DOCUMENT INFORMATION
Basic information
Format:
Number of pages: 50
Size: 540,43 KB
Content:
118 Chapter 4 • Methodology www.syngress.com
95_hack_prod_04 7/13/00 10:29 AM Page 118

Obtaining/Creating a Duplicate Environment

It has been mentioned in this chapter, and will continue to be mentioned throughout this book, that you should try to replicate the environment you want to attack. Of course, that’s easier said than done. Even if you’re dealing with a free operating system that runs on commodity hardware, there will still usually be significant time and disruption involved in configuring your lab to match the target environment. Of course, if you find yourself trying to attack the features that are specific to, say, a Sun Ultra Enterprise E10000, you probably won’t be able to afford to replicate that unless you’re seriously funded. (Some of the configurations of an E10000 can run hundreds of thousands of dollars, or even over a million.) Not to mention the lead time it takes to buy and install one of those. Wouldn’t Sun be disappointed to learn that you just planned to return it when you were done?

For IT Professionals: Tools?

About now, you might be wondering whether these expensive tools are worth it. Should you invest in them? If you have to ask, the answer is probably no. I’m never one to turn away toys if my employer wants to drop them in my lap; however, I won’t insist on buying tools that I can’t or won’t use. Most of these tools are expensive because the market is small; it takes a fairly skilled person to use them effectively.

My advice is to do as much as you possibly can with the free or inexpensive tools before you even consider spending a lot of money on the “professional” tools. You may find that debugging/decompiling doesn’t suit you as a research method at all. You may find that the free stuff works just fine for you. Even if you do end up with one of the pro packages, you’ll have gathered enough experience to be able to pick the right one.

How to Secure Against These Methodologies

As we are discussing research methodologies, there really isn’t any form of protection against these types of attacks. All you can hope to do is make things as difficult as possible for the attacker, in an attempt to slow him down.

Limit Information Given Away

The main thing that an attacker is after when he is looking at a black or translucent box is leaked information. The less information you leak, the harder the attacker has to work (and perhaps make himself more conspicuous and easily spotted). For example, you want to work hard to make sure that failure conditions look the same as success conditions whenever possible. Of course, that won’t always be possible, because the error needs to be conveyed to a person. Consider the example of a server that accepts commands of some sort. If the attacker doesn’t have the level of privilege needed to execute a command, don’t tell him that. If he’s trying a command that doesn’t exist, don’t tell him that. A simple, uniform “error” will do in both cases, so that he cannot distinguish which situation he has run into.

Another tactic to use is to limit the rate at which information is leaked. For example, if you’re suspicious that you have an attacker, but are unable or unwilling to completely block him, consider limiting the rate at which his attempts can reach your host. If he’s trying to brute force guess a password, then keep responding slower and slower. Or, you could just favor security as a primary goal in your development process, so that you aren’t vulnerable in the first place.

Summary

In this chapter, we consider three models of target: a black box, a translucent box, and a crystal box. Each of these boxes represents an attack goal, and how much control over it we have, as well as how much information we have about it. The black box is the hardest to attack, and we make every effort to break it open.
Left with no choice, we try to make inferences by observing leaked information, and essentially apply a combination of brute force enumeration and intuitive guessing. The hacker community has much experience attacking translucent boxes, and there is much information out there on how to gain further advantage over such a problem. Essentially, it boils down to a reverse-engineering problem. By definition, we have some control over the translucent box, and are able to attack it at will, and in any way we like. Ultimately, the attacker has the machine code available to him. Should he be willing to spend the time and effort to decompile the target, all will be revealed to him.

A crystal box is attacked in a very different way. The attacker is no longer applying tools to break the box open. He has available to him everything he needs to see how this box works. All that remains is to spot flaws in the design.

Just as there aren’t any purely black or white hats, as mentioned in Chapter 1, “Politics,” there are no truly black or crystal boxes. Everything is translucent to some degree; it just mostly depends on your ability to perceive the workings.

Additional Resources

Documentation for gdb: ftp://ftp.gnu.org/pub/gnu/Manuals/gdb/html_chapter/gdb_toc.html

An extensive collection of information about Java reverse engineering: www.meurrens.org/ip-Links/Java/codeEngineering/decomp.html

Home page for the REC decompiler: www.backerstreet.com/rec/rec.htm

The Decompilation Page; an excellent resource for decompiling information. Includes links to lots of tools. www.it.uq.edu.au/csm/decompilation/home.html

FAQs

Q: Is decompiling and other reverse engineering legal?

A: It always has been, but recent legislation may change that, at least in the United States. The UCITA (Uniform Computer Information Transactions Act) recently passed into law in the United States has a provision that takes effect in October of 2000 that will make it illegal to reverse engineer security mechanisms or copy protection mechanisms. It would be a separate charge on top of violating the shrink-wrap license. Of course, that’s if it isn’t struck down as being unconstitutional. Unfortunately, if the law does stick here in the United States, other countries would likely follow.

Q: Do the same decompilation techniques apply to all languages?

A: No. Each language tends to do things slightly differently. They will call functions differently, handle libraries differently, and put variables in different order, etc., so the decompilers tend to be very language specific. So, if you find yourself trying to decompile something written in an obscure language (and assuming it doesn’t turn into C code as one of the compilation steps), then you may need to track down a special-purpose decompiler.

Q: If I decompile a program into assembly, make a slight change, and then run it through an assembler, will it work?

A: Unfortunately, probably not. The decompilers aren’t perfect. They tend to produce code that doesn’t reassemble properly, even before you make changes. Unless the program was very small, or it had the debugging code still with it, then you’ll probably have to do extensive cleanup before it will assemble again.

Q: How do I find out what security holes look like, so I can read the source code looking for them?

A: Read any of the documents on secure programming, or look into the work that the OpenBSD team has done to try to eliminate bugs in their source code tree for their OS. That’s one of the central themes to this book: You learn to attack by securing. You learn to secure by attacking.
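Returning to the “Limit Information Given Away” advice earlier in this chapter: the following is an added example, not code from the book, of the command server it describes written both ways. One handler reveals whether a command is unknown or merely unauthorized, the other returns the same uniform error for both, and a small per-client throttle answers slower after every failure. The command table, privilege levels and delay values are constructed for the example.

```python
"""A command server's failure responses, done the leaky way and the uniform way,
plus a throttle that slows replies to a client after each failure.  Added
example; command names, privilege levels and delays are constructed."""
import time

# command -> privilege level required to run it (constructed table)
COMMANDS = {"status": 0, "restart": 1, "shutdown": 2}


def leaky_dispatch(cmd, privilege):
    """The pattern the chapter warns against: different errors tell a caller
    whether a command exists, even when he is not allowed to run it."""
    if cmd not in COMMANDS:
        return "error: no such command"
    if privilege < COMMANDS[cmd]:
        return "error: permission denied"
    return "ok: " + cmd


def uniform_dispatch(cmd, privilege):
    """Same checks, but every failure gets the same indistinguishable reply."""
    if cmd in COMMANDS and privilege >= COMMANDS[cmd]:
        return "ok: " + cmd
    return "error"


class ThrottledServer:
    """Limits the rate at which failures (and so information) leak: each
    consecutive failure from a client doubles the delay before its next reply,
    up to a cap; a success resets the count."""

    def __init__(self, base_delay=0.05, max_delay=30.0, sleep=time.sleep):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._sleep = sleep          # injectable so tests need not really wait
        self.failures = {}           # client id -> consecutive failures

    def delay_for(self, client):
        n = self.failures.get(client, 0)
        if n == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n - 1), self.max_delay)

    def handle(self, client, cmd, privilege):
        self._sleep(self.delay_for(client))
        reply = uniform_dispatch(cmd, privilege)
        if reply == "error":
            self.failures[client] = self.failures.get(client, 0) + 1
        else:
            self.failures[client] = 0
        return reply
```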
Part II
Local Attacks

Chapter 5
Diffing

Solutions in this chapter:
■ What is diffing?
■ How is it used for hacking?
■ What tools are used?

Introduction

Probably the simplest hacking technique is what we call “diffing,” so it is presented first. This technique is deceptively simple, but is used over and over again, perhaps to the point where the person using it no longer gives it much consideration because it just becomes second nature.

What Is Diffing?

Simply put, diffing is the practice of comparing two things for differences, especially after some change has been made. The two things in question could be files, Registry entries, memory contents, packets, e-mails—almost anything. The general principle is that you take some sort of snapshot of the item in question (for example, if it’s a file, save a copy of the file), perform the action you think will cause a change, and then compare the snapshot with the current item, and see what changed.

Any number of objects could be compared for differences. For the purposes of this chapter, we’ll limit our discussion to files (including special files, such as the Windows Registry) and memory.

Why is it useful to be able to see the differences in a file or memory before and after a particular action? One reason is to determine the portion of the file or the memory location of the item of interest. For example, if you have a file that you think contains a form of the password to an application, but the file appears to be in a binary format, you’d like to know what part of the file represents the password. To make this determination, you’d save a copy of the file for comparison, change the password, and then compare the two files.

One of the differences between the two files (as there may be several) represents the password. This information is useful when you want to make changes to the file directly without going through the application. We’ll look at an example of this in this chapter.

For cases like this, the goal is to be able to make changes to the storage directly. In other cases, we may be interested largely in decoding information rather than changing it. The steps are the same, causing actions while monitoring for changes. The difference is that rather than trying to gain the ability to make changes directly, we want to be able to determine when a change occurs, and possibly infer the action that caused it. The differences between the two cases are minor, and the problems are very interrelated. The technique is basically the same in both cases.

To examine the rough equivalent of diffing concerning information that crosses a network, check out the “Sniffing” (Chapter 9) and “Session Hijacking” (Chapter 10) chapters of this book.

Files

I first ran across the idea of directly manipulating data files in order to affect an application when I was about 13 years old. At the time, I had an Apple ][+ computer, and enjoyed games quite a bit. By that point, I had completed somewhere between one and two years of junior high programming classes. One of my favorite games was Ultima 2. Ultima is a fantasy role-playing game that put you in the typical role of hero, with a variety of weapons, monsters to kill, and gold to be had. As is typical of games of this genre, the goal is to gain experience and gold, and solve the occasional quest. The more experience you have, the better you can kill monsters; and the more gold you have, the better weapons and armor you can buy.

I wanted to cheat. I was tired of getting killed by daemons, and at that age, I had little concept of cheating spoiling my game.
The obvious cheat would be to give my character a lot more gold. I knew the information was written to a diskette each time I saved my game, and it occurred to me that if I could find where on the disk the amount of gold I had was stored, I might be able to change it.

The technique I used at that time is a little different from what we’ll present in this chapter, largely because the tools I had at my disposal were much more primitive. What I did was to note how much gold I had, save my game, and exit. I had available to me some sort of sector editor, which is a program used to edit individual disk sectors straight on the disk, usually in hexadecimal. The sector editor had a search feature, so I had it search the disk for the name of my character to give me an approximate location on the disk to examine in detail. In short order, I found a pair of numbers that corresponded to the amount of gold I had when I saved my game. I made an increase and saved the changes to the sector. When I loaded my game back up, I had much more gold. Eureka! My first hack.

Little did I know at the time that I had stumbled onto a technique that would serve me for many years to come. I was able to expand my small bit of research, and built myself an Ultima 2 character editor that would allow me to modify most of the character attributes, such as strength, intelligence, number of each type of weapons, armor, etc.

Of course, that was more years ago than I care to admit. (To give you an idea, Ultima IX was recently released, and they only make one every couple of years on average.) Today, I play different games, such as Heroes of Might and Magic II. This is a fantasy role-playing game in which you play a character who tries to gather gold and experience through killing monsters… you get the idea. Figure 5.1 shows the start of a typical game. In particular, notice the amount of gold I have, 7500 pieces. First thing I do is save the game, calling it hack1.
Figure 5.1 Beginning of a Heroes of Might and Magic II game.

Next, I make a change to the amount of gold I have. The easiest way is to buy something; in my case, I went to the castle and bought one skeleton, one of the lowest-priced things to buy. It’s important to have the change(s) be as small as possible, which we’ll discuss shortly. After the purchase of the skeleton, I now have 7425 gold pieces. I save the game again, calling it hack2. I drop to a DOS prompt and run the file compare (fc) command as shown in the following example:

    C:\Program Files\Heroes2\GAMES>dir hack*

     Volume in drive C has no label
     Volume Serial Number is 3C3B-11E3
     Directory of C:\Program Files\Heroes2\GAMES

    HACK1    GM1       108,635  06-03-00 11:32p hack1.GM1
    HACK2    GM1       108,635  06-03-00 11:39p hack2.GM1
             2 file(s)        217,270 bytes
             0 dir(s)      10,801.64 MB free

    C:\Program Files\Heroes2\GAMES>fc /b hack1.gm1 hack2.gm1
    Comparing files hack1.GM1 and hack2.gm1
    000002A2: 31 32
    000002C3: 32 FF
    00000306: FF 03
    00000368: 4C 01
    00003ACE: FF 2F
    00003AD3: 00 01
    00003AE4: 08 07

    C:\Program Files\Heroes2\GAMES>

The fc command will compare two files, byte for byte if you give it the /b switch, and report the differences in hex. So, my next stop is the Windows calculator to see what 7500 and 7425 are in hex. If you pick “scientific” under the View menu in the calculator, you will then have some conversion options, including decimal to hex, which is what we want. With “Dec” selected, punch in 7500, and then click on “Hex.” You’ll get back 1D4C. Repeat the process for 7425, and you’ll get 1D01. Now, looking at the results of the fc command above, the difference at address 368 (hex) looks promising. It was 4C and is now 01, which matches our calculations exactly. We can also probably infer what some of the other numbers mean as well.
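The snapshot, change, compare and locate procedure just walked through, as an added Python example that is not from the book: it reproduces the byte-for-byte comparison that fc /b performs on two constructed save images laid out to match the fc output above, narrows the seven changed offsets to the one that reads 7500 before and 7425 after as a little-endian 16-bit value, and then applies the same high-byte patch the hex-editor step does. The save contents are constructed; nothing about the real .GM1 format is assumed beyond the offsets and bytes the chapter lists.

```python
"""Byte-for-byte comparison of two game saves (what `fc /b` does), locating a
known value among the changed bytes, and patching it.  Added example; the two
saves are constructed here so the script runs offline."""
import struct


def build_saves(size=0x3B00):
    """Construct hack1/hack2 snapshots mirroring the chapter's fc output.  Offset
    0x368 holds the gold as a little-endian 16-bit integer: 7500 (1D4C) before
    the purchase, 7425 (1D01) after.  The other changed bytes are filled in as listed."""
    hack1 = bytearray(size)
    for off, val in {0x2A2: 0x31, 0x2C3: 0x32, 0x306: 0xFF,
                     0x3ACE: 0xFF, 0x3AD3: 0x00, 0x3AE4: 0x08}.items():
        hack1[off] = val
    struct.pack_into("<H", hack1, 0x368, 7500)
    hack2 = bytearray(hack1)
    for off, val in {0x2A2: 0x32, 0x2C3: 0xFF, 0x306: 0x03,
                     0x3ACE: 0x2F, 0x3AD3: 0x01, 0x3AE4: 0x07}.items():
        hack2[off] = val
    struct.pack_into("<H", hack2, 0x368, 7425)
    return bytes(hack1), bytes(hack2)


def fc_b(a, b):
    """Like `fc /b`: every offset whose byte differs, as (offset, old, new)."""
    if len(a) != len(b):
        raise ValueError("fc /b only compares files of equal length")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def locate_value(a, b, before, after, width=2):
    """Offsets at which an unsigned little-endian integer `width` bytes wide reads
    `before` in a and `after` in b.  The diff alone lists every changed byte
    (seven here); matching the known old/new values singles out the gold field."""
    fmt = "<" + {1: "B", 2: "H", 4: "I"}[width]
    hits = set()
    for off, _, _ in fc_b(a, b):
        # the changed byte may be any of the `width` bytes of the integer
        for start in range(max(0, off - width + 1), off + 1):
            if start + width > len(a):
                continue
            if (struct.unpack_from(fmt, a, start)[0] == before
                    and struct.unpack_from(fmt, b, start)[0] == after):
                hits.add(start)
    return sorted(hits)


def patch_high_byte(save, offset, value=0xFF):
    """Set the most significant byte of the 16-bit field at `offset`.  Because the
    low byte is stored first, that byte lives at offset + 1 (the 1D in 01 1D).
    Returns the patched image and the value the game will now read."""
    patched = bytearray(save)
    patched[offset + 1] = value
    return bytes(patched), struct.unpack_from("<H", patched, offset)[0]


if __name__ == "__main__":
    hack1, hack2 = build_saves()
    for off, old, new in fc_b(hack1, hack2):
        print("%08X: %02X %02X" % (off, old, new))   # same layout fc /b prints
    gold_off = locate_value(hack1, hack2, 7500, 7425)[0]
    _, gold = patch_high_byte(hack2, gold_off)
    print("gold field at %X, after patch: %d (0x%04X)" % (gold_off, gold, gold))
```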
There were eight skeletons available in our castle, and we bought one, leaving seven. That would seem to indicate the byte at 3AE4. The byte at 3AD3 might indicate one skeleton in our garrison at the castle, where there were none before. For now, though, we’re just interested in the gold amount.

So, I fire up a hex editor (similar to a sector editor, but intended to be used on files rather than a raw disk) and load up hack2.gm1. I go to offset 368, and there are our values 1D 01. Notice that they appear to be reversed, as we Latin-language based humans see it. That’s most likely because Intel processors store the least significant byte first (in the lower memory location). There’s only one way to find out if we have the right byte: change it. I change the 1D (the most significant byte, because I want the biggest effect) to FF (the biggest value that fits in one byte, expressed in hex). Figure 5.2 shows the result of loading hack2.gm1 into the game. Take a look at the amount of gold, which is now 65281. A quick check with calc confirms that 65281 in decimal is FF01 in hex. We now have a significant advantage in the game, and can crush our simulated enemies with ease.

Should we have wanted even more gold, which is entirely possible to have in this game, then we could have tried increasing the next byte to the right of the 1D as well, which was 0 when I looked at it. At worst, a couple tries at the adjacent bytes in the file with the hex editor will reveal which byte is needed to hand yourself millions of gold pieces.

Of course, the purpose of this book isn’t really to teach you how to cheat at games; there are more efficient means to do so. For this game in particular, there is a saved-game editor someone has written, likely starting with the exact [...]

[...] www.securityfocus.com

Q: Can diffing be used on network communications?
A: In a broad sense, yes. However, it’s not very practical. The problem is that the information on a network is very transitive; it doesn’t stick around on the wire for a long time. Chapters 9 through 11 of this book address the network equivalents of diffing.

Q: What [...]

[...] usual way; see Chapter 15 for more information on publishing holes.

Chapter 6
Cryptography

Solutions in this chapter:
■ An overview of cryptography
■ Problems with cryptography
■ Brute force
■ Real cryptanalysis

Introduction

As you read through the other chapters of this [...]

[...] part of Network Associates. There is a free version available for noncommercial use as well as a commercial version. For those readers in the United States and Canada, you can retrieve the free version from the following location: http://web.mit.edu/network/pgp.html

The commercial version can be purchased from Network [...]

[...] is, how much creativity does the position your employee holds require? Is it valuable to you to have an employee who can think outside the box when it’s required? Would it be useful to you if your employee could come up with creative solutions to problems? If yes, then you should probably make a little time for, or tolerate, a little hacking—legal hacking on your own systems, of course, and not necessarily [...]

[...] the key being used. A couple of problems immediately come to mind when you are using symmetric key encryption as the sole means of cryptography. First, how do you make sure the sender and receiver each have the same key? You must use some sort of courier service, or another protected transportation mechanism must [...]

[...]

     Volume in drive C has no label
     Volume Serial Number is 3C3B-11E3
     Directory of C:\date

    .              <DIR>        06-16-00 12:18a .
    ..             <DIR>        06-16-00 12:18a ..
    HEX-EDIT EXE        58,592  03-14-95  9:51p Hex-edit.exe
    HEXEDI~1 GZ        165,110  06-05-00 11:44p hexedit-0_9_7_tar.gz
    HEXEDIT  EXE       158,208  06-06-00 12:04a hexedit.exe
             3 file(s)        381,910 bytes
             2 dir(s)      10,238.03 MB free

In [...]

[...] 5.3

Figure 5.3 The Hackman user interface

Hackman even includes a rudimentary command line, which is visible at the bottom of Figure 5.3. As a simple hex editor, it performs as advertised. It is not completely bug free, but the version tested was a beta version, so that is not unexpected. It appears that Hackman is under [...]

[...] and Magic III have been out for some time. That’s because Heroes of Might and Magic III appears to compress its data files. I make this assumption based on the facts that the file is unintelligible (I’m not seeing any English words in it), nearly the whole file changes every save, even if I do nothing in the game between saves, [...]

[...] is to use ls –alt (shown in the following example piped through the more command):

    [ryan@rh test]$ ls -alt | more
    total 2224
    drwxrwxrwt   9 root     root         1024 Jun 16 01:56 ..
    drwxrwxr-x   2 ryan     ryan         7168 Jun 16 01:56 .
    -rw-r--r--   1 ryan     ryan        31541 Jun 16 01:56 fs.h
    -rw-r--r--   1 ryan     ryan         7295 Jun 16 01:55 a.out.h
    -rw-r--r--   1 ryan     ryan         2589 Jun 16 01:55 acct.h
    -rw-r--r--   1 ryan     ryan         4620 Jun 16 01:55 adfs_fs.h

… and so [...]

[...] edit to accomplish your task, as we did in our game example earlier in the chapter. There is a wide variety of hex editors available, ranging from freeware to commercial. They are available for most, if not all, operating systems. The quality and usefulness of these range all over the board, just like any other software category. Let’s take a look at a few.

Hackman

Let’s start with Hackman. Hackman is a free [...]