. For that purpose, it was a great tool. However, such features left in programs released to the public provide hackers with instant access to systems that use the program. There are many examples of such back doors in programs. Hackers have identified most of the known back doors and, in turn, programmers have fixed them. Unfortunately, some of these back doors still exist because the software in question has not been updated on systems where it is running.

More recently, the boom in Web site programming has created a new category of unwise programming. This new category has to do with online shopping. In some Web sites, information on what you are buying is kept in the URL string itself. This information can include the item number, the quantity, and even the price. The information in the URL is used by the Web site when you check out to determine how much your credit card should be charged.
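A checkout routine of the kind just described, which bills whatever item, quantity and price the URL carries, beside a corrected routine that ignores the client-supplied price, looks it up on the server and validates the quantity. This is an added example, not code from the book; the catalogue, prices and URLs are constructed.

```python
"""Price-in-the-URL checkout: the flawed pattern and its server-side fix.
Added example; catalogue and URLs are constructed."""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlparse

# Constructed server-side catalogue: the only trustworthy source of prices.
CATALOGUE = {"1001": Decimal("49.95"), "1002": Decimal("5.00")}
MAX_QTY = 100  # constructed per-order limit


def _params(url):
    """Flatten the query string to {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def charge_trusting_url(url):
    """The flawed pattern: whatever price and quantity the URL carries is billed,
    so a negative price in the query string becomes a credit."""
    p = _params(url)
    return Decimal(p["price"]) * int(p["qty"])


def charge_server_side(url, catalogue=CATALOGUE):
    """Hardened: the price comes from the catalogue, never from the client, and
    the item and quantity are validated before anything is computed."""
    p = _params(url)
    item = p.get("item")
    if item not in catalogue:
        raise ValueError("unknown item %r" % item)
    try:
        qty = int(p.get("qty", "1"))
    except (ValueError, InvalidOperation):
        raise ValueError("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity %d out of range" % qty)
    return catalogue[item] * qty


def server_side_rejects(url):
    """True if the hardened routine refuses the order (used for the checks below)."""
    try:
        charge_server_side(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed tampered URL: the price parameter has been edited to a credit.
    tampered = "https://shop.example.test/checkout?item=1001&qty=1&price=-49.95"
    print("trusting URL :", charge_trusting_url(tampered))   # -49.95
    print("server side  :", charge_server_side(tampered))    # 49.95
```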
It turns out that many of these sites do not verify the information (such as the price of the item) when the item is ordered. The site just takes what is in the URL as the correct price. If a hacker chooses to modify the URL before checking out, he may be able to get the item for nothing. In fact, there are cases in which the hacker set the price to a negative number and was able to get the Web site to provide a credit to the credit card instead of being charged for the item. Clearly it is not wise to leave this type of information in a location (such as the URL string) that can be modified by the customer and then not check the information on the back end. While this particular vulnerability does not allow a hacker to gain access to the system, it does pose a big risk to the site.

Social Engineering

Strictly speaking, social engineering is the use of non-technical means to gain unauthorized access to information or systems. Instead of using vulnerabilities and exploit scripts, the hacker uses human nature. The most powerful weapons for a hacker wishing to perform social engineering are a kind voice and the ability to lie. The hacker may use the telephone to call an employee of a company, act as a representative of technical support, and request a password to “fix a small problem on the employee’s system.” In many cases, the hacker will hang up the phone with the employee’s password. In some cases, the hacker will pretend to be the employee and call technical support to see what information can be acquired. If the hacker knew the name of the employee, he might say that he’d forgotten his password in an attempt to have technical support tell him the password or have it changed to a password of the hacker’s choice. Given that most technical support organizations are trained to be helpful, it is likely that the hacker will gain access to at least one account using this technique.
These are examples of a hacker attempting to gain information and access to a system using a single phone call. In other cases, the hacker will use a string of phone calls to learn about a target and then gain information or access. For instance, the hacker might start by learning the names of executives by checking the company’s Web site. The hacker might then use the name of an executive to learn how to get in touch with technical support from another employee. This new employee’s name could be used to call technical support and gain information about account names and access-granting procedures. Another call might identify how remote access is granted and what system is used. Finally, the hacker might use the name of a real employee and the name of the executive to create a story about an important meeting at a client site where the employee in question cannot get into his account via remote access. A helpful technical support person confronted with someone who seems to know what is going on and who is using the name of an executive with the company is more than likely to provide the required access and not think twice about it.

Other forms of social engineering include the examination of a company’s trash and recycling (dumpster diving), the use of public information (such as Web sites, SEC filings, and advertising), outright theft, or impersonation. The theft of a laptop or a set of tools can be useful to a hacker who wishes to learn more about a company. Tools can make good props for impersonating service people or employees of the company.

Social engineering provides the potential for the most complete penetration of a target, but it does take time and talent. Generally, it is only used by hackers who are targeting a specific organization.

Buffer Overflows

Buffer overflows were the last technical vulnerability to be exploited by hackers (see the next section for more detail on how buffer overflows work).
The reason for that is simple: they are harder to find than bad passwords or major configuration mistakes. Buffer overflows require quite a bit of expertise to find and exploit. Unfortunately, the individuals who find them seem to publish their findings. The published findings usually include an exploit script or program that anyone with a computer can run.

Buffer overflows are especially nasty simply because they tend to allow hackers to run any command they wish on the target system. Most buffer overflow scripts allow hackers to create another means of accessing the target system. Recently, the method of entry was to use a buffer overflow to add a line to the inetd.conf file (on a Unix system this file controls the services that inetd provides, such as telnet and ftp) that added a new service on port 1524 (ingreslock). This service would allow an intruder access to a root shell.

It should be noted that buffer overflows are not restricted to accessing remote systems. There are several buffer overflows that allow users on a system to upgrade their access level. The local vulnerabilities are just as dangerous (if not more so) than the remote vulnerabilities.

What Is a Buffer Overflow?

So what is a buffer overflow? A buffer overflow is very simply an attempt to stuff too much information into a space in a computer’s memory. For instance, if I create a variable that is eight characters long and I try to stuff nine bytes into it, what happens to the ninth byte? The answer is that it is placed in memory immediately following the eighth byte. If I try to stuff a lot of extra data into that variable, eventually I will run into some memory that is important to the operation of the system. In the case of buffer overflows, the part of memory that I am interested in is called the stack and in particular, the return address of the function to be executed next.
The stack controls switching between programs and tells the computer what code to execute when one part of a program (or function) has completed its task. The stack also stores variables that are local to a function. When a buffer overflow is exploited, the hacker places instructions in a local variable that is then stored on the stack. The information placed in the local variable is large enough to place an instruction on the stack and overwrite the return address to point at this new instruction (see Figure 13-3). These instructions may cause a shell program to run (providing interactive access), or they may cause another application to start, or they may change a configuration file (such as inetd.conf) and allow the hacker to gain access via the new configuration.

Why Do Buffer Overflows Exist?

Buffer overflows come up very often as the flaw in an application that copies user data into another variable without checking the amount of data being copied. More and more programs seem to suffer from this type of problem. Yet the problem seems to be fixable rather quickly (once it is identified and brought to the vendor’s attention). If buffer overflows are so easy to fix, why are they there in the first place? If the programmer checked the size of the user data before placing it in the predefined variable, the buffer overflow could be prevented.

NOTE: It should be noted that many of the common string copying functions in the C programming language do not perform size checking either. Functions such as strcat(), strcpy(), sprintf(), vsprintf(), scanf(), and gets() are commonly used functions that do not check sizes prior to copying the data.

Buffer overflows can be found by examining the source code for a program. While this sounds pretty simple, it can be a long and arduous process.
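To make the "ninth byte" explanation concrete, the following simulates the stack frame of Figure 13-3 as a byte array: an eight-byte local buffer with the saved return address stored immediately after it, written once by an unchecked strcpy()-style copy and once by the size-checked copy the text asks for. This is an added example, not code from the book; the frame layout (4-byte little-endian return address) and the sample return address are constructed.

```python
"""Simulated stack frame: 8-byte local buffer followed by the saved return
address, showing why an unchecked copy overwrites the return address.
Added example; layout and addresses are constructed."""
import struct

BUF_SIZE = 8          # the "eight characters long" variable from the text
RET_SIZE = 4          # constructed: 32-bit little-endian return address
ORIGINAL_RET = 0x08048400   # constructed address of the legitimate caller


def make_frame(return_addr=ORIGINAL_RET):
    """Zeroed local buffer with the saved return address right after it."""
    return bytearray(BUF_SIZE) + bytearray(struct.pack("<I", return_addr))


def saved_return(frame):
    """Read back the return address stored after the buffer."""
    return struct.unpack("<I", bytes(frame[BUF_SIZE:BUF_SIZE + RET_SIZE]))[0]


def unchecked_copy(frame, data):
    """The strcpy()-style flaw: copies as much data as arrives, starting at the
    buffer, so byte nine onward lands on the return address. (Bytes past the
    end of this frame would clobber the caller's frame in a real program.)"""
    n = min(len(data), len(frame))
    frame[:n] = data[:n]
    return frame


def checked_copy(frame, data):
    """The fix the text describes: check the size before copying."""
    if len(data) > BUF_SIZE:
        raise ValueError("%d bytes do not fit in a %d-byte buffer" % (len(data), BUF_SIZE))
    frame[:len(data)] = data
    return frame


def return_after_unchecked_copy(data):
    """Return address left in the frame after an unchecked copy of `data`."""
    return saved_return(unchecked_copy(make_frame(), data))


def checked_copy_rejects(data):
    """True if the size-checked copy refuses `data`."""
    try:
        checked_copy(make_frame(), data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for payload in (b"A" * 8, b"A" * 9, b"A" * 8 + b"\x41\x41\x41\x41"):
        print(len(payload), "bytes -> return address 0x%08x, checked copy rejects: %s"
              % (return_after_unchecked_copy(payload), checked_copy_rejects(payload)))
```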
It is much easier to fix the buffer overflows while the program is being written than to go back and find them later.

Denial of Service

Denial-of-service (DoS) attacks are simply malicious acts to deny access to a system, network, application, or information to a legitimate user. DoS attacks can take many forms and can be launched from single systems or from multiple systems. As a class of attacks, DoS attacks cannot be completely prevented nor can they be completely stopped without the identification of the source system (or systems). DoS attacks do not only exist in the cyber world. A pair of wire cutters makes for an easy-to-use DoS tool—just walk over to the LAN wire and cut it. For this discussion, we will ignore the physical DoS attacks and concentrate on the system- or network-oriented attacks. You should be aware, however, that physical DoS attacks do exist and can be as devastating, if not more so, than cyber DoS attacks.

Figure 13-3. How a buffer overflow works

Another point to make about most DoS attacks: since the attacker is not trying to gain access to the target system, most DoS attacks originate from spoofed (or fake) addresses. The IP protocol has a failing in its addressing scheme—it does not verify the source address when the packet is created. Therefore, it is possible for a hacker to modify the source address of the packet to hide his location. Most of the DoS attacks described next do not require any traffic to return to the hacker’s home system to be effective.

Single-Source Denial-of-Service Attacks

The first types of DoS attacks were single-source attacks, meaning that a single system was used to attack another system and cause something on that system to fail. Perhaps the most widely known DoS attack is called the Syn flood (see Figure 13-4).

Figure 13-4. Syn flood DoS attack

In this attack, the source system sends a large number of TCP SYN packets to the target system. The SYN packets are used to begin a new TCP connection. When the target receives a SYN packet, it replies with a TCP SYN ACK packet, which acknowledges the SYN packet and sends connection setup information back to the source of the SYN. The target also places the new connection information into a pending connection buffer. For a real TCP connection, the source would send a final TCP ACK packet when it receives the SYN ACK. However, for this attack, the source ignores the SYN ACK and continues to send SYN packets. Eventually, the target’s pending connection buffer fills up and it can no longer respond to new connection requests.

Obviously, if the Syn flood comes from a legitimate IP address, it is relatively easy to identify the source and stop the attack. But what if the source address were a non-routable address such as 192.168.x.x? It becomes much more difficult if the source addresses are spoofed in this manner. If the Syn flood is done properly, there is no defense and it is almost impossible to identify the source of the attack.

Several solutions have been proposed to protect systems from a Syn attack. The easiest is to put a timer on all pending connections and have them expire after some amount of time. However, if the attack is done properly, the timer would have to be set so low as to make the system almost unusable. Several network devices have the capability to identify Syn floods and block them. These systems are prone to false positives as they look for some number of pending connections in a given period of time. If the attack is conducted from multiple source addresses, it becomes difficult to accurately identify the attack.

Since the Syn flood attack, other attacks have been identified that are just as serious although easier to prevent.
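The pending connection buffer, the expiry timer and the pending-connection threshold described above, replayed over a constructed handshake trace: one legitimate client completes its handshake, then thirty SYNs from spoofed 192.168.x.x addresses are never acknowledged. This is an added example, not code from the book; the trace and its line format ("<seconds> <SYN|ACK> <source> <port>") are assumed.

```python
"""Replay a handshake trace into a pending-connection table and apply the two
Syn flood defenses the text mentions. Added example; trace is constructed."""
from collections import Counter

# Constructed trace, sorted by time: a real client at 198.51.100.7 completes
# its handshake; 192.168.9.1 .. 192.168.9.30 send one SYN each and never ACK.
TRACE = ["0.0 SYN 198.51.100.7 80", "0.1 ACK 198.51.100.7 80"]
TRACE += ["%.2f SYN 192.168.9.%d 80" % (1.0 + i / 100, i) for i in range(1, 31)]


def pending_table(lines, now, timeout):
    """Pending (half-open) connections as of `now`: a SYN adds an entry, the
    final ACK removes it, and the timer drops entries older than `timeout`."""
    pending = {}
    for line in lines:
        stamp, kind, src, port = line.split()
        t = float(stamp)
        if t > now:
            break
        key = (src, int(port))
        if kind == "SYN":
            pending[key] = t
        elif kind == "ACK":
            pending.pop(key, None)
    return {k: t for k, t in pending.items() if now - t <= timeout}


def flood_verdict(pending, threshold):
    """Flag a Syn flood when the half-open count exceeds `threshold`. The
    per-source view shows why spoofed, spread-out sources defeat a rule that
    looks only at the busiest address."""
    per_source = Counter(src for src, _ in pending)
    busiest = per_source.most_common(1)[0] if per_source else None
    return {
        "half_open": len(pending),
        "flood": len(pending) > threshold,
        "distinct_sources": len(per_source),
        "busiest_source": busiest,
    }


if __name__ == "__main__":
    # Generous timer: the buffer fills with thirty half-open entries.
    print(flood_verdict(pending_table(TRACE, now=2.0, timeout=10.0), threshold=20))
    # Timer short enough to empty the buffer: it also expires honest clients
    # that take more than half a second to answer, the trade-off the text notes.
    print(flood_verdict(pending_table(TRACE, now=2.0, timeout=0.5), threshold=20))
```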
The Ping of Death attack caused a ping packet (ICMP Echo-Request) to be sent to a target system. Normally, a ping packet does not contain any data. The Ping of Death packet contained a large amount of data. When this data was read by the target, the target system would crash due to a buffer overflow in the protocol stack (the original programmers of the stack did not anticipate anyone sending a large amount of data in a ping packet and therefore did not check the amount of data they were putting into a small buffer). This problem was quickly patched after it was identified and few systems are vulnerable today.

The Ping of Death is representative of a number of DoS attacks. These attacks target a specific vulnerability in a system or application and cause the system or application to stop functioning when the attack is attempted. Such attacks are devastating initially and quickly become useless as systems are patched.

Distributed Denial-of-Service Attacks

Distributed DoS attacks (DDoS) are simply DoS attacks that originate from a large number of systems. DDoS attacks are usually controlled from a single master system and a single hacker. Such attacks can be as simple as a hacker sending a ping packet to the broadcast address of a large network while spoofing the source address to direct all responses at a target (see Figure 13-5). This particular attack is called a Smurf attack. If the intermediate network has a large number of systems, the number of response packets going to the target will be large and may cause the link to the target to become unusable due to volume.

DDoS attacks have gotten significantly more sophisticated since the Smurf attack. New attack tools such as Trinoo, Tribal Flood Network, and Stacheldraht allow a hacker to coordinate the efforts of many systems in a DoS attack against a single target. These tools have a three-tiered architecture. A hacker talks to a Master or Server process that has been placed on a compromised system.
The Master talks to Slave or Client processes that have been installed on other compromised systems. The Slave systems (sometimes also called Zombies) actually perform the attack against the target system (see Figure 13-6). The commands to the Master and between the Master and Slaves may be encrypted and may travel over UDP or ICMP, depending on the tool in use. The actual attack may be a flood of UDP packets, a TCP SYN flood, or ICMP traffic. Some of the tools randomize the source address of the attack packets, making them extremely hard to find.

Figure 13-5. How a Smurf attack works

The key issue with DDoS tools is the fact that so many systems can be coordinated in an attack against a single target. No matter how large a connection a site has to the Internet or how many systems are used to handle the traffic at the site, such attacks can overwhelm the site if enough Slave systems are used.

Figure 13-6. The architecture of DDoS attack tools

[...]

METHODS OF THE UNTARGETED HACKER

Untargeted hackers are individuals who are not looking for access to particular information or organizations but instead are looking for any system that they can compromise. The skill level of such individuals varies from completely unskilled to very skilled. The motivation

Posted: 02/07/2014, 20:20
