Ed Skoudis, CISSP
Recent headlines demonstrate that the latest crop of hacker tools and techniques can be highly damaging to an organization’s sensitive information and reputation. With the rise of powerful, easy-to-use, and widely distributed hacker tools, many in the security industry have observed that today is the golden age of hacking. The purpose of this chapter is to describe the tools in widespread use today for compromising computer and network security. Additionally, for each tool and technique described, the chapter presents practical advice on defending against each type of attack.
The terminology applied to these tools and their users has caused some controversy, particularly in the computer underground. Traditionally, and particularly in the computer underground, the term “hacker” is a benign word, referring to an individual who is focused on determining how things work and devising innovative approaches to addressing computer problems. To differentiate these noble individuals from a nasty attacker, this school of thought labels malicious attackers as “crackers.” While hackers are out to make the world a better place, crackers want to cause damage and mayhem. To avoid the confusion often associated with these terms, in this chapter, the terms “system and security administrator” and “security practitioner” will be used to indicate an individual who has a legitimate and authorized purpose for running these tools. The term “attacker” will be used for those individuals who seek to cause damage to systems or who are not authorized to run such tools.
Many of the tools described in this chapter have dual personalities; they can be used for good or evil. When used by malicious individuals, the tools allow a motivated attacker to gain access to a network, mask the fact that a compromise occurred, or even bring down service, thereby impacting large masses of users. When used by security practitioners with proper authorization, some tools can be used to measure the security stance of their own organizations, by conducting “ethical hacking” tests to ?nd vulnerabilities before attackers do.
Caveat
The purpose of this chapter is to explain the various computer underground tools in use today, and to discuss defensive techniques for addressing each type of tool. This chapter is not designed to encourage attacks. Furthermore, the tools described below are for illustration purposes only, and mention in this chapter is not an endorsement. If readers feel compelled to experiment with these tools, they should do so at their own risk, realizing that such tools frequently have viruses or other undocumented features that could damage networks and information systems. Curious readers who want to use these tools should conduct a through review of the source code, or at least install the tools on a separate, air-gapped network to protect sensitive production systems.
General Trends in the Computer Underground
The Smart Get Smarter, and the Rise of the Script Kiddie
The best and brightest minds in the computer underground are conducting probing research and ?nding new vulnerabilities and powerful, novel attacks on a daily basis. The ideas and deep research done by super-smart attackers and security practitioners are being implemented in software programs and scripts. Months of research into how a particular operating system implements its password scheme is being rendered in code, so even a clueless attacker (often called a “script kiddie”) can conduct a highly sophisticated attack with just a point-and-click. Although the script kiddie may not understand the tools’ true function and nuances, most of the attack is automated.
In this environment, security practitioners must be careful not to underestimate their adversaries’ capabil-ities. Often, security and system administrators think of their potential attackers as mere teenage kids cruising the Internet looking for easy prey. While this assessment is sometimes accurate, it masks two major concerns. First, some of these teenage kids are amazingly intelligent, and can wreak havoc on a network. Second, attackers may not be just kids; organized crime, terrorists, and even foreign governments have taken to sponsoring cyberattacks.
Wide Distribution of High-Quality Tools
Another trend in the computing underground involves the widespread distribution of tools. In the past (a decade ago), powerful attack tools were limited to a core group of elites in the computer underground. Today, hundreds of Web sites are devoted to the sharing of tools for every attacker (and security practitioner) on the planet. FAQs abound describing how to penetrate any type of operating system. These overall trends converge in a world where smart attackers have detailed knowledge of undermining our systems, while the not-so-smart attackers grow more and more plentiful. To address this increasing threat, system administrators and security practitioners must understand these tools and how to defend against them. The remainder of this chapter describes many of these very powerful tools in widespread use today, together with practical defensive tips for protecting one’s network from each type of attack.
Network Mapping and Port Scanning
When launching an attack across a TCP/IP network (such as the Internet or a corporate intranet), an attacker needs to know what addresses are active, how the network topology is constructed, and which services are available. A network mapper identi?es systems that are connected to the target network. Given a network address range, the network mapper will send packets to each possible address to determine which addresses have machines.
By sending a simple Internet Control Message Protocol (ICMP) packet to a server (a “ping”), the mapping tool can discover if a server is connected to the network. For those networks that block incoming pings, many of the mapping tools available today can send a single SYN packet to attempt to open a connection to a server. If a server is listening, the SYN packet will trigger an ACK if the port is open, and potentially a “Port Unreachable” message if the port is closed. Regardless of whether the port is open or closed, the response indicates that the address has a machine listening. With this list of addresses, an attacker can re?ne the attack and focus on these listening systems.
A port scanner identi?es open ports on a system. There are 65,535 TCP ports and 65,535 UDP ports, some of which are open on a system, but most of which are closed. Common services are associated with certain ports. For example, TCP Port 80 is most often used by Web servers, TCP Port 23 is used by Telnet daemons, and TCP Port 25 is used for server-to-server mail exchange across the Internet. By conducting a port scan, an attacker will send packets to each and every port. Essentially, ports are rather like doors on a machine. At any one of the thousands of doors available, common services will be listening. A port scanning tool allows an attacker to knock on every one of those doors to see who answers.
