[ISN] PERIMETER/NETWORK SECURITY Tools of the Trade
From: mea culpa (jerichoDIMENSIONAL.COM)
Date: Mon Jan 24 2000 - 17:41:55 CST
Forwarded From: darek.milewskius.pwcglobal.com
(link found on www.securityfocus.com)
SPECIAL FEATURE: PERIMETER/NETWORK SECURITY
Tools of the Trade
So you want to defend your enterprise against attack? Make sure you understand
these popular hacker tools first. BY EDWARD SKOUDIS
Beep Beep Beep Beeeeeeeeeeep... It's 3:45 a.m., and your pager's going off.
You're hoping it's just a bad dream, but it's not. You dial in and find
out your network's down. Then you discover you've been hacked. The
attacker must have messed something up bad, since several servers are
down. Then you find out he left Trojan Horse backdoors almost everywhere,
allowing him to store pirated software and who knows what else on your
systems. Worse yet, when you check your e-mail, you have several messages
from other companies asking why you are attacking them. You've been used
as a jumping-off point for the attacker to scan others' networks.
Unfortunately, this nightmare has become a reality for an increasing
number of IT professionals. To help you better understand the attacks
occurring today, this article describes some of the most widely used
hacker tools as well as tried-and-true defensive techniques for securing
your network against them.
The premise behind this article is simple: You cannot adequately defend
against sophisticated attack tools unless you first understand how they
work. In other words, the purpose of this article is not to teach you how
to crack into systems. Rather, it is to describe what's going on "in the
wild" and outline ways of defending your organization against these
sophisticated tools and techniques.
Because of the nature of these tools, their distributors and distribution
methods, they may cause damage to your systems. Discussion of a tool in
this article does not imply endorsement or recommendation. If you want to
experiment with any of these tools, be very careful: review the source
code to ensure that you understand what the tool is doing, and test them
only on experimental systems that aren't connected to your production
Because of their extreme usefulness, password-cracking tools have been a
mainstay of the hacker's toolkit for more than a decade. In a
password-cracking attack, the attacker first retrieves an encrypted
password file from a victim machine. The vast majority of systems,
including Windows NT and UNIX, store their passwords encrypted in the file
system to authenticate users during login. Once the encrypted password
file is stolen, the attacker feeds it into a password cracker, together
with a dictionary. The password-cracking tool attempts to decipher the
passwords by encrypting each entry in the dictionary and comparing it with
the encrypted value. If the encrypted values match, the hacker knows the
password. If the two values do not match, the tool continues through the
entire dictionary, and can even attempt every combination of characters in
a full brute-force attack. The limiting factor in how fast passwords can
be cracked is how quickly guesses can be encrypted and compared. The
faster the system running a password cracker, the more quickly passwords
will be cracked.
L0phtCrack. Originally released in 1997, L0phtCrack
(www.l0pht.com/l0phcrack) has continuously redefined the state-of-the-art
in ease-of-use for password crackers. Written and distributed as shareware
by the hacker group L0pht Heavy Industries, L0phtCrack deciphers Windows
NT passwords. The tool has a slick and simple-to-use GUI, allowing even
novice users to crack passwords with a simple point-and-click. L0phