Before
you can start to hack systems you need a platform to work from. This
platform must be stable and not easily traceable. How does one become
anonymous on the Internet? It's is not that easy. Let us look at the
different options (BTW if this chapter does not seem relevant you might
want to skip it):
The problem with these connections is that it needs to be installed by
your local Telecom at a premise where you are physically located. Most
ISPs wants you to sign a contract when you install a permanent line, and
ask for identification papers. So, unless you can produce false
identification papers, company papers etc., and have access to a
building that cannot be directly tied to your name, this is not a good
idea.
Many ISPs provides "free dial-up" accounts. The problem is that logs are
kept either at the ISP, or at Telecom of calls that were made. At the
ISP side this is normally done using RADIUS or TACACS. The RADIUS server
will record the time that you dialed in, the connection speed, the
reason for disconnecting, the time that you disconnected and the userID
that you used. Armed with his information the Telecom can usually
provide the source number of the call (YOUR number). For the Telecom to
pinpoint the source of the call they need the destination number (the
number you called), the time the call was placed and the duration of the
call. In many cases, the Telecom need not be involved at all, as the ISP
records the source number themselves via Caller Line Identification
(CLI).
Let us assume that we find the DNS name "c1-pta-25.dial-up.net" in our
logs and we want to trace the attacker. We also assume that the ISP does
not support caller line identification, and the attacker was using a
compromised account. We contact the ISP to find out what the destination
number would be with a DNS name like that. The ISP provides the number -
e.g. +27 12 664 5555. It's a hunting line - meaning that there is one
number with many phone lines connected to it. We also tell the ISP the
time and date the attack took place (from our logs files). Let us assume
the attack took place 2000/8/2 at 17h17. The RADIUS server tells us what
userID was used, as well as the time it was connected: (these are the
typical logs)
These logs tell us that user "demo1" was connected from 17h05 to 17h25
on the date the attack took place. It was dialing in at a speed of
52kbps, it send 87369 bytes, and received 617378 bytes. We now have the
start time of the call, the destination number and the duration of the
call (20 minutes). Telecom will supply us with source number as well as
account details - e.g. physical location. As you can see, phoning from
your house to an ISP (even using a compromised or free ID) is not making
any sense.
Maybe using a GSM mobile phone will help? What can the GSM mobile
service providers extract from their logs? What is logged? A lot it
seems. GSM switches send raw logging information to systems that crunch
the data into what is called Call Data Records (CDRs). More systems
crush CDRs in SCDRs (Simple CDR). The SCDRs is sent to the various
providers for billing. How does a CDR look like? Hereby an example of a
broken down CDR:
Maybe using a GSM mobile phone will help? What can the GSM mobile
service providers extract from their logs? What is logged? A lot it
seems. GSM switches send raw logging information to systems that crunch
the data into what is called Call Data Records (CDRs). More systems
crush CDRs in SCDRs (Simple CDR). The SCDRs is sent to the various
providers for billing. How does a CDR look like? Hereby an example of a
broken down CDR:
This tells us that date and time the call was placed (1st string), the
source number (+27 83 448 6997), the destination number (834544204),
that it was made from a mobile phone, the duration of the call (1 minute
24 seconds), the cellID (20377), the three letter code for the service
provider (MTL = Mtel in this case), and the unique mobile device number
(IMEI number) 420121414652470. Another database can quickly identify the
location (long/lat) of the cell. This database typically looks like
this:
From this database we can see that the exact longitude and latitude of
the cell (in this case in the middle of Sandton, Johannesburg) and the
description of the cell. The call was thus placed from the Dimension
Data Oval in Sandton. Other databases provide the account information
for the specific source number. It is important to note that the IMEI
number is also logged - using your phone to phone your mother, switching
SIM cards, moving to a different location and hacking the NSA is not a
good idea using the same device is not bright - the IMEI number stays
the same, and links you to all other calls that you have made. Building
a profile is very easy and you'll be nailed in no time.
Using time advances and additional tracking cells, it is theoretically
possible to track you up to a resolution of 100 meters, but as the
switches only keep these logs for 24 hours, it is usually done in real
time with other tracking devices - and only in extreme situations.
Bottom line - even if you use a GSM mobile phone as modem device, the
GSM service providers knows a lot more about you than you might suspect.
So how do we use dial in accounts? It seems that having a compromised
dial in account does not help at all, but common sense goes a long way.
Suppose you used a landline, and they track you down to someone that
does not even owns a computer? Or to the PABX of a business? Or to a
payphone? Keeping all of above in mind - hereby a list of notes: (all
kinda common sense)
1. Tag your notebook computer, modem and croc-clips along to a DP
(distribution point). These are found all around - it is not discussed
in detail here as it differs from country to country. Choose a random
line and phone.
2. In many cases one can walk into a large corporation with a notebook
and a suit with no questions asked. Find any empty office, sit down,
plug in and dial.
1. Remember that the device number (IMEI) is logged (and it can be
blocked). Keep this in mind! The ultimate would be to use a single
device only once. - never use the device in a location that is linked to
you (e.g. a micro cell inside your office)
2. Try to use either a very densely populated cell (shopping malls) or a
location where there is only one tracking cell (like close to the
highway) as it makes it very hard to do spot positioning. Moving around
while you are online also makes it much harder to track you down.
3. Use prepaid cards! For obvious reasons you do not want the source
number to point directly to you. Prepaid cards are readily available
without any form of identification. (note: some prepaid cards does not
have data facilities, so find out first)
4. GSM has data limitations - currently the maximum data rate is
9600bps.
All of this seems like a lot of trouble. Is there not an easier way of
becoming anonymous on the Internet? Indeed there are many ways to skin a
cat. It really depends on what type of connectivity you need. Lets
assume all you want to do is sending anonymous email (I look at email
specifically because many of the techniques involved can be used for
other services such as HTTP, FTP etc.). How difficult could it be?