Some scanning tools include TCP ?ngerprinting capabilities. While the Internet Engineering Task Force (IETF) has carefully speci?ed TCP and IP in various Requests for Comments (RFCs), not all packet options have standards associated with them. Without standards for how systems should respond to illegal packet formats, different vendors’ TCP/IP stacks respond differently to illegal packets. By sending various combina
tions of illegal packet options (such as initiating a connection with an RST packet, or combining other odd and illegal TCP code bits), an attacker can determine what type of operating system is running on the target machine. For example, by conducting a TCP ?ngerprinting scan, an attacker can determine if a machine is running Cisco IOS, Sun Solaris, or Microsoft Windows 2000. In some cases, even the particular version or service pack level can be determined using this technique.
After utilizing network mapping tools and port scanners, an attacker will know which addresses on the target network have listening machines, which ports are open on those machines (and therefore which services are running), and which operating system platforms are in use. This treasure trove of information is useful to the attacker in re?ning the attack. With this data, the attacker can search for vulnerabilities on the particular services and systems to attempt to gain access.
Nmap, written by Fyodor, is one of the most full-featured mapping and scanning tools available today. Nmap, which supports network mapping, port scanning, and TCP ?ngerprinting, can be found at http:// www.insecure. org/nmap.
Network Mapping and Port Scanning Defenses
To defend against network mapping and port scans, the administrator should remove all unnecessary systems and close all unused ports. To accomplish this, the administrator must disable and remove unneeded services from the machine. Only those services that have an absolute, de?ned business need should be running. A security administrator should also periodically scan the systems to determine if any unneeded ports are open. When discovered, these unneeded ports must be disabled.
Vulnerability Scanning
Once the target systems are identi?ed with a port scanner and network mapper, an attacker will search to determine if any vulnerabilities are present on the victim machines. Thousands of vulnerabilities have been discovered, allowing a remote attacker to gain a toehold on a machine or to take complete administrative control. An attacker could try each of these vulnerabilities on each system by entering individual commands to test for every vulnerability, but conducting an exhaustive search could take years. To speed up the process, attackers use automated scanning tools to quickly search for vulnerabilities on the target.
These automated vulnerability scanning tools are essentially databases of well-known vulnerabilities with an engine that can read the database, connect to a machine, and check to see if it is vulnerable to the exploit. The effectiveness of the tool in discovering vulnerabilities depends on the quality and thoroughness of its vulnerability database. For this reason, the best vulnerability scanners support the rapid release and update of the vulnerability database and the ability to create new checks using a scripting language.
High-quality commercial vulnerability scanning tools are widely available, and are often used by security practitioners and attackers to search for vulnerabilities. On the freeware front, SATAN (the Security Admin-istrator Tool for Analyzing Network) was one of the ?rst widely distributed automated vulnerability scanners, introduced in 1995. More recently, Nessus has been introduced as a free, open-source vulnerability scanner available at http://www.nessus.org. The Nessus project, which is led by Renaud Deraison, provides a full-featured scanner for identifying vulnerabilities on remote systems. It includes source code and a scripting language for writing new vulnerability checks, allowing it to be highly customized by security practitioners and attackers alike.
While Nessus is a general-purpose vulnerability scanner, looking for holes in numerous types of systems and platforms, some vulnerability scanners are much more focused on particular types of systems. For example, Whisker is a full-feature vulnerability scanning tool focusing on Web server CGI scripts. Written by Rain Forest Puppy, Whisker can be found at http://www.wiretrip.net/rfp.
Vulnerability Scanning Defenses
As described above, the administrator must close unused ports. Additionally, to eliminate the vast majority of system vulnerabilities, system patches must be applied in a timely fashion. All organizations using computers should have a de?ned change control procedure that speci?es when and how system patches will be kept up-to-date.
Security practitioners should also conduct periodic vulnerability scans of their own networks to ?nd vulnerabilities before attackers do. These scans should be conducted on a regular basis (such as quarterly or even monthly for sensitive networks), or when major network changes are implemented. The discovered vulnerabilities must be addressed in a timely fashion by updating system con?gurations or applying patches.
Wardialing
A cousin of the network mapper and scanner, a wardialing tool is used to discover target systems across a telephone network. Organizations often spend large amounts of money in securing their network from a full, frontal assault over the Internet by implementing a ?rewall, intrusion detection system, and secure DMZ. Unfortunately, many attackers avoid this route and instead look for other ways into the network. Modems left on users’ desktops or old, forgotten machines often provide the simplest way into a target network.
Wardialers, also known as “demon dialers,” dial a series of telephone numbers, attempting to locate modems on the victim network. An attacker will determine the telephone extensions associated with the target organi-zation. This information is often gleaned from a Web site listing telephone contacts, employee newsgroup postings with telephone contact information in the signature line, or even general employee e-mail. Armed with one or a series of telephone numbers, the attacker will enter into the wardialing tool ranges of numbers associated with the original number (for example, if an employee’s telephone number in a newsgroup posting is listed as 555-1212, the attacker will dial 555-XXXX). The wardialer will automatically dial each number, listen for the familiar wail of a modem carrier tone, and make a list of all telephone numbers with modems listening.
With the list of modems generated by the wardialer, the attacker will dial each discovered modem using a terminal program or other client. Upon connecting to the modem, the attacker will attempt to identify the system based on its banner information and see if a password is required. Often, no password is required, because the modem was put in place by a clueless user requiring after-hours access and not wanting to bother using approved methods. If a password is required, the attacker will attempt to guess passwords commonly associated with the platform or company.
Some wardialing tools also support the capability of locating a repeat dial-tone, in addition to the ability to detect modems. The repeat dial-tone is a great ?nd for the attacker, as it could allow for unrestricted dialing from a victim’s PBX system to anywhere in the world. If an attacker ?nds a line on PBX supporting repeat dial-tone in the same local dialing exchange, the attacker can conduct international wardialing, with all phone bills paid for by the victim with the miscon?gured PBX.
The most fully functional wardialing tool available today is distributed by The Hacker’s Choice (THC) group. Known as THC-Scan, the tool was written by Van Hauser and can be found at http://inferno.tuscu-lum.edu/thc. THC-Scan 2.0 supports many advanced features, including sequential or randomized dialing, dialing through a network out-dial, modem carrier and repeat dial-tone detection, and rudimentary detection avoidance capabilities.
Wardialing Defenses
The best defense against wardialing attacks is a strong modem policy that prohibits the use of modems and incoming lines without a de?ned business need. The policy should also require the registration of all modems with a business need in a centralized database only accessible by a security or system administrator.
Additionally, security personnel should conduct periodic wardialing exercises of their own networks to ?nd the modems before the attackers do. When a phone number with an unregistered modem is discovered, the physical device must be located and deactivated. While ?nding such devices can be dif?cult, network defenses depend on ?nding these renegade modems before an attacker does.
Network Exploits: Snif?ng, Spoo?ng, and Session Hijacking
TCP/IP, the underlying protocol suite that makes up the Internet, was not originally designed to provide security services. Likewise, the most common data-link type used with TCP/IP, Ethernet, is fundamentally unsecure. A whole series of attacks are possible given these vulnerabilities of the underlying protocols. The
most widely used and potentially damaging attacks based on these network vulnerabilities are snif?ng, spoo?ng, and session hijacking.
Snif?ng
Sniffers are extremely useful tools for an attacker and are therefore a fundamental element of an attacker’s toolchest. Sniffers allow an attacker to monitor data passing across a network. Given their capability to monitor network traf?c, sniffers are also useful for security practitioners and network administrators in troubleshooting networks and conducting investigations. Sniffers exploit characteristics of several data-link technologies, including Token Ring and especially Ethernet.
Ethernet, the most common LAN technology, is essentially a broadcast technology. When Ethernet LANs are constructed using hubs, all machines connected to the LAN can monitor all data on the LAN segment. If userIDs, passwords, or other sensitive information are sent from one machine (e.g., a client) to another machine (e.g., a server or router) on the same LAN, all other systems connected to the LAN could monitor the data. A sniffer is a hardware or software tool that gathers all data on a LAN segment. When a sniffer is running on a machine gathering all network traf?c that passes by the system, the Ethernet interface and the machine itself are said to be in “promiscuous mode.”
Many commonly used applications, such as Telnet, FTP, POP (the Post Of?ce Protocol used for e-mail), and even some Web applications, transmit their passwords and sensitive data without any encryption. Any attacker on a broadcast Ethernet segment can use a sniffer to gather these passwords and data.
Attackers who take over a system often install a software sniffer on the compromised machine. This sniffer acts as a sentinel for the attacker, gathering sensitive data that moves by the compromised system. The sniffer gathers this data, including passwords, and stores it in a local ?le or transmits it to the attacker. The attacker then uses this information to compromise more and more systems. The attack methodology of installing a sniffer on one compromised machine, gathering data passing that machine, and using the sniffed information to take over other systems is referred to as an island-hopping attack.
Numerous snif?ng tools are available across the Internet. The most fully functional snif?ng tools include snif?t (by Brecht Claerhout, available at http://reptile.rug.ac.be/~coder/snif?t/snif?t.html) and Snort (by Mar-tin Roesch, available at http://www.clark.net/~roesch/security.html). Some operating systems ship with their own sniffers installed by default, notably Solaris (with the snoop tool) and some varieties of Linux (which ship with tcpdump). Other commercial sniffers are also available from a variety of vendors.
Snif?ng Defenses
The best defense against snif?ng attacks is to encrypt the data in transit. Instead of sending passwords or other sensitive data in cleartext, the application or network should encrypt the data (SSH, secure Telnet, etc.).
Another defense against sniffers is to eliminate the broadcast nature of Ethernet. By utilizing a switch instead of a hub to create a LAN, the damage that can be done with a sniffer is limited. A switch can be con?gured so that only the required source and destination ports on the switch carry the traf?c. Although they are on the same LAN, all other ports on the switch (and the machines connected to those ports) do not see this data. Therefore, if one system is compromised on a LAN, a sniffer installed on this machine will not be capable of seeing data exchanged between other machines on the LAN. Switches are therefore useful in improving security by minimizing the data a sniffer can gather, and also help to improve network performance.
IP Spoo?ng
Another network-based attack involves altering the source address of a computer to disguise the attacker and exploit weak authentication methods. IP address spoo?ng allows an attacker to use the IP address of another machine to conduct an attack. If the target machines rely on the IP address to authenticate, IP spoo?ng can give an attacker access to the systems. Additionally, IP spoo?ng can make it very dif?cult to apprehend an attacker, because logs will contain decoy addresses and not the real source of the attack. Many of the tools described in other sections of this chapter rely on IP spoo?ng to hide the true origin of the attack.
