Special Report:
Know your enemy
by Simon Edwards
How safe is your network? Don't bank on it, because nothing is 100 per cent hacker proof. Simon Edwards discovers the truth about hacking
What's the first thing most companies do when they get hacked? Probably
nothing, because most of them won't realise it's happened. We're not
talking about Denial-of-Service attacks here, or even Web page
defacements. The serious attacks to which we refer are those insidious
intrusions that reach deep into your system, bypassing your expensive
firewalls and stealing or damaging your data slowly, over long periods of
time. If you don't believe this could happen to you, may we humbly suggest
you read on. You might change your mind.
It's hard to take hackers seriously these days. Films like The Net, The
Matrix, Hackers and, more recently, Swordfish portray stereotypically
weird kids with green hair and names like CyberD00d tapping their way
through virtual reality landscapes in search of hidden files. Laughable TV
documentaries 'expose' the hacker scene using little more than flashy
graphics and the same lame old stories about Captain Crunch and his
cohorts abusing the telephone system (phreaking) back in the early 1970s.
It's enough to make you dismiss the media reports as hype. And frequently
these reports are hype, because who really cares that a new email worm is
working its way around the globe? So what if a football club has its Web
page defaced? Kevin Mitnick has been released? Whatever.
The real stories aren't even the reports of online banks fouling up,
with customers' details being published on the Web. The real stories don't
get heard because most of the time the hackers are too good to get caught
and, if they do slip up, the large companies on the attack's sharp end
don't report the breach. 'It's a well-known fact that the major FTSE 100
companies don't report security breaches when they happen,' says Dan
Cuthbert, network security consultant at IDSec Network Security. 'This is
normally because of tarnishing the company name and also indicating to the
world that their security is weak. The sad fact is that these days system
administrators don't have time to keep up to date with all the patches and
weaknesses. And don't forget the amount of time it takes to get a Change
Release signed off to actually secure the box.'
Call the firewall brigade
Fortunately many skilled hackers put their knowledge to good use.
Computer security consultancies are often staffed by experts who probably
wouldn't call themselves hackers at work, but whose skills are very close
to those of the people who cause mischief.
They might work in monitoring stations, keeping a seasoned eye on
clients' perimeter networks. They could be penetration testers, working in
teams to break into a client's network then submitting a report on where
the holes are and how to close them. The really good ones specialise in
zero knowledge testing, where they approach the target with as little
information as a real attacker. Cuthbert believes that security
professionals need to maintain a close relationship with hacker techniques
and must walk a fine line between the light and dark sides of computer
knowledge. 'You have Blackhat and Whitehat approaches to security. Well,
the security pros need to be more Greyhat - they need to know exactly how
to break into the boxes in order to understand where and how the Blackhats
are doing it.'
Security companies might also provide advanced training, way beyond the
level that semi-technical managers often receive. There are also plenty of
good books around that make essential background reading. Hacking Exposed
(second edition) is one such volume, despite its rather sensationalist
title.
Everyone seems to be promoting the idea of outsourcing at the moment,
and security companies are no exception. They argue that their teams are
best able to provide continuous, expert monitoring and configuration of
critical systems because in-house IT staff won't have the time or
knowledge to do as good a job. The company email server might need
patching, but someone in accounts is screaming down the phone about a
crashed Windows 98 PC. The email server takes second priority in most
cases, and any delay gives potential attackers more time to do their dirty
work. An external, dedicated team can patch the server and save your
business. That's the argument, but in reality companies are reluctant to
hand over the keys to an outsider.
A survey conducted by Internet security testing company NTA Monitor
found that while companies working in the financial sector often employed
external vulnerability testers, retail outlets, law firms and governmental
departments were less likely to do so. Sales manager Kevin Foster believes
that high-price models turn many organisations away from outsourcing IT
security. 'We know that the independent testing is still only used by a
small percentage,' he said. 'Some have been put off testing through bad
experiences with over-priced, poor-quality work from huge auditing
companies.'
Putting a price on security
So how much does a security audit cost? Faced with this question,
security consultancies generally start sucking their teeth and suggest a
few meetings before settling on a price. This may work for large
enterprises (which possibly already have a decent in-house staff of
security experts), but smaller businesses are likely to run scared.
Internet Security Systems (ISS) claims to have a more transparent
pricing model than most for its managed services and charges between £200
and £450 for monthly firewall-monitoring services, plus a £700 setup
fee. For full management services on networks of 25 IP addresses or fewer,
expect to cough up another £450 per month. Basic intrusion-detection
monitoring costs £1,270 per month, plus a £1,500 setup fee. These
figures are approximate due to changing currency rates.
British company NTA Monitor is also willing to publish standard prices
and will monitor one or two hosts for £12,000 per month, with the service
including firewall, Internet routing, public server and non-public server
checks. A one-off audit costs just £1,500.
It's important to check exactly what a security audit or managed
service includes. Some companies will spend time and effort giving your
network a thorough probe, while others may simply run some generally
available scanning tools against your IP addresses. Ensure you find out
what steps are going to be taken and don't be put off by smoke and
mirrors.
Poachers and gamekeepers
But it's not enough to rely on pre-built security solutions. Every layer
of applications and devices you add brings new holes with it. Outside
testers can find those holes for you, but it's better still not to deploy
dangerously insecure configurations in the first place, and a large part
of that means learning to think like a hacker.
Companies like ISS, Defcom and Foundstone offer training courses
designed to teach IT managers and technicians skills ranging from
overviews to in-depth hacking techniques with the purpose of performing
audits and penetration tests. A 'pen test' is a concerted effort to hack a
network by someone who is authorised to do so. But just because you might
happen to be the systems administrator of a network doesn't mean you can
just compile a few port scanners and packet sniffers for testing purposes.
The Data Protection Act, and possibly your own company's internal security
policies, will restrict such activity, or ought to. Read Angus Hamilton's
column from last month (see RWC, issue 84, p258) for more on this.
So-called ethical hacking courses from the above companies cost around
£3,000 for what is usually a four-day tutorial on hacking techniques (see
ISS ethical hacking). Foundstone's Ultimate Hacking course tours the US,
so you'll have to fly over to attend that one, but ISS and Defcom both run
courses based in London.
Conferences can be a good source of information, often providing a
mixture of conceptual training for non- or partially technical managers
alongside more in-depth discussions and workshops about, for example,
firewall configuration issues. WebSec, run by the MIS Training Institute
(www.misti.com), is usually a good one, as is Infosecurity
(www.infosec.co.uk), which tends to be more stand/product based. Compsec
2001 (www.compsec2001.com) is the next main UK conference, running from
17-19 October in London. Defcom is slated to run a hacking demonstration
on the second day, which should be entertaining if you've never seen one.
For those who really want to get inside hackers' heads, there are the
Black Hat conferences (www.blackhat.com), which run in Amsterdam, Las
Vegas and Singapore every year. Def Con (www.defcon.org) is another, more
'underground' conference that may appeal to younger security enthusiasts.
It runs over a weekend every July in Las Vegas and combines technical
discussions with a big party. And you're just as likely to meet a Federal
agent as the kid who's been trying to hack your machines all year.
This year at Def Con, Ofir Arkin, from Sys-Security Group, demonstrated
his new Xprobe software tool, which uses ICMP (Internet Control Message
Protocol) to accurately and remotely identify the operating system of a
target machine. The beauty and danger of Xprobe is that it can deduce
whether a system is running Windows NT, 95, Linux (including a fair guess
at the kernel version) or one of various Unixes from a handful of
ordinary-looking ICMP packets, rather than the barrage of TCP probes that
other fingerprinting tools send. That makes the probe very hard to pick
out of normal traffic with the intrusion-detection systems generally
available. You can find out more about X and Xprobe from
www.sys-security.com/html/projects/X.html
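To make the idea concrete, here is an added example (it is not Xprobe and not code from the article) that parses a raw IPv4 packet carrying an ICMP echo reply, verifies both checksums and pulls out the fields a remote fingerprinter looks at: the TTL the sender started with (recovered from the observed TTL), TOS, the Don't Fragment bit, IP ID and the echoed payload. The two replies are constructed, not captured, and the table mapping initial TTL to OS family is an illustrative assumption; Xprobe's real signature set is much richer.

```python
import socket
import struct

# Illustrative mapping from initial TTL to OS family (an assumption of this
# example, good enough to show the principle; not Xprobe's database).
TTL_FAMILY = {
    32: "older Windows (95/NT 3.x era)",
    64: "Linux, BSD and most modern Unixes",
    128: "Windows NT/2000 family",
    255: "Solaris, Cisco IOS and some older Unixes",
}

def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_reply(src, dst, ttl, tos=0, df=False, ip_id=0, payload=b""):
    """Constructs a raw IPv4 packet carrying an ICMP echo reply (type 0, code 0)."""
    icmp = struct.pack("!BBHHH", 0, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    flags_frag = 0x4000 if df else 0                        # bit 14 = Don't Fragment
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(icmp), ip_id,
                      flags_frag, ttl, socket.IPPROTO_ICMP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp

def fingerprint(raw):
    """Extracts the header fields an ICMP-based fingerprinter inspects."""
    ver_ihl, tos, total_len, ip_id, flags_frag, ttl, proto, _, src, _ = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or inet_checksum(raw[:ihl]) != 0:
        raise ValueError("not a well-formed IPv4 header")
    if proto != socket.IPPROTO_ICMP or inet_checksum(raw[ihl:total_len]) != 0:
        raise ValueError("not a well-formed ICMP message")
    icmp_type, icmp_code = struct.unpack("!BB", raw[ihl:ihl + 2])
    # Observed TTL is the initial value minus the hops travelled; rounding up
    # to the next common initial value recovers what the sender started with.
    initial_ttl = next(t for t in sorted(TTL_FAMILY) if t >= ttl)
    return {
        "src": socket.inet_ntoa(src),
        "ttl": ttl,
        "initial_ttl": initial_ttl,
        "hops": initial_ttl - ttl,
        "tos": tos,
        "df": bool(flags_frag & 0x4000),
        "ip_id": ip_id,
        "icmp_type": icmp_type,
        "icmp_code": icmp_code,
        "echoed_payload": raw[ihl + 8:total_len],
        "likely_family": TTL_FAMILY[initial_ttl],
    }

# Constructed replies standing in for two hosts four hops away (not captures).
REPLY_FROM_NT = build_echo_reply("10.0.0.10", "10.0.0.5", ttl=124, ip_id=0x0102,
                                 df=False, payload=b"xprobe-like probe")
REPLY_FROM_LINUX = build_echo_reply("10.0.0.20", "10.0.0.5", ttl=60, ip_id=0,
                                    df=True, payload=b"xprobe-like probe")

if __name__ == "__main__":
    for pkt in (REPLY_FROM_NT, REPLY_FROM_LINUX):
        print(fingerprint(pkt))
```

Run it and the first reply resolves to an initial TTL of 128 four hops away, the second to 64; the DF bit and IP ID behaviour are further cues a real tool weighs. Nothing here needs an open TCP port, which is the point the paragraph above makes.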
Socially acceptable passwords
Social engineering is a surprisingly effective means to gain illegal
access to a system. In-house technical support staff are a big target for
hoax phone calls, and usernames and passwords gleaned this way can give a
full-scale attack a jump start. It also reduces the amount of time spent
probing the network from the outside, which might alert security staff.
Social engineers can use basic domain lookups to glean contact
information, phone numbers and basic network details and use this
knowledge to bluff more details out of IT staff. Inversely, a hacker
posing as someone from the IT department could call around the less
technically savvy users and get their passwords straight from them.
Educating all employees on how to behave securely is a good idea. Tell IT
staff never to ask for passwords, and let other employees know that they
should report all requests for such information.
Great walls of fire
One of the most chilling phrases, from a security point of view, that
you can hear leave the lips of a senior manager is, 'we're safe because we
have a firewall'. Firewalls are certainly an essential component of any
external-facing network, but they're not the be-all and end-all of
Internet security. What's more, there are firewalls and there are
firewalls. And we're not even talking about personal 'firewalls' like
ZoneAlarm and BlackICE Defender here, which certainly have a place on the
desktop but can't be compared to fully featured, stateful firewalls such
as Check Point's Firewall-1 or even Linux's newly implemented (from kernel
2.4) Netfilter stateful packet filter. Briefly, because this subject has
filled books, a stateless firewall (or packet filter) will allow or deny
each network packet on its own, based on rules such as source and
destination IP address, port and TCP flags. You could configure a
stateless packet filter to allow port 21 (FTP) connections from
client.domain.com but not from any other network, and to deny any
connections from evil.hackers.org. But because each packet is judged in
isolation, the filter has to admit anything that merely looks like part of
a legitimate exchange (an inbound packet with the ACK flag set, for
instance, whether or not a connection actually exists), which opens it up
to certain abuses, spoofed source addresses among them.
Stateful packet filters, on the other hand, have a memory: they record the
connections that inside hosts open and can tell whether an incoming packet
is genuinely the response to a request for a Web page from an internal
user or part of a probe or attack. Some scanners deliberately send TCP
packets with unusual flag combinations (an ACK scan, for example, sends
packets that look like replies to an established connection) precisely to
slip past stateless filters. A stateless firewall is more at risk than a
stateful one because it can't tell whether or not the incoming traffic
belongs to a real connection.
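The difference is easiest to see on a short sequence of packets. The following is an added example, not code from the article or from any firewall vendor: both filters are toy models, the internal addresses and the traffic are constructed, and the stateless rule admits inbound packets with ACK or RST set, the approximation behind a Cisco ACL's 'established' keyword. The stateful model tracks connections that inside hosts open and checks each inbound packet against that table.

```python
from dataclasses import dataclass

INSIDE = {"10.0.0.5", "10.0.0.6"}             # assumed internal hosts

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset                           # subset of {"SYN", "ACK", "FIN", "RST"}

def tcp(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))

class StatelessFilter:
    """Judges each packet alone; can look at flags, never at history."""
    def allow(self, pkt):
        if pkt.src in INSIDE:
            return True                        # anything outbound
        return "ACK" in pkt.flags or "RST" in pkt.flags   # "looks like a reply"

class StatefulFilter:
    """Admits inbound packets only if they fit a connection an inside host opened."""
    def __init__(self):
        self.conns = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def allow(self, pkt):
        if pkt.src in INSIDE:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == {"SYN"}:
                self.conns[key] = "SYN_SENT"   # inside host opens a connection
                return True
            if key in self.conns:
                if pkt.flags & {"FIN", "RST"}:
                    del self.conns[key]        # simplified: forget on first FIN/RST
                return True
            return False                       # outbound but belongs to no connection
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        state = self.conns.get(key)
        if state is None:
            return False                       # unsolicited inbound, ACK scans included
        if state == "SYN_SENT" and pkt.flags == {"SYN", "ACK"}:
            self.conns[key] = "ESTABLISHED"
            return True
        if state == "ESTABLISHED" and "ACK" in pkt.flags and "SYN" not in pkt.flags:
            if pkt.flags & {"FIN", "RST"}:
                del self.conns[key]
            return True
        return False                           # flags inconsistent with the state

def run(fw, packets):
    """Verdict per packet, in order; stateful verdicts depend on earlier ones."""
    return [fw.allow(p) for p in packets]

# Constructed sequence (assumed addresses): a genuine web fetch by one inside
# host, then two probes from an outside scanner against another inside host.
TRAFFIC = [
    tcp("10.0.0.5", 40000, "93.184.216.34", 80, "SYN"),
    tcp("93.184.216.34", 80, "10.0.0.5", 40000, "SYN", "ACK"),
    tcp("10.0.0.5", 40000, "93.184.216.34", 80, "ACK"),
    tcp("93.184.216.34", 80, "10.0.0.5", 40000, "ACK"),        # server sends data
    tcp("198.51.100.7", 1234, "10.0.0.6", 135, "ACK"),         # ACK scan: looks like a reply
    tcp("198.51.100.7", 1234, "10.0.0.6", 135, "SYN"),         # plain SYN probe
]

if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(), TRAFFIC))
    print("stateful: ", run(StatefulFilter(), TRAFFIC))
```

Both filters pass the four packets of the real web fetch and block the bare SYN probe. Only the stateful filter blocks the fifth packet, the ACK probe: the stateless rule has to let it through because, flag for flag, it is indistinguishable from the server data in packet four.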
Radio controlled
Wireless networks should always be kept behind firewalls, away from
critical systems on the local network. Even if WEP (wired equivalent
privacy) is used to encrypt the wireless traffic, it's still not safe from
eavesdroppers. WEP has been cracked, although it's still better to use it
along with other authentication and tunnelling technologies, such as VPNs,
than not at all. Some hackers specialise in 'drive-by' hacking, sitting
outside buildings with laptops and aerials, logging in to the internal
network. A firewall between the wireless segment of the network and
important servers should make their lives harder.
Backdoor man
If an attacker is able to gain any kind of meaningful access to your
system he will probably wish to return at some point. But rather than have
to go through the hacking process again, which often involves the risk of
being logged and caught, any hacker worth his salt will want to wedge in a
metaphorical doorstop, otherwise known as a backdoor.
Additionally, he may even fix the original security hole that allowed
access in the first place because he now 'owns' the system and doesn't
want anyone else sneaking in and blowing his cover by maliciously damaging
software or generally being less skilled and subtle.
Creating a backdoor could be something as simple as creating a new user
account with high privileges. This applies to both Windows and Unix
systems, and administrators would do well to check user accounts lists
regularly. Programs that manage scheduled jobs are another attractive
target as these can be told to launch programs that temporarily open entry
points at times when the administrator is likely to be busy or absent.
This approach also means the backdoor will continue to last even after a
server restart. Startup files are good for this, too, and should be
inspected for strange-looking entries.
When a backdoor is used to hold open a network port, providing a place
for the attacker to connect to, it's also exposing itself. Judicious use
of the netstat command (netstat -an lists every listening socket with its
port number) will show open ports, so if you discover an unknown service
running on, for example, TCP port 54320, alarm bells should ring. Back
Orifice has been designed to offer stealthy remote access to a Windows
(9x, NT or 2000) host (see below) and can be detected in such a way,
although the person who installs it can change which port it operates on,
to port 21 for instance, usually reserved for FTP. If the system isn't
expected to be running FTP services, then it's time to run an anti-virus
program or MooSoft's backdoor remover, The Cleaner
(www.moosoft.com/cleaner.html). Bear in mind that netstat is only as
trustworthy as the host it runs on: a replaced system binary (see Trojans,
below) can leave the attacker's port out of the listing, so a port scan
from another machine is the better check.
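Checking netstat by eye works for one box; for a dozen it helps to compare the listing against a list of what each host is supposed to offer. This is an added example, not code from the article: the netstat output is constructed in the Windows 'netstat -an' format rather than captured, and EXPECTED is an assumed baseline for a host that should only be serving NetBIOS and RPC. Anything else listening is reported, with a note when the port is a well-known one the host has no business serving, which is the page's port 21 case.

```python
import re

# Constructed 'netstat -an' output (Windows layout), not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:54320          0.0.0.0:0              LISTENING
  TCP    10.0.0.10:21           0.0.0.0:0              LISTENING
  TCP    10.0.0.10:139          10.0.0.5:1030          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Assumed baseline: the services this particular host is meant to offer.
EXPECTED = {("TCP", 135), ("TCP", 139), ("UDP", 137), ("UDP", 138)}

# Names for a few well-known ports, so a listener on 21 reads as "ftp".
WELL_KNOWN = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http",
              135: "epmap", 139: "netbios-ssn"}

# proto, local addr:port, foreign addr(:port), optional state (UDP has none)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listening_sockets(netstat_text):
    """(proto, port) pairs the host is accepting traffic on."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue          # established or closing sessions are not services
        found.add((proto, int(port)))
    return found

def unexpected_listeners(netstat_text, expected=EXPECTED):
    """Listeners outside the baseline, each with a one-line reason."""
    findings = []
    for proto, port in sorted(listening_sockets(netstat_text) - expected):
        name = WELL_KNOWN.get(port)
        if name:
            reason = f"{name} port, but this host is not meant to serve {name}"
        else:
            reason = "no expected service on this port"
        findings.append((proto, port, reason))
    return findings

if __name__ == "__main__":
    for proto, port, reason in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {port}: {reason}")
```

On the sample it flags TCP 21 (an FTP port on a host that runs no FTP server) and TCP 54320 (nothing expected there at all). The caveat from the paragraph above still applies: feed it output from a netstat you trust, or from a scan run against the host from elsewhere.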
Trojans
A backdoor may be placed on a system by a hacker who's already gained
privileged access, but by using a Trojan horse an attacker may be able to
persuade an administrator to unwittingly install a backdoor himself.
'Trojan' refers to programs that claim to do something useful but conceal
a less benign function. For example, the BoSniffer utility claims to be
able to discover and remove Back Orifice, but in fact installs it. Other
Trojans can insert backdoors into setup executables for legitimate
products, so always be aware of where installation files originate and
ensure the checksums match the developer's documentation. Some Trojans are
subtler still. Basic commands like ls, ps or netstat can be replaced with
Trojans that perform the same functions along with additional ones; on NT
the equivalent is a doctored cmd.exe, since dir is built into the shell
rather than being a separate program. A Trojan version of dir could still
list all of the files and directories on an NT system with the exception
of a folder called C:\Hack_Toolz, which contains programs useful to the
attacker. Running a reliable copy of the shell, taken from another system
or from read-only media, would show up the rogue folder.
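Comparing against a known-good copy generalises into a file-integrity baseline: record a digest of every system file while the machine is trusted and re-hash later to see what changed. The following is an added example, not code from the article or from any integrity product. demo() builds a throw-away directory standing in for a Windows system folder with constructed contents (not real binaries), takes a baseline, then plants a trojaned shell of the same size plus a tool folder and reports the difference.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def baseline(root):
    """Map each file (path relative to root, '/'-separated) to its digest."""
    table = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            table[rel] = sha256_file(full)
    return table

def compare(trusted, current):
    """Files whose digest differs, plus files present in only one snapshot."""
    return {
        "changed": sorted(p for p in trusted if p in current and trusted[p] != current[p]),
        "added": sorted(set(current) - set(trusted)),
        "removed": sorted(set(trusted) - set(current)),
    }

def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for system files (assumed names, fake contents).
        _write(root, "system32/cmd.exe", b"genuine shell")
        _write(root, "system32/netstat.exe", b"genuine netstat")
        _write(root, "system32/kernel32.dll", b"genuine library")
        trusted = baseline(root)          # taken while the box is known-good

        # The attacker swaps in a shell whose dir hides C:\Hack_Toolz and drops
        # the tools themselves; the same file size defeats a naive size check.
        _write(root, "system32/cmd.exe", b"hiding shell ")    # 13 bytes, like the original
        _write(root, "Hack_Toolz/nc.exe", b"netcat")
        return compare(trusted, baseline(root))

if __name__ == "__main__":
    print(demo())
```

The digest catches the replaced cmd.exe even though its size is unchanged, and the new folder shows up as an addition. Two practical points: the baseline must live off the host (or on read-only media), otherwise the intruder simply rewrites it; and, as the next paragraph explains, once the kernel itself is patched the hashing program can be lied to as easily as dir can.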
The logical progression from here for a hacker is to attack the
operating system's kernel. Such a deep attack would effectively signal the
end of any control an administrator could hope to keep over the system. By
patching the kernel it's possible to hide processes and otherwise
misrepresent the system's status and files. Basically, the attacker
becomes the super user, and the previous super user is unknowingly
demoted. Variations of Unix, Linux and NT can be attacked in this way, but
although there are many different Solaris and Linux root kits available
there are limited options for Windows NT. Greg Hoglund's NT root kit is
still in alpha development, at version 0.40. If you suspect that your
system is a victim of such an attack it wouldn't be ignoble to give up and
reinstall from trusted media (not backup tapes). Remember to patch your
system before making it live, though. Otherwise the hacker could just
repeat his initial attack and use his root kit again.
Trap setting
People often take a defensive attitude to security. That is, wait for
the attack to happen and hope existing security measures are up to the
job. However, those who really want to get inside the heads of the hackers
and understand how they work will be able to pre-empt enemy actions more
easily. The Honeynet project, run by such respected members of the
security community as George Kurtz, Bruce Schneier and Fyodor, is a
network of computers, connected to the Internet and left to the devices of
unknown hackers who chance across it and attempt to break in. A wide
variety of machine types and operating systems can be used, while a
firewall gathers all incoming and outgoing network traffic.
Intrusion-detection systems can also be hidden and used to view the
hackers' methodologies. The Honeynet project (http://project.honeynet.org)
recently announced that the average life expectancy (in other words,
before it's hacked) of a default Red Hat 6.2 PC is 72 hours. This is based
on the fact that seven such machines on the Honeynet network were attacked
within three days, and one was taken within 15 minutes of being connected
to the Internet. The worrying part of this is that the machines are just
connected - not advertised as being Honeynet targets. As such, the project
can judge how generally active hackers are being at any one time.
Conclusion
No-one is saying that securing even one Internet-connected system is
easy. Indeed, beware the consultant or vendor who claims that 100 per cent
security is even possible. But you or your staff will stand a better
chance of avoiding or repelling attacks by allocating some time and money
into training staff or buying in help. It's no defence to claim that your
data or systems hold no interest to hackers, because to do so is to miss
the point completely. The fact that your systems exist is enough to
attract the least skilled type of intruder, armed with a port scanner and
a desire to break things. More technical attackers may not care about your
database, but could see your Internet gateway as somewhere safe from which
to launch attacks to other, more tempting sites. Are you ready to take
hackers seriously yet?
Back Orifice in action
The Back Orifice 2K (BO2K) Trojan is quite old now, but it's still an
effective way to take remote control of a Windows 9x, NT or 2000 system or simply
to spy on the user. Among many of its 'useful' features are a key logging
option, which dumps the victim's keystrokes down to a text file, and port
redirection, which we'll demonstrate here. The idea is that the system
(10.0.0.10) will be compromised, either due to some vulnerability in the
server applications or by a clueless user running a loaded email
attachment. The hacker then needs to set up the backdoor to facilitate
easy entry at will.
Step one:
Build a BO2K server by running the configuration utility bo2kcfg.exe.
This prompts you to choose a basic server executable, the default one
being bo2k.exe.
Step two:
Once opened in the configuration program, the server can be altered to
suit. For example, you can choose which port it operates on (we've chosen
1666) and how it behaves when running on the victim's machine. In this
screen shot we've told it to run every time the victim's machine starts up.
Step three:
The victim's machine is now infected and we've connected using BO2K's
client, bo2kgui.exe. Ports can now be mapped to other IP addresses or to
local apps. To achieve our remote shell, we'll link port 1667 to the
program c:\command.com. If the victim's machine was a Windows 2000 PC,
we'd target cmd.exe in its system32 folder instead. Press the Send Command
button and the client will
register the successful update.
Step four:
Telnet to the victim's machine on the appropriate port, in this case:
Telnet 10.0.0.10 1667. Ever seen a remote shell on a Windows 95 PC before?
There's nothing to stop you creating an FTP session from the command line
and stealing files, adding new ones and generally causing havoc. Port
redirection could also be used to access machines within the victim's
trusted network, with the victim being used as a launching pad.
Buffer Overflows
It would be a brave systems administrator who claimed that his system
was secure from all security holes. Default installations of almost every
commonly used operating system come complete with bugged software that
permits break-ins, and even the occasional Service Pack won't keep things
watertight. Buffer overflows are a common problem for both Unix and NT
systems, and one of the most serious reports was made last May, when
multiple vulnerabilities were found in the Bind DNS server program. Just
about every major OS vendor with the notable exception of Microsoft was
affected, with various Linux distributions and the Unixes of IBM,
Hewlett-Packard and Compaq all receiving fixes at top speed.
Programs vulnerable to buffer overflows allow attackers to feed more data
into an input field (a login prompt, say) than the buffer set aside for it
can hold, causing at best a crash and at worst root or system-level access.
@Stake's David Litchfield, a renowned British expert in buffer
overflows, spoke at last year's Las Vegas Black Hat conference. He
described an overflow as, 'like someone attempting to pour a pint of milk
into a glass that'll only hold half a pint, the remainder will overflow.
When this overflow occurs, the data that spills out of the buffer can
overwrite critical values in memory that control the program's path of
execution.'
To put it another way, if a program is expecting an input consisting
of, at most, ten characters, you could cause problems by entering 11 or
more. Well-written software checks the length and rejects or truncates the
input; badly written software copies it all, might crash and could even
let you run code of your own. The surplus characters land on top of
whatever sits next to the buffer in memory, and if that includes the
address the program will jump to when the current routine returns, an
input made up of filler followed by an address of the attacker's choosing
hands the attacker control of the program's execution, with a command
shell the usual prize on an appropriately vulnerable system.
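The following added example (not code from the article, and not real memory corruption) models that layout so the mechanism can be stepped through. A bytearray stands in for a stack frame arranged like a typical x86-64 frame: a 16-byte name buffer, the 8-byte saved frame pointer, then the 8-byte saved return address. The addresses are assumed values chosen for illustration. The vulnerable reader copies whatever it is given, strcpy-style; the fixed reader checks the length first, as a C program would with strncpy or snprintf and an explicit limit.

```python
import struct

BUF_OFF, BUF_LEN = 0, 16           # char name[16]
RET_OFF = 24                       # saved return address, after the saved rbp
FRAME_LEN = 32
LEGIT_RETURN = 0x0000000000401136  # where the caller expects to resume (assumed)
PAYLOAD_ADDR = 0x00007FFFFFFFE000  # where the attacker parked code (assumed)

def new_frame():
    """A fresh frame with the legitimate return address in place."""
    frame = bytearray(FRAME_LEN)
    frame[RET_OFF:RET_OFF + 8] = struct.pack("<Q", LEGIT_RETURN)
    return frame

def saved_return(frame):
    return struct.unpack("<Q", bytes(frame[RET_OFF:RET_OFF + 8]))[0]

def read_name_vulnerable(frame, data):
    """strcpy-style: copies every byte, trusting the caller about length.
    Writing past FRAME_LEN raises IndexError, the model's stand-in for the
    crash an overflow causes when it runs off the mapped stack."""
    for i, byte in enumerate(data):
        frame[BUF_OFF + i] = byte
    return frame

def read_name_fixed(frame, data):
    """Bounds-checked: refuses anything that will not fit with its terminator."""
    if len(data) >= BUF_LEN:
        raise ValueError(f"{len(data)} bytes offered, at most {BUF_LEN - 1} accepted")
    frame[BUF_OFF:BUF_OFF + len(data)] = data
    frame[BUF_OFF + len(data)] = 0
    return frame

def attacker_input():
    """Constructed payload: filler up to the return slot, then the target address."""
    filler = b"A" * (RET_OFF - BUF_OFF)          # fills name[] and the saved rbp
    return filler + struct.pack("<Q", PAYLOAD_ADDR)

def demo():
    """(return address after the vulnerable copy, outcome of the fixed copy)."""
    hijacked = saved_return(read_name_vulnerable(new_frame(), attacker_input()))
    try:
        read_name_fixed(new_frame(), attacker_input())
        outcome = "accepted"
    except ValueError:
        outcome = "rejected"
    return hijacked, outcome

if __name__ == "__main__":
    ret, outcome = demo()
    print(f"vulnerable copy: control returns to {ret:#x} (attacker's choice)")
    print(f"fixed copy: oversized input {outcome}")
```

After the vulnerable copy the saved return slot holds the attacker's address, so the routine 'returns' into the payload. The fixed version refuses the input; truncating it is the other legitimate choice, provided the terminator is still written inside the buffer.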
It's essential to ensure that all server-based software written
in-house, such as CGI scripts, is thoroughly checked for bad programming
practices that might allow buffer overflows. All externally reachable
commercial programs should be kept up to date as vendor patches appear,
and security mailing lists should be subscribed to in addition to the
usual monitoring of log files and operating system Critical Updates.
ISS ethical hacking
ISS (Internet Security Systems) follows the respected adage 'know your
enemy' and runs a four-day ethical hacking training course from its London
offices. This is no hacker school, though, and the trainers emphasise the
knowledge they impart is solely for the use of pre-empting and dealing
with attacks from malicious hackers. Typical attendees are systems
administrators and technical people who already know how to run
service-providing systems, firewalls and so on.
The course comprises one day of legal training, which covers some of
the responsibilities required by the Data Protection Act and reiterates
that the next three days will involve learning things that had better not
be practised outside a closed computer lab. The final day finishes with an
exam, which has a 30 per cent failure rate according to technical manager
Chris Ralph. A number of people don't even bother to sit the exam due to
the strenuousness of the previous days. The course is very technical and a
working knowledge of Windows NT, Linux and TCP/IP is essential because,
although the instructors are very good at ensuring you've tried out the
tools, there's no time to cover the niceties of using command line tools
for those who 'don't do DOS boxes'.
The meat of the course is a mixture of insightful lectures and
practical hacking. A Web server is nominated as the target and various
potential exploits explained. These include CGI cracks, scripts to break
Microsoft's IIS Web server and how to implement the frequently reported
buffer overflows. Pupils are encouraged to try out tools for themselves
using the provided workstations and a respectable library of scanning and
cracking tools.
Just throwing yourself at a Web server isn't exactly rocket science,
though, and much time and effort is spent covering the art of network
reconnaissance, or enumeration. This involves mapping out the systems that
lie in or near the target. Pupils learn how to compromise Cisco routers,
remotely install and use Trojans like Back Orifice and attempt to avoid
Intrusion Detection Systems. Password-gathering techniques also feature
high on the agenda. Tools like L0phtcrack are used to crack the Windows
NT password hashes held in SAM databases copied from target machines. The
class has earlier been taught how to obtain these files
using a very simple technique that takes seconds to run and little real
skill. Working as a hacker team, class members are asked to hack at the
network and publish their findings on the large whiteboard at the front.
Quickly, a map of the target's network appears, along with details of its
partner companies and a few usernames and passwords.
While one person unimaginatively defaces the target Web server's home
page, another, more adventurous systems engineer remotely uploads a copy
of Back Orifice and uses its port-mapping function to give himself a
command prompt on the target, complete with system-level privileges.
While the non-technical issue of social engineering is briefly covered,
so too are information-gathering techniques that are effectively
untraceable, or unsuspicious at the very least. For example, does your
email server identify the software name and version it's running? Does
your DNS server allow Zone Transfers to hosts other than your secondary
DNS machines? The lists of host names available from such transfers is a
quick way for a hacker to map out a network.
ISS' Ethical Hacking course is essentially a gripping course on puzzle
solving. Candidates all agree that it's added another dimension to their
views on network security. They now know how to bypass some generally
accepted security implementations, which mean others could too. This
insight into the way real attackers think and behave is at least as
valuable to an administrator or application programmer as a £10,000
firewall licence, but it costs less than a third.
First Published in PC Pro, issue 85, November 2001.
The above article is © Dennis Publishing Limited 2001. UK property of Dennis Publishing Ltd. This article may not be reproduced or transmitted in any form in whole or in part without the written consent of the publishers.