For many individuals it seems that registering a fake Hotmail, Yahoo
etc. account and popping a flame email to a unsuspected recipient is the
way to go. Doing this could land you in a lot of trouble. Lets look at a
header of email that originating from Yahoo:
The mail header tells us that our mailserver (wips.sensepost.com)
received email via SMTP from the web-enabled mailserver
(web111.yahoomail.com). It also tells us that the web-enabled mailserver
received the mail via HTTP (the web) from the IP number 196.34.250.7. It
is thus possible to trace the email to the originator. Given the fact
that we have the time the webserver received the mail (over the web) and
the source IP, we can use techniques explained earlier to find the
person who was sending the email. Most free web enabled email services
includes the client source IP (list of free email providers at
www.fepg.net).
How to overcome this? There are some people that think that one should
be allowed to surf the Internet totally anonymous. An example of these
people is Anonymizer.com (www.anonymizer.com).
Anonymizer.com allows you to enter a URL into a text box. It then proxy
all connections to the specified destination. Anonymizer claims that
they only keep hashes (one way encryption, cannot be reversed) of logs.
According to documentation on the Anonymizer website there is no way
that even they can determine your source IP. Surfing to Hotmail via
Anonymizer thus change the IP address in the mail header.
But beware. Many ISPs make use of technology called transparent proxy
servers. These servers is normally located between the ISP's clients and
their main feed to the Internet. These servers pick up on HTTP requests,
change the source IP to their own IP and does the reverse upon receiving
the return packet. All of this is totally transparent to the end user -
therefor the name. And the servers keep logs. Typically the servers
cannot keep logs forever, but the ISP could be backing up logs for
analyses. Would I be tasked to find a person that sent mail via Hotmail
and Anonymizer I would ask for the transparent proxy logs for the time
the user was connected to the web-enabled mailserver, and search for
connections to Anonymizer. With any luck it would be the only
connections to the Anonymizer in that time frame. Although I won't be
able to prove it, I would find the source IP involved.
Another way of tackling the problem is anonymous remailers. These
mailservers will change your source IP, your <from> field and might
relay the mail with a random delay. In many cases these remailers are
daisy chained together in a random pattern. The problem with remailers
is that many of them do keep logs of incoming connections. Choosing the
initial remailer can be become an art. Remailers usually have to provide
logfiles at the request of the local government. The country of origin
of the remailer is thus very important as cyberlaw differs from country
to country. A good summary of remailers (complete with listings of
remailers can be found at
www.cs.berkeley.edu/~raph/remailer-list.html).
Yet another way is to make use of servers that provide free Unix shell
accounts. You can telnet directly to these servers (some provide SSH
(encrypted shells) access as well). Most of the free shell providers
also provide email facilities, but limit shell capabilities -e.g. you
can't telnet from the free shell server to another server. In 99% of the
cases connections are logged, and logs are kept in backup. A website
that list most free shell providers are to be found at
www.leftfoot.com/freeshells.html. Some freeshell servers provider more
shell functionality than others - consult the list for detailed
descriptions.
How do we combine all of the above to send email anonymously? Consider
this - I SSH to a freeshell server. I therefor bypass the transparent
proxies, and my communication to the server is encrypted and thus
invisible to people that might be sniffing my network (locally or
anywhere). I use lynx (a text based web browser) to connect to an
Anonymizer service. From the Anonymizer I connect to a free email
service. I might also consider a remailer located somewhere in Finland.
100% safe?
Even when using all of above measures I cannot be 100% sure that I
cannot be traced. In most cases logs are kept of every move you make.
Daisy chaining and hopping between sites and servers does make it hard
to be traced, but not impossible.
1. The cybercafe is your
friend! Although cybercafes are stepping up their security measures
it is still relatively easy to walk into a cybercafe without any
form of identification. Sit down, and surf to hotmail.com - no one
would notice as everyone else is doing exactly the same thing.
Compose your email and walk out. Do not become a regular! Never
visit the scene of the crime again. When indulging in other
activities such as telnetting to servers or doing a full blast hack
cybercafes should be avoided as your activity can raise suspicion
with the administrators.
2. Search for proxy like
services. Here I am referring to things like WinGate servers.
WinGate server runs on a Microsoft platform and is used as a proxy
server for a small network (read SOHO environment with a dial-up
link). In many cases these servers are not configured correctly and
will allow anyone to proxy/relay via them. These servers do not keep
any logs by default. Hoping via WinGate servers is so popular that
lists of active WinGates are published
(www.cyberarmy.com/lists/wingate/).
3. With some experience you
can hop via open routers. Finding open routers are very easy - many
routers on the Internet is configured with default passwords (list
of default passwords to be found at
www.nerdnet.com/security/index.php )Doing a host scan with port 23
(later more on this) in a "router subnet" would quickly reveal valid
candidates. In most of the cases these routers are not configured to
log incoming connections, and provides excellent stepping-stones to
freeshell servers. You might also consider daisy chaining them
together for maximum protection.
4. Change the communication
medium. Connect to a X.25 pad via a XXX service. Find the DTE of a
dial-out X.25 PAD. Dial back to your local service provider. Your
telephone call now originates from e.g. Sweden. Confused? See the
section on X.25 hacking later in the document. The exact same
principle can be applied using open routers (see point 3) Some open
routers listens on high ports (typically 2001,3001,X001) and drops
you directly into the AT command set of a dial-out modems. Get
creative.
The best way to stay anonymous and untraceable on the Internet would be
a creative mix of all of the above-mentioned techniques. There is no
easy way to be 100% sure all of the time that you are not traceable. The
nature of the "hack" should determine how many "stealth" techniques
should be used. Doing a simple portscan to a university in Mexico should
not dictate that you use 15 hops and 5 different mediums.