Spoo?ng Defenses
Systems should not use IP addresses for authentication. Any functions or applications that rely solely on IP address for authentication should be disabled or replaced. In UNIX, the “r-commands” (rlogin, rsh, rexec,
and rcp) are notoriously subject to IP spoo?ng attacks. UNIX trust relationships allow an administrator to manage systems using the r-commands without providing a password. Instead of a password, the IP address of the system is used for authentication. This major weakness should be avoided by replacing the r-commands with administration tools that utilize strong authentication. One such tool, secure shell (ssh), uses strong cryptography to replace the weak authentication of the r-commands. Similarly, all other applications that rely on IP addresses for critical security and administration functions should be replaced.
Additionally, an organization should deploy anti-spoof ?lters on its perimeter networks that connect the organization to the Internet and business partners. Anti-spoof ?lters drop all traf?c coming from outside the network claiming to come from the inside. With this capability, such ?lters can prevent some types of spoo?ng attacks, and should be implemented on all perimeter network routers.
Session Hijacking
While snif?ng allows an attacker to view data associated with network connections, a session hijack tool allows an attacker to take over network connections, kicking off the legitimate user or sharing a login. Session hijacking tools are used against services with persistent login sessions, such as Telnet, rlogin, or FTP. For any of these services, an attacker can hijack a session and cause a great deal of damage.
A common scenario illustrating session hijacking involves a machine, Alice, with a user logged in to remotely administer another system, Bob, using Telnet. Eve, the attacker, sits on a network segment between Alice and Bob (either Alice’s LAN, Bob’s LAN, or between any of the routers between Alice’s and Bob’s LANs). Exhibit
10.1 illustrates this scenario in more detail. Using a session hijacking tool, Eve can do any of the following:
-
Monitor Alice’s session. Most session hijacking tools allow attackers to monitor all connections available on the network and select which connections they want to hijack.
-
Insert commands into the session. An attacker may just need to add one or two commands into the stream to recon?gure Bob. In this type of hijack, the attacker never takes full control of the session. Instead, Alice’s login session to Bob has a small number of commands inserted, which will be executed on Bob as though Alice had typed them.
-
Steal the session. This feature of most session hijacking tools allows an attacker to grab the session from Alice, and directly control it. Essentially, the Telnet client control is shifted from Alice to Eve, without Bob’s knowing.
-
Give the session back. Some session hijacking tools allow the attacker to steal a session, interact with the server, and then smoothly give the session back to the user. While the session is stolen, Alice is put on hold while Eve controls the session. With Alice on hold, all commands typed by Alice are displayed on Eve’s screen, but not transmitted to Bob. When Eve is ?nished making modi?cations on Bob, Eve transfers control back to Alice.
For a successful hijack to occur, the attacker must be on a LAN segment between Alice and Bob. A session hijacking tool monitors the connection using an integrate sniffer, observing the TCP sequence numbers of the packets going each direction. Each packet sent from Alice to Bob has a unique TCP sequence number used by Bob to verify that all packets are received and put in proper order. Likewise, all packets going back from Bob to Alice have sequence numbers. A session hijacking tool sniffs the packets to determine these sequence numbers. When a session is hijacked (through command insertion or session stealing), the hijacking tool automatically uses the appropriate sequence numbers and spoofs Alice’s address, taking over the conversation with Bob where Alice left off.
One of the most fully functional session hijacking tool available today is Hunt, written by Kra and available at http://www.cri.cz/kra/index.html. Hunt allows an attacker to monitor and steal sessions, insert single com-mands, and even give a session back to the user.
Session Hijacking Defenses
The best defense against session hijacking is to avoid the use of insecure protocols and applications for sensitive sessions. Instead of using the easy-to-hijack (and easy-to-sniff) Telnet application, a more secure, encrypted session tool should be used. Because the attacker does not have the session encryption keys, an encrypted session cannot be hijacked. The attacker will simply see encrypted gibberish using Hunt, and will only be able to reset the connection, not take it over or insert commands.
Secure shell (ssh) offers strong authentication and encrypted sessions, providing a highly secure alternative to Telnet and rlogin. Furthermore, ssh includes a secure ?le transfer capability (scp) to replace traditional FTP. Other alternatives are available, including secure, encrypted Telnet or a virtual private network (VPN) estab-lished between the source and destination.
Denial-of-Service Attacks
Denial-of-service attacks are among the most common exploits available today. As their name implies, a denial-of-service attack prevents legitimate users from being able to access a system. With E-commerce applications constituting the lifeblood of many organizations and a growing piece of the world economy, a well-timed denial-of-service attack can cause a great deal of damage. By bringing down servers that control sensitive machinery or other functions, these attacks could also present a real physical threat to life and limb. An attacker could cause the service denial by ?ooding a system with bogus traf?c, or even purposely causing the server to crash. Countless denial-of-service attacks are in widespread use today, and can be found at http://packet-storm.securify.com/exploits/DoS. The most often used network-based denial-of-service attacks fall into two categories: malformed packet attacks and packet ?oods.
Malformed Packet Attacks
This type of attack usually involves one or two packets that are formatted in an unexpected way. Many vendor product implementations do not take into account all variations of user entries or packet types. If the software handles such errors poorly, the system may crash when it receives such packets. A classic example of this type of attack involves sending IP fragments to a system that overlap with each other (the fragment offset values are incorrectly set). Some unpatched Windows and Linux systems will crash when they encounter such packets. The teardrop attack is an example of a tool that exploits this IP fragmentation handling vulnerability. Other malformed packet attacks that exploit other weaknesses in TCP/IP implementations include the colorfully named WinNuke, Land, LaTierra, NewTear, Bonk, Boink, etc.
