Original URL: http://www.infosecuritymag.com/mar99/hackers.htm

SPECIAL FEATURE • PERIMETER/NETWORK SECURITY

Tools of the Trade

So you want to defend your enterprise against attack? Make sure you understand these popular hacker tools first. BY EDWARD SKOUDIS


Beep Beep Beep Beeeeeeeeeeep…. It’s 3:45 a.m., and your pager’s going off. You’re hoping it’s just a bad dream, but it’s not. You dial in and find out your network’s down. Then you discover you’ve been hacked. The attacker must have messed something up bad, since several servers are down. Then you find out he left Trojan Horse backdoors almost everywhere, allowing him to store pirated software and who knows what else on your systems. Worse yet, when you check your e-mail, you have several messages from other companies asking why you are attacking them. You’ve been used as a jumping-off point for the attacker to scan others’ networks.

Unfortunately, this nightmare has become a reality for an increasing number of IT professionals. To help you better understand the attacks occurring today, this article describes some of the most widely used hacker tools as well as tried-and-true defensive techniques for securing your network against them.

Caveats

The premise behind this article is simple: You cannot adequately defend against sophisticated attack tools unless you first understand how they work. In other words, the purpose of this article is not to teach you how to crack into systems. Rather, it is to describe what’s going on "in the wild" and outline ways of defending your organization against these sophisticated tools and techniques.

Because of the nature of these tools, their distributors and distribution methods, they may cause damage to your systems. Discussion of a tool in this article does not imply endorsement or recommendation. If you want to experiment with any of these tools, be very careful: review the source code to ensure that you understand what the tool is doing, and test them only on experimental systems that aren’t connected to your production network.

Password Crackers

Because of their extreme usefulness, password-cracking tools have been a mainstay of the hacker’s toolkit for more than a decade. In a password-cracking attack, the attacker first retrieves an encrypted password file from a victim machine. The vast majority of systems, including Windows NT and UNIX, store their passwords in the file system in encrypted (more precisely, one-way hashed) form and use these values to authenticate users during login. Once the encrypted password file is stolen, the attacker feeds it into a password cracker, together with a dictionary. The password-cracking tool attempts to recover the passwords by encrypting each entry in the dictionary with the same algorithm and comparing the result with the stored encrypted value. If the encrypted values match, the hacker knows the password. If the two values do not match, the tool continues through the entire dictionary, and can even attempt every combination of characters in a full brute-force attack. The limiting factor in how fast passwords can be cracked is how quickly guesses can be encrypted and compared. The faster the system running a password cracker, the more quickly passwords will be cracked.

L0phtCrack. Originally released in 1997, L0phtCrack (www.l0pht.com/l0phcrack) has continuously redefined the state-of-the-art in ease-of-use for password crackers. Written and distributed as shareware by the hacker group L0pht Heavy Industries, L0phtCrack deciphers Windows NT passwords. The tool has a slick and simple-to-use GUI, allowing even novice users to crack passwords with a simple point-and-click. L0phtCrack 2.5, released in January 1999, offers significant performance improvements. With its optimized DES encryption routines, L0phtCrack 2.5 is 450 percent faster than earlier versions, allowing it to crack all alphanumeric passwords in a single day with a 450 MHz Pentium II machine, according to the L0pht.

L0phtCrack can take an encrypted password file from numerous sources. The SAM database from a Windows NT system can be captured using a program included with L0phtCrack or from the system’s administrator back-up floppy disks. Alternatively, the latest version of L0phtCrack also includes a GUI for capturing encrypted Windows passwords off a network. When you log into an NT domain, your password is hashed and sent across the network. With L0phtCrack’s built-in sniffer, this encrypted value can be grabbed and cracked.

Because of the tool’s usefulness to infosecurity professionals, the L0pht began charging a registration fee for L0phtCrack 2.0 and later. The latest version is available for a free 15-day demo, with registration and use beyond this period costing $100. Numerous other cracking programs are available as well, both on a freeware and commercial basis, including the venerable and flexible Crack, a UNIX and NetWare password cracker.

L0phtCrack Defenses

The best defense against password cracking attacks is a strongly enforced password policy. Require users to devise passwords that are difficult to guess. Passwords should be at least eight characters long and include alphanumeric and special characters (such as !@#$%). Passwords should not include dictionary terms. For additional security, several automated tools are available that prevent users from setting their passwords to easy-to-guess values or dictionary terms.

Also, periodically auditing your company’s passwords by running a password cracking tool is usually a good idea. Of course, only security administrators or their duly authorized team members should be allowed to run cracking tools, and then only with explicit (written) management approval. You should also decide in advance what you will do with the cracked passwords. Will you send an e-mail to the user who chose a poor password? Will you visit the user to explain password policy? These questions should be answered before you begin assessing your passwords.
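The two controls above, a policy check that rejects weak passwords at the time they are set and a dictionary audit of stored hashes that works the way the article describes (hash each candidate, compare with the stored value), as an added example that is not part of the original article. Salted SHA-256 stands in for the platform’s own password hash, and the word list and account entries are constructed sample data.

```python
import hashlib
import hmac
import re

# Constructed word list standing in for a cracker's dictionary (assumption).
DICTIONARY = {"password", "welcome", "letmein", "secret", "dragon", "monkey"}
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")


def check_policy(password, dictionary=DICTIONARY):
    """Return the policy rules the password violates (empty list = acceptable).

    Rules follow the article: at least eight characters, letters plus digits
    plus special characters, and no dictionary term.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    # Strip digits and specials so 'Password1!' is still caught as dictionary-based.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in dictionary or password.lower() in dictionary:
        problems.append("based on a dictionary word")
    return problems


def hash_password(password, salt):
    # Salted SHA-256 stands in for the system's real one-way function (assumption);
    # the audit logic is identical whatever hash the platform uses.
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed password-file entries: (user, salt, stored hash). Fixed salts keep
# the sample reproducible; real systems pick them randomly.
SAMPLE_ENTRIES = [
    ("alice", b"s1", hash_password("welcome", b"s1")),     # dictionary word
    ("bob",   b"s2", hash_password("Tr!x9q#Lm2", b"s2")),  # meets policy
    ("carol", b"s3", hash_password("dragon", b"s3")),      # dictionary word
]


def audit_hashes(entries, dictionary=DICTIONARY):
    """Dictionary audit: hash every candidate under each account's salt and
    compare with the stored value. Returns {user: recovered_password}."""
    weak = {}
    for user, salt, stored in entries:
        for word in sorted(dictionary):
            if hmac.compare_digest(hash_password(word, salt), stored):
                weak[user] = word
                break
    return weak


if __name__ == "__main__":
    print("policy:", check_policy("Password1!"))
    print("weak accounts:", audit_hashes(SAMPLE_ENTRIES))
```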

War Dialers

Many companies spend a lot of money and time securing their firewalls to prevent attacks. However, while this helps secure the front door to the network, unregistered modems on the internal network offer a convenient and attractive side door for intruders. Because war dialers are highly effective tools for locating these modems and breaking into networks, they are among intruders’ favorite tools.

Originally made famous by the movie War Games, war dialers take advantage of the proliferation of inexpensive modems. The concept behind war dialers is extremely simple: the tool dials a list of telephone numbers, in increasing or random order, looking for the familiar modem carrier tone. Once the tool generates a list of discovered modems, the attacker can dial those systems to find an unprotected login or easily guessed password. One of the most searched-for items in a war dial attack is "unpassworded" PC remote control software, typically installed by an end-user to gain remote access to company systems. These PC remote control programs are devastatingly vulnerable when used with a modem and not properly secured.

THC-Scan. One of the most feature-rich war dialing tools available today is The Hacker’s Choice (THC) Scanner (http://r3wt.base.org), written by "van Hauser." THC-Scan Version 2.00 was released on Christmas Day, 1998. A look-alike cousin of the long-available and widely used ToneLoc war dialer, developed by "Minor Threat" and "Mucho Maas," THC-Scan brings some new and useful functions to the war dialing arena. Unlike simpler war dialing tools, THC-Scan automatically detects the speed, data bits, parity and stop bits of discovered modems. The tool also attempts to determine the OS type of the discovered machine. Further, it can recognize when a second dial tone is returned after a call connects, which makes it possible for the attacker to make free telephone calls through your PBX.

War Dialer Defenses

Of course, the most effective defense against war dialers is to eliminate unsecured modems. If there is not an absolute, explicitly defined business need for a modem, remove it. For modems with a defined need, require users to register them with the IT department. For registered modems requiring only outgoing use, configure the corporate PBX to allow outgoing calls only. Every company should have a strong modem policy describing the need for modem registration and PBX controls. Also, do not assume that because you have a PBX with digital lines that users cannot install modems. Handy, inexpensive digital-line modem adapters are widely available at stores like Radio Shack.

In addition, conduct periodic war dial penetration tests to locate illegal modems on your telephone exchanges. Use a good war dialer to find modems connected to the network, reconcile the discovered modems with the registration list, and investigate the discovered unregistered modems to either remove them or have them properly registered.

Netcat: An Oldie But a Goodie

Netcat is a general-purpose TCP and UDP connection tool, originally written for UNIX by "Hobbit" in 1995 (www.l0pht.com/users/10pht/nc110.tgz), and later adapted to NT by "Weld Pond" in 1997 (www.l0pht.com/users/10pht/nc11nt.zip). Although it’s been around for many years, Netcat is an amazingly useful tool for system administration, network debugging and, yes, breaking into networks.

Known as the Swiss army knife of hacker tools, Netcat is chock full of features. When combined with the powerful scripting capabilities of UNIX, Netcat acts as an effective building block for creating network tools. The basic program can run in either listener or client mode. When run in listener mode, Netcat acts as a server process waiting for connections on specified TCP or UDP ports. In client mode, Netcat will initiate a connection to any port specified by its user.

When used as a listener on one system and a client on another, Netcat can be deployed in many attack scenarios. It can provide a back-door login prompt using any port, including, for example, UDP port 53. From a network packet perspective, this login session will appear to be a series of DNS queries and responses, though it’s really a back-door login. Additionally, when used in client and listener mode on two systems, Netcat can create a quick, simple file transfer mechanism on any port.

In addition to these capabilities, Netcat can also source-route packets, thereby fostering IP spoofing attacks and supporting network debugging. When used in client mode, it also is a very effective UDP and TCP port scanner. Also, when open ports are discovered on a system, Netcat offers the ability to connect easily and cleanly to these ports to discover what is listening.

With this flexibility, Netcat can also be used in replay attacks against e-commerce applications. The interaction between client and server could be captured using a sniffer. Then, this client-to-server data can be viewed and altered to suit the attacker’s needs. The attacker could change account balances, account numbers or other data, or simply replay the same message again. Netcat is then used in client mode to transfer the replayed message to the legitimate server.

The NT version of Netcat includes an especially interesting feature that allows it to bind to ports in front of processes already listening on those ports. This capability is particularly useful in an attack against a file server or a Web server. When bound in front of an active port, the attacker’s Netcat process will receive the connections, and then can decide what to do with them. Connections can be dropped in a denial-of-service (DoS) attack, or an attacker can write custom code to look for interesting items, such as sensitive data (passwords, bank accounts, etc.) before passing the request to the legitimate server process.

Netcat Defenses

The best defense against Netcat is the Principle of Least Privileges (affectionately pronounced "polyp"). That is to say, don’t let unneeded ports through your firewall. For those ports that you must let through, only allow connections to and from specific hosts. For example, for DNS queries through your firewall, open UDP port 53 only from systems requiring that service (usually, an internal DNS server that forwards requests out to the Internet). This will prevent an attacker from being able to transmit Netcat packets to any host on your internal network.

Additionally, for those systems that are externally accessible, defending against Netcat attacks involves knowing what processes are running on your machines. On publicly accessible machines, you should be able to identify the purpose of all processes running on your boxes. Unusual processes running on publicly accessible systems should be investigated, since they might be backdoor listeners. Periodic port scans will also reveal if a listener has been added to a machine.

To avoid replay attacks, all applications should timestamp and provide sequence numbers for all messages, including Web cookies, form elements or just raw data. All messages, their timestamps and their sequence numbers should utilize some sort of cryptographic integrity checks to ensure that they are not altered or replayed.
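The replay defense described above, as an added example that is not part of the original article: every message carries a timestamp and a per-client sequence number, and an HMAC-SHA256 tag over all three fields lets the server reject messages that were altered, captured and replayed later, or simply sent twice. The shared key and the verifier class are assumptions for the demo; a real deployment provisions the key out of band.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret for the demo (assumption); never hard-code one in practice.
KEY = b"constructed-demo-key-not-for-production"
MAX_SKEW = 30  # seconds; older (or future-dated) messages are treated as stale


def _canonical(body):
    # Deterministic encoding so client and server tag exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_message(payload, seq, key=KEY, now=None):
    """Attach timestamp, sequence number and integrity tag to an application message."""
    ts = int(now if now is not None else time.time())
    body = {"seq": seq, "ts": ts, "payload": payload}
    body["tag"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class ReplayGuard:
    """Server-side check: rejects altered, stale or repeated messages."""

    def __init__(self, key=KEY, max_skew=MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.last_seq = {}  # highest sequence number accepted per client

    def verify(self, msg, client, now=None):
        now = now if now is not None else time.time()
        body = {k: msg[k] for k in ("seq", "ts", "payload") if k in msg}
        if len(body) != 3 or "tag" not in msg:
            return False, "malformed"
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Integrity first: an attacker who edits amounts or numbers breaks the tag.
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad integrity tag"
        # A genuine message captured earlier and resent long after is stale.
        if abs(now - body["ts"]) > self.max_skew:
            return False, "stale timestamp"
        # The same (or an older) sequence number from this client is a replay.
        if body["seq"] <= self.last_seq.get(client, -1):
            return False, "replayed sequence number"
        self.last_seq[client] = body["seq"]
        return True, "ok"


if __name__ == "__main__":
    guard = ReplayGuard()
    m = sign_message({"account": "1234", "amount": 50}, seq=1)
    print(guard.verify(m, "client-a"))  # accepted once
    print(guard.verify(m, "client-a"))  # second copy rejected
```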

Session Hijacking Tools

A number of applications used for a command-line login to systems are insecure. In particular, programs such as telnet, rsh, rlogin and FTP are all subject to hijacking attacks. Of course, any run-of-the-mill sniffer will give an attacker the clear-text passwords when these protocols are in use. The problem is bigger than that, however. Any attacker that is connected to any network segment between the client and the server can use a session hijacking tool to take over a session.

When a legitimate user is logged into a command-line session, the hijacker can find the session, take over for the user and reset the client connection. The hijacker then has complete control of that login; all subsequent accesses, changes and deletions will be recorded as the legitimate user’s actions. The user will simply notice that the session has dropped and assume that the network messed up the link.

A large number of hijacking tools are available today within hacker/cracker communities. The latest is Hunt (www.rootshell.com), written by "kra" and released in November 1998. Additionally, juggernaut, by "daemon9," provides basic session hijacking capabilities.

Session Hijacking Defenses

For sensitive session traffic (such as remote management of your firewall, PKI or other critical components), use a tool that provides strong, cryptographic authentication and encrypts the entire session. Secure Shell (SSH) offers these capabilities and is available as freeware or commercially supported software. Also, VPN products provide authentication and session encryption. Without the encryption keys used in SSH or VPN tools, an attacker won’t be able to hijack the session.

A Happy Ending?

Now back to our original attack scenario… three months later.

During your investigation of the initial attack, you discovered that the intruder used war dialing to locate an unprotected modem on a user’s desk. He took over that system, scanned the rest of the network and installed backdoors on machines throughout your network. From there, the attacker observed an admin logging into your public Web server. So he hijacked the session, took over the server and began attacking other Internet sites.

Because of this intrusion, security awareness was heightened in your organization. Management authorized you to implement a strong password and modem policy, begin periodic war dialing and password cracking tests, deploy strong session encryption tools for sysadmins and implement an automated intrusion detection system (IDS).

Even though you realize that no network is invulnerable, the security of your company has vastly improved with these new measures. With diligence in studying and implementing sound defensive strategies, you know you will be able to repel most attacks and quickly detect and respond to the rest. Hopefully, with this knowledge, you’ll sleep a lot better at night.

Edward Skoudis is a technical director at Global Integrity Corp., an SAIC company. He can be reached via [email protected].

With its point-and-click GUI, L0phtCrack is an easy-to-use password cracker—which makes it all the more dangerous should it fall into the wrong hands.


"BO" REPELLENT

Once an attacker finds an open modem and cracks some passwords, then what? Frequently, he’ll install backdoor routines on systems to let him back in later. Back Orifice or "BO" (www.cultdeadcow.com/tools) is a high-profile example of a powerful backdoor that has caused a large number of problems on corporate networks.

Released in August 1998 by the hacker group Cult of the Dead Cow (cDc), Back Orifice (a play on Microsoft’s Back Office) includes a server component to be installed on a victim’s Windows 95 machine as well as client software that runs on the attacker’s system. Its primary purpose is to remotely control a victim Win95 system across a network. The attacker enters commands into the BO GUI client, and the BO server on the victim machine follows those commands.

The tool is amazingly feature-rich and sports very tightly written code. The server (installed on the victim machine) is in a tiny package of only 121 Kb, allowing for quick and easy installation. The client communicates with the server using UDP packets, configurable to any port, with a default of UDP 31337 ("Elite," in hacker parlance). Rudimentary password protection and encryption is also included.

Back Orifice has a multitude of features:

BO is very easy to install. The user of the system must execute a simple program, which installs all BO components quickly and easily. Victims must be tricked into executing the installation program, possibly through e-mail attachments or Web sites.

Other Back Orifice-related tools include wrappers to incorporate BO with an innocuous program. For example, BO could be wrapped around a word processor or a simple game distributed on a network. The attacker could attach BO to game.exe and e-mail the resulting file to users telling them to upgrade. When the executable is run, it will first install BO, and then run the wrapped application. The users only see the game application run, and are unaware of their new status as BO victims. Finally, the tool can be installed through the Web via unsigned Java applets or ActiveX controls.

Defenses

Despite its efforts to hide itself (by not appearing in a task list), Back Orifice is fairly easy to detect. For manual Back Orifice detection, look for a 122 Kb .exe file in the c:\windows\system directory. Also, in the Windows Registry, the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Default key will have an executable name associated with it. Note that the file and key names are configurable by the attacker, but default to ".exe." Finally, a file called "windll.dll" is added to the c:\windows\system directory.

While this manual analysis is useful for a small number of machines, several antivirus vendors have included BO detection capabilities in their latest releases for widespread scans. Of course, to benefit from the BO detector in your virus tool, you must download and install the latest virus definitions.
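The manual indicators listed above, turned into a repeatable check, as an added example that is not part of the original article. It runs over a snapshot of a host (file listing, registry values, listening UDP ports) rather than touching the live system, so the same logic can be applied to inventories collected from many machines; the snapshot format and the sample infected/clean hosts are constructed for the demo.

```python
import ntpath

SYSTEM_DIR = r"c:\windows\system"
RUNSERVICES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
BO_SERVER_SIZE_KB = 122   # size of the dropped server executable, per the article
DEFAULT_UDP_PORT = 31337  # BO's default listening port (attacker-configurable)


def check_host(files, registry, udp_listeners):
    """Return the Back Orifice indicators present in a host snapshot.

    files:         {full_path: size_in_bytes}
    registry:      {key_path: {value_name: data}}
    udp_listeners: set of UDP ports with a listening socket
    """
    findings = []
    for path, size in files.items():
        directory, name = ntpath.split(path)
        if directory.lower() != SYSTEM_DIR:
            continue
        if name.lower() == "windll.dll":
            findings.append(f"windll.dll present in {SYSTEM_DIR}")
        # Flag any .exe of roughly the server's size in the system directory;
        # the name is attacker-configurable, so size and location are the clue.
        if name.lower().endswith(".exe") and abs(size / 1024 - BO_SERVER_SIZE_KB) <= 1:
            findings.append(f"{path!r} is a ~{BO_SERVER_SIZE_KB} Kb executable in {SYSTEM_DIR}")
    default_value = registry.get(RUNSERVICES_KEY, {}).get("Default", "")
    if default_value.lower().endswith(".exe"):
        findings.append(f"RunServices default value launches {default_value!r}")
    if DEFAULT_UDP_PORT in udp_listeners:
        findings.append(f"UDP port {DEFAULT_UDP_PORT} is listening (BO default)")
    return findings


# Constructed snapshots (not real data). The odd " .exe" file name mirrors the
# article's note that the default name is just ".exe".
INFECTED = {
    "files": {
        r"c:\windows\system\ .exe": 122 * 1024,
        r"c:\windows\system\windll.dll": 20 * 1024,
        r"c:\windows\system\kernel32.dll": 400 * 1024,
    },
    "registry": {RUNSERVICES_KEY: {"Default": " .exe"}},
    "udp_listeners": {31337, 137},
}
CLEAN = {
    "files": {r"c:\windows\system\kernel32.dll": 400 * 1024},
    "registry": {},
    "udp_listeners": {137},
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, check_host(**snap))
```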

At the time of this writing, BO targets only Windows 95 (however, the BO client will run on both Windows and UNIX). Lest you assume you’re safe because your desktop standard is NT, keep in mind that NetBus, a tool written by Carl-Fredrik Neikter, has very similar capabilities to Back Orifice, but targets NT clients and servers. The NetBus 2.0 beta was released in January 1999.

Compact and tightly written, Back Orifice is a powerful, easy-to-use backdoor access tool. It’s also easy to detect, if you know what to look for.


OTHER ATTACK TOOLS

ROOT EXPLOITS

Description: Root exploits allow an attacker with a user-level account on a UNIX system to gain superuser access, thereby taking over the machine. There are countless ways for an attacker to escalate their privileges on a UNIX system. By exploiting race conditions, improperly written SUID programs and other poor operating system coding, the hacker community discovers and widely distributes several new root exploits every week.

Defense: Security personnel and system administrators should monitor security mailing lists such as Carnegie Mellon’s CERT (www.cert.org) and bugtraq (subscribe: list [email protected]) for information about new exploits. When a new attack is resolved, you should quickly and systematically test and deploy vendor patches to all affected machines. For particularly sensitive systems—publicly accessible Web servers, DNS systems, firewalls, etc.—host-based security monitoring software can be used to detect users trying to gain root.

DENIAL-OF-SERVICE (DoS) ATTACKS

Description: These attacks cause a system to crash or slow down to the point of not being usable. Over the past two years, a very large number of these attacks have been discovered, targeting many types of operating systems, routers and even laser printers. With fanciful names like Ping O’ Death, Land, Smurf, Bonk, Boink and Latierra, these attacks are mostly a nuisance. However, a crashed system can cost your company significant money in employee downtime or lost transactions.

Defense: Again, keeping up with the latest attacks and patching your systems is the best method of defending yourself against DoS attacks. Also, consider placing antispoof filters at external routers and select intranet routers.

REMOTE EXPLORER

Description: This new and potentially very damaging NT virus installs itself as a service on an NT system. When an administrator logs into the system, the virus automatically propagates through an NT network by using the admin’s privileges to infect all NT machines in the domain. On affected systems, Remote Explorer randomly encrypts files, denying legitimate access to the data.

Defense: A strong virus policy and an effective virus defense tool stop Remote Explorer in its tracks. Make sure you’re using the latest virus definition files.