Once you have your platform in good working order, you will need to know
as much as possible about your target. In this chapter we look at
"passive" ways to find information about the target. The target might be
a company, a organization or a government. Where do you start your
attack? This first step is gaining as much as possible information about
the target - without them knowing that you are focussing your sniper
scope on them. All these methods involve tools, web sites and programs
that are used by the normal law abiding netizen.
For the purpose of this document, let us assume that we want to attack
CitiBank. (no hard feelings CitiBank). We begin by looking at the very
obvious -
www.citibank.com. You would be amazed by the amount one can learn
from an official webpage. From the website we learn that Citibank has
presence in many countries. Checking that Citibank have offices in
Belgium we check the address of
www.citibank.be and the Malaysian office
www.citibank.com.my The IP
addresses are different - which means that each country' Citibank
website is hosted inside the specific country. The website lists all the
countries that Citibank operate in. We take the HTML source code, and
try to find the websites in each country. Having a look around leaves us
with 8 distinct countries. Maybe XXX.citybank.XXX is registered in the
other countries? Doing a simple "host www.citibank.XXX" (scripted with
all country codes and with .com and .co sub extensions of course)
reveals that following sites:
So much for websites - it is clear that many of these domains are used
by cybersquatters -
www.citibank.nu for example. We'll
filter those. Also, most of above mentioned sites are simply aliases for
www.citibank.com These days most
websites are hosted offsite. Mail exchangers are most of the time more
closely coupled with the real network. Looking at the MX records for the
domains (host -t mx citibank.XX) gives one a better idea of the IP
numbers involved. Trying to do a zone transfer would also help a lot
(host -l citibank.XXX). After some scripting it becomes clear which
domains belongs to the real Citibank - all of these domain's MX records
are pointing to the MX record for
www.citibank.com, and their websites point to the official .com
site. The theory that the MX records for the different branches are
closer to the "satellite" network does not apply for Citibank it seems:
(these are all MX records).
What about the rest of the countries - are all of them cybersquatter
related, or have our friends at Citibank slipped up somewhere? Let's
remove above-mentioned countries from our list, and have a look those
than remain. Close inspection of all the rest of the domains shows that
cyber squatters (in all sizes and forms) have taken the following
domains:
How about the rest? We find the following hosts and services belonging
to Citibank (most of this is done with scripting, manual labor, and
cross checking):
and the obvious official .com sites and MX records. But the real prize
is German Citibank. In the checking scripts we also check if a DNS zone
transfer was possible. In all of the domains tested a ZT was denied. All
but Germany:
From all of the above we can now begin to compile a list of IP numbers
belonging to Citibank all over the world. We take the list, sort it, and
remove any duplicates if there are any. The end result is:
Once we have these IP numbers we can go much further. We could see the
netblocks these IP numbers belongs to - this might give us more IP
numbers. Later these IP numbers could be fed to port scanners or the
likes. Another technique is to do "reverse resolve scanning". Here one
reverse resolves the subnet to see if there are other interesting DNS
entries.
The WHOIS queries (via RIPE, ARIN,APNIC) show some interesting
information. (By doing a query on "*citibank*", we find many more blocks
that was not revealed in the host finding exercise!)
The IP numbers that does not fall in above mentioned blocks seems to be
on ISP-like netblocks (The Russian block is marked as Space Research
though). ISP-blocks are blocks of a network that the customer lease, but
that is not specifically assigned to Citibank (in terms of AS numbers or
netblocks).
We see that there are different size blocks - some are just a few IPs
and others a single class C and some several class Cs. Let us break the
list of blocks down in two categories - Class C or sub class C on the
one side, and Class C+ on the other. We are left with a table that looks
like this:
Given the sheer size of the Class C + netblocks, it would take forever
to do a reverse scan or traceroute to all the blocks. The European and
some of the American blocks seems very straight forward - most of them
are only parts of a subnet. Why not find out which networks in the
larger netblocks are routed on the Internet? How do we do this? Only the
core routers on the Internet know which networks are routed. We can get
access to these routers - very easily, and totally legally. Such a
router is route1.saix.net. We simply telnet to this giant of a Cisco
router, do a show ip route | include [start of large netblock] and
capture the output. This core router contains over 40 000 routes. Having
done this for the larger netblocks, we find the following:
The blocks not marked with a "none" are routed on the Internet today.
Where are these plus the smaller blocks routed? Since a complete class C
network is routed to the same place, we can traceroute to a arbitrary IP
within the block. We proceed to do so, tracerouting to the next
available IP in the block (e.g. for netblock 62.157.214.240 we would
trace to 62.157.214.241) in each netblock. Looking at the last confirmed
hop in the traceroute should tell us more about the location of the
block. Most of the European blocks are clearly defined - but what about
the larger blocks such as the 192.193.0.0 block and the 193.32.0.0
block? The information gained is very interesting:
It is interesting to note that none of the 192.193 IP blocks are routed
to Europe. Citibank has thus registered unique individual blocks for
Europe based branches, and are routing some of its 192.193 class B class
Cs to Asia. It seems that many of the Citibank websites are running on
"ISP blocks". If the idea is to get to the core of Citibank these sites
might not be worthwhile to attack, as we are not sure that there is any
connection with back-ends (sure, we cannot be sure that the Citibank
registered blocks are more interesting, but at least we know that
Citibank is responsible for those blocks).
Taking all mentioned information into account, we can start to build a
map of Citibank around the globe. This exercise is left for the reader
:)).
As promised, the next step would be reverse resolve scanning some nets.