Packet Flood Attacks
Packet ?ood denial-of-service tools send a deluge of traf?c to a system on the network, overwhelming its capability to respond to legitimate users. Attackers have devised numerous techniques for creating such ?oods, with the most popular being SYN ?oods, directed broadcast attacks, and distributed denial-of-service tools.
SYN ?ood tools initiate a large number of half-open connections with a system by sending a series of SYN packets. When any TCP connection is established, a three-way handshake occurs. The initiating system (usually the client) sends a SYN packet to the destination to establish a sequence number for all packets going from source to destination in that session. The destination responds with a SYN-ACK packet, which acknowledges the sequence number for packets going from source to destination, and establishes an initial sequence number for packets going the opposite direction. The source completes the three-way handshake by sending an ACK to the destination. The three-way handshake is completed, and communication (actual data transfer) can occur.
SYN ?oods take advantage of a weakness in TCP’s three-way handshake. By sending only spoofed SYN packets and never responding to the SYN-ACK, an attacker can exhaust a server’s ability to maintain state of all the initiated sessions. With a huge number of so-called half-open connections, a server cannot handle any new, legitimate traf?c. Rather than ?lling up all of the pipe bandwidth to a server, only the server’s capacity to handle session initiations needs to be overwhelmed (in most network con?gurations, a server’s ability to handle SYNs is lower than the total bandwidth to the site). For this reason, SYN ?ooding is the most popular packet ?ood attack. Other tools are also available that ?ood systems with ICMP and UDP packets, but they merely consume bandwidth, so an attacker would require a bigger connection than the victim to cut off all service.
Another type of packet ?ood that allows attackers to amplify their bandwidth is the directed broadcast attack. Often called a smurf attack, named after the ?rst tool to exploit this technique, directed broadcast attacks utilize a third-party’s network as an ampli?er for the packet ?ood. In a smurf attack, the attacker locates a network on the Internet that will respond to a broadcast ICMP message (essentially a ping to the network’s broadcast address). If the network is con?gured to allow broadcast requests and responses, all machines on the network will send a response to the ping. By spoo?ng the ICMP request, the attacker can have all machines on the third-party network send responses to the victim. For example, if an organization has 30 hosts on a single DMZ network connected to the Internet, an attacker can send a spoofed network broadcast ping to the DMZ. All 30 hosts will send a response to the spoofed address, which would be the ultimate victim. By sending repeated messages to the broadcast network, the attacker has ampli?ed bandwidth by a factor of 30. Even an attacker with only a 56-kbps dial-up line could ?ll up a T1 line (1.54 Mbps) with that level of ampli?cation. Other directed broadcast attack tools include Fraggle and Papasmurf.
A ?nal type of denial-of-service that has received considerable press is the distributed denial-of-service attack. Essentially based on standard packet ?ood concepts, distributed denial-of-service attacks were used to cripple many major Internet sites in February 2000. Tools such as Trin00, Tribe Flood Network 2000 (TFN2K), and Stacheldraht all support this type of attack. To conduct a distributed denial-of-service attack, an attacker must ?nd numerous vulnerable systems on the Internet. Usually, a remote buffer over?ow attack (described below) is used to take over a dozen, a hundred, or even thousands of machines. Simple daemon processes, called zombies, are installed on these machines taken over by the attacker. The attacker communicates with this network of zombies using a control program. The control program is used to send commands to the hundreds or thousands of zombies, requesting them to take uniform action simultaneously.
The most common action to be taken is to simultaneously launch a packet ?ood against a target. While a traditional SYN ?ood would deluge a target with packets from one host, a distributed denial-of-service attack would send packets from large numbers of zombies, rapidly exhausting the capacity of even very high-bandwidth, well-designed sites. Many distributed denial-of-service attack tools support SYN, UDP, and ICMP ?ooding, smurf attacks, as well as some malformed packet attacks. Any one or all of these options can be selected by the attacker using the control program.
Denial-of-Service Attack Defenses
To defend against malformed packet attacks, system patches and security ?xes must be regularly applied. Vendors frequently update their systems with patches to handle a new ?avor of denial-of-service attack. An organization must have a program for monitoring vendor and industry security bulletins for security ?xes, and a controlled method for implementing these ?xes soon after they are announced and tested.
For packet ?ood attacks, critical systems should have underlying network architectures with multiple, redundant paths, eliminating a single point of failure. Furthermore, adequate bandwidth is a must. Also, some routers and ?rewalls support traf?c ?ow control to help ease the burden of a SYN ?ood.
Finally, by con?guring an Internet-accessible network appropriately, an organization can minimize the possibility that it will be used as a jumping-off point for smurf and distributed denial-of-service attacks. To prevent the possibility of being used as a smurf ampli?er, the external router or ?rewall should be con?gured to drop all directed broadcast requests from the Internet. To lower the chance of being used in a distributed denial-of-service attack, an organization should implement anti-spoof ?lters on external routers and ?rewalls to make sure that all outgoing traf?c has a source IP address of the site. This egress ?ltering prevents an attacker from sending spoofed packets from a zombie or other denial-of-service tool located on the network. Antispoof ingress ?lters, which drop all packets from the Internet claiming to come from one’s internal network, are also useful in preventing some denial-of-service attacks.
