The Hacker’s Handbook
The Strategy behind Breaking into and Defending Networks
© 2004 by CRC Press LLC

SUSAN YOUNG AND DAVE AITEL

AUERBACH PUBLICATIONS
A CRC Press Company
Boca Raton   London   New York   Washington, D.C.

AU0888_C00.fm Page iv Wednesday, October 1, 2003 5:41 AM

Library of Congress Cataloging-in-Publication Data

Young, Susan (Susan Elizabeth), 1968–
  The hacker’s handbook : the strategy behind breaking into and defending networks / Susan Young, Dave Aitel.
    p. cm.
  Includes bibliographical references and index.
  ISBN 0-8493-0888-7 (alk. paper)
  Computer networks—Security measures. Computer networks—Access control. Computer hackers. I. Aitel, Dave. II. Title.
  TK5105.59.Y68 2003
  005.8—dc22                                                2003055391 CIP

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the authors and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.

All rights reserved. Authorization to photocopy items for
internal or personal use, or the personal or internal use of specific clients, may be granted by CRC Press LLC, provided that $1.50 per page photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISBN 0-8493-0888-7/04/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

The consent of CRC Press LLC does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press LLC for such copying.

Direct all inquiries to CRC Press LLC, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.

Visit the Auerbach Publications Web site at www.auerbach-publications.com

Auerbach is an imprint of CRC Press LLC. No claim to original U.S. Government works.
International Standard Book Number 0-8493-0888-7
Library of Congress Card Number 2003055391
Printed in the United States of America
Printed on acid-free paper

Acknowledgments

Every book, as they say, has a story. This book’s history has been a long and varied one. Along the way, numerous individuals have contributed their time, focus, energy, technical acumen, or moral support to seeing The Hacker’s Handbook through to its conclusion. The authors would like to thank the following individuals for their contributions and support:

• Rich O’Hanley and the production staff at Auerbach Press for their tireless support of this book, in spite of its long (and somewhat nefarious) history.
• Our contributing authors — Felix Lindner, Jim Barrett, Scott
Brown, and John Zuena — for taking the time and care to write several excellent chapters on the hacking community, malware, directory services, and network hardware that contain some truly unique and interesting material.
• Our technical reviewers, including Jim Tiller, Anton Chuvakin, Sean Cemm, Ben Rothke, and Ted Shagory, for their insights and for dedicating their time and energy to helping to shape a better book. We are confident that this review process will continue as this text goes to publication, and want — in advance — to thank our readers and reviewers for their attention to the ongoing quality of this book.

In addition, Dave Aitel would like to thank Justine Bone for her support and encouragement, and Susan Young would like to thank the following individuals: the Darklord (Thomas McGinn) for keeping his personal commitment to support the effort that went into this book in spite of many months of spent deadlines, missed weekends, and fatigue (thanks, T2B); Trevor Young, for lending his genuine talent, enthusiasm, time, and care to crafting the illustrations throughout this book; Gemma Young, and her parents, Sylvia and Neil, for their interest, support, and advice through two years of long distance phone calls; and International Network Services (and particularly Steven Marandola, Bob Breingan, and Shaun Meaney) for making available time and support for the completion of this book.

Authors

Dave Aitel is the founder of Immunity, Inc. (www.immunitysec.com), with prior experience at both private industry security consulting companies and the National Security Agency. His tools, SPIKE and SPIKE Proxy, are widely regarded as the best black box application assessment tools available.

Susan Young has worked in the security field for the past seven years, four of which have been spent in the security consulting arena, helping clients design and implement secure networks, training on
security technologies, and conducting security assessments and penetration tests of client system or network defenses (so-called ethical hacking). Her experience has included consulting work in the defense sector and the financial industry, as well as time spent evaluating and deconstructing various security products. She currently works as a senior security consultant in the Boston area security practice of International Network Services (INS).

Contributors

Jim Barrett (CISA, CISSP, MCSE, CCNP) is a principal consultant for the Boston office of International Network Services (INS). He currently serves as the national Microsoft practice leader for INS and has been working with Microsoft technologies for longer than he can remember. Prior to INS, Jim spent several years as a member of the information systems audit and security practice of Ernst & Young LLP, where he co-authored the firm’s audit methodology for Novell NetWare 4.1 and was an instructor at the Ernst & Young National Education Center. His areas of expertise include network operating systems and information systems security.

Scott Brown (CISSP, GCIA, GCIH) is a senior security consultant for International Network Services, with more than 13 years’ experience in the information technologies field. He is a Certified Information Systems Security Professional (CISSP), and holds both SANS GCIA and GCIH certifications. Scott is also a private pilot with a rating in single engine aircraft.

John Zuena (CISSP, CCNA, CCDA, NNCSE) is a senior consultant for International Network Services, with more than 14 years’ experience in the information technologies field. He is a Certified Information Systems Security Professional (CISSP) and holds both Cisco and Nortel internetworking certifications. He is also a private pilot with ratings in both single engine airplanes and helicopters.
Illustrator

Trevor Young has been drawing, painting, creating, and generally exercising his artistic imagination for a very long time. Young attended Camberwell College of Art in London, studying graphic design and illustration, and has gone on to a successful career in the film special effects industry in London, first working for the Film Factory and currently as a digital compositor for Hypnosis VFX Ltd. You will find him in the IMDb at http://us.imdb.com/Name?Young,+Trevor
He has continued to work in illustration from time to time and generously contributed his time to create a set of illustrations for this book that have become truly integral to the book and the subject matter.

List of Abbreviations

ACK     Acknowledge
ARIN    American Registry for Internet Numbers
ASCII   ASCII Character Set (ASCII)
ASN     Autonomous System Number
ASP     Active Server Pages or Application Service Provider
BSDI    Berkeley Software Design (BSD) Operating System Internet Server Edition
CANVAS  Immunity Security’s CANVAS Vulnerability Scanner
CAST    Computer Aided Software Testing
CDE     Common Desktop Environment
CHAM    Common Hacking Attack Methods
CIFS    Common Internet File Sharing
CPAN    Comprehensive Perl Archive Network
CRC     Cyclic Redundancy Check
CVE     Common Vulnerabilities and Exposures (List)
CVS     Concurrent Versions System Source Code Control System
DDoS    Distributed Denial-of-Service
DID     Direct Inward Dialing
DIT     Directory Information Tree
DNS     Domain Name System
DNSSEC  Domain Name System Security
DoS     Denial-of-Service
DSA     Digital Signature Algorithm
EFS     Encrypting File System (Microsoft)
EIGRP   Enhanced Interior Gateway Routing Protocol
EIP     Extended Instruction Pointer
ESMTP   Extended Simple Mail Transfer (Protocol)
EVT     Event (Microsoft)
FIFO    First In First Out is an approach to handling queue or stack requests where the oldest requests are prioritized
FX      Handle for Felix Lindner
GCC     GNU C Compiler
GCIA    GIAC Certified Intrusion Analyst
GCIH    GIAC Certified Incident Handler

THE STRATEGY BEHIND BREAKING INTO AND DEFENDING NETWORKS
Conclusion

[Exhibit 11  Load-Balancing Device Managing Connections to All Three Web Servers. Network diagram; recoverable labels: Internet; DNS domains dalmedica.com and dalmedica.net; public IP range 204.70.10.0/24; router (router ACLs), IDS, load balancer, RAS, firewalls; Web servers 204.70.10.161 and 204.70.10.162; partner Web site 204.70.10.194; 204.70.10.229 (Apache/OpenSSL); DB servers (Oracle/SQL) with database replication; Application Proxy Firewall (Primary/Public DNS); SMTP gateway; Web scanning gateway (file transfer); partner net 192.168.10.0; internal DNS server, firewall management client, UNIX development systems, source code (development) on Windows, mail server, DB servers, syslog server, AD domain.]

source code control system (Perhaps its purpose was as a quality assurance [QA]/test system or source repository?). Nirvana … Nathan started to formulate a plan. If he could capture source code off of Dalmedica’s development server, he might be able to derail the launch of the new product. If this fact was publicized in some way, Dalmedica’s stock and public reputation would take a pounding. If he could achieve this, he should cease activity on their network — it was only a matter of time before his presence was detected … it was time to start planning his exit.

Nathan could leverage the Linux system to access the Source Code Control System (SCCS), but he needed privileges to the source code tree and the SCCS. His opportunity came weeks later in the form of an e-mail from human resources (HR) to information technology (IT) (delivered to one of the client systems he had trojanized and discovered while he was parsing a pst file) that indicated that one of the development engineers was leaving the company and had been let go early
because of the sensitivity of current development projects. Nathan monitored the /etc/passwd file on the SCCS for about seven days before deciding to make his move; using the administrative rights he had acquired via the SSH/management client (the client had “sudo” rights to make passwd/shadow file changes), he was able to change the password on the inactive account. The account had CVS access rights. He needed to move quickly now.

He had access to a file transfer program that could be used to mirror source code trees or Web site data; he did not want to risk transferring files directly off of the SCCS, which was presumably well monitored, but felt that transferring select areas of the code tree to the Linux system (those relating to the Medicabase project) was a reasonable risk. To effect the transfer he needed to install a file transfer program that started two processes — cvsft and cvsftctl [5] — used to effect the file transfer. He did not have the rights he needed with the current engineering account, although he could check out source code using the account and had file system rights to the source tree. However, with the client admin account he could create an account with sufficient privileges to be able to install the file transfer program. Having effected the installation using the new account, Nathan started the file transfer service using the engineering account:

    $ /usr/bin/cvsft -d
    $ /usr/bin/cvsftctl -d

Nathan contemplated the amount of time it might take to stage the transfer of source code off of the system — it was worth the time investment involved in installing a trojanized version of “ps” to disguise the two executing file transfer processes. Nathan installed the Trojan “ps” binary, executed the Trojan ps, and checked /proc to determine whether the processes were successfully executing, but hidden (see Exhibit 12). The Trojan ps required some library manipulation that Nathan fumbled his way through. He compiled the code on the server (using the engineering account)
and then deleted the temporary source directory. The stage was set — still, the file transfer was going to take some time. Nathan pondered the question of how to conceal his presence, and any associated performance degradation, while he transferred the source code off the Linux system. He could stage the transfer, mimicking normal activity to the Linux/test system; however, the transfer might still trip an IDS or attract undue attention. He needed a distraction.

“What makes a good distraction?” said Nathan, thinking out loud. He did not have the time to plan and execute a complex attack.

Exhibit 12  Checking /proc for Successful Execution and Hidden Files

    UID     PID  PPID  C  STIME     TTY  TIME  CMD
    root      0           18:13:37  ?    0:03  sched
    root      0           18:13:38  ?    0:00  /etc/init
    root      0           18:13:38  ?    0:00  pageout
    root      0           18:13:38  ?    0:00  fsflush
    root    266           18:14:15  ?    0:00  /usr/lib/saf/sac -t 300
    root    120           18:13:57  ?    0:00  /usr/sbin/rpcbind
    root    158           18:13:58  ?    0:00  /usr/sbin/inetd -s
    root    200           18:14:04  ?    0:00  /usr/lib/lpsched
    root    159           18:13:58  ?    0:00  /usr/lib/nfs/lockd
    root    163           18:13:59  ?    0:00  /usr/lib/autofs/automountd
    root    178           18:14:00  ?    0:00  /usr/sbin/cron
    root    189           18:14:01  ?    0:00  /usr/sbin/nscd
    daemon  160           18:13:58  ?    0:00  /usr/lib/nfs/statd
    root    177           18:14:00  ?    0:00  /usr/sbin/syslogd
    root    221           18:14:05  ?    0:00  /usr/lib/utmpd
    root    228           18:14:05  ?    0:00  /usr/sbin/vold
    root    273   252     18:14:19  ?    0:00  /usr/dt/bin/dtlogin -daemon
    root    291   273     18:16:32  ?    0:00  /bin/ksh /usr/dt/bin/Xsession
    root    180           18:16:32  ?    0:00  /usr/sbin/cvssrcmgr

    $ ptree [a]
    120   /usr/sbin/rpcbind
    158   /usr/sbin/inetd -s
    180   /usr/sbin/cvssrcmgr
    191   /usr/sbin/cvsft
    192   /usr/sbin/cvsftctl
    159   /usr/lib/nfs/lockd
    160   /usr/lib/nfs/statd
    163   /usr/lib/autofs/automountd
    178   /usr/sbin/cron
    177   /usr/sbin/syslogd
    189   /usr/sbin/nscd
    221   /usr/lib/utmpd
    228   /usr/sbin/vold

[a] Of course, ptree could be “trojanned” too, in which case the attacker/administrator would have to resort to manually listing (ls) and parsing the /proc directory.

Exhibit 13  Recursive Query to Firewall

    $ nslookup
    Default Server:  ns1.localdnsserver.com
    Address:  1.1.1.1

    > server ns1.dalmedica.com
    Server:  ns1.dalmedica.com
    Address:  204.70.10.209

    > www.internetsite.com
    Non-authoritative answer:
    Name:    www.internetsite.com
    Address:  131.20.16.44
    >

“DNS? — sure fire way of disrupting Internet connectivity and perhaps inbound Web connectivity.” Nathan wondered if the Application Proxy firewall/Primary DNS server supported recursive DNS queries. He fired off a recursive query to the firewall (see Exhibit 13). Success. But a DNS denial-of-service might not take an administrator very long to identify and quash, and would impact the speed with which he could transfer source code to a remote system. He needed a second distraction. Impacting client Internet access via DNS, via a separate exploit, would buy additional time and was sufficiently close to the first distraction (recursive DNS denial-of-service) to be considered associated by an administrator. To effect this, he needed a way to make inroads to the internal DNS server. Checking the local resolver configuration on one of the compromised clients, Nathan identified its IP. “But how to get access?” One of the Usenet postings had already identified that Dalmedica operated an Active Directory environment — Nathan poked around with some Active Directory exploits, but could not identify any truly useful account reconnaissance attacks
(AD was not a specialty of his). Besides, he had a solid presence on Dalmedica’s network, at this point, that he did not want to jeopardize. Nathan pondered some more — he had a presence on Dalmedica’s Internet Web servers that he had not leveraged yet … perhaps it was time to put this to good use? Nathan was not expecting the Internet Web servers to cough up any useful account reconnaissance but felt that it might be possible to coax account information out of one of the back-end database servers or the LDAP server Dalmedica was experimenting with to authenticate partner connections. The Usenet posting had hinted at the fact that the LDAP server was to be AD-integrated; if Dalmedica did not appropriately partition account information, this meant that the LDAP server might have access to administrative account data for the LDAP domain. This was perhaps especially likely if the server was still in the process of being tested and configured.

Nathan began canvassing for LDAP reconnaissance attack information. Using the tool ldp.exe and drawing on reconnaissance data he had collected from the Web servers, Nathan issued the LDAP query from the compromised Internet Web server (see Exhibit 14). Having successfully attached to the LDAP server using ldp, Nathan issued a query to determine the user accounts that were members of the Administrators group, as indicated on the LDAP server, followed by some general LDAP queries to determine the number and scope of the accounts configured on the LDAP server. There did not appear to be a representative number of accounts on the LDAP server for an organization of Dalmedica’s size — it appeared that Dalmedica was still in the process of testing and deploying the LDAP server.

Nathan decided to turn his attention to the database servers in the DMZ environment. Using the presence he had established on
Dalmedica’s Web servers, he leveraged a well-known buffer overflow in a user authentication component of Microsoft (MS) SQL Server (the “SQL hello” buffer overflow) to obtain “root” access to one of the DMZ SQL Servers. Two aspects of this compromise surprised him — (1) that Dalmedica had not patched against this vulnerability, and (2) that exploitation of this vulnerability did not trip any kind of IDS or detective control. A further surprise was that Nathan was able to use the exact same vulnerability to gain root on the LAN Database servers and then execute pwdump2 (using the root account context) to retrieve password hashes from the system. Using the reconnaissance gathered from the LDAP server as a guide, he successfully cracked and hijacked an account that had both local and domain administrator privileges.

Having obtained an AD account with administrative privileges, Nathan turned his attention to the internal DNS server. He needed an exploit that would effectively deny all internal clients Internet access for a period of time but would not affect his ability to perform a file transfer. It seemed to make sense to him that editing the root name server hints file would work, providing he populated the file with a likely looking set of Internet Root name servers. He formulated the file shown in Exhibit 15. At the very least, Nathan speculated that focusing Dalmedica’s attention on the DNS server, coupled with a recursive query packet flooding attack against its public DNS server (impeding access to the Internet Web sites), would distract everyone’s focus away from the SCCS system. The stage was set for the heist.

Exhibit 14  LDAP Query from the Compromised Internet Web Server

    o = Dalmedica
    cn = Schema, dc = Partnernet, dc = PRTN1

    ld = ldap_open("204.70.10.196", 389);
    Established connection to 204.70.10.196.
    Retrieving base DSA information…
    Result : (null)
    Matched DNs:
    Getting entries:
    >> Dn:
        1> currentTime: 7/6/2003 20:28:55 Eastern Standard Time Eastern Daylight Time;
        1> subschemaSubentry: CN=Aggregate,CN=Schema,DC=Partnernet;
        1> dsServiceName: CN=NTDS Settings,CN=PRTNRNET,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Partnernet;
        3> namingContexts: CN=Schema,CN=Configuration,DC=Partnernet,DC=PRTN1; CN=Configuration,DC=Partnernet,DC=PRTN1;
        1> defaultNamingContext: DC=Partnernet;
        1> schemaNamingContext: CN=Schema,CN=Configuration,DC=Partnernet,DC=PRTN1;
        1> configurationNamingContext: CN=Configuration,DC=Partnernet,DC=PRTN1;
        1> rootDomainNamingContext: DC=Partnernet,DC=PRTN1;
        2> supportedLDAPVersion: 3; 2;
        12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxActiveQueries; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn;
        1> highestCommittedUSN: 3478;
        2> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO;
        1> dnsHostName: PRTN1.partnernet.dalmedica;
        1> ldapServiceName: partnernet:PRTN1$@partnernet.dalmedica;
        1> serverName: CN=PRTN1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=partnernet,DC=PRTN1;
        1> isSynchronized: TRUE;
        1> isGlobalCatalogReady: TRUE;

Exhibit 15  Set of Internet Root Name Servers

    ;       This file holds the information on root name servers needed to
    ;       initialize the cache of Internet domain name servers
    ;
    ;       This file is made available by InterNIC registration services
    ;       under anonymous FTP as
    ;           file                /domain/named.root
    ;           on server           FTP.RS.INTERNIC.NET
    ;       -OR- under Gopher at    RS.INTERNIC.NET
    ;           under menu          InterNIC Registration Services (NSI)
    ;              submenu          InterNIC Registration Archives
    ;           file                named.root
    ;
    ;       last update:    Aug 22, 1999
    ;       related version of root zone:   1999082200
    ;
    ;
    ; formerly NS.INTERNIC.NET
    ;
    .                        3600000  IN  NS    A.ROOT-SERVERS.NET
    A.ROOT-SERVERS.NET       3600000      A     5.6.7.8
    ;
    ; formerly NS1.ISI.EDU
    ;
    .                        3600000      NS    B.ROOT-SERVERS.NET
    B.ROOT-SERVERS.NET       3600000      A     7.8.9.0
    ;
    ; formerly C.PSI.NET
    ;
    .                        3600000      NS    C.ROOT-SERVERS.NET
    C.ROOT-SERVERS.NET       3600000      A     192.234.4.56
    ;
    ; formerly TERP.UMD.EDU
    ;
    .                        3600000      NS    D.ROOT-SERVERS.NET
    D.ROOT-SERVERS.NET       3600000      A     128.99.11.90
    ;
    ; formerly NS.NASA.GOV
    ;
    .                        3600000      NS    E.ROOT-SERVERS.NET
    E.ROOT-SERVERS.NET       3600000      A     193.223.241.12
    ;
    ; formerly NS.ISC.ORG
    ;
    .                        3600000      NS    F.ROOT-SERVERS.NET
    F.ROOT-SERVERS.NET       3600000      A     199.6.17.222
    ;
    ; formerly NS.NIC.DDN.MIL
    ;
    .                        3600000      NS    G.ROOT-SERVERS.NET
    G.ROOT-SERVERS.NET       3600000      A     195.111.63.8
    ;
    ; formerly AOS.ARL.ARMY.MIL
    ;

Dalmedica’s Perspective

A month after the initial incident, Bill Freidman laid out for the rest of the Dalmedica team what he believed had happened. “We think the attacker was able to obtain the source code through the following process, which I’ve detailed in the handout (see Exhibit 16). This is marked strictly confidential — I want to ensure that everyone on this select team understands the importance of keeping this information to themselves. We’ll be collecting the handouts at the end of the meeting.”

“The rough process and chronology — with a few twists and turns — was as follows:”

[Exhibit 16  Handout. Network diagram of the attack path; recoverable labels: Internet; ISP-managed router and load balancing device on 204.70.10.160/28, IDS on 204.70.10.240/29, and 204.70.10.224/28 (publicly addressed IP networks); stateful packet filtering firewall; RAS server, compromised via a maintenance password; Internet DMZ Web farm (204.70.10.228, .229, .230), PHP exploit yielding access, installation of netcat backdoor; Web-referenced database servers on 204.70.10.208/28, DB exploit yielding account data; partner extranet DMZ (204.70.10.194, .195) on 204.70.10.192/28 with LDAP server and partner network connection (router ACLs); content management DMZ (172.30.1.0/29) with Web content filtering gateway, compromised via WinNT exploit while located on the DMZ (packet sniffer installed); Application Proxy firewall (primary/public DNS server) and SMTP gateway 172.30.0.1 (anti-virus and content filtering); corporate LAN 172.30.0.0/16 (switched to the desktop; clients, printers, etc., 500 nodes) with DNS servers (primary and secondary; root NS hints file updated), syslog server, corporate mail server, database servers, Active Directory/domain controller and backup domain controllers, SSH client compromised with RWWWshell, e-mail (Trojan) delivery to clients; QA/development LAN (fully switched) with Linux QA/test system reached by abuse of UNIX "R" trust relationships, development servers (UNIX/NT), and SCCS server network (fully switched); file transfer paths from the SCCS to the Linux QA/test system and onward.]

Access Points

From analysis of log files and other time-stamped data, we think the attacker was first able to gain a presence on Devmed’s network via an SMTP (Sendmail 8.12.1) vulnerability. From there, the attacker was able to “walk” Devmed’s network, conduct some reconnaissance, and ultimately gain a presence on Dalmedica’s DMZ. The attacker was also able to exploit a backdoor password (maintenance account) to the RAS Controller/dial-up server to gain direct dial-up access to the DMZ, providing another point of access on Dalmedica’s network. This was uncovered
during an investigation of the logs on the dial-up server, which revealed initial use of the maintenance account and then the creation of an ongoing account. The attacker ultimately lost access to the RAS Controller when it was dismantled and replaced by a virtual private network (VPN) server.

From there, the sequence of events indicates that the attacker utilized e-mail as a means of gaining ingress to the internal network by mailing a Trojan backdoor to several key administrative systems on the network. This provided a bastion presence on several client systems that could be leveraged to gain access to the SCCS system and associated development platforms.

Finally, the attacker was also able to gain ingress through one of the Internet Web servers and established a presence on that system. This was achieved through a PHP/logging exploit that had not been patched on one of the systems and yielded privileged access to the operating system. The system was subsequently patched (upgraded) when it was discovered that a CGI script issue was tripping the Internet DMZ IDS, but not before the attacker had installed a netcat listener on the system to shore up his or her access. The netcat listener was discovered via a manual audit of the system.

Bastion Hosts

Throughout the duration of the attack, the attacker was able to establish a “bastion” presence on a number of Devmed and Dalmedica systems. These systems were not necessarily the target of the attack activity, but they facilitated access and reconnaissance gathering, getting the attacker one step closer to the SCCS system. These systems included:

• Devmed Sendmail server. The attacker was able to exploit a Sendmail 8.12.1 vulnerability to establish a presence on the Sendmail server as “root.” Having achieved this, we presume the attacker conducted some IP and port probes to identify other systems that might have trust relationships with Dalmedica hosts.
• Devmed Linux FTP server. The attacker appropriated a Linux FTP server on the
Devmed network and installed a packet sniffer that provided insight into activity between the Dalmedica and Devmed networks. We believe this packet sniffer yielded information on activity into the Dalmedica/Devmed gateway and led the attacker into the Dalmedica DMZ.
• DMZ content scanning server. The content scanning server was a test server deployed by Dalmedica on a 30-day evaluation license. The attacker was able to gain access to this server through an operating system (NT) vulnerability and installed a packet sniffer on the system (a pretty bold move). This yielded visibility into traffic to and from the Application Proxy firewall, bypassing Dalmedica’s two-tier firewall architecture, and gave the attacker a presence on the DMZ. [6]
• Corporate LAN clients. Leveraging an e-mail exploit that disseminated a Trojan (RWWWshell) to several client systems on Dalmedica’s Corporate LAN, the attacker was able to establish a presence on several clients. Three clients were discovered to have been infected: (1) one desktop client, (2) a client used to perform firewall management and SSH management of various systems, and (3) a Web development client. Keystroke loggers were installed on all three systems.
• Internet Web server. As mentioned previously, the attacker obtained a presence on the Internet DMZ via a PHP/logging exploit mounted against one of the load-balanced Web servers. The exploit yielded privileged access to the Web server that culminated in the installation of a netcat listener on the system. This system was ultimately leveraged to gain access to the DMZ database servers.
• DMZ database servers. We believe the attacker was able to gain access to the DMZ database environment by exploiting an SQL Server buffer overflow vulnerability (this is still being confirmed through log and file system analysis). Once this was attained, it is
presumed this access was leveraged to achieve a presence on the DMZ, and possibly, the Corporate LAN • Development Linux system A QA/test Linux system that had a trust relationship (via a rhosts file) with the Development Source Code Control System (SCCS) was used to establish a “bastion” that provided access to systems on the Development network and the SCCS This system was already used to check out source code from the SCCS for QA/test purposes and was ultimately leveraged by the attacker to stage the transfer of source code off of the SCCS system under the guise of QA/test activity Reconnaissance Activity The following types of tools and systems were leveraged to gather system and network reconnaissance for the attacks: • Keystroke loggers Keystroke loggers were discovered on the Corporate LAN clients that were infected with the RWWWshell Trojan These are believed to have been used to gather account reconnaissance for ingress into the Linux development server, and ultimately, by association, the SCCS system • Packet sniffers Packet sniffers were installed on the Devmed Linux FTP server and Dalmedica Content Management System Both packet sniffers were installed to poorly monitored systems and then used to gather network service reconnaissance and topology data • Port probes/port scanning The investigation team did not uncover any evidence of port scanning or port probes in IDS, firewall, or system logs, but this activity is assumed as part of the initial Internet DMZ, Devmed network, and DMZ network discovery 820 © 2004 by CRC Press LLC AU0888_C18.fm Page 821 Wednesday, October 1, 2003 6:18 AM Conclusion Target Systems The following systems appear to have been the targets of the attacker’s activity on Dalmedica’s network: • Application Proxy firewall (primary DNS server) Dalmedica’s Application Proxy firewall was attacked via a DNS-based denial-of-service The denial-of-service was a distributed denial-of-service (DDoS) attack launched from several points on the 
Internet; EnterISP has been cooperating with the investigation team to try to track back through some of the intermediate hosts leveraged in the attack and identify the source host The attack leveraged the fact that the Application firewall was configured to respond to recursive DNS queries for any Internet DNS record Flooding the firewall with recursive DNS requests resulted in performance degradation at the firewall and impacted outside users’ ability to access Dalmedica’s Internet Web sites This was compounded by the fact that EnterISP’s DNS secondary for the dalmedica.com domain was misconfigured and inaccessible The DNS denial-of-service was leveraged by the attacker as a “distraction.” • Internal DNS server Dalmedica’s internal/private DNS server was also subject to a denial-of-service that was based on updates to the Root Name Server hints file on the system The Root Name Server hints file was updated to include a set of counterfeit Root Name Server (NS) IP references This resulted in the denial of Internet access to Dalmedica’s Corporate LAN client and server systems The activity on the internal DNS server was verified through the examination of system log files and the recovery of deleted files on the system (containing the original cache file) • Linux QA/test system The Linux QA/test system that was leveraged for the source code transfer was accessed by exploiting a trust relationship (UNIX rhosts file) with one of the compromised Dalmedica clients The system contained some source code and was used to migrate source code from the SCCS system for QA/test purposes This system had a significant amount of disk space and was ultimately used by the attacker as a source code repository and to stage the transfer of source code off of the SCCS A file transfer program was installed to the system that yielded two processes in the process table This program had the ability to spawn multiple child processes to speed file transfer Investigation of the system using an 
external (CD-based) set of operating system (OS) binaries revealed the presence of the processes The attacker had installed a Trojan version of the “ps” command to both this system and the SCCS system to mask the presence of the file transfer application in the system process table 821 © 2004 by CRC Press LLC AU0888_C18.fm Page 822 Wednesday, October 1, 2003 6:18 AM THE STRATEGY BEHIND BREAKING INTO AND DEFENDING NETWORKS • Source Code Control System The attacker was able to leverage trust relationships with the Linux QA/test system and an old engineering account to access the source code tree and CVS Code Control software on the SCCS system As with the Linux QA/test system, account rights on the SCCS system were manipulated to install a file transfer program on the SCCS This file transfer program yielded the same two processes discovered on the QA/test system and was hidden with a trojanized version of “ps.” The file transfer program was used to “mirror” areas of the source code tree to the QA/test system over a period of a couple of weeks — at the time the DNS denial-of-service was effected, the source code was transferred off the QA/test system via the partner network to a remote client system Once again, the attacker used connection-laundering techniques to mask the true source of the file transfer In the course of compiling the file transfer program on the SCCS system, the attacker corrupted some libraries on the system A “manual” investigation of the system file system confirmed the presence of foreign source code and some associated deletion activity in library and /tmp directories “It is the conclusion of this team that inconsistent security process and inadequate security monitoring aided the attacker or attackers in their attack Dalmedica’s IDS systems did pick up some of the attack activity, but this was clouded by the DNS denial-of-service attacks and inadequate IDS monitoring procedures The attacker deliberately leveraged some systems he or she 
considered a reasonable risk for the absence of host/network monitoring The changes that Dalmedica has made to its network over the past three to six months have addressed some of the vulnerabilities indicated.” Conclusion (Final Thoughts) Fantastical? Maybe The only aspect of the case study that could perhaps be considered uncharacteristic or improbable is that there was a greater degree of established exploit code used to effect the attacks — many sophisticated attackers will leverage “0-day” exploits in targeting a vulnerable network and networked systems However, the case study does dramatically illustrate the potency of some of the hacking exploits and attacks outlined in this text One of the key security challenges Dalmedica faced was keeping pace with changes to its network and staying on top of emerging security vulnerabilities Throughout the text, at the end of each chapter, we have detailed a list of Internet and text references that are intended to provide information relevant to the chapter material, and a list of “spaces to watch” for future developments To conclude this chapter, we have detailed a set of references and ongoing “themes” — below — that we hope are useful in providing a way forward for continuing to grow your knowledge of this complex field Enjoy 822 © 2004 by CRC Press LLC AU0888_C18.fm Page 823 Wednesday, October 1, 2003 6:18 AM Conclusion References Areas of Focus As might be expected, new and developing areas of interest in the hacking and security arena closely align with new technologies and new developments in information systems and information technology The references provided in each section detail sources of further and future information for each technology indicated Note: Some of these sites should be approached with some caution Always appropriately harden your Web browser and system before connecting to any unknown site General Hacking and Security Resources 2600 Hacker Quarterly, http://www.2600.com Astalavista, 
http://www.astalavista.com Black Hat Briefings, http://www.blackhat.com/html/bh-link/briefings.html Church of the Swimming Elephant, http://www.cotse.com/home.html Computer Operations, Audit, and Security Technology, http://www.cerias.purdue.edu/coast/ coast.html Computer Emergency Response Team (CERT), http://www.cert.org Computer Security Resource, http://www.secureroot.com/ Cryptogram (Counterpane Internet Security), http://www.counterpane.com/crypto-gram.html DefCon, http://www.defcon.org/ Neohapsis, http://www.neohapsis.com/ Network Security Library, http://secinf.net/ NTBugTraq, http://www.ntbugtraq.com/ PacketStorm, http://packetstormsecurity.org Phrack Magazine, http://www.phrack.org SecurityFocus, http://www.securityfocus.com SecuriTeam, http://www.securiteam.com/ SysAdmin, Audit, Network, Security (SANS) Organization, http://www.sans.org Authentication Technologies Biometrics Catalog, http://www.biometricscatalog.org/ Biometric Consortium, http://www.biometrics.org/ Biometric Resource Center, http://www.biomet.org/ PKI Forum, http://www.pkiforum.org/ Public Key Infrastructure Page, http://www.pki-page.org/ Smart Card Alliance, http://www.smartcardalliance.org/ Smart Card Basics, http://www.smartcardbasics.com/ Smart Cards Online, http://www.smartcardclub.co.uk/ Cryptography Cryptogram (Counterpane Internet Security), http://www.counterpane.com/crypto-gram.html Information on Cryptography, http://http.cs.berkeley.edu/~daw/crypto.html North American Cryptography Archives, http://www.cryptography.org OpenSSH Project, http://www.openssh.org/ OpenSSL Project, http://www.openssl.org/ RSA Laboratories Cryptography FAQ, http://www.rsasecurity.com/rsalabs/faq/ 823 © 2004 by CRC Press LLC AU0888_C18.fm Page 824 Wednesday, October 1, 2003 6:18 AM THE STRATEGY BEHIND BREAKING INTO AND DEFENDING NETWORKS DNS and Directory Services BIND-users: (bind-users-request@isc.org), http://www.isc.org/ml-archives/comp.protocols dns.bind DNS Extensions Working Group (IETF), 
http://www.ietf.org/html.charters/dnsext-charter.html Implementing Directory Services, http://www.directoryservice.com/ LDAP Zone, http://www.ldapzone.com/ Microsoft Directory Services, http://www.microsoft.com/windows2000/technologies/directory/ default.asp Namedroppers: (IETF DNS Ext Working Group), ftp://rs.internic.net/archives/namedroppers/ OpenLDAP, http://www.openldap.org/ Network Management OpenNMS, http://www.opennms.org/ The Simple Web, http://www.simpleweb.org/ SNMPLink, http://www.snmplink.org/ SNMPv3, http://www.ibr.cs.tu-bs.de/projects/snmpv3/ Route/Switch Infrastructures IETF Routing Working Groups, http://www.ietf.org/html.charters/wg-dir.html#Routing%20Area; http://www.rtg.ietf.org/ Routing Technologies, http://www.cisco.com/en/US/tech/index.html Storage Networking Enterprise Storage Forum, http://www.enterprisestorageforum.com/ Storage Network Industry Association, http://www.snia.org/home Voice over IP Voice and Fax over IP, http://www.iptelephony.org Voice over IP Forum, http://www.voipcalculator.com/forum/voip/ Wireless Networks 802.11 Planet, http://www.80211-planet.com Airsnort, http://airsnort.shmoo.com/ Wireless LAN/MAN Standards, http://www.ieee802.org/ Notes See the chapter “Consolidating Gains” (Ch 16) for a description of null sessions Again, reference “Consolidating Gains” (Ch 16) for information on the sechole exploit Reference @Stake Security Advisory, http://www.atstake.com/research/advisories/ 2000/a101200-1.txt, Securiteam, http://www.securiteam.com/unixfocus/ 6N00S0K03U.html Unrelated, but this drew the administrator’s attention to the disparity in the versions of PHP running on the three Apache servers Fictional … nevertheless, they demonstrate a point! The attacker ultimately lost access to the Content Scanning server when the system was reloaded and migrated to a DMZ behind the Application Proxy firewall © 2004 by CRC Press LLC .. 
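The Target Systems section above describes how the file transfer program on the Linux QA/test and SCCS systems was found only when investigators ran ps from an external, CD-based set of binaries, because the host’s own ps had been replaced with a trojaned copy. The following script is an added example, not code from the book, that automates the same cross-view comparison on a Linux host: it lists the numeric entries under /proc (an independent view the kernel supplies) and compares them with what a ps binary reports, so that any PID present in /proc but missing from ps output is flagged as a candidate hidden process. The sample ps output and /proc listing at the bottom are constructed.

```python
"""Cross-view process check: /proc versus ps(1).

Added example (not from the book). Compares the process list reported by a
ps binary with the PIDs the kernel exposes under /proc. A trojaned ps that
filters certain processes cannot also hide their /proc directories, so the
set difference reveals them. Sample inputs below are constructed.
"""
import os
import re
import subprocess


def pids_from_ps(ps_output: str) -> set[int]:
    """Extract PIDs from ps output whose first column is the PID
    (for example `ps -e -o pid=,comm=`); non-numeric header lines are skipped."""
    pids = set()
    for line in ps_output.splitlines():
        m = re.match(r"\s*(\d+)\b", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def pids_from_proc(entries) -> set[int]:
    """Numeric directory names under /proc are live PIDs; 'self', 'net', etc. are not."""
    return {int(e) for e in entries if e.isdigit()}


def hidden_pids(ps_pids: set[int], proc_pids: set[int]) -> set[int]:
    """PIDs that /proc exposes but ps does not report."""
    return set(proc_pids) - set(ps_pids)


def live_check(ps_binary: str = "ps") -> set[int]:
    """Run the comparison on this host.

    ps_binary may point at a trusted copy (for example on read-only media)
    rather than the host's own /bin/ps. Two /proc snapshots bracket the ps
    run so that short-lived processes, including ps itself, do not produce
    false positives: only PIDs present both before and after are compared.
    """
    before = pids_from_proc(os.listdir("/proc"))
    out = subprocess.run([ps_binary, "-e", "-o", "pid=,comm="],
                         capture_output=True, text=True, check=True).stdout
    after = pids_from_proc(os.listdir("/proc"))
    stable = before & after
    return hidden_pids(pids_from_ps(out), stable)


# Constructed sample: the host's ps omits PID 1337, which /proc still lists.
SAMPLE_PS_OUTPUT = """  PID COMMAND
    1 init
  412 sshd
  875 cron
"""
SAMPLE_PROC_ENTRIES = ["1", "412", "875", "1337", "self", "cpuinfo", "net"]


def sample_result() -> set[int]:
    """Hidden PIDs in the constructed sample."""
    return hidden_pids(pids_from_ps(SAMPLE_PS_OUTPUT),
                       pids_from_proc(SAMPLE_PROC_ENTRIES))


if __name__ == "__main__":
    print("hidden in constructed sample:", sorted(sample_result()))
    if os.path.isdir("/proc"):
        print("hidden on this host:", sorted(live_check()))
```

A hit from this check is a lead, not a verdict: confirm it by reading /proc/PID/exe, /proc/PID/cmdline and /proc/PID/status with trusted tools, and keep in mind that a kernel-level rootkit can falsify /proc as well, which is why the investigators’ approach of booting trusted binaries from external media remains the stronger baseline.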
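The internal DNS server in the Target Systems section lost Internet resolution because its root name server hints file was rewritten with counterfeit NS references, and the original was recovered only by undeleting files. The script below is an added example, not code from the book, that parses a hints file in the named.root zone-file format and compares it with a known-good copy (the file as installed, or a fresh copy of ftp://rs.internic.net/domain/named.root), reporting root NS names that were added or removed and addresses that changed. The two hint files embedded at the bottom are constructed and use RFC 5737 documentation addresses rather than real root server addresses.

```python
"""Root hints integrity check.

Added example (not from the book). Parses a named.root-style hints file and
diffs it against a baseline so that counterfeit root NS entries or changed
root server addresses are reported. Sample files are constructed.
"""


def parse_hints(text: str):
    """Return (root_ns_names, {owner: {addresses}}) from named.root-style text.

    Accepts lines such as
        .                        3600000      NS    A.ROOT-SERVERS.NET.
        A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
    with or without the optional class field, and ignores ';' comments.
    """
    root_ns = set()
    addrs = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        # Record type is always the second-to-last field; rdata is the last.
        owner, rtype, rdata = fields[0].upper(), fields[-2].upper(), fields[-1]
        if owner == "." and rtype == "NS":
            root_ns.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, set()).add(rdata.lower())
    return root_ns, addrs


def compare_hints(baseline_text: str, current_text: str) -> dict:
    """Differences that would indicate tampering or an outdated file."""
    base_ns, base_addrs = parse_hints(baseline_text)
    cur_ns, cur_addrs = parse_hints(current_text)
    changed = {
        name: (sorted(base_addrs.get(name, ())), sorted(cur_addrs.get(name, ())))
        for name in base_ns & cur_ns
        if base_addrs.get(name, set()) != cur_addrs.get(name, set())
    }
    return {
        "unexpected_ns": sorted(cur_ns - base_ns),   # counterfeit additions
        "missing_ns": sorted(base_ns - cur_ns),      # legitimate servers removed
        "changed_addresses": changed,                # redirected servers
    }


def hints_ok(baseline_text: str, current_text: str) -> bool:
    """True when the current file matches the baseline exactly."""
    return not any(compare_hints(baseline_text, current_text).values())


# Constructed baseline: two root servers with documentation addresses.
BASELINE_HINTS = """\
; constructed baseline root hints (not real root server data)
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2
"""

# Constructed tampered copy: B is redirected and a counterfeit Z is added.
TAMPERED_HINTS = """\
; constructed tampered hints
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     203.0.113.5
.                        3600000  IN  NS    Z.ROOT-SERVERS.NET.
Z.ROOT-SERVERS.NET.      3600000  IN  A     198.51.100.9
"""

if __name__ == "__main__":
    import json
    print(json.dumps(compare_hints(BASELINE_HINTS, TAMPERED_HINTS), indent=2))
```

Run periodically against the resolver’s live hints file (the path depends on the BIND installation), the check turns a silent outage into an alert that names the exact entries that were altered. It complements, rather than replaces, file integrity monitoring of the DNS configuration directory and the recovery of the original file from backups that the investigators had to perform by hand.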