By doing this we could possibly see interesting reverse DNS names that
might give away information about the host. We proceed to reverse scan
all the mentioned blocks, as well as the corresponding class C block of
the IPs that does not fall in above mentioned blocks (the ISP-like
blocks). Extracts of the reverse scan looks like this:
Most of the non-192.193 block does not resolve to anything. Some of the
192.193 reverse DNS names tells us about the technology used. There are
PIX firewalls (nr-pix21.citicorp.com_), possible ISS scanners or IDS
systems (iss2.citicorp.com) and proxy servers (cd-proxy.citicorp.com).
We also see that there are other Citibank-related domains -
citicorp.com, citicorpmortgage.com, citimarkets.com, citiaccess.com and
citicommerce.com. It can clearly be seen that most of the IP numbers
reverse resolves to the citicorp.com domain. There are sub-domains
within the Citicorp domain - ems.citicorp.com, pki.citicorp.com,
pbg.citicorp.com and edc.citicorp.com.
How do we get reverse entries for hosts? Well – there is two ways. Just
as you can do a Zone Transfer for a domain, you can do a Zone transfer
for a netblock. Really. Check this out:
And just as some Zone Transferes are denied on some domains, some ZTs
are also denied on netblocks. This does not keep us from getting the
actual reverse DNS entry. If we start at getting the reverse DNS entry
for 210.128.74.1 and end at 210.128.74.255 (one IP at a time), we still
have the complete block. See the script reversescan.pl at the end of the
chapter for how to do it nicely.
To attack a target you must know where the target is. On numerous
occasions we have seen that attacking the front door is of no use.
Rather attack a branch or subsidiary and attack the main network from
there. If a recipe exists for mapping a network from the Internet it
would involve some or all of the following steps:
• Find out what "presence"
the target has on the Internet. This include looking at web server-,
mail exchanger and NS server IP addresses. If a zone transfer can be
done it is a bonus. Also look for similar domains (in our case it
included checks for all country extensions (with .com and .co
appended) and the domain citicorp.com) It might involve looking at
web page content, looking for partners and affiliates. Its mainly
mapping known DNS names to IP address space.
• Reverse DNS scanning will
tell you if the blocks the target it is contains more equipment that
belongs to the target. The reverse names could also give you an
indication of the function and type of equipment.
• Finding more IP addresses
- this can be done by looking if the target owns the netblock were
the mail exchanger/web server/name server is located. It could also
include looking at the Registries (APNIC,RIPE and ARIN) for
additional netblocks and searches where possible.
• Tracerouting to IP
addresses within the block to find the actual location of the
endpoints. This helps you to get an idea which blocks bound together
and are physically located in the same spot.
• Look at routing tables on
core routers. Find out which parts of the netblocks are routed - it
makes no sense to attack IP numbers that is not routed over the
Internet.
The tools used in this section are actually quite simple. They are the
Unix "host" command, "traceroute", and a combination of PERL, AWK, and
standard Unix shell scripting. I also used some websites that might be
worth visiting:
For completeness sake I put the (really not well written) shell and PERL
scripts here. They are all very simple...:
Reversescanner.pl: (the input for this script is a IP range e.g.
160.124.19.0-160.124.19.100. Output is sent to STDOUT so >& it...)
Tracerouter.pl:
Input is a network or subnet e.g. 160.124.19.10. Output is to STDOUT so
>& it. It takes the next IP in the specified input block and trace to
it. (the script also provides for the a.b.c.d-w.x.y.z input format as
the reversescanner)
Domain_info.sh:
All the domains you want to investigate should be in a file called
"domains". Output is appended to file called "all". Change as you
wish...:)
Get_routes.pl:
This perl script logs into core router route1.saix.net and displays to
STDOUT the routing tables that matches any given net. Input field is the
route search term (makes use of the Net::Telnet module that can be found
on CPAN).
The rest of the results were compiled using these tools in scripts or
piping output to other ad hoc scripts, but this is not worth listing
here.
Added later: hey! I wrote a script that does
a lot of these things for you automatically. It uses a nifty tool called
“The Geektools proxy”, written by a very friendly chap named Robb
Ballard <[email protected]> . Before you try this, ask Robb if you may
have the PERL code to the script – he is generally a cool dude, and
without it you miss a lot of functionality. Oh BTW, it also uses Lynx
for site crawling. Hereby the code (its really lots of glue code – so
bear with me):
The file “common” looks like
this (its used for guessing common DNS names within a domain(its not
really in 3 columns, I just save some trees. )
In the previous chapter we saw how to know where your target is. As we
have seen, this is not such a simple matter as your target might be a
international company (or even a country). Mapping the presence of the
target on the Internet is only the first part of gaining intelligence on
your target. You still have no idea of the operating system, the
service(s) running on the server. At this stage we are still not doing
any "hacking", we are only setting the stage for the real fun. If the
previous chapter was finding the correct houses, this chapter deal with
strolling past the house, peeping through the front gate and maybe even
ringing the doorbell to see if anyone answers.
The techniques explained in this chapter could cause warning lights to
dimly flash. An alert sysop might notice traces of activity, but as we
are legally not doing anything wrong at this stage, it is hard to make a
lot of noise about it. We are going to do our best to minimize our level
of exposure.
The output of the previous section is lot of IP numbers. We are still
not sure that these are all the IP numbers involved - we suspect that it
is used. We have netblocks - blocks of IP numbers. Within that block
there might be only one host that is even switched on. The first step
here is thus to try to find out which machines are actually alive (its
of no use to attack a machine that is not plugged into the 'net). The
only way to know that a host is actively alive on the 'net is to get
some sort of response from the machine. It might be a ICMP ping that is
return, it might be that the IP is listed in a bounced mail header, it
might be that we see a complete telnet banner.