Stack-Based Buffer Over?ows
Stack-based buffer over?ow attacks are commonly used by an attacker to take over a system remotely across a network. Additionally, buffer over?ows can be employed by local malicious users to elevate their privileges and gain superuser access to a system. Stack-based buffer over?ow attacks exploit the way many operating systems handle their stack, an internal data structure used by running programs to store data temporarily. When a function call is made, the current state of the executing program and variables to be passed to the function are pushed on the stack. New local variables used by the function are also allocated space on the stack. Additionally, the stack stores the return address of the code calling the function. This return address will be accessed from the stack once the function call is complete. The system uses this address to resume execution of the calling program at the appropriate place. Exhibit 10.2 shows how a stack is constructed.
Most UNIX and all Windows systems have a stack that can hold data and executable code. Because local variables are stored on the stack when a function is called, poor code can be exploited to overrun the boundaries of these variables on the stack. If user input length is not examined by the code, a particular variable on the stack may exceed the memory allocated to it on the stack, overwriting all variables and even the return address for where execution should resume after the function is complete. This operation, called “smashing” the stack, allows an attacker to over?ow the local variables to insert executable code and another return address on the stack. Exhibit 10.2 also shows a stack that has been smashed with a buffer over?ow.
The attacker will over?ow the buffer on the stack with machine-speci?c bytecodes that consist of executable commands (usually a shell routine), and a return pointer to begin execution of these inserted commands. Therefore, with very carefully constructed binary code, the attacker can actually enter information as a user into a program that consists of executable code and a new return address. The buggy program will not analyze the length of this input, but will place it on the stack, and actually begin to execute the attacker’s code. Such vulnerabilities allow an attacker to break out of the application code, and access any system components with the permissions of the broken program. If the broken program is running with superuser privileges (e.g., SUID root on a UNIX system), the attacker has taken over the machine with a buffer over?ow.
Stack-Based Buffer Over?ow Defenses
The most thorough defenses against buffer over?ow attacks is to properly code software so that it cannot be used to smash the stack. All programs should validate all input from users and other programs, ensuring that it ?ts into allocated memory structures. Each variable should be checked (including user input, variables from other functions, input from other programs, and even environment variables) to ensure that allocated buffers are adequate to hold the data. Unfortunately, this ultimate solution is only available to individuals who write the programs and those with source code.
Additionally, security practitioners and system administrators should carefully control and minimize the number of SUID programs on a system that users can run and have permissions of other users (such as root). Only SUID programs with an explicit business need should be installed on sensitive systems.
Finally, many stack-based buffer over?ow attacks can be avoided by con?guring the systems to not execute code from the stack. Notably, Solaris and Linux offer this option. For example, to secure a Solaris system against stack-based buffer over?ows, the following lines should be added:
/etc/system:
set noexec_user_stack=1
set noexec_user_stack_log=1
The ?rst line will prevent execution on a stack, and the second line will log any attempt to do so. Unfortunately, some programs legitimately try to run code off the stack. Such programs will crash if this option is implemented. Generally, if the system is single purpose and needs to be secure (e.g., a Web server), this option should be used to prevent stack-based buffer over?ow.
The Art and Science of Password Cracking
The vast majority of systems today authenticate users with a static password. When a user logs in, the password is transmitted to the system, which checks the password to make the decision whether to let the user log in. To make this decision, the system must have a mechanism to compare the user’s input with the actual password. Of course, the system could just store all of the passwords locally and compare from this ?le. Such a ?le of cleartext passwords, however, would provide a very juicy target for an attacker. To make the target less useful for attackers, most modern operating systems use a one-way hash or encryption mechanism to protect the stored passswords. When a user types in a password, the system hashes the user’s entry and compares it to the stored hash. If the two hashes match, the password is correct and the user can login.
Password cracking tools are used to attack this method of password protection. An attacker will use some exploit (often a buffer over?ow) to gather the encrypted or hashed password ?le from a system (on a UNIX system without password shadowing, any user can read the hashed password ?le). After downloading the hashed password ?le, the attacker uses a password cracking tool to determine users’ passwords. The cracking tool operates using a loop: it guesses a password, hashes or encrypts the password, and compares it to the hashed password from the stolen ?le. If the hashes match, the attacker has the password. If the hashes do not match, the loop begins again with another password guess.
Password cracking tools base their password guesses on a dictionary or a complete brute-force attack, attempting every possible password. Dozens of dictionaries are available online, in a multitude of languages, including English, French, German, Klingon, etc.
Numerous password-cracking tools are available. The most popular and full-functional password crackers include:
-
-
• John-the-Ripper, by Solar Designer, focuses on cracking UNIX passwords, and is available at http://
-
www.openwall.com/john/.
-
-
L0phtCrack, used to crack Windows NT passwords, is available at http://www.l0pht.com.
Password Cracking Defenses
The ?rst defense against password cracking is to minimize the exposure of the encrypted/hashed password ?le. On UNIX systems, shadow password ?les should be used, which allow only the superuser to read the password ?le. On Windows NT systems, the SYSKEY feature available in NT 4.0 SP 3 and later should be installed and enabled. Furthermore, all backups and system recovery disks should be stored in physically secured locations and possibly even encrypted.
A strong password policy is a crucial element in ensuring a secure network. A password policy should require password lengths greater than eight characters, require the use of alphanumeric and special characters in every password, and force users to have passwords with mixed-case letters. Users must be aware of the issue of weak passwords and be trained in creating memorable, yet dif?cult-to-guess passwords.
