feature
Hacking Techniques
The tools that hackers use, and how they are evolving to become more sophisticated.
Richard Barber, Articon-Integralis

With tales of hacked networks and websites being reported by the media daily, people assume that hacking must be easy. But, in truth, the tools and techniques employed by hackers are extremely complex, utilizing a broad range of technologies. The number of mechanisms for breaking into systems, whatever the objective, is on the increase, with new tools emerging continuously. This article will aim to highlight and demystify the key techniques and tools currently being employed in the hacker’s world, and look at how these tools and methodologies are changing. It will also touch on what we may see in the future.

The climate of fear that has been built up by the media has led to hackers being perceived as unstoppable. The most widespread attacks, which are often no more than website defacements, are treated by the press as an indication of hackers’ powers and a warning of their capabilities. But part of this fear is a lack of understanding about what the hackers actually do and how they do it.

Heightened concern about the damage hackers can do has made the lives of network administrators who are responsible for security all the more difficult. They face pressure from both bosses and peers to ensure that employees are working on secure systems. Ultimately it becomes a race against the hackers, and the more education about hacking techniques there is, the more chance there is of keeping them at bay. In order to achieve this, companies must seek out advice and support from security experts who can help them to ensure that they have installed the appropriate software. They must also ensure that supporting policies are put in place to back these up.

Hacking tools and techniques have become more sophisticated in recent years, and the picture has become further complicated by the diverse range of hackers, ranging from spotty teenagers defacing websites for their own amusement to serious ‘crackers’ threatening the security of governments and businesses throughout the world. Each group operates using differing tools and some are much more dangerous than others.

Desert island favourites
When a hacker wants to automate a task he writes code — just like any other programmer. The code is tested and circulated to others for use and testing. Through a process of feedback, the code is improved to the point where it is simple and effective, even if the underlying functionality is complex. Hackers can be passionate about making their code robust. As for any programmer, it is a matter of professional pride to perfect the code so there are no glitches or bugs. One of the amazing things about these programs is how much functionality can be crammed into a small code ‘footprint’. When you look at such code you begin to understand why they sometimes refer to some commercially produced software as ‘bloatware’. Hackers design their programs to be highly functional, compact and elegant. Another driving force is the response of the security professionals who examine the work of the hacker and try to circumvent, detect, respond to or defend against the hacker’s program. Clearly, hackers will want to improve applications to overcome those that they see as the ‘enemy’. So what are the tools that our ‘desert island’ hacker would want to take with him? There are three that spring to mind — Nmap, Nessus and Netcat.

Nmap
Nmap is best known as a port-scanner which can use multiple techniques and includes a very useful operating system fingerprinter, which helps in determining which vulnerabilities your victim may have. Like most, if not all, of these hacking tools, it is freely available and, in the best traditions of the hacker movement, is best used on Linux. A hacker needs to map your network effectively and quietly so that an attack can be planned, stage-by-stage. This is the systematic undermining of the corporate network for the purpose of satisfying curiosity or even as a part of a coherent industrial espionage effort. In other words, the uses are limited by the imagination and motivation of the attacker.
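From the defender's side, the mapping phase described above leaves a recognizable trace in firewall or connection logs: one source touching many distinct ports on one host within a short time. The detector below is an added example written for this article, not code from the original or from the Nmap project. The log line format, the addresses and the timestamps are all constructed for the example; the window and port thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall log lines (not from any real system).
# 203.0.113.7 probes ten distinct ports on one host inside five seconds.
# 198.51.100.4 makes ordinary repeated connections to two service ports.
SAMPLE_LOG = """\
2001-03-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp flags=S
2001-03-01T10:00:01 DENY src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp flags=S
2001-03-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp flags=S
2001-03-01T10:00:02 DENY src=203.0.113.7 dst=192.0.2.10 dport=25 proto=tcp flags=S
2001-03-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=80 proto=tcp flags=S
2001-03-01T10:00:03 DENY src=203.0.113.7 dst=192.0.2.10 dport=110 proto=tcp flags=S
2001-03-01T10:00:04 DENY src=203.0.113.7 dst=192.0.2.10 dport=139 proto=tcp flags=S
2001-03-01T10:00:04 DENY src=203.0.113.7 dst=192.0.2.10 dport=443 proto=tcp flags=S
2001-03-01T10:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=445 proto=tcp flags=S
2001-03-01T10:00:05 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp flags=S
2001-03-01T10:00:06 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=80 proto=tcp flags=S
2001-03-01T10:00:09 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443 proto=tcp flags=S
2001-03-01T10:00:15 ALLOW src=198.51.100.4 dst=192.0.2.10 dport=80 proto=tcp flags=S
"""

# Assumed log layout: ISO timestamp, action, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+)"
)


def parse_log(text):
    """Turn log text into (timestamp, src, dst, dport) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def detect_scans(events, window=timedelta(seconds=60), min_ports=8):
    """Return {(src, dst): distinct_ports} for every source/destination pair that
    touched at least `min_ports` distinct destination ports within any sliding
    window of length `window`. Both sides of an ordinary client/server exchange
    stay well below the threshold; a port sweep crosses it quickly."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))

    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it covers at most `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[pair] = max(len(ports), alerts.get(pair, 0))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_scans(parse_log(SAMPLE_LOG)).items():
        print("possible port scan: %s -> %s (%d distinct ports)" % (src, dst, n))
```

A slow, "quiet" scan of the kind the article mentions spreads the same probes over minutes or hours; widening `window` and lowering `min_ports` catches it at the cost of more false positives from legitimate multi-service clients, which is the usual detection trade-off.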
Nessus
This is an excellent tool, providing a capability as a vulnerability scanner with a client/server architecture. It is, like most similar code, available as freeware and there are frequent updates to the source code. It works on the basis of plug-ins which can be written in C or in its native scripting language, NASL (Nessus Attack Scripting Language). There is a very active community (an indication of the tool’s popularity) and new plug-ins become available almost daily. One excellent feature is that it does not assume any defined bindings for ports and services (e.g. HTTP is normally situated at port 80 but may be at ports in the 8000 range). Therefore, if administrators move ports around, the services can still be identified. It also carries a good reporting capability — something that all administrators ask for in good products.
Netcat
This has been described as the Swiss-army knife of hacker tools. One of its most useful capabilities is to operate in what is called ‘client/server mode’. The really useful part is that any installation can be on the client or on the server. This tool can be used to enable command-line access to a machine (usually a Unix flavour or derivative) by programming an outbound ‘ping’ — ICMP echo request — which carries the command prompt in its payload. The ping is directed (in a simple, ideal world) at the hacker’s own machine, which replies to the ping with a payload that carries a command. The hacked machine receives the ping response and Netcat passes the command to the target’s shell. The results of the command execution are then passed back to the hacker’s machine in another ping. In this way an effective, if slow, command line session can be maintained. A full description of these capabilities is beyond our remit here, but suffice it to say that these tools are extremely useful for providing file transfer inside/outside networks, defeating intrusion detection systems, firewalls and the like. That’s not to say that a well maintained, overlapping, tightly-controlled security policy implemented with the appropriate hardware and software won’t be a good defence, but few companies have such a policy.
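The command-in-a-ping channel described above can be detected because the payload of a genuine echo request or reply follows a fixed pattern, while a tunnelled command does not. The checker below is an added example, not code from the article or from Netcat: it parses an ICMP echo message, verifies the RFC 1071 checksum, and flags payloads that are oversized or mostly printable text or that simply match no known ping pattern. The two reference patterns (the 32-byte alphabet payload used by Windows ping and the timestamp-plus-counter payload used by Linux ping) are the well-known defaults; the sample messages are constructed in the code.

```python
import string
import struct

WINDOWS_PATTERN = b"abcdefghijklmnopqrstuvwabcdefghi"  # default 32-byte Windows ping payload


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Constructed ICMP echo message (type 8 = request, 0 = reply), used here only
    to build sample input for the detector."""
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(msg):
    """Split an ICMP message into header fields and payload, rejecting bad checksums."""
    if len(msg) < 8:
        raise ValueError("short ICMP message")
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    if icmp_checksum(msg[:2] + b"\x00\x00" + msg[4:]) != csum:
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": msg[8:]}


def looks_like_standard_ping(payload):
    if payload == WINDOWS_PATTERN:
        return True
    # Linux ping: 8-byte timestamp, then bytes 0x10, 0x11, 0x12, ... (56 bytes by default)
    if len(payload) >= 16 and all(b == (0x10 + i) & 0xFF for i, b in enumerate(payload[8:])):
        return True
    return False


def suspicious_echo(msg, max_len=64):
    """Return the reasons an echo request/reply looks like a covert channel, or [] if benign.
    `max_len` is an assumed site threshold; the default ping payloads are 32 and 56 bytes."""
    p = parse_icmp(msg)
    if p["type"] not in (0, 8):
        return []  # not echo traffic; outside this check
    payload = p["payload"]
    if looks_like_standard_ping(payload):
        return []
    reasons = []
    if len(payload) > max_len:
        reasons.append("oversized payload (%d bytes)" % len(payload))
    printable = sum(chr(b) in string.printable for b in payload)
    if payload and printable / len(payload) > 0.9:
        reasons.append("payload is mostly printable text")
    if not reasons:
        reasons.append("payload does not match a known ping pattern")
    return reasons


# Constructed samples: two genuine-looking pings and two that carry something else.
LINUX_PING = build_echo(8, 0x1234, 1, bytes(8) + bytes((0x10 + i) & 0xFF for i in range(48)))
WINDOWS_PING = build_echo(8, 0x0001, 1, WINDOWS_PATTERN)
TEXT_IN_REPLY = build_echo(0, 0x1234, 2, b"ls -l /home\n")      # a command riding in a reply
BULK_IN_REQUEST = build_echo(8, 0x1234, 3, bytes(range(200)))  # 200 bytes of binary data

if __name__ == "__main__":
    for name, msg in [("linux", LINUX_PING), ("windows", WINDOWS_PING),
                      ("text reply", TEXT_IN_REPLY), ("bulk request", BULK_IN_REQUEST)]:
        print(name, suspicious_echo(msg) or "benign")
```

A real deployment would feed this from a capture on a separate monitoring host, as the article recommends for rootkit-infested systems, since a compromised endpoint cannot be trusted to report its own traffic honestly.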
Tips for senior managers
• Don’t bury your head in the sand
• Remember that hacking is a serious business
• Invest in security. It may secure the future of your business
• Develop and communicate clear security policies
• Build in processes for auditing security risk and updating security infrastructures and policies

Rootkits and loadable kernel modules
Imagine that someone has managed to access your computer over a network, perhaps the Internet, or even the internal corporate network. It only takes persistence, time, a modicum of skill and the right tools to achieve this. They then start looking at your PC and noticing strange directories and files. Quickly you type ‘ps -ef’ and see processes that you don’t recognize or can’t account for. You jump to the right conclusion and delete the offending directories and files and kill the processes. You reboot the machine and are satisfied that you’re clean. But what if you only suspect that something is wrong with your Linux machine, but ‘ps -aux’ doesn’t reveal anything and neither does a search of the directories and files or even the audit logs? You conclude everything is okay, and the computer is just having an off day. Wrong! You’re the victim of a hack attack from a hacker who has managed to install a ‘rootkit’, a set of programs that replace the genuine thing, but are programmed to lie to you and conceal the existence of the hacker’s presence, tools and activity. Rootkits first appeared for Linux (the first ones were known as Linux Kernel Modules or LKM) around 1996 and were programs that replaced system programs like ‘ps’, ‘ls’ and ‘du’. Later versions appeared for Solaris and now for NT and Windows 2000. The latest versions can almost entirely replace the set of system programs that interface with the kernel. Bad news indeed! There are checks that can be run though. Tripwire can compare original file checksums with the suspected rogue ones, and commands like ‘# echo *’ will bypass a rogue ‘ls’ command. And network activity can still be monitored. The safest way is to use independent network monitoring equipment or another ‘trusted’ computer. But, as we have mentioned already, hackers like to improve their ‘products’ and so, in 1999, or thereabouts, LKMs made their appearance. Most likely they had been in the hacker underground for some time before that. They were designed as real-time loadable add-ons to the kernel. Their purpose was to get around the problem that rootkits had — namely, that they were easy to spot because there were ways of bypassing the controls that rootkits put in place. LKMs, in effect, make the kernel lie to the programs that call it. If someone suspects there’s a large directory chewing up disk space, they invoke ‘ls’ or ‘du’ to check. They suspect these may have been compromised so they use ‘# echo *’. They still find nothing to confirm their suspicions because the kernel itself is hiding the information from the user and the system commands. If LKMs can be run at bootup from /rc.d/ scripts and then hide the script itself, it would be difficult to find them. But they have their limitations as well. They only run in memory, so a reboot from a floppy will cause their existence to be exposed. And network activity can still be detected, although, if the hacker can bury the data in unused portions of the IP packets, it might take some digging to realize that something valuable is really there.
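The Tripwire-style check the article mentions, comparing the checksums of system programs against a baseline taken when the machine was known to be clean, is shown below as an added example; it is not code from the article or from Tripwire. It walks a directory tree with the kernel's own directory calls rather than any shell command, records a SHA-256 digest, size and mode for each regular file, and reports what was added, removed or modified. Because a kernel module can lie to this program too, the baseline must be taken on a clean system and the comparison run after booting from trusted media, exactly the floppy-boot point the article makes. The small file tree it baselines and then tampers with is constructed in `demo()`.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, size, permission bits) for every regular
    file under root. Symbolic links are skipped so a link planted over a real
    binary cannot make the baseline 'see' the file it points at."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (file_digest(full), st.st_size, st.st_mode & 0o7777)
    return baseline


def compare(old, new):
    """Diff two baselines. A changed digest counts as modified even when size
    and mode are unchanged, which is how a same-length replacement is caught."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a tiny fake system tree is baselined, then one
    'system program' is replaced by a same-sized file, one is deleted and a
    hidden directory with a new file appears."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, body in (("bin/ps", b"original ps\n"),
                           ("bin/ls", b"original ls\n"),
                           ("bin/du", b"original du\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Tamper: same length as the original, so size alone would not notice.
        with open(os.path.join(root, "bin/ls"), "wb") as f:
            f.write(b"trojaned ls\n")
        os.remove(os.path.join(root, "bin/du"))
        os.makedirs(os.path.join(root, ".cache"))
        with open(os.path.join(root, ".cache/tool"), "wb") as f:
            f.write(b"new file\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print("%-9s %s" % (kind, ", ".join(paths) or "-"))
```

In practice the baseline file itself has to live off the machine (or on read-only media), otherwise the first thing a rootkit installer does is regenerate it.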
Denial-of-service (DoS)
This is a particularly nasty area of activity. All it means is that someone can effectively bring your website to its knees and prevent you doing business. In broader terms, DoS and its close relative distributed denial-of-service (DDoS) are methods of preventing you from providing a service such as a website or E-mail. DoS may even totally block your connection to the Internet. DoS (not to be confused with the operating system of a similar name) can be achieved using a number of tools — Trin00, Tribal Flood Network (TFN), Stacheldraht and WinTrin00. These are generic and require the use of ‘zombies’ — computers that have been subverted and have attack code on them. Later, the zombie computer is normally used as part of a larger attack which comes from a large number of sources (hence the name ‘distributed’). In many instances, the owners of the zombie computers do not even realize that they have been party to such an attack. The Packetstorm site at http://securify.com has a wealth of information on the subject, and carries security advice from the likes of Microsoft and Sun. DoS detection utilities such as ‘ddosping’ are available, and so are the DoS tools themselves. For example, a search of their archive will reveal an entry for:
13:InetdDoS-spewfing.tgz [20] 1732 inetd denial-of-service exploit code, with source spoofing functionality added. By ArchAng3| 0f Death.
As a matter of interest, the ddosping tool was produced by Foundstone Inc., a US-based security consultancy company run by, amongst others, the authors of the book Hacking Exposed, an excellent resource and reference by Stuart McClure, Joel Scambray and George Kurtz.
War Diallers
The first port of call for a hacker looking to break into a system is often a ‘war dialler’. This is software which sits on a PC linked to a modem and phone line and works through lists of telephone numbers. The war dialler can discern the difference between fax machines and modems as it tests the numbers that are run through it. Hackers will feed the software a range of numbers and then leave it to see what it comes up with. This provides hackers with routes into networks through the phone lines. Whilst this should not be such an easy technique, it is often made so by employees who connect phone lines to modems at work without telling their IT departments, thereby supplying the hackers with their entrance.
Traceback avoidance
One of the best traps for catching inexperienced attackers is tracing techniques. However, as with other methods, serious hackers leave almost no evidence of their existence. This method of hiding is known as ‘traceback avoidance’ and is almost impenetrable. A hacker opens a browser and links through to a website which provides a source and destination address, so in theory, you could trace where a movement came from. Sounds simple, but the only certain information you have is the computer from which the message was sent, not the identity of the person who sent the message.
Anonymiser
One of these avoidance techniques is the use of an ‘anonymiser’. Offered by a number of websites and therefore easily accessible, the anonymiser makes the user effectively invisible by taking away their identity. This technique can be more clearly illustrated through the case of a 14-year-old boy in the USA who hacked the Pentagon site directly from his home computer. Because he had used an anonymiser, it took eight security agencies, alongside four FBI agents, weeks to track down the source of the attack. Once they had pinpointed the location, it was then necessary to mount a full surveillance operation to monitor usage of the computer and confirm that a crime had been committed, before any action could be taken.
Around the world
A more complex invisibility cloak is to reach your destination by taking a circuitous route round the world. Let’s take the Pentagon as the target of the hacker. From a home computer in the UK he hacks into a machine in France. Not only is this a means of hiding, the language barrier throws up yet another cloak. He then routes through to Russia, on to China, through Israel and then to Iran before finally reaching the Pentagon. Not only have there been constant language changes, but the chances of these countries working together to trace the source of an attack are slim.
Hacking Web sessions
Stealing sensitive information on the Web is usually done using a Web browser with a password and login details. One thing that hackers decided a long time ago, and which is part of human nature, is always to take the line of least resistance. So, if encryption is difficult to break, they look for another way. In the early days of Web access, Secure Sockets Layer (SSL) encryption seemed to stop hackers from doing anything. But they soon found out that SSL is only one component in an E-commerce system. While the link was encrypted, the data on the server was not, so hackers simply broke into the Web server and stole data from there. And they still try to do that today, with varying success!
Hijack the session
So, Web-based E-commerce systems may have design flaws. What else can enterprising hackers do? They can have a go at ‘session hijacking’, a subversion of an active session. In the past, SSL sessions were set up using information that identified the user and the link they had at the time. This is called the session ID and was carried as part of the URL, in the form of a number. Because the identity of the user is only authenticated once, an enterprising hacker has the chance to run through all of the numbers in the URL. Landing on your ID number, the session is immediately directed to his machine, maintaining the link and letting him assume your identity. The SSL protocol didn’t care that the source IP address (the original user’s) was now different (had become the hacker’s source IP address). SSL would then re-negotiate the link based on the session ID and the hacker has become you. In an attempt to put a stop to this, Web designers came up with the concept of persistent cookies. Cookies are text files stored on the user’s hard drive which contain identifying information. However, a hacker could also sign up to the same service, obtain a cookie, and decipher its contents. He could then modify his own cookie in a semi-random (but automated) fashion and again hijack an existing session. So, Web designers came up with non-persistent cookies. These are not stored on the hard drive but in active memory and therefore should be immune to hacks as they cannot be edited. This protects them from session ID attacks, at least in theory. The reality is that hackers have discovered several methods of breaking through, including:
• Raw read/write from/to client-side memory.
• Adapting browser source to edit cookies.
• Writing JavaScript that lets you view the page and edit it.
• Writing a proxy that allows for editing of an entire session passed back and forth between browsers.
For most people, the fourth option would be almost impossible — yet, it has been done. A program under the name Achilles was developed which not only allows a hacker to edit any HTTP session but also supports SSL, which means that it can run over an encrypted link. It was released for general access in November 2000 but was active in the hacker underground for about a year before that. So, the hackers can infiltrate E-commerce websites and alter information. The severity of the impact can be realized if you consider that many Web designers put in zero-sized (hidden) frames in the Web data passed from the server to the user’s browser, containing pricing or privileged information. This potentially gives the hacker the ability to set any price for any product or service.
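The two weaknesses described in this section, guessable session IDs and client-held cookies that can be edited, and the hidden-frame pricing problem that follows from trusting anything the browser sends back, have one server-side answer: the session identifier is drawn from a cryptographic random source so it cannot be walked through, the cookie carries an HMAC so any edit is detected, and the price is looked up on the server at checkout rather than read from the request. The code below is an added example, not code from the article or from any product it names; the key, the price list and the `edited_copy` helper that simulates an in-place cookie edit are all constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a per-server secret drawn from the OS CSPRNG.
# A real deployment loads it from protected configuration, never from source.
SERVER_KEY = secrets.token_bytes(32)

# The authoritative price list lives on the server, in pence. Whatever a hidden
# frame or form field claims the price to be is never consulted.
PRICES = {"widget": 1999, "gadget": 4999}


def new_session_id():
    """128 bits of randomness: unlike a sequential number carried in the URL,
    the ID space cannot be enumerated by counting upwards."""
    return secrets.token_urlsafe(16)


def _encode(claims):
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()


def _decode(body):
    return json.loads(base64.urlsafe_b64decode(body.encode()))


def issue_cookie(session_id, user, key=SERVER_KEY):
    """Cookie = base64(claims) '.' HMAC-SHA256(key, base64(claims)).
    The client may read the claims; it cannot alter them without the key."""
    body = _encode({"sid": session_id, "user": user})
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_cookie(cookie, key=SERVER_KEY):
    """Return the claims if the tag matches, else None. compare_digest keeps the
    comparison constant-time so the tag cannot be recovered byte by byte."""
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _decode(body)


def edited_copy(cookie, new_user):
    """Constructed test helper: rewrite the user claim inside a cookie while
    keeping the old tag, the 'semi-random modification' the article describes.
    Used only to show that verify_cookie rejects the result."""
    body, tag = cookie.rsplit(".", 1)
    claims = _decode(body)
    claims["user"] = new_user
    return _encode(claims) + "." + tag


def checkout(cookie, item, client_claimed_price):
    """Charge the server-side price for `item` to the verified session owner.
    The price the browser sent back is recorded only so the mismatch can be logged."""
    claims = verify_cookie(cookie)
    if claims is None:
        raise PermissionError("invalid or tampered session cookie")
    if item not in PRICES:
        raise KeyError(item)
    return {"user": claims["user"], "item": item,
            "charged": PRICES[item], "client_claimed": client_claimed_price}


if __name__ == "__main__":
    cookie = issue_cookie(new_session_id(), "alice")
    print("valid   :", verify_cookie(cookie))
    print("edited  :", verify_cookie(edited_copy(cookie, "mallory")))
    print("checkout:", checkout(cookie, "widget", 1))
```

The MAC stops edits but not theft: a copied cookie still works from another machine, so it must also travel only over SSL/TLS and expire after a short idle time. That is the residual risk the article's session hijacking discussion leaves, and it is addressed by transport protection and expiry rather than by the cookie format.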
New tools
This information first came to light during a presentation by Ed Skoudis of Global Integrity during the SANS conference in November 2000.
Dsniff
Dsniff is a suite of tools to make sniffing and spying trivial, even on a switched network. It was written by Dug Song, who also wrote the fragrouter program. It consists of several key components: dsniff, arpredirect, macof, tcpkill, tcpnice. Dsniff is the master program of the suite and is essentially a sniffer that decodes a number of protocols and can be application-specific as well. Clearly, this is a powerful set of tools and a description is beyond the scope of this article. However, there is plenty of good reference material available on the Internet. There is also a section of references to accompany this article, available at www.CompsecOnline.com.
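Sniffing on a switched network, as the components named above make possible, works by redirecting traffic at layer 2: an IP address is claimed by a second MAC address, or the switch is flooded with so many source addresses that it falls back to repeating frames to every port. Both leave a signature a passive monitor can see. The tracker below is an added example in the style of arpwatch; it is not code from the article, from arpwatch or from the dsniff suite. It keeps an IP-to-MAC table, alerts when a known IP changes address, and separately alerts when an unusually large number of distinct MACs appears within a short window. The ARP reply stream and the thresholds are constructed and assumed respectively.

```python
# Constructed stream of ARP replies as (time_s, sender_ip, sender_mac), in the
# order a passive listener on the segment would observe them.
SAMPLE_ARP = [
    (0.0, "192.0.2.1",  "00:00:5e:00:53:01"),   # gateway announces itself
    (1.0, "192.0.2.20", "00:00:5e:00:53:20"),
    (2.0, "192.0.2.1",  "00:00:5e:00:53:01"),
    (3.5, "192.0.2.1",  "00:00:5e:00:53:99"),   # gateway IP now claimed by another MAC
    (4.0, "192.0.2.20", "00:00:5e:00:53:20"),
    (5.0, "192.0.2.1",  "00:00:5e:00:53:01"),   # flips back: the flapping a redirect causes
]


class ArpWatch:
    """Passive IP->MAC tracker. Thresholds are assumed starting points: a
    segment with DHCP churn needs a higher flood_threshold, a quiet server
    VLAN can use a lower one."""

    def __init__(self, flood_window=1.0, flood_threshold=50):
        self.table = {}            # ip -> mac last seen claiming it
        self.alerts = []
        self.flood_window = flood_window
        self.flood_threshold = flood_threshold
        self.recent = []           # (time, mac) within the flood window

    def observe(self, t, ip, mac):
        mac = mac.lower()
        prev = self.table.get(ip)
        if prev is None:
            self.table[ip] = mac
        elif prev != mac:
            # A redirect shows up as an existing IP changing hardware address.
            self.alerts.append(("changed", ip, prev, mac, t))
            self.table[ip] = mac

        # Flooding shows up as many distinct source MACs in a short interval.
        self.recent.append((t, mac))
        self.recent = [(ts, m) for ts, m in self.recent if t - ts <= self.flood_window]
        distinct = {m for _, m in self.recent}
        if len(distinct) >= self.flood_threshold:
            self.alerts.append(("flood", len(distinct), t))
            self.recent.clear()   # report once per burst, then start counting again


def run(events, **kw):
    """Feed a list of (time, ip, mac) observations through a fresh ArpWatch."""
    w = ArpWatch(**kw)
    for t, ip, mac in events:
        w.observe(t, ip, mac)
    return w.alerts


def constructed_flood(n=60, start=10.0):
    """Constructed burst: n replies with n different MACs and IPs inside 0.3 s,
    the shape of traffic a MAC-flooding tool produces."""
    return [(start + i * 0.005, "192.0.2.%d" % (100 + i),
             "02:00:00:00:%02x:%02x" % (i // 256, i % 256)) for i in range(n)]


if __name__ == "__main__":
    for alert in run(SAMPLE_ARP) + run(constructed_flood()):
        print(alert)
```

The table of first-seen pairs is the valuable part: when the gateway's address changes and then changes back, the monitor has both the legitimate MAC and the impostor's, which is what an investigation needs. Static ARP entries for the gateway on critical hosts, and port security limits on the switch, turn the same two signals into prevention rather than detection.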
So what now?
By this point readers should have several clear impressions:
• Hackers are not just pimply-faced 14-year-olds with mystical computer skills — although that doesn’t mean that there are not any like that!
• Hackers are capable of writing good if not excellent code and of releasing these tools to the public domain for others to use as they see fit.
• There is constant activity to develop, refine and improve tools.
• There is a large community of ‘users’ of these tools who use and comment on them, contributing to refining and improving the tools.
• Hackers really use this stuff!
So where does that leave us? One could be forgiven for entering a mild state of panic, thinking that the world (or at least the bit connected to the Internet) is about to come to an inglorious end, crashing down around our ears as hackers watch and gloat. Reality is a bit different. As Bruce Schneier says in his book Secrets and Lies, “In theory there is no difference between theory and practice — in practice there is.” The point is that there is a process that helps keep all this in perspective, and that process is risk analysis. All life contains risks. If we showed a child a list of all the risks they will face during their life, I suspect many of them would give up there and then. But part of growing up is to learn what risks are and how to judge what risks are acceptable. Sometimes as individuals we get it wrong, and that can be life-threatening. It can be just as serious for a corporation, but when the threats and risks are known and understood, we can decide how to handle them. The Y2K issue was a case in point, and lots of money was spent defusing a potentially disastrous problem. In the end nothing much happened (apart from a few glitches in December 2000 and January 2001), but this was probably down to people making good decisions based on good information. Security is a continuing issue that needs regular, but not manic, reappraisal. Things do move on and it would be foolish to think that today’s threats can be adequately met with yesterday’s responses and provisions. Security must be central in the plans of any business in order to enable them to find adequate responses to attacks by a growing number of capable hackers with an ever increasing array of hacking tools at their disposal.
Further reading
Further details about some of the hacking tools discussed, as well as a reading list full of useful links, are available to subscribers alongside this article at www.CompsecOnline.com.
Tools
www.nmap.org/tools.html
www.insecure.org (nmap)
www.nessus.org
www.packetfactory.net/Projects/Firewalk/
www.anzen.com/research/nidsbench/
http://packetstorm.securify.com//linux/modules/
http://packetstorm.securify.com//groups/thc/slkm-1.0.html
Books
Hacking Exposed (2nd Ed), Scambray, McClure & Kurtz
Network Intrusion Detection, Stephen Northcutt
Information Warfare & Security, Dorothy Denning
Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Traceback, Traps & Response, Edward Amoroso