Companies spend thousands of dollars hiding machines. They use
unrouted/experimental IP blocks (10.0.0.0/8 type of thing) and use NAT
(network address translation) on their outbound routers or firewalls.
They have fancy proxies that'll proxy anything from basic HTTP request
to complicated protocols such as Microsoft Netmeeting. They build
tunneling devices that will seamlessly connect two or more
unrouted/experimental subnets across the Internet. In many cases the
main concern for the company is not the fact that they want to hide
their IP numbers - the driving force might be that they are running out
of legal IP numbers, and the fact that they are hiding the IP blocks is
a nice side-effect.
The ratio between legal and illegal IP blocks varies from company to
company and from country to country. The South African Telecom use 6
class B networks - all their equipment has legal IP numbers. On the
other hand a very well known European telecom used a single IP and NAT
their whole network through that IP. As a general rule (very general)
one can assume a ratio of legal to illegal netblocks of 1:10. Given that
Citibank has over 60 legal netblocks, one can safely assume that they
should have many times more illegal netblocks.
The problem with illegal IP blocks is that one cannot discover if
machine on an illegal IP number is alive - not directly in anyway. The
packets that are suppose to trigger a response simply does not arrive at
the correct destination. I have seen many wannabe "Security experts"
scanning their own private network whilst thinking that they are in fact
scanning a client (with a very worried look in their eyes they then tell
the client that they have many problems on their network:)). Other
problems that arise are that a client might be using a legal netblock,
but that the netblock does not actually belong to them. Some legacy
sysop thought it OK to use the same
netblock as the NSA. Scanning this client "legal" netblock might land
you in a spot of hot water. When conducting any type of scan, make sure
that the netblock is actually routed to the correct location. Another
note - if an IP number is connected with a DNS name is does NOT mean the
IP number is legal (or belongs to them. Many companies use internal IP
numbers in their zone files - for secondary MX records for instance.
Keeping all this in mind, where does one begin to discover which
machines are alive? One way might be to ping all the hosts in the list.
Is this a good idea? There are pros and cons. Pinging a host is not very
intrusive - ping one machine on the 'net, and chances are that no-one
will notice. Ping a class B in sequential order, and you might raise
some eyebrows. What if ICMP is blocked at the border router, or on the
firewall? Not only wont you get any results, but also all your attempts
will be logged. If a firewall's "deny" log increase tenfold overnight,
you can bet on it that it will be noticed. In many cases ICMP ping
requests is either blocked completely, or allowed completely. There are
exceptions of course (say an external host is pinging a internal host
every X minutes to make sure it is alive, and sends alerts when the host
is dead), but generally ICMP is either blocked or allowed. I have not
seen any hosts that log ICMP ping packets. Thus, if ICMP ping is allowed
to enter and leave the network, you can safely ping the whole netblock
without anyone noticing. That is - if there are no IDS (intrusion
detection system) in place.
An IDS is a system that looks for suspect looking packets - it will pick
up on any known signature of an exploit. It then reacts - it might
notify the sysadmin, or it might close the connection. Any IDS worth its
salt also looks for patterns. If you portscan a host an IDS located
between you and the host would pick up that you are trying to open
sequential ports on the same IP - portscanning it. So - if you are
pingscanning a big network the IDS might spot a pattern and might react.
The "signature" that the IDS would pick up is that the IMCP flags are
set to "ping request", and that these are coming in at a rapid rate to
many machines (see, that is how an IDS picks up on floodping for
example).
If we can counter most of the above obstacles, a ping sweep/scan might
be a first good indication of hosts that are alive on the netblock. We
counter the obstacles by doing the following - we first ping a few
random hosts in the netblock (manually) to see if ICMP are allowed to
the inside (yes - I know - this is a hit and miss method because in the
whole of the class C there can be one IP that is alive, but rather safe
than sorry). If we see ANY ICMP reply we assume that ICMP is allowed to
the inside, and proceed to ping scan the network very carefully. In this
case very carefully mean very slowly, and not in sequence. We also want
to try confuse the sysadmin as to who we really are. If we could send
packets with fake (or spoofed) IP addresses we could "cloak" ourselves
among the other fake IP addresses. Packets with fake IP numbers will be
returned, just as the packets to our IP address, but the
"non-suspecting" hosts would simply ignore them, as it never knew that
it was "sending" it out. How does one go about scanning stealthy and
very slowly?
Enter Nmap (www.insecure.org/nmap). Nmap is a scanner tool build by the
good Fyodor of Insecure.org. It is the preferred scanning tool for many
security people (good and bad). It has recently been ported to Windows
NT as well (by the people at Eeye.com). Without going into the detail of
all nmap's option (there are a lot), we find that the command
would do the thing. Let us have a quick look at the different parameters
and what they mean. -sP -PI mean that we want to ping sweep with ICMP
only, -D10.0.0.1,172.16.1.1 mean that we want to send decoys 10.0.0.1
and 172.16.1.1, -Tpolite means that we want to scan slowly, and --
randomize_hosts tells nmap to shuffle the destination. Now, obviously
you would not use 10.0.0.1 and 172.16.1.1 - that is stupid as the
sysadmin will quickly spot your (legal) IP between the rest of the
(illegal) IP numbers. A further note - don't be stupid and put Microsoft
and the NSA's IP numbers in the decoys - it can be spotted easily.
Instead try to use IP numbers that are assigned to public mailservers,
and add a public webserver here and there. The more decoys you add the
safer you are. There is a balance of course - remember that if ICMP
request could be logged. To use or not to use decoys can open large
debates - an argument against using decoys could be that if a sysop sees
a decoyed pingsweep (it pretty obvious when a large number of IPs starts
pinging your hosts all of a sudden) it means that someone has spent the
time to cloak him/herself - and this on its own is reason for concern.
This concern could lead to investigation, something the sysop would
normally not do.