To ensure that passwords are secure and to identify weak passwords, security practitioners should check system passwords on a periodic basis using password cracking tools. When weak passwords are discovered, the security group should have a de?ned procedure for interacting with users whose passwords can be easily guessed.
Finally, several software packages are available that prevent users from setting their passwords to easily guessed values. When a user establishes a new password, these ?ltering programs check the password to make sure that it is suf?ciently complex and is not just a variation of the user name or a dictionary word. With this kind of tool, users are simply unable to create passwords that are easily guessed, eliminating a signi?cant security issue. For ?ltering software to be effective, it must be installed on all servers where users establish passwords, including UNIX servers, Windows NT Primary and Back-up Domain Controllers, and Novell servers.
Backdoors
Backdoors are programs that bypass traditional security checks on a system, allowing an attacker to gain access to a machine without providing a system password and getting logged. Attackers install backdoors on a machine (or dupe a user into installing one for them) to ensure they will be able to gain access to the system at a later time. Once installed, most backdoors listen on special ports for incoming connections from the attacker across the network. When the attacker connects to the backdoor listener, the traditional userID and password or other forms of authentication are bypassed. Instead, the attacker can gain access to the system without providing a password, or by using a special password used only to enter the backdoor.
Netcat is an incredibly ?exible tool written for UNIX by Hobbit and for Windows NT by Weld Pond (both versions are available at http://www. l0pht.com/~weld/netcat/). Among its numerous other uses, Netcat can be used to create a backdoor listener with a superuser-level shell on any TCP or UDP port. For Windows systems, an enormous number of backdoor applications are available, including Back Ori?ce 2000 (called BO2K for short, and available at http://www.bo2k.com) and hack-a-tack (available at http://www.hack-a-tack.com).
Backdoor Defenses
The best defense against backdoor programs is for system and security administrators to know what is running on their machines, particularly sensitive systems storing critical information or processing high-value trans-actions. If a process suddenly appears running as the superuser listening on a port, the administrator needs to investigate. Backdoors listening on various ports can be discovered using the netstat –na command on UNIX and Windows NT systems.
Additionally, many backdoor programs (such as BO2K) can be discovered by an anti-virus program, which should be installed on all users’ desktops, as well as on servers throughout an organization.
Trojan Horses and RootKits
Another fundamental element of an attacker’s toolchest is the Trojan horse program. Like the Trojan horse of ancient Greece, these new Trojan horses appear to have some useful function, but in reality are just disguising some malicious activity. For example, a user may receive an executable birthday card program in electronic mail. When the unsuspecting user activates the birthday card program and watches birthday cakes dance across the screen, the program secretly installs a backdoor or perhaps deletes the users’ hard drive. As illustrated in this example, Trojan horses rely on deception — they trick a user or system administrator into running them for their (apparent) usefulness, but their true purpose is to attack the user’s machine.
Traditional Trojan Horses
A traditional Trojan horse is simply an independent program that can be run by a user or administrator. Numerous traditional Trojan horse programs have been devised, including:
-
The familiar birthday card or holiday greeting e-mail attachment described above.
-
A software program that claims to be able to turn CD-ROM readers into CD writing devices. Although this feat is impossible to accomplish in software, many users have been duped into downloading this “tool,” which promptly deletes their hard drives upon activation.
-
A security vulnerability scanner, WinSATAN. This tool claims to provide a convenient security vulner-ability scan for system and security administrators using a Windows NT system. Unfortunately, an unsuspecting user running this program will also have a deleted hard drive.
Countless other examples exist. While conceptually unglamorous, traditional Trojan horses can be a major problem if users are not careful and run untrusted programs on their machines.
RootKits
A RootKit takes the concept of a Trojan horse to a much more powerful level. Although the name implies otherwise, RootKits do not allow an attacker to gain “root” (superuser) access to a system. Instead, RootKits allow an attacker who already has superuser access to keep that access by foiling all attempts of an administrator to detect the invasion. RootKits consist of an entire suite of Trojan horse programs that replace or patch critical system programs. The various tools used by administrators to detect attackers on their machines are routinely undermined with RootKits.
Most RootKits include a Trojan horse backdoor program (in UNIX, the /bin/login routine). The attacker will install a new Trojan horse version of /bin/login, overwriting the previous version. The RootKit /bin/login routine includes a special backdoor userID and password so that the attacker can access the system at later times.
Additionally, RootKits include a sniffer and a program to hide the sniffer. An administrator can detect a sniffer on a system by running the ifcon?g command. If a sniffer is running, the ifcon?g output will contain the PROMISC ?ag, an indication that the Ethernet card is in promiscuous mode and therefore is snif?ng. RootKit contains a Trojan horse version of ifcon?g that does not display the PROMISC ?ag, allowing an attacker to avoid detection.
UNIX-based RootKits also replace other critical system executables, including ps and du. The ps command, emloyed by users and administrators to determine which processes are running, is modi?ed so that an attacker can hide processes. The du command, which shows disk utilization, is altered so that the ?le space taken up by RootKit and the attacker’s other programs can be masked.
By replacing programs like /bin/login, ifcon?g, ps, du, and numerous others, these RootKit tools become part of the operating system itself. Therefore, RootKits are used to cover the eyes and ears of an administrator. They create a virtual world on the computer that appears benign to the system administrator, when in actuality, an attacker can log in and move around the system with impunity. RootKits have been developed for most major UNIX systems and Windows NT. A whole variety of UNIX RootKits can be found at http://packet-storm.securify.com/UNIX/penetration/rootkits, while an NT RootKit is available at http://www.rootkit.com.
