5216122-hackers [compatibility mode]

Upload: rajesh0201

Post on 30-May-2018


8/14/2019 5216122-Hackers [Compatibility Mode]

HACKERS
- The Modern Road Warrior -

June 4, 2001 Copyright 2001 All Rights Reserved 1

THE CHANGING WORLD

General Powell describes an historic meeting with Gorbachev, who was becoming frustrated in trying to explain how the old model of the world was unworkable. He finally leaned across the table to Secretary Shultz and said, "You need to understand, Secretary Shultz, today I am ending the Cold War." He then turned to Powell and said, "General, you will have to find another enemy."

The bipolar world of the last half century has become a multipolar economy dominated by the United States, Europe and the Pacific Rim.
- Economic competition has replaced military competition.
- Information and economic value have become synonymous.
- Personal and economic interests have merged with national interests.

The new economy is based upon information technology that is fast leading to an age of networked intelligence (the network is the computer), which in turn is leading to a new society with new politics. The world is on the doorstep of a digital economy fueled by information and knowledge. (Information is Power.)

THE CHANGING WORLD CONTD

The breakdown of the old world order has led to a rise in nationalism, old hatreds and religious rivalries, and the formation of numerous nation-states, each competing for its own viable economy and identity.

The conflict of the superpowers has given way to regional conflicts between comparatively small ethnic and political groups.

The foundation of both the mature and the emerging economies is based upon access to information that will enhance a mature economy or propel a weak one into power. The competition among nations is then one based upon acquiring the latest and best economic information that will give the corporation or the nation an economic advantage.

BUSINESS HAS BECOME WAR, THE BATTLEFIELD IS THE INFORMATION HIGHWAY AND THE HACKER, FOR GOOD OR BAD, IS THE MODERN ROAD WARRIOR.

HACKERS
- An Academic View -

HACKER HISTORY

The original generation of hackers has been said to include such personalities as John von Neumann, Alan Turing and Grace Hopper.

The first use of the term "hacker" is attributed to members of the Tech Model Railroad Club at MIT in the late 1950s. It was originally a term of praise for the very best programmers and designers.

Media coverage in the 1980s redefined the term to be synonymous with "computer criminal".

The visibility and rise of hackers is the result of four major factors:
1. The proliferation of computers.
2. The dramatic rise and geographical expansion of networks.
3. The dramatic rise in computer literacy.
4. The dependence of organizations upon information.

PERSONAL BELIEFS

- Computers are tools for the masses. Computers should not be private devices for the rich.
- Information belongs to everyone. Most hackers start at the university, which generates and distributes knowledge.
- Coding is community property. The status of all software should be shareware, freeware or public domain.
- Coding is an art. A good program has a certain elegance and beauty. In beauty there is creativity, which is demonstrated by a program that can penetrate others.
- The computer lives. Most hackers have a social and personal relationship with their computer.

The Hacker Ethic

- Access to computers should be unlimited and total.
- All information should be free.
- Mistrust authority; promote decentralization.
- Hackers should be judged by their hacking.
- You can create art and beauty on a computer.
- Computers can change your life for the better.

PERSONAL QUALITIES

- Mostly white. There seems to be a correlation between race and affluence.
- Mostly male. It is unknown why males seem to be predominant as hackers, although there have been examples of females serving as hackers and hacker leaders.
- Young. Most are under 30 and concentrated around colleges and universities.
- Bright. A good hack results from meeting a challenge which will, in many cases, require exceptionally high intelligence.
- Understanding, prediction and control. These three conditions seem to bring a sense of competence, mastery and self-esteem.
- Computer fascination. For many of us the computer is simply a tool. For the hacker it is an unendingly fascinating toy, a mystery wrapped in an enigma to be explored and understood.
- No malice. The good hack does no damage.

Social Views on Hackers

- Misguided youths. Hackers are misguided youths and are essentially harmless. Their intelligence and creativity should be encouraged but directed toward more constructive channels.
- Security specialists. Hackers know the corporate security weaknesses. They should be hired as security specialists and their expertise utilized to protect the corporation's vital information resources.
- Scumbags. Hackers are the scum of the earth and should be treated as varmints and hunted down with dogs.
- Ordinary criminals. Hackers should be treated no differently than any other criminals. Human nature inevitably breeds predators, and it is the responsibility of everyone to put in place the necessary controls to protect their valuables.

HACKER COMMENTS

"Hacking to me [is] to transcend custom and engage in creativity for its own sake..."

"For the most part, it's simply a mission of exploration. In the words of the captain of the starship Enterprise, Jean-Luc Picard, 'Let's see what's out there!'"

"It's like picking a lock on a cabinet to get a screwdriver to fix a radio. As long as you put it back, what's the harm?"

"Although computers are part 'property' and part 'premises'..... they are supreme instruments of speech..... We must continue to have absolute freedom of electronic speech."

"Thousands of people legally see and use this ever-growing mountain of data, much of it erroneous. Whose rights are we violating when we peruse the file? ...The invasion took place long before the hacker ever arrived."

"Crime gets redefined all the time. Offend enough people or institutions and lo and behold, someone will pass a law."

"At the risk of sounding like some digital posse comitatus, I say: Fear The Government That Fears Your Computer."

HACKER DEFINITIONS

- A Hacker is someone who has achieved some level of expertise with computers.
- A Cracker is someone who breaks into systems without [...].
- A Script Kiddie is someone who uses scripts or programs from someone else to do his/her cracking. Other terms are leech, warez puppy, warez d00d, lamer and rodent.
- A Phreaker is a hacker who specializes in telephone systems.
- A White Hat is someone who professes to be strictly a good guy.
- A Black Hat is someone who is viewed as a bad guy.
- A Grey Hat is someone who falls in between White and Black.

HACKER MOTIVATION

- Psychological need/recognition.
- Desire to learn/curiosity.
- Revenge/maliciousness.
- Experimentation.
- Gang mentality.
- Misguided trust in other individuals.
- Altruistic reasons.
- Self-gratification.
- Desire to embarrass.
- Joyriding.
- Scorekeeping.
- Espionage.
- Cyber-warrior.

TYPICAL HACKER ATTACKS

- Insider attack.
- Social engineering.
- Virus infiltration.
- Denial of service.
- Password infiltration.
- Lack-of-security infiltration.
- IP spoofing.
- Trojan horse.
- Stealth infiltration.
- TCP/IP protocol flaw.
- Worms and viruses.

49% are inside employees or contractors on the internal network. 17% come from dial-up by inside employees. 34% are from the Internet. The major financial loss is from internal hacking.

WHAT MAKES A TARGET?

- Lax security (hard on the outside, soft on the inside!).
- Target of an extremist group, e.g., Tamil Tigers.
- Target of a radical group, e.g., animal rights.
- High visibility makes a good "scorekeeper" site.
- High visibility makes a good "embarrassment" site.
- Resources that are useful to the hacker.
- Destruction of the ability to provide service to customers.
- You are a challenge, e.g., the Cheswick and Bellovin site.

HACKER CATEGORIES

- Semi-professional hacking. Performed part-time and does not provide an income. They fit the classical hacker characteristics, i.e., they work and play on the [...] against his/her self-esteem; can have narcissistic personality disorders.
- Inner-city hacking. Inner-city residents (any race, color, religion, creed, etc.); exhibit anger at social conditions; exhibit no social conscience; jail is not a deterrent. Hacking gives them a sense of power and allows them to make their own rules.
- Eurohacking. More worldly and enlightened than US hackers, and generally motivated by philosophical or political concerns. Generally thought of as a way of life and not a crime; thinks hacking is treating technology without respect; thinks it is great sport to spin up intelligence communities.
- Professional hacking. This encompasses any for-profit activity, such as spies, industrial espionage, narcoterrorists, white-collar criminals, etc.

HACKER ATTACK CATEGORIES

- Personal attacks. Attacks against an individual's electronic privacy. This could take the form of exposure of TRW records, exposure of criminal records, changing correct to incorrect entries on your digital self, changing your DMV record, changing your telephone record, sending explicit sex material across the Internet in your name, etc. [Instructor's note: One reporter critical of hackers reputedly had [...] turned off, was flooded with unordered mail-order merchandise and had his credit report posted on a public BBS.]
- Corporate attacks. This attack primarily includes: industrial espionage on the part of competing corporations (whether foreign or domestic); economic espionage, such as insider-trading information, plans of the Federal Reserve System, and possible mergers; and white-collar crime such as electronic funds transfer fraud, bank fraud, toll fraud, etc.
- Information warfare. This attack is against a country, its politics and its sphere of influence. This primarily includes: offensive information warfare against such infrastructures as Wall Street, the Federal Reserve System, the Internal Revenue Service, air traffic control systems, manufacturing systems, communication systems, etc.; and defensive information warfare to provide infrastructure assurance against attacks.

Note: These are attacks considered from an information perspective and from a very high level.

HACKER EXAMPLES

The Cuckoo's Egg discussed four hackers from Hannover, Germany (Dirk Brzesinski, Peter Carl, Markus Hess and Karl Koch) who penetrated or attempted penetration of at least 50 computers connected to MILNET.
- These systems included the Pentagon, Lawrence Livermore Labs, the Los Alamos nuclear weapons systems and the National Computer Security Center.
- They exploited these systems by means of weaknesses in TCP/IP and the UNIX operating system.
- One of their favorite techniques was to plant Trojan horses to steal authorized passwords.

The German Chaos Computer Club brought chaos to the National Aeronautics and Space Administration computer systems in the late 1980s.
- They primarily planted virus programs at the Goddard Space Flight Center in Greenbelt, Md.
- They gained access through a Unix flaw that the system administrator had failed to patch.

HACKER EXAMPLES CONTD

Eberhard Blum, part of the Bundesnachrichtendienst (BND), is reputed to have instituted a program called Project Rahab, composed of computer scientists, designed to penetrate the communications systems of the Eastern bloc.
- This organization, since the fall of the Eastern bloc, is reputed to have targeted [...].

The Direction Générale de la Sécurité Extérieure (the French CIA) is reputed to target foreign businesses.
- Their favorite US targets seem to have been IBM and TI.
- They are reputed to search visitors' rooms looking for information on laptops and to bug Air France flights.
- The French are reputed to auction these industrial secrets to the highest corporate bidder.

[...] the industrial espionage activities of Japanese corporations.
- These secrets are funneled through MITI, which uses the information as part of their national industrial policy.

China, the former Soviet Union, France, Japan, Israel, Sweden, Switzerland and the UK are reputed to be the most active in national industrial espionage.

HACKER EXAMPLES CONTD

Robert Morris Jr., Cornell University, brought the Internet to its knees in 1988 through the "Internet Worm".
- The worm consumed computer resources, making them unavailable to others, thereby either halting the computer or slowing it to a crawl.
- The worm consisted primarily of the following attack programs: a program designed to exploit the backdoor DEBUG command in [...]; a finger daemon program to inundate the finger daemon's input buffer; and a password guessing program.

The Legion of Doom (LoD) and the Masters of Deception (MoD) were two of the major computer gangs in the late 80s and early 90s.
- They were from Brooklyn, the Bronx and Queens.
- They wiretapped, intercepted data transmissions, reprogrammed telephone company switches, stole and sold passwords, etc.
- MoD members were indicted in 1992, apparently turned in as a result of a falling out with LoD.

Selected LoD members: Chris Goggans (Erik Bloodaxe), Scott Chasin (Doc Holliday).
Selected known MoD members: Mark Abene (Phiber Optik), Julio Fernandez (Outlaw), John Lee (Corrupt), Elias Ladopoulos (Acid Phreak), Paul Stira (Scorpion).

A Typical Hacker Attack
- THE BOEING ATTACK -

THE BOEING ATTACK - 1995
November 1995

[Diagram: the hacker reaches the Boeing computer over the Internet and via a modem attack; the Boeing computer has trusted connections to a commercial computer, a government computer and an education computer.]

1. A computer consultant noticed the system was sluggish.
   (a) He executed the top command to determine what was slowing down the system.
   (b) A program called vs was consuming a large amount of system resources and was running as superuser.
2. He next ran ps.
   (a) vs did not appear, so he suspected a break-in.
3. He executed the Emacs dired command and found the vs program at /var/.e/vs.
4. He next went to the /var directory and did an ls -a command.
   (a) The directory /var/.e was not displayed.
5. The programmer used the tar command to make a copy of the /var/.e, /bin and /etc directories on another computer.
6. The programmer then shut down the system.
7. He next examined the /bin/login file and found it had been modified to allow logging in with a special password.
8. This seemed to be an exceptionally sophisticated attack.

THE BOEING ATTACK - 1995 (contd)
November 1995

9. He found that /var/.e/vs was a password sniffer which passed copied passwords to a remote computer.
10. He found the /bin/ls and /bin/ps commands had been modified to not display the directory /var/.e.
11. He also found the /bin/ls, /bin/ps and /bin/login file creation dates and modification times had been reset to the original dates and times.
12. He found, in addition, that the checksums for the modified commands matched those of the original unmodified versions.
    (a) A comparison of the modified programs with the backup versions revealed the differences.
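Step 12 is the instructive one: a checksum that "matches" is only as strong as the algorithm behind it. The classic sum(1) command computes a 16-bit additive checksum, and an attacker can make a trojaned binary agree with the original simply by appending padding bytes (bytes past the end of an executable are ignored by the loader). A cryptographic hash such as SHA-256 cannot be fixed up that way, and comparison against an offline backup, as the investigator did, catches the change regardless. The Python below is added here as an illustration; it is not code from the slides or from any Boeing report. It reproduces the System V sum(1) algorithm, forges that checksum for a constructed stand-in for a trojaned /bin/ls, and shows that SHA-256 and the file size still flag it. The byte strings and function names are constructed for the example.

```python
import hashlib

# Constructed stand-ins for the original and trojaned /bin/ls (not real binaries).
ORIGINAL_LS = bytes(range(256)) * 4 + b"usage: ls [-a] [file ...]\n"
TROJANED_LS = ORIGINAL_LS.replace(b"usage: ls", b"hide /var/.e; ls")


def sysv_sum(data: bytes) -> int:
    """16-bit checksum as computed by System V sum(1) (GNU 'sum -s').

    The byte total is folded twice, so the result depends only on the
    total modulo 65535 (a non-zero total that is a multiple of 65535
    reports as 65535).
    """
    total = sum(data)
    folded = (total & 0xFFFF) + ((total & 0xFFFFFFFF) >> 16)
    return (folded & 0xFFFF) + (folded >> 16)


def forge_sysv_sum(modified: bytes, target: int) -> bytes:
    """Append padding so that sysv_sum() of the result equals target.

    Because the checksum is additive, the attacker only needs appended
    bytes whose total makes up the difference modulo 65535. Assumes the
    baseline (and hence target) came from a non-empty file.
    """
    delta = (target - sum(modified)) % 65535
    pad = bytearray()
    while delta > 255:
        pad.append(0xFF)
        delta -= 255
    if delta:
        pad.append(delta)
    return modified + bytes(pad)


def integrity_report(baseline: bytes, candidate: bytes) -> dict:
    """What each check says about candidate versus the trusted baseline copy."""
    return {
        "sysv_sum_matches": sysv_sum(baseline) == sysv_sum(candidate),
        "sha256_matches": hashlib.sha256(baseline).digest()
        == hashlib.sha256(candidate).digest(),
        "size_matches": len(baseline) == len(candidate),
    }


if __name__ == "__main__":
    forged = forge_sysv_sum(TROJANED_LS, sysv_sum(ORIGINAL_LS))
    print("sum(1) of original:", sysv_sum(ORIGINAL_LS))
    print("sum(1) of trojan  :", sysv_sum(forged))
    print(integrity_report(ORIGINAL_LS, forged))
```

The report shows the sum(1) values agreeing while SHA-256 and the size do not, which is exactly the situation in step 12: the on-host checksum tool was the wrong oracle, and only the out-of-band backup comparison in 12(a) was trustworthy. Timestamps (step 11) are no better, since mtime and atime are settable by root; a baseline of cryptographic hashes kept off the host is the durable control.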

Attack Methodology

What to attack (selecting a network/target).
1. Internet
   a. Access the Network Information Center: the [...] Database (ds.internic.net) and Information (is.internic.net) services.
   b. whois server to obtain public information on hosts, networks, domains and system administrators.
   c. [...] notation).
   d. DNS to acquire the dotted decimal address.
   e. traceroute to determine intermediate networks.
   f. SNMP to dump a router table.

Attack Methodology Contd

What to attack (selecting a network/target).
2. Telecommunication/Modem
   a. Social engineering.
   b. Dumpster diving.
   c. Demon dialing (scanning/autodialing/wardialing).
   d. Wiretapping.
   e. Optical spying.
   f. Cheese box (unauthorized call forwarding).
   g. Piggybacking.
   h. Call forwarding.
   i. Password breaker.
   j. Parking lots.
   k. Shoulder surfing.
   l. Socializing.
   m. Stealing laptops.
   n. Wireless communication (wardriving).

Attack Methodology Contd

Who to attack (selecting a host).
1. Ping the address with an ICMP Echo Request. This can also be used to find the route of the packet to the address.
2. DNS with a reverse name lookup to translate the numeric address into a domain name.
3. DNS HINFO records provide the hardware and operating system release, which will be helpful in formulating an attack.
4. Pinglist (a modification of traceroute with UDP) to map the network.
5. Netmappers are publicly available.
6. Port mappers (port scanners) are publicly available.
7. The login screen (banner) can be used to derive information about the target.

Note: Breadth is more important than innovation. Select a known vulnerability rather than expose a new one.

Attack Methodology Contd

Testing the host (finding a weakness).
Note: Weaknesses are generally specific to an operating system or host hardware, or due to old bugs that have not been patched.

Utilize a vulnerability scanner such as Internet Security Scanner (ISS) or the Security Analysis Tool for Auditing Networks (SATAN) to scan for various holes:
a. Check for unprotected logins or mail aliases (sync, guest, lp, etc.) that do not require a password.
b. Connect to the mail port with telnet and log the mailer type and version.
c. Attempt an anonymous FTP connection and try to grab the /etc/passwd file by using the root account. May want a list of supported commands.
d. rpcinfo to test for services running. This program prints out which RPC services are currently active. Look for NFS/mountd, yp/ms, rexd.
e. ypx to attempt to grab the passwords through the Network Information System (NIS), originally called Yellow Pages, in order to invoke some type of dictionary attack.
f. Transitive trust analyser to learn the source of logins and to recursively probe those hosts.
g. fping to determine Internet connection or firewall.

Attack Methodology Contd

Hacker goals after penetration:
- Leave no evidence of the successful attack. The good hack retains a cloak of invisibility.
- Obtain machine root (superuser) access.
- Install password sniffing tools to collect data for later retrieval.
- Install two or more security backdoors (security holes).
- Check the mail alias database and log files.
- Run security auditing programs such as COPS, Internet Security Scanner (ISS) and Security Analysis Tool for Auditing Networks (SATAN).

HACKERS
- A Hacker's View -

- A Hacker's View -

Note: A hacker spends 60-70 hours/week hacking! Why? A challenge; a game of wits, skill and ingenuity. A sense of enjoyment/accomplishment. Intensely interested in computers.

Hacker profile: Teens or early twenties. Academically advanced. Bored in school. Hackers grow up to become computer professionals. As many as 80% of all system operators claim to have hacked.

Type of Hackers

The Novice: 12-14 years old.
- Live off more advanced students.
- Hacking is fun and mischief.
- They will generally log on, look around, get bored and leave.
- They can be unpredictable.
- [...] when confronted. The more experienced hacker will be ambiguous.
- Easily defeated by security.

Type of Hackers Contd

The Student: Very bright but bored.
- They will spend days examining files on a system.
- Hacking is a solitary pastime, not antisocial behavior.
- Generally adheres to good computer ethics.
- He wants to stay out of trouble.
- He respects the system/programmers and doesn't want to create additional work.
- He may seek employment with the company (at just the [...]

Type of Hackers Contd

The Tourist: Likes adventure and a challenge.
- [...]. The successful hack constitutes the thrill.
- They will normally plan their attack.
- They are meticulous and always figure the odds of success.
- The harder the target, the less likely they will attempt a [...].
- They normally trade information with other hackers.
- They may service other hackers.
- The best defense is to harden the system.

Type of Hackers Contd

The Crasher: A troublemaker.
- No obvious purpose or logic to their hacking.
- Makes themselves visible by creating as much trouble as possible.
- They are very patient and plan their attack to accomplish the most damage.
- Erases programs, files, etc.
- [...] hackers. They crash hacker bulletin boards, close down hacker accounts, etc.
- The Crasher must be stopped during the reconnaissance phase.

Type of Hackers Contd

The Thief: Not perceived as hacking but as computer [...].
- They will spend hours in reconnaissance and planning the attack.
- They use bribes, blackmail, wiretaps, spying, etc.
- [...] robbing.
- Rarely discovered.
- The best defense is in-depth security.

Levels of Effort

Level One. Targets of opportunity. Tests for basic flaws and, if none are available, moves on. Little or no effort.

Level Two. [...] Partial to a particular OS and will expend extra effort. Well-known system defaults, loopholes and bugs.

Level Three. More intense effort, normally related to a specific host. Tries common passwords and normally succeeds.

Level Four. Extreme effort that takes months. Successful about 90% of the time. These are Tourists that research and plan with great patience.

Level Five. A Thief ("Show me the money"). He expects payback for his time and effort.

Attack Methodology

The Beginning - Motivation: Decide why this system should be attacked.
Step 1 - Target Reconnaissance, sometimes called footprinting, is when the hacker gathers information about the target system and the network.
Step 2 - Scanning - The probe and attack.
Step 3 - Gaining Access - Advance/hide the attack and install a backdoor(s).
Step 4 - Maintaining Access - Establish a listening post.
Step 5 - Covering Tracks/Exploitation.

Attack Methodology

The Beginning - Motivation: Decide why this system should be attacked.
- Boredom.
- Revenge.
- Financial gain.
- Peer respect.
- Challenge.
- Rattle the site.
- Curiosity.

Attack Methodology
Step One - The Target Reconnaissance.

Target reconnaissance, sometimes called footprinting, is when the hacker gathers information about the target system and the network.
- Search the Internet: web sites, IRC, newsgroups, etc.
- Use the Domain Information Groper (dig) to attempt a zone transfer.
- Gather information on network users through the web, newsgroups, telephone books, social engineering, dumpster diving, examining cars, etc. This will reveal password combinations and the policy for determining user names.

Attack Methodology Contd

For example:
- whois navy.mil will find hosts on the navy.mil network.
- nslookup on navy.mil will return information contained in the navy.mil DNS.
- Utilize a zone transfer program or named-xfer to retrieve the DNS files from the primary DNS.
- Utilize the ping command to determine which systems are connected to the Internet.
- telnet navy.mil will determine the machine type and OS version from the login banner.
- [...] and machine type.
- Utilize rpcinfo to scan for active ports and return a list of RPC programs running on the machine with version numbers and port numbers.
- Utilize finger to get a list of users on the system, etc.

Attack Methodology Contd

Step One - The Target Reconnaissance Contd.
Utilize whois to provide the following type of information: organizational, domain, network, point of contact.

The following type databases can provide this type of information:
- InterNIC Database: http://www.networksolutions.com
- American Registry for Internet Numbers: http://www.arin.net
- European IP addresses: http://whois.ripe.net
- Asia Pacific IP addresses: http://whois.apnic.net
- U.S. Military: http://whois.nic.mil
- [...]

With the following type tools:
- Whois web interface: http://www.networksolutions.com
- http://www.samspade.org
- http://search.websitz.com
- Xwhois: http://www.goatnet.ml.org

Attack Methodology Contd

Step One - The Target Reconnaissance Contd.
Examine the target organization's web pages for:
- Locations
- Related companies
- Organization with phone numbers and e-mail addresses
- Privacy and security policies
- Links to other sites
- News articles
- Press releases
- Review the HTML source code.

Utilize Internet search tools such as:
- [...]
- AltaVista, HotBot, etc. search engines to search for links back to the target, rogue web sites at home, etc.
- EDGAR database (Securities and Exchange Commission) on the parent organization and subsidiaries.

Attack Methodology Contd

Step One - The Target Reconnaissance Contd.
The following type of information should now be available:
- Host name(s).
- Host address(es).
- Host owner.
- Host machine type.
- Host operating system.
- Network owner.
- Other hosts on network.
- Hosts trusted by network.
- Hosts outside network.
- List of users.
- User-name assignment policy.

Attack Methodology Contd

Step Two - The Probe and the Attack.

Remote blind attack.
- The user knows the network address but not a valid account or access.
- Exploit a service weakness.

Inside user attack.
- The user/hacker has user-level/unprivileged access.
- Sniffed passwords.
- Traded accounts.
- Shoulder surfing.
- Remote blind attack.
- Social engineering.
- Default user accounts.

Physical attack.
- Plug into the network.
- Physical access to the host.
- Piggybacking.

Attack Methodology Contd

Step Two - The Probe and Attack
Probe the system for weaknesses and exploit a security weakness to gain system entry.

Probe the system perimeter for potential weaknesses. This is a highly automated function and the most dangerous for the hacker.
- Security Administrator Tool for Analyzing Networks (SATAN).
- Internet Security Scanner (ISS).
- Strobe.

The probes provide a list of available services and ports. The services, depending upon their software version, will have known weaknesses that can be exploited. These weaknesses are normally documented by a CERT advisory.

What the hacker wants: a login account and a password. Example: an encrypted password can be broken with Crack.

Typical attacks would be:
- a phf attack on a web page.
- a fingerd buffer attack.
- an FTP bounce attack.


    Step Two - The Probe and Attack (Scanning)

    Network Scanning
        Ping Sweep a range of IP addresses/network blocks to determine if an individual system is alive. The following tools are typical:
            ping (supplied with every TCP/IP stack)
            fping (part of the TAMU tools)
            nmap by Fyodor
            Pinger from Rhino9
            Ping Sweep from SolarWinds
            WS_Ping ProPack from Ipswitch
    Network Scanning Countermeasures
        Utilize Intrusion Detection Systems (IDS) such as:
            Network Flight Recorder
            RealSecure
            BlackICE
            NetProwler

    Attack Methodology Contd

    Step Two - The Probe and Attack (Scanning)
        Port Scanning
            Port Scanning is the process of connecting to TCP/UDP ports on the target system to determine which services are listening. The set of open ports allows the hacker to know the type of OS/service in use.
            Typical port scan tools are as follows:
                Strobe by Julian Assange.
                Udp-scan that comes with SAINT (a newer version of SATAN).
                PortPro from StOrM.
                Portscan from Rhad of the 7th Sphere.
                SuperScan from Foundstone.
                Network Mapper (Nmap) from Fyodor (arguably the best).

    Attack Methodology Contd

    Step Two - The Probe and Attack (Scanning)
        Port Scanning
            Typical port scans are as follows:
            TCP connect scan: The full three-way handshake (SYN, SYN/ACK, ACK) is completed with the target port. The scanner then immediately sends an ACK/FIN packet to end the session. Because the connection is fully established, the target application normally logs it.
            TCP SYN (Half-Open) scan: A full TCP connection is not made. Only a SYN packet is sent to the target port. If a SYN/ACK is received, the target port is LISTENING. A RST/ACK is immediately sent by the scanner so that the connection is never established and therefore not logged by the application (a packet-level IDS still sees it). If a RST/ACK is received, it usually means the port is not LISTENING.
            TCP FIN (Stealth) scan: Only a FIN packet is sent to the target port. Closed ports tend to respond with a RST/ACK. Open ports tend to ignore the FIN packet (RFC 793 behaviour). Some stacks, Microsoft's among them, reply with a RST on every port regardless of state, so against them this scan reports nothing open.
            TCP Xmas Tree scan: A FIN/URG/PUSH packet is sent to the target port. The target should send back a RST packet for all closed ports (RFC 793).

    Attack Methodology Contd

    Step Two - The Probe and Attack (Scanning)
        Port Scanning
            Typical port scans contd:
            TCP Null scan: A packet is sent with no flags set. The target host should send back a RST for all closed ports (RFC 793).
            UDP scan: The scanner sends a UDP packet to the target port. A closed port responds with an "ICMP port unreachable" message. An open port will typically not respond with this message, so silence is ambiguous: the port may be open, filtered, or the ICMP reply may simply have been rate-limited or dropped.
            Fragmentation scan: This is a combination of techniques. Typically the SYN or FIN scan is used, but the probe packet is broken into tiny IP fragments prior to sending, so that the TCP header is split across fragments and simple packet filters or IDS cannot match on it.
            Ident scan: This is also a combination of methods. A full TCP connection is established to a listening port, and the Ident protocol (RFC 1413, port 113) is then queried to determine the owner (user ID) of the process listening on that port.
        Port Scanning Countermeasures
            Intrusion Detection Systems such as:
                NFR
                RealSecure
                NetProwler
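    The scan types above, as an added worked example that is not part of the original lecture: a small Python model of how a scanner builds the probe header, interprets the reply and classifies the port, including the target stack behaviour that makes the FIN/Xmas/Null scans unreliable. No packets are sent; the target is simulated in-process, and simulate_target and its two stack behaviours are constructed for this illustration.

```python
import struct

# TCP flag bits in the low six bits of the data-offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flags carried by the first packet of each scan type discussed in the lecture.
SCAN_PROBES = {
    "connect": SYN,          # full handshake, then the scanner tears down
    "syn":     SYN,          # half-open: SYN, read reply, answer with RST
    "fin":     FIN,
    "xmas":    FIN | URG | PSH,
    "null":    0,
}

def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Build a minimal 20-byte TCP header; checksum and urgent pointer are left 0
    (a real scanner fills in the pseudo-header checksum before sending)."""
    offset_flags = (5 << 12) | flags         # data offset = 5 words, no options
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_flags, window, 0, 0)

def parse_flags(header):
    """Return the six TCP flag bits from a raw TCP header."""
    return struct.unpack("!H", header[12:14])[0] & 0x3F

def simulate_target(open_ports, dst_port, probe_flags, rfc793=True):
    """Constructed stand-in for the target stack. Returns the reply flags, or
    None when the stack stays silent.
    rfc793=True  models a stack that follows RFC 793: SYN -> SYN/ACK on open
                 ports, RST on closed ports, silence for FIN/Xmas/Null on open ports.
    rfc793=False models stacks (Windows among them) that answer FIN/Xmas/Null
                 with RST on every port, open or closed."""
    if dst_port not in open_ports:
        return RST | ACK
    if probe_flags & SYN:
        return SYN | ACK
    return None if rfc793 else RST | ACK

def scanner_followup(scan, reply_flags):
    """What the scanner sends after a SYN/ACK: the connect scan completes the
    handshake (ACK) and then closes; the half-open scan resets instead, so the
    application never sees an established connection."""
    if reply_flags is None or not (reply_flags & SYN):
        return None
    return ACK if scan == "connect" else RST

def classify(scan, reply_flags):
    """Port state implied by the reply to one probe of the given scan type."""
    if scan in ("connect", "syn"):
        if reply_flags is None:
            return "filtered"                  # no answer at all: something dropped it
        if reply_flags & SYN and reply_flags & ACK:
            return "open"
        if reply_flags & RST:
            return "closed"
        return "unknown"
    if scan in ("fin", "xmas", "null"):
        if reply_flags is None:
            return "open|filtered"             # silence is all RFC 793 gives us
        if reply_flags & RST:
            return "closed"
        return "unknown"
    raise ValueError(f"unknown scan type {scan!r}")

def run_scan(scan, open_ports, ports, rfc793=True, src_port=40000):
    """Scan a list of ports against the simulated target; returns {port: state}."""
    results = {}
    for port in ports:
        probe = build_tcp_header(src_port, port, SCAN_PROBES[scan])
        reply = simulate_target(open_ports, port, parse_flags(probe), rfc793)
        results[port] = classify(scan, reply)
    return results

if __name__ == "__main__":
    target_open = {22, 80}
    for scan in SCAN_PROBES:
        print(scan, run_scan(scan, target_open, [22, 80, 81]))
    # Against a stack that RSTs every FIN probe, the stealth scans see nothing open.
    print("fin vs RST-everything stack:", run_scan("fin", target_open, [22, 81], rfc793=False))
```

    The five scan types correspond to nmap's -sT, -sS, -sF, -sX and -sN. Note that the classifier can only ever say "open|filtered" for the stealth scans: that ambiguity, plus the stacks that RST everything, is why the half-open SYN scan remained the workhorse.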

    Attack Methodology Contd


    Step Two - The Probe and Attack (Stack Fingerprinting)

    Stack Fingerprinting
        This technique allows the hacker to determine the host's operating system. Vendors interpret the RFC guidance differently when writing their TCP/IP stacks, and the stacks can be probed to detect these differences.
        FIN Probe: A bare FIN is sent to an open port. Per RFC 793 the stack should not respond; however, many will respond with a FIN/ACK.
        Bogus Flag Probe: An undefined TCP flag is set in the header of a SYN packet. Some stacks echo the flag in their reply, others reset the connection.
        ISN Probes: Stacks differ in how they determine the Initial Sequence Number (fixed increments, time-based, random).
        DF Bit Monitoring: Some stacks set the Don't Fragment bit to enhance performance.
        TCP Initial Window Size: The advertised window size on some stacks is unique.
        ACK Value: Stacks differ on the ACK value, e.g., some return Seq + 1 while others simply return the same Seq number received.

    Attack Methodology Contd

    Step Two - The Probe and Attack (Stack Fingerprinting)
        Stack Fingerprinting contd
        ICMP Error Quenching: Stacks may rate-limit ICMP error messages differently.
        ICMP Message Quoting: Stacks differ in how much of the offending packet is quoted back in ICMP errors.
        ICMP Error Message Integrity: Some stacks may alter the IP header when sending back ICMP error messages.
        Type Of Service (TOS): The TOS for "ICMP Port Unreachable" messages should be zero; however, this may vary by stack.
        Fragmentation Handling: Stacks reassemble overlapping IP fragments differently.
        TCP Options: Stacks may handle multiple options such as No Operation, Maximum Segment Size, Window Scale Factor, and Timestamps differently.
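    The probe list above, as an added example that is not part of the original lecture: the matching step of stack fingerprinting in Python. Each probe's outcome is reduced to one feature, the observed feature set is scored against a signature table, and the result is flagged as unreliable when the best match is tied or too few probes were answered (the firewall-in-the-way case). The three signatures are constructed for this example and are not real operating-system fingerprints; a real tool carries hundreds, compiled from known systems.

```python
# Each probe result is reduced to one feature; a signature value of None means "don't care".
FEATURES = ("fin_reply", "bogus_flag_echoed", "df_set", "initial_window",
            "ack_value", "icmp_tos", "tcp_options")

# Constructed signature table for three hypothetical stacks.  The values are
# illustrative only and are NOT real operating-system fingerprints.
SIGNATURES = {
    "stack-A (RFC 793 strict)": {
        "fin_reply": "silent", "bogus_flag_echoed": False, "df_set": False,
        "initial_window": (4096,), "ack_value": "seq+1", "icmp_tos": 0,
        "tcp_options": ("MSS",),
    },
    "stack-B (FIN/ACK responder)": {
        "fin_reply": "fin_ack", "bogus_flag_echoed": True, "df_set": True,
        "initial_window": (8760, 16384), "ack_value": "seq", "icmp_tos": 0xC0,
        "tcp_options": ("MSS", "NOP", "WS", "TS"),
    },
    "stack-C (DF, large window)": {
        "fin_reply": "silent", "bogus_flag_echoed": False, "df_set": True,
        "initial_window": (32120,), "ack_value": "seq+1", "icmp_tos": 0,
        "tcp_options": ("MSS", "SACK", "TS", "NOP", "WS"),
    },
}

def feature_matches(expected, observed):
    """One feature agrees; a tuple of window sizes means any of them is fine."""
    if expected is None or observed is None:
        return False
    if isinstance(expected, tuple) and not isinstance(observed, tuple):
        return observed in expected
    return expected == observed

def score(signature, observed):
    """Number of observed features that agree with the signature."""
    return sum(feature_matches(signature.get(f), observed.get(f)) for f in FEATURES)

def fingerprint(observed, signatures=SIGNATURES):
    """Return (best_name, best_score, confident, ranking).  confident is False
    when the top score is shared or when fewer than half the features were
    observed, which is what happens when a firewall drops most of the probes."""
    ranking = sorted(((score(sig, observed), name) for name, sig in signatures.items()),
                     reverse=True)
    best_score, best_name = ranking[0]
    tied = len(ranking) > 1 and ranking[1][0] == best_score
    answered = sum(1 for f in FEATURES if observed.get(f) is not None)
    enough = answered * 2 >= len(FEATURES)
    return best_name, best_score, (not tied) and enough, ranking

if __name__ == "__main__":
    # Constructed observation: what the probes returned from some target.
    seen = {"fin_reply": "fin_ack", "bogus_flag_echoed": True, "df_set": True,
            "initial_window": 16384, "ack_value": "seq", "icmp_tos": 0xC0,
            "tcp_options": ("MSS", "NOP", "WS", "TS")}
    print(fingerprint(seen)[:3])
    # Behind a filter that only let two probes through, the guess is not trustworthy.
    print(fingerprint({"fin_reply": "silent", "ack_value": "seq+1"})[:3])
```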

    Attack Methodology Contd

    Step Two - The Probe and Attack (Enumeration)
        Enumeration
            The process of extracting network resources/shares, extracting users/groups, identifying applications and banner grabbing. Once enumeration takes place it is simply a matter of time before a password is guessed or a system weakness is identified. Enumeration techniques are OS specific. The following are typical UNIX techniques.
        Network Resources and Shares:
            Look for NFS exported file systems with the showmount command (showmount -e host), which lists the shared directories.
            Utilize pscan by pluvius to explore NIS (Internet Yellow Pages).
            Utilize the snmpwalk utility to explore the objects in a MIB (typically with the default community string "public").
        Users and Groups
            Utilize the finger utility to identify the users on a system.
            Utilize rwho or rusers to display users currently logged on.
            Utilize the VRFY command (SMTP) to confirm names of actual e-mail users or the EXPN command (SMTP) to reveal alias addresses.
            Utilize the TFTP protocol to get /etc/passwd from hosts running an unrestricted tftpd.
        Applications and Banners
            Utilize rpcinfo to enumerate the RPC services listening on remote hosts.
            NAI CyberCop Scanner is arguably the best commercial RPC scanning tool.
            Utilize netcat to grab banners or explore HTML code.
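    The VRFY/EXPN enumeration and banner grabbing above, as an added example that is not part of the original lecture: a Python client that reads the SMTP banner (what netcat to port 25 would show), tries VRFY against a candidate user list and EXPN against an alias. It is run here against a simulated server (start_fake_smtp, with a constructed user table and banner) so that it works offline; pointing SmtpProbe at a real host and port 25 is the real thing. The 252 handling is the caveat worth knowing: a server answering 252 has declined to verify, and that 2xx code must not be counted as a hit.

```python
import socket
import threading

# Constructed user table, alias and banner for the simulated server (not a real system).
FAKE_USERS = {"root", "postmaster", "alice"}
FAKE_ALIASES = {"staff": ["alice@example.test", "bob@example.test"]}
BANNER = b"220 mail.example.test ESMTP (simulated)\r\n"

def _serve_one(conn):
    """Just enough RFC 821 to answer VRFY, EXPN and QUIT like an old, unrestricted MTA."""
    conn.sendall(BANNER)
    buf = b""
    while True:
        data = conn.recv(1024)
        if not data:
            break
        buf += data
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            verb, _, arg = line.decode(errors="replace").partition(" ")
            verb = verb.upper()
            if verb == "VRFY":
                if arg in FAKE_USERS:
                    conn.sendall(f"250 {arg} <{arg}@example.test>\r\n".encode())
                else:
                    conn.sendall(b"550 String does not match anything\r\n")
            elif verb == "EXPN":
                members = FAKE_ALIASES.get(arg)
                if members:   # multi-line reply: "250-" continues, "250 " ends
                    reply = "".join(f"250-{m}\r\n" for m in members[:-1]) + f"250 {members[-1]}\r\n"
                    conn.sendall(reply.encode())
                else:
                    conn.sendall(b"550 Unknown list\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                conn.close()
                return
            else:
                conn.sendall(b"502 Command not implemented\r\n")
    conn.close()

def start_fake_smtp():
    """Start the simulated server on a free loopback port; returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

class SmtpProbe:
    """Minimal SMTP client: grabs the banner, sends commands, parses replies."""
    def __init__(self, host, port, timeout=5):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        self.banner = self.read_reply()[1][0]      # banner grabbing, as with netcat

    def read_reply(self):
        """Read one possibly multi-line reply; returns (code, [text lines])."""
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode(errors="replace").rstrip("\r\n")
            lines.append(line[4:])
            if line[3:4] != "-":
                return int(line[:3]), lines

    def command(self, text):
        self.sock.sendall((text + "\r\n").encode())
        return self.read_reply()

    def close(self):
        try:
            self.command("QUIT")
        except (OSError, ConnectionError):
            pass
        self.sock.close()

def enumerate_users(host, port, candidates):
    """{name: reply text} for every candidate the server confirms with VRFY.
    252 ("cannot VRFY user, but will accept message") is 2xx but is NOT a
    confirmation, so it is excluded on purpose."""
    probe = SmtpProbe(host, port)
    found = {}
    try:
        for name in candidates:
            code, lines = probe.command(f"VRFY {name}")
            if 200 <= code < 300 and code != 252:
                found[name] = lines[0]
    finally:
        probe.close()
    return found

def expand_alias(host, port, alias):
    """Members EXPN reveals for an alias, or [] if the server refuses."""
    probe = SmtpProbe(host, port)
    try:
        code, lines = probe.command(f"EXPN {alias}")
    finally:
        probe.close()
    return lines if 200 <= code < 300 else []

if __name__ == "__main__":
    port = start_fake_smtp()
    print("banner:", SmtpProbe("127.0.0.1", port).banner)
    print(enumerate_users("127.0.0.1", port, ["root", "nobody", "alice", "www"]))
    print(expand_alias("127.0.0.1", port, "staff"))
```

    On a current MTA both commands are usually disabled (502) or answered with 252; the countermeasure on the page's own terms is exactly that configuration, plus a banner that does not leak the software version.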

    Attack Methodology Contd

    Step Two - The Probe and Attack (Enumeration) Contd
        Sam Spade from Blighty Design is a favorite hacker tool for enumerating entire sites. It is a mixed bag of tools:
            ping: Check to see if a host is alive.
            nslookup: Find the IP address from a host name or vice versa.
            whois: Used to find who registered a domain name.
            IP Block whois: Used to find who owns a block of IP addresses.
            dig: Queries a DNS server for all the information it has on a host.
            traceroute: Find the route a packet takes between a sending and a remote host.
            SMTP VRFY: Determine if an e-mail address is real and its forwarding address.

    Sam Spade Contd.
            web browser: A utility to view the raw HTTP traffic rather than rendered HTML.
            keep-alive: Keeps a dial-up link alive.
            zone transfer: Queries a DNS server for all the information it has on a domain.
            SMTP relay check: Relays mail back to the hacker's site through an intermediate e-mail server. This is a check on whether that server is an open relay.
            usenet cancel check: Looks for cancelled messages in a group of messages.
            website download: Copies a website to disk.
            website search: Searches a website for a matching pattern.
            e-mail header analysis: Checks a header for consistency to help track down forged mail.
            Blacklist lookups: Checks the relayed spam source lists.

    Information Identified

    Internet/Intranet/Extranet
        Network protocols.
        Domain names.
        Network blocks.
        IP addresses reachable via the Internet/Intranet/Extranet.
        TCP/UDP services running on each system.
        System architecture.
        Access control mechanisms.
        Intrusion detection systems.
        System enumeration (user and group names, system banners, routing tables, and SNMP information).
    Remote Access
        Analog/digital telephone numbers.
        Remote system access types (modems/faxes/voice).
        Authentication mechanism.

    Attack Methodology Contd


    Step Three - Advance the attack, hide the attack and install a backdoor(s).
        Advance the attack by gaining root access.
            Utilize COPS, Tiger and Crack (the same host auditing and password cracking tools an administrator would use) to find the local weakness that yields root.
        Hide the attack.
            Modify the system logs (syslog, utmp, and wtmp files). Eliminate all records of the activity.
        Install a backdoor.
            A modified, drop-in replacement of a critical system binary that handles authentication and system reporting. For example, rootkit comes with the source code for ps, ls, sum and who. The replacements:
            Provide continued, unlogged use of the system.
            Hide suspicious processes and files.
            Report a false system status.
            Report false checksums for modified programs.
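    The false-checksum trick above, as an added example that is not part of the lecture: a Python integrity check that hashes a constructed pair of "binaries" into a baseline, backdoors one of them, and then compares what a checker that trusts the host's own (trojaned) checksum tool reports against a checker that hashes the file bytes itself. make_trojaned_checksum is a model of the rootkit's replacement sum, constructed for illustration; the point it makes is that both the baseline and the hashing tool have to come from read-only media the intruder could not touch.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file's bytes directly; this is the independent check."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """{path: sha256} for the binaries we care about, taken on a clean system."""
    return {p: sha256_file(p) for p in paths}

def make_trojaned_checksum(baseline):
    """Model of a rootkit's drop-in replacement for the checksum utility
    (constructed for illustration): for the files the intruder modified it
    answers with the pre-modification hash it memorised and otherwise behaves
    normally, so it looks correct on anything you spot-check."""
    def checksum(path):
        return baseline.get(path) or sha256_file(path)
    return checksum

def verify(baseline, checksum=sha256_file):
    """Paths whose current checksum differs from the baseline, computed with
    whatever checksum function the caller trusts."""
    return sorted(p for p, h in baseline.items() if checksum(p) != h)

def demo():
    """Build a two-file 'system', baseline it, backdoor ls, then compare what
    the trojaned and the independent checks report.  Returns both lists."""
    d = tempfile.mkdtemp()
    ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
    with open(ls, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
    with open(ps, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/ps \"$@\"\n")
    baseline = build_baseline([ls, ps])

    # The intruder's "ls": filters out entries whose names start with "...".
    with open(ls, "wb") as f:
        f.write(b"#!/bin/sh\nexec /bin/ls \"$@\" | grep -v '^\\.\\.\\.'\n")

    seen_by_trojan = verify(baseline, make_trojaned_checksum(baseline))
    seen_by_independent = [os.path.basename(p) for p in verify(baseline)]
    return seen_by_trojan, seen_by_independent

if __name__ == "__main__":
    trojan, independent = demo()
    print("trojaned sum reports modified:", trojan or "nothing")
    print("independent hash reports modified:", independent)
```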

    Attack Methodology Contd

    Step Four - Establish a Listening Post.
        Install a Sniffer, Snooper and Auditing program. The information collected is used to further the attack.
        Sniffer. A program that captures the traffic passing the compromised host's network interface. Data is normally not encrypted on an internal network. Looks for name/password pairs, financial information, private data, etc.
        Snooper. A program to monitor a user's activities by looking at keystrokes, monitoring process memory, etc.
        Host Static Auditing tool. A program to report system security vulnerabilities:
            Computer Oracle and Password System (COPS)
            Texas A&M Univ Tiger (TAMU Tiger)
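    The sniffer's job described above, as an added example that is not part of the lecture: the credential-harvesting logic run over a constructed set of packets (client/server address pairs with TCP payloads, as a sniffer on the LAN segment would see them) for FTP, POP3 and HTTP Basic authentication, the cleartext protocols of the period. The packets are made up for this example; the same function, run on a tap instead of a compromised host, is what a defender's rule for "cleartext credentials on the wire" looks like, and the TLS packet at the end shows what encryption leaves the sniffer with.

```python
import base64
import re
from collections import defaultdict

# Constructed packets: (source "ip:port", destination "ip:port", TCP payload).
SAMPLE_PACKETS = [
    ("10.0.0.5:51000", "10.0.0.9:21",    b"USER alice\r\n"),
    ("10.0.0.9:21",    "10.0.0.5:51000", b"331 Password required for alice\r\n"),
    ("10.0.0.5:51000", "10.0.0.9:21",    b"PASS hunter2\r\n"),
    ("10.0.0.7:52000", "10.0.0.9:80",
     b"GET /admin/ HTTP/1.0\r\nHost: intranet\r\nAuthorization: Basic Ym9iOnNlY3JldA==\r\n\r\n"),
    ("10.0.0.8:53000", "10.0.0.9:110",   b"USER carol\r\n"),
    ("10.0.0.8:53000", "10.0.0.9:110",   b"PASS p@ss\r\n"),
    # TLS ClientHello fragment: encrypted traffic yields nothing to the sniffer.
    ("10.0.0.8:53100", "10.0.0.9:443",   b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x01"),
]

USER_PASS_PORTS = {21: "ftp", 110: "pop3"}
HTTP_PORTS = {80: "http-basic", 8080: "http-basic"}
USER_RE = re.compile(r"^USER\s+(\S+)", re.M | re.I)
PASS_RE = re.compile(r"^PASS\s+(\S+)", re.M | re.I)
BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)", re.M | re.I)

def reassemble(packets):
    """Concatenate payloads per direction of each flow, keyed (client, server)."""
    flows = defaultdict(bytearray)
    for src, dst, payload in packets:
        flows[(src, dst)] += payload
    return flows

def extract_credentials(packets):
    """Return a list of {service, client, server, user, password} dicts."""
    creds = []
    for (src, dst), data in reassemble(packets).items():
        server_port = int(dst.rsplit(":", 1)[1])
        text = data.decode("ascii", errors="ignore")
        if server_port in USER_PASS_PORTS:
            user, pw = USER_RE.search(text), PASS_RE.search(text)
            if user and pw:
                creds.append({"service": USER_PASS_PORTS[server_port], "client": src,
                              "server": dst, "user": user.group(1), "password": pw.group(1)})
        elif server_port in HTTP_PORTS:
            for m in BASIC_RE.finditer(text):
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue                      # malformed header, skip it
                user, sep, pw = decoded.partition(":")
                if sep:
                    creds.append({"service": HTTP_PORTS[server_port], "client": src,
                                  "server": dst, "user": user,  "password": pw})
    return creds

if __name__ == "__main__":
    for c in extract_credentials(SAMPLE_PACKETS):
        print(f"{c['service']:<10} {c['client']} -> {c['server']}  {c['user']}:{c['password']}")
```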

    Attack Methodology Contd


    Step Five - Exploitation.
        Expand control from a single host to multiple hosts.
        Renew the attack on other hosts by:
            Exploiting passwords.
            Exploiting trusted hosts.

    The DataStream Cowboy and Kuji


    [Diagram: the intrusion path, with nodes labelled Latvia, United Kingdom, Commercial, Wright-Patterson AFB, JPL, NASA, South Korean Atomic Research, NATO, Chile, Colombia and Rome Labs.]

    Rome Labs Attack
        Two hackers - Datastream Cowboy and Kuji.
        Attack lasted 26 days.
        Activities were monitored for 20 days.
        Over 150 intrusions into the Rome Labs.
        7 sniffers compromised 30 Rome systems.
        At least 8 countries were used as conduits.

    Rome Lab Attacks

        On 28 March 1994 the Rome Labs sysadmins detected a password sniffer. The sniffer had collected so much information that it had filled a disk and crashed the system. The sysadmins reported the incident, and AFOSI was notified in turn. The Air Force Information Warfare Center (AFIWC) was notified and SA Jim Christy was assigned the case. The investigators, after reviewing the logs and interviewing the sysadmins, found that:
            The penetration was made on March 23 by two hackers.
            They penetrated seven computers and planted sniffers.
            Rome Lab had been used as a jumping-off point for hack attacks on other military, government and research facilities around the world.
        The Commanding Officer was briefed and made the decision to leave several systems open in the hope of tracking the hackers.
        Pursue and Prosecute

    Rome Lab Attacks Contd

        The investigative team established a snooper program that began keystroke monitoring on the systems left open and discovered the hacker handles Datastream Cowboy and Kuji. The majority of the attacks were traced back to:
            cyberspace.com, Seattle, Washington, and
            mindvox.com, New York City.
        On 5 April, an Internet informant provided AFOSI an e-mail address and home telephone number in the UK of a hacker (Datastream) who had been bragging about the exploit.
        Scotland Yard initiated a pen register on the hacker's telephone while AFOSI continued to monitor Datastream's online activity. During this time, based upon sniffed passwords, he:
            Attacked systems at the Jet Propulsion Lab in California.
            Attacked systems at the Goddard Space Flight Center, Greenbelt, MD.
            Compromised an aerospace contractor's systems in California and Texas.
            Initiated a scan against Brookhaven Labs, DOE, in NY.


    TYPICAL HACKER ATTACKS


    VIRUS. A self-replicating, malicious program segment that attaches itself to legitimate application programs, operating system commands or other executable system components and spreads from one system to another.
        Each reproduced copy of the virus then spreads independently of the others, so the number of infections grows geometrically.
        Boot Sector. A virus that replaces the boot sector of a floppy or hard drive.
        System File. A virus that infects system files.
        Stealth. A virus that hides itself and its actions from the operating system.
        ... or disk. This virus hides itself and its actions from the operating system.
        Multipartite. This virus infects both files and boot sectors.
        Macro Virus. This virus is written in a macro language and is commonly found in documents for software containing a scripting language such as Word, Excel, and PowerPoint.

    TYPICAL HACKER ATTACKS


    WORM. An independent program that replicates from machine to machine across network connections. Typically it consumes memory and processing resources on each host it reaches as it copies itself, until the host is exhausted and crashes.
        A worm is not a virus, although they are sometimes confused. A virus must infect other programs with a copy of itself; a worm runs on its own.
        The most famous is the Internet Worm by Robert Morris (1988).

    TYPICAL HACKER ATTACKS CONTd

    IMPERSONATION. An attempt to gain access to a system by posing as an authorized user. Synonymous with masquerading and mimicking.
        Example: using another person's access code to log on.

    LOGIC BOMB. Unauthorized code hidden in a legitimate program that is executed at appropriate or periodic times to determine conditions or states of a computer system and that facilitates the perpetration of an unauthorized act.
        Example: a program that causes the system to erase all financial files when it discovers that a particular person has been removed from the personnel files.
        Writing logic bombs is very easy, but they are difficult to detect.
        A logic bomb has a computer-state trigger.

    TYPICAL HACKER ATTACKS CONTd

    TRAP DOOR. A breach created intentionally in an ADP system for the purpose of collecting, altering or destroying data.
        Generally done through putting extra code in a software program which acts as a testing aid for programmers during construction, testing or program maintenance, and which is then left in place.

    TROJAN HORSE. A computer program that is apparently or actually useful but that also performs another, hidden function. The Trojan can modify databases, write checks, send electronic mail, and so on.
        The Trojan Horse can be embedded by a programmer or downloaded from a BBS.
        Most Trojan Horses on microcomputers detonate their payload the moment they run, not only carrying out their intended function but also destroying themselves.

    TYPICAL HACKER ATTACKS CONTd

    SOFTWARE PIRACY. The illegal copying of software (and repackaging it for sale).
        Software piracy is being fought by the Software Publishers Association.
        Indications are that this amounts to between $4-7 billion in lost sales. This results from individual copying, pirate BBSs, country piracy (China, Taiwan, Singapore, etc.) and try-before-buying rental/loans.

    SNIFFING. The installation of protocol analyzer software on a compromised host to capture user passwords and log them into unused space under an innocuous name, such as "..". The hacker at some time in the future will return and download the passwords and, if necessary, employ a password cracker.

    TYPICAL HACKER ATTACKS CONTd


    BROWSING. Searching through storage to locate or acquire information, without necessarily knowing of the existence or the format of the information being sought.

    DATA DIDDLING. The unauthorized changing of data before or during its input to a computer system, resulting in increased paychecks, extra leave, overtime pay, etc.

    EMBEZZLING. Using a computer to prepare false financial reports.

    ... documents which are intended to be construed as real, officially produced documents or records. For example, using desktop publishing to create a false driver's license, social security card or passport.

    TYPICAL HACKER ATTACKS CONTd


    FRAUD. The exploitation of information systems in an attempt to deceive an organization and/or to take its resources.

    DENIAL OF SERVICE. This is performed by trashing a system, tying up ports, placing garbage on screens, changing file names, and erasing program files. This type of attack is becoming more common (spamming, SYN flood attacks, etc.).

    SPOOFING. The deliberate inducement of a user or a resource to take an incorrect action.
        Example: a user writes a program that gives "system like" responses to someone trying to log on to the system; thus, the person trying to log on will unwittingly give his password to the person/program doing the spoofing.

    TYPICAL HACKER ATTACKS CONTd

    SUPERZAPPING. The unauthorized use of a utility computer program that violates computer access controls to modify, destroy, copy, disclose, insert, use, deny use or expose data in a computer.
        The name derives from an IBM utility program called "Superzap" which permitted an operator to start, stop or modify a procedure that has been misbehaving. The equivalent on a microcomputer would be something like PC Tools or Norton Utilities.

    SALAMI TECHNIQUES. The unauthorized, covert process of taking small amounts (slices) of money from many sources in and with the aid of a computer.
        An example is the round-down fraud, whereby the remainders from the computation of interest are moved to the attacker's account instead of being systematically distributed among the accounts that were rounded up.
        [The story is told of a Russian worker who left the factory each night with a wheelbarrow full of sawdust; every night the guard poked the sawdust and, upon finding nothing, let him pass. Several years later, after both were retired, they accidentally met in a bar and the guard asked him what he had been stealing in the wheelbarrow, to which the worker replied: "Oh, I was stealing the wheelbarrows."]

    TYPICAL HACKER ATTACKS CONTd

    PIGGY BACKING. Unauthorized access that is gained to an ADP system via another user's legitimate connection.
        A method of gaining unauthorized physical access to guarded areas when the attacker does not possess the required authorization to pass.
        Electronic piggybacking occurs when a computer or terminal covertly shares the communications line of an authorized user, and the computer, to which they both transmit, is unable to distinguish the signals of the authorized user from those of the unauthorized user.

    EAVESDROPPING. The unauthorized interception of information-bearing emanations through the use of methods other than wiretapping (TEMPEST).

    SCAVENGING. Searching through residue for the purpose of unauthorized data acquisition.
        A covert, unauthorized method of obtaining information that may be left in or around a computer system after the execution of a job.
        Included here is a physical search (trash barrels, carbon copies, ribbons, diskettes, etc.) and a search for residual data within the computer storage areas, temporary storage tapes, and the like.
        This, for example, encompasses dumpster diving, unerasing diskette files, examining scratch tapes and looking at old ribbons.

    TYPICAL HACKER ATTACKS CONTd

    BUMBLING. Sometimes called "accidents", "errors of omission", or "errors of commission".
        Indications are that this amounts to 50-60% of annual dollar loss. This is the result of clumsy fingers, big thumbs, and improper training.

    ... and its removal from the organization. For example, this could be as simple as the copying of a software program for home use. This can be accomplished through diskettes, tape or hard copy. Very rarely do guards perform body checks or open briefcases.

    WIRETAPPING. Normally accomplished at the wiring closet.
        Passive wiretapping is the monitoring and recording of data while the data is being transmitted over a communications link. It can easily be accomplished with electrical induction using a cassette recorder, a radio, a modem and a printer: the cassette recorder, through induction, picks up the signal, amplifies it through the radio, perhaps acoustically coupling it through a modem which converts the analog signal to digital for printing.
        Active wiretapping goes further: an unauthorized device is attached to the circuit to inject false messages or control signals, or to alter the communications of legitimate users.


    End of Lecture