Let us see how well this works in a real life. Let us choose a Citibank
netblock that we have discovered - we take a small block in Argentina
200.42.11.80-200.42.11.87. We first do a manual ping of a few machines,
and find that 200.42.11.81 is alive...and then it hits like a ton of
bricks - this method is not that well designed! Imagine the sysop seeing
a failed ping request from MY IP number, then a successful ping request,
and after two minutes a "storm" of ping requests from all over the world
to the rest of the netblock...and that "storm" containing my IP number.
It does not take a rocket scientist to figure out what happened. So - I
either have to ping from a totally remote site to establish if ICMP is
allowed in, or do use the decoys right from the start.
We choose the first method, and proceed with another netblock. This time
we choose the block 63.71.124.192-63.71.124.255 in the US of A. We first
manually ping some IPs in the block - from a (undisclosed) offsite
location. 63.71.124.198 is found to be alive (I hear you saying - why
not do the whole of the ping sweep from the "other" location - well,
maybe that "other" location does not have the capabilities to run my
carefully crafted scanner, or I do not want to attract ANY attention to
that site). We now fire up nmap as mentioned. The complete command is
(decoys X-ed out):
Aha! ICMP is allowed into the network, and there are 3 machines
responding to it. What do we do if we find or suspect that ICMP is
blocked?
The idea is to find machines that are alive. The way we do this is by
sending data to the host and looking if we can see any response. If our
data were blocked at the router or firewall it would look as though the
machine is dead. The idea is thus to find data that is allowed to pass
the filters, and that would trigger a response. Per default just about
all operating systems will listen on certain ports (if TCP/IP is
enabled). Computers are likely to be connected to the Internet with a
purpose - to be a webserver, mailserver, DNS server etc. Thus, chances
are that a host that is alive and connected to the Internet is listening
on some ports. Furthermore it is likely (less but still) than the
firewall or screening router protecting these hosts allows some for of
communication to these hosts - communication is less likely to be a
one-way affair. Packetfilters uses source IPs, source ports, destination
IPs and destination ports (and some flags) as parameters to decide if a
packet will be allowed to enter the network. Normally a firewall will
allow the world to communicate to some host or hosts in some form or the
other - thus not looking at the source IP address.
The idea would thus be to send a TCP connect on well-known ports and
hope that 1) the firewall passes it through 2) the host is listening on
the specified port. Given the response of the host, one can determine
which of 1) and 2) happened. If we get no response we know that the
firewall is blocking us - if we get a response from the server telling
us that the port is not open we at least know that it was not filtered
by the firewall. Hereby two examples:
>telnet wips.sensepost.com
22
Trying 160.124.19.98...
telnet: connect to address
160.124.19.98: Connection refused
telnet: Unable to connect to
remote host
The host responded by telling us that it is not listening on port 22. It
also tells us that there is nothing between us and the host (on port
22). So, if we find that for a certain block a number of hosts returns a
"connection refused" while other are return a SSH version (port 22 is
SSH) we can safely assume that the firewall is configured to allow
anyone to connect to port 22 (anywhere in the netblock). Another
example:
>telnet wips.sensepost.com
44
Trying 160.124.19.98...
telnet: Unable to connect to
remote host: Connection timed out
Here the connection to port 25 is timing out - telling us that there are
something blocking the packet to arrive at the final destination. Let us
assume that we scan a netblock for port 25 and we find that certain
hosts answers with a SMTP greeting, while others simply time out. This
tells us that the firewall is configured to only allow packets with a
certain destination port on a certain destination IP to enter the
network. If we find a "connection refused" answer in a the same net we
know that someone probably screwed up - the service is not running, but
the config on the firewall has not been updated to close the "hole".
A
machine that is dead will respond in the same way as a machine that is
protected by a firewall that does not allow anything through. Thus,
getting no response from a server does not mean that it is heavily
firewalled - it might just be switched off, or unplugged.
Thus, getting back to the original argument - sending TCP requests to a
number of well known ports might tell us if the machine is indeed alive.
This might be useful in a situation where ICMP ping requests or replies
are blocked on a firewall. We have no way to know if any hosts are alive
but the connect to well-known ports and hope that 1) it is not
firewalled and than 2) we get some response (be that "connection
refused" or some service response).
The more ports we test for, the more our requests will look like a port
scan (it is in fact a port scan - with just a limited amount of ports
that are tested), and will trigger an IDS. It the therefore very tricky
to decide if this action can be executed without triggering alarms -
more so when we are scanning a large netblock. As a general rule, the
number of IPs tested times the number of ports tested should not exceed
15. Testing 15 hosts for port 80 is OK, testing 5 IPs for 3 ports are OK
etc. This is a very general rule and really depends on your target, the
competency level of their technical staff and how anonymous you want to
stay (and how lucky you feel).
Let us stay with Citibank (Citibank - I REALLY mean no harm - you are
just such a good example network). Using the previous ping technique it
seems that a device is blocking ICMP to the 192.193.195.0/24 netblock.
We will thus proceed to do a "TCP ping" to 30 hosts (I feel lucky) in
the block. I choose this block because it has interesting reverse DNS
entries (see previous section):
Choosing which ports to scan
for can be a tricky business. The best way is trying to choose ports
that you think might generate a response. Looking at the reverse (or
forward) DNS entries sometimes gives one a clue as to which ports to
test for. Looking at the hosts reverse entries I am choosing my ports to
be 80 (HTTP), port 443 (HTTPS) and port 264 (I hope the fw-a-pri is a
FW1 with management port 264 open).The actual command issued looks like
this:
Let us have a quick look at
the command. -sS means we are doing a half-open SYN scan, -P0 mean don't
stop if you can't ping the host (nmap only scans pingable hosts by
default, and we know that these cannot be pinged), -p 80,264,443 means
only look at ports 80,264 and 443. Note - you have to be root to do SYN
scanning. The output looks like this (somewhat manipulated to save the
rain forest):
What can be deduced from the output? First of all this - hosts in sample
A is filtered on all three ports. This does not mean that the hosts are
not alive - it simply means that we do not know. Hosts in sample B is
alive - we are 100% sure of this - although port 264 is filtered, these
hosts answered that they are not listening on ports 80 or 443 (state
"closed"). Sample C is the more interesting of the lot - both machines
in sample C is listening on ports 80 and 443. It is most likely that
they are running some form of (HTTPS-enabled) webserver.