A recent development in this arena is the release of kernel-level RootKits. These RootKits act at the most fundamental levels of an operating system. Rather than replacing application programs such as /bin/login and ifcon?g, kernel-level RootKits actually patch the kernel to provide very low-level access to the system. These tools rely on the loadable kernel modules that many new UNIX variants support, including Linux and Solaris. Loadable kernel modules let an administrator add functionality to the kernel on-the-?y, without even rebooting the system. An attacker with superuser access can install a kernel-level RootKit that will allow for the remapping of execution of programs.
When an administrator tries to run a program, the Trojanized kernel will remap the execution request to the attacker’s program, which could be a backdoor offering access or other Trojan horse. Because the kernel does the remapping of execution requests, this type of activity is very dif?cult to detect. If the administrator attempts to look at the remapped ?le or check its integrity, the program will appear unaltered, because the program’s image is unaltered. However, when executed, the unaltered program is skipped, and a malicious program is substituted by the kernel. Knark, written by Creed, is a kernel-level RootKit that can be found at
http://packetstorm.securify.com/UNIX/penetration/rootkits.
Trojan Horses and RootKit Defenses
To protect against traditional Trojan horses, user awareness is key. Users must understand the risks associated with downloading untrusted programs and running them. They must also be made aware of the problems of running executable attachments in e-mail from untrusted sources.
Additionally, some traditional Trojan horses can be detected and eliminated by anti-virus programs. Every end-user computer system (and even servers) should have an effective and up-to-date anti-virus program installed.
To defend against RootKits, system and security administrators must use integrity checking programs for critical system ?les. Numerous tools are available, including the venerable Tripwire, that generate a hash of the executables commonly altered when a RootKit is installed. The administrator should store these hashes on a protected medium (such as a write-protected ?oppy disk) and periodically check the veracity of the programs on the machine with the protected hashes. Commonly, this type of check is done at least weekly, depending on the sensitivity of the machine. The administrator must reconcile any changes discovered in these critical system ?les with recent patches. If system ?les have been altered, and no patches were installed by the administrator, a malicious user or outside attacker may have installed a RootKit. If a RootKit is detected, the safest way to ensure its complete removal is to rebuild the entire operating system and even critical applications.
Unfortunately, kernel-level RootKits cannot be detected with integrity check programs because the integrity checker relies on the underlying kernel to do its work. If the kernel lies to the integrity checker, the results will not show the RootKit installation. The best defense against the kernel-level RootKit is a monolithic kernel that does not support loadable kernel modules. On critical systems (such as ?rewalls, Internet Web servers, DNS servers, mail servers, etc.), administrators should build the systems with complete kernels without support for loadable kernel modules. With this con?guration, the system will prevent an attacker from gaining root-level access and patching the kernel in real-time.
Overall Defenses: Intrusion Detection and Incident Response Procedures
Each of the defensive strategies described in this chapter deals with particular tools and attacks. In addition to employing each of those strategies, organizations must also be capable of detecting and responding to an attack. These capabilities are realized through the deployment of intrusion detection systems (IDSs) and the implementation of incident response procedures.
IDSs act as burglar alarms on the network. With a database of known attack signatures, IDSs can determine when an attack is underway and alert security and system administration personnel. Acting as early warning systems, IDSs allow an organization to detect an attack in its early stages and minimize the damage that may be caused.
Perhaps even more important than IDSs, documented incident response procedures are among the most critical elements of an effective security program. Unfortunately, even with industry-best defenses, a suf?ciently motivated attacker can penetrate the network. To address this possibility, an organization must have procedures de?ned in advance describing how the organization will react to the attack. These incident response procedures should specify the roles of individuals in the organization during an attack. The chain of command and escalation procedures should be spelled out in advance. Creating these items during a crisis will lead to costly mistakes.
Truly effective incident response procedures should also be multidisciplinary, not focusing only on infor-mation technology. Instead, the roles, responsibilities, and communication channels for the Legal, Human Resources, Media Relations, Information Technology, and Security organizations should all be documented and communicated. Speci?c members of these organizations should be identi?ed as the core of a Security Incident Response Team (SIRT), to be called together to address an incident when one occurs. Additionally, the SIRT should conduct periodic exercises of the incident response capability to ensure that team members are effective in their roles.
Additionally, with a large number of organizations outsourcing their information technology infrastructure by utilizing Web hosting, desktop management, e-mail, data storage, and other services, the extension of the incident response procedures to these outside organizations can be critical. The contract established with the outsourcing company should carefully state the obligations of the service provider in intrusion detection, incident noti?cation, and participation in incident response. A speci?c service-level agreement for handling security incidents and the time needed to pull together members of the service company’s staff in a SIRT should also be agreed upon.
Conclusions
While the number and power of these attack tools continues to escalate, system administrators and security personnel should not give up the ?ght. All of the defensive strategies discussed throughout this chapter boil down to doing a thorough and professional job of administering systems: know what is running on the system, keep it patched, ensure appropriate bandwidth is available, utilize IDSs, and prepare a Security Incident Response Team. Although these activities are not easy and can involve a great deal of effort, through diligence, an organization can keep its systems secured and minimize the chance of an attack. By employing intrusion detection systems and sound incident response procedures, even those highly sophisticated attacks that do get through can be discovered and contained, minimizing the impact on the organization. By creating an effective security program with sound defensive strategies, critical systems and information can be protected.