From this scan we also see that IP numbers that does not have reverse
DNS entries are not necessarily down, and visa versa. It would thus make
no sense to only scan hosts with reverse entries (sometimes companies
would do this - why no one would know). We also see that our scan on
port 264 was unsuccessful in all cases (bummer!). From this part of
netblock we can thus compile a list of hosts that we know is alive:
The worth of mapping the network carefully now pays off. We know that
the 192.193 network is not routed to the same place. This means we can
have a "alive" run against many parts of the 192.193 network without
raising the alarm - parts of the network (class Cs) are protected (or
not protected) by different firewalls/routers, and changes are slim that
these different firewalls are logging to a common place.
What is the difference between stateful and stateless firewalls really?
Well to understand the difference, you got to understand how a TCP
connection looks like: the client sends a TCP packet with the SYN flag
set, the server responds with a TCP packet with the SYN and the ACKL
flags set. Thereafter the server and the client send TCP packets with
the ACK flag set. To ensure two-way communication, stateless firewalls
usually have a rule (the very last rule) that states that “established”
connections are allowed; packets with the ACK flag set. How does this
help us? Well, if I send a packet to a server with only the ACK flag
set, the server will respond with a RST (reset) flag. This is due to the
fact that the server does not know why I am sending a packet with only
the ACK flag set (in other words it says: “hey! We haven’t performed a 3
way handshake – bugger off”). Thus, if the machine is alive we WILL get
a response – a RST packet.
How do we do it? Simple – there a nifty tool called hping that does this
(and a lot more). Let us see how. Lets send a packet with only the ACK
flag set- hping will detect if anything comes back. We run hping against
a machine that sits behind a stateless firewall: (first we ping it to
show you what happens)
Although the machine does not respond to ICMP ping packets, it responds
with a RST flag if we send an ACK flag. So – there we go – a real TCP
ping. How do we hping a lot of hosts? Here’s a quick & dirty PERL script
that will do it for you:
The idea in this chapter is to know which machines are "alive". It is of
no use attacking a dead machine. There are several techniques to "hide"
hosts. Hosts on unrouted/experimental networks cannot be discovered
directly. There are ways to determine if a host is "alive". The simplest
way is to ping it. If ICMP is blocked this will not work - then a TCP
ping should be considered. One should be really careful how an
"alive-scan" is executed as it can raise alarms. The tool nmap can be
used very effectively in archiving this.
The next step would be to look for what I call "easy money". Before we
can go into the details of this, there are some points to understand.
There are some major differences between auditing a network and hacking
into a network. Let us look at the analogy of a house. On the one hand
you have the true blue blood burglar - the objective is getting into the
house with whatever means possible. The burglar looks for the easiest
and safest way to get into the house and he does not care about all the
other means. On the other hand the security officer - it is his job to
tell the client of every single little hole in the house. The difference
between the security officer and the burglar is that when the security
officer finds the front door wide open he notes it, and looks for other
problems, whereas the burglar find the front door open and walks
straight in, ignoring the other holes. In the cyber world it works the
same. So, hiring a hacker (in the criminal sense of the world) to audit
a system is a bit worrisome. The hacker will surely help you to find a
weakness in your defense, but the idea of an IT security audit is not
this - the idea is to find all the holes and fix them. Once you and your
security advisor is confident that all holes are closed you might want
to hire a hacker (or penetration specialist) to try to penetrate the
network. The bottom line - doing penetration testing and doing a
comprehensive security assessment of a network is not nearly the same
thing.
This document had come to the point where I have to decide which route
we are going to follow - the view of the hacker or the view of the IT
security assessment officer. Choosing either one of the options I cannot
continue with Citibank as an example unless I want to land in
potentially serious trouble. The rest of the document - with the focus
on either hacking or assessing will thus be looking at actual client
networks - networks we every right to penetrate. The techniques can be
implemented at Citibank as well - in the exact same way, but I simply
cannot do it right here and now as Citibank is not my client
(unfortunately).
At
this stage we know where the target is located, and we have a good idea
of the target's status (alive or dead). From DNS information we can get
an idea of the importance of the target. The next step would be to find
information that would help us choosing the correct weapons. It's no use
bringing a knife to a gunfight - on the other hand it just stupid to
nuke a whole city in order to execute one person. We want to be in a
position to know exactly which weapons to load. The chapter examines
this situation by looking at two examples - both from a hacker's
viewpoint.
Why? Why not use a vulnerability scanner that checks for 1000
vulnerabilities on a host, and just see what it comes up with? Well -
it's tasteless, it consumes bandwidth, CPU power, lots of time, and most
important, it will light up any IDS (or semi-alive sysadmin) like a
Christmas tree. Furthermore, the general vulnerability scanners are not
always that effective and up to date (there are exceptions of course).
Custom-made scanners is tailored for the occasion, they are streamlined,
and they are not as noisy as general scanners. Imagine taking an
"all-terrain 4x4" to the surface of Mars...
How to decide to load the weapons? Most scanners look for
vulnerabilities in services. A service is normally bound to a specific
port. Thus, finding what ports are open on a host will tell us what
services it runs, which in turn will tell us how to configure our
scanners. Many scanners have a portscanning utility built-in, and claim
to scan only "discovered" services. Most of the time this works well -
but you will find that it have limitations. There is no substitute for
plain common sense.
(Let us see - if I can obtain root/administrator access on a host, why
would I bother to see the Ethernet card's stats, or be able to write a
message to all the users? No - if I know that there is a possibility to
obtain super user status I will go for it right away. My point is this -
I would only port scan a host on ports that is servicing services that
can easily lead to a compromise. And mind you - skip the vulnerability
scanners. Grab the banners and versions and see if the host is running
vulnerable versions of the service. If it is - go directly for the kill.
OK, let us take it step by step, with examples etc. Let us assume the
host that I am interested in is 196.3x.2x.7x. From the previous section
I know exactly where it is located and that it is active. For various
reasons I want to get a shell on this host. First of all I am interested
in what O/S it is running. Maybe not the exact version - I just want to
know if the host is running Unix or Windows. And remember, I don't want
to set off all the bells and whistles along the way. Which are the most
common ports that are open on hosts in the Internet? I would say port 25
(SMTP) and port 80 (HTTP). I have a good chance of knowing the O/S by
telnetting to either of these ports, and as such I telnet to port 25:
#
telnet 196.3x.2x.7x 25 Trying 196.3x.2x.7x... Connected to 196.3x.2x.7x.
Escape character is '^]'. 220 xxx.xx.co.za ESMTP Sendmail 8.7.1/8.7.1;
Mon, 14 Aug 2000 00:20:28 +0100 (BST)
I
reply with the QUIT command to terminate the connection. As we can all
see, the host replied with a Sendmail banner (a rather old Sendmail as
well). Common sense tells us that this host is a UNIX system.
Keeping in mind that I am only trying to get a shell on the host, I
proceed to the next logical step - telnetting to port 23 (telnet). Maybe
the port is wrapped. Maybe it is firewalled. Maybe I should just find
out:
#
telnet 196.3x.2x.7x Trying 196.3x.2x.7x... Connected to xxx.xx.co.za.
Escape character is '^]'. HP-UX u46b00 B.10.20 A 9000/831 (ttyp1) login:
It not wrapped or firewalled. The host does not look at though it is
firewalled at all (it could be...we don't know, and we don't care - we
will find out soon enough). We go directly to the next step - see if the
finger port is open:
Hmm...the host's finger service is not filtered, but then again - it's
not running finger. How do we get a username and a password? On UNIX
systems where are several ways to find out if a user exists - we would
have to guess a password. If the Sendmail were not configured to do so
it would allow us to issue a VRFY and EXPN command. These commands will
verify if a user exists and expand the username if it is pointing to
other email address respectively. Let us use some common usernames and
see if they exist:
Let us see what happened here. First of all we see that EXPN and VRFY
commands are allowed. The username "test" exists. The username "user"
and "u46b00" does not exist. The username "root" exists. The username
"root" does not have any aliases, but the username "postmaster" is
feeding the "root" account.
So - the username "test" exists. The username test is very common is
systems that are not kept in a good condition. No points for guessing
what password we are going to use with user "test":
Hmm...interesting. The username "test" does not have password "test",
"test1" or "test01". Now - we might try another few passwords, but this
is really not the idea. How about just getting a list of usernames on
the system? Maybe that would give us a better idea of username that have
weak passwords? Let us see:
The problems with these unkept "old" UNIX hosts are that they keep the
"shadow" password file in the /etc directory of the anonymous FTP user.
While the file does not contain any passwords, it gives us a very good
idea of which users may have weak passwords. We inspect the shadow
password file and focus on the following entries:
These users have suspect names - they don't fit the description of
"normal" usernames - these are typically usersnames that are used by
more than one person and these normally have weak passwords. Starting
from the top, we hit the jackpot with the second user "mis2000":
No password...at all. Now, I hear all the script kiddies going - yeah,
we are hackers, we also could have done that - and the more seasoned
hackers saying - sheet this is not hacking - it is clubbing baby seals.
And it is. But this is not the point - the point is the method used. It
shows that the hacker goes directly for the kill - in a situation like
the one described above it make not sense portscanning the host first -
everything you need is right there.
Let us then look at another example: www.sensepost.com. Our website (it
is hosted offsite BTW). And let us go through the same steps, assuming
we know nothing about the host.
We telnet to port 25 to find it filtered. The port is not wrapped -
wrappers are very characteristic of UNIX hosts. [ Telling if a services
is can be determined as follows:
#
telnet cube.co.za Trying 196.38.115.250... Connected to cube.co.za.
Escape character is '^]'. Connection closed by foreign host.
We see that we can establish a complete connection, but that the
connection is closed immediately. Thus, the service is wrapped (TCP
wrappers made famous by Venema Wietse). Wrappers allows the sysadmin to
decide what source IP address(es) are allowed to connect to the service.
It is interesting to note that wrapper might be set up to work with the
source IP, or with the DNS name of the source. In some situations one
can determine if the server uses IP numbers or DNS names - if the
connection is not closed immediately (say it takes 2-10 seconds) it is
probably using DNS names. Another way to determine if the wrapper is
using DNS names or IP numbers is to connect to it with a IP number that
does not have a reverse resolvable name. The server will attempt to
reverse resolve your IP address - this might take a while - it is this
delay that you will be able to see when connecting to the host. (The
interesting part of this is that if the wrapper uses DNS one can get
past it if one has complete control over both the mechanisms that
controls both the forward and reverse DNS entries)]
Getting back to our website. Port 25 is filtered. How about port 80? (I
hope not - else our website is down!) Connecting to port 80 reveals that
we are dealing with a UNIX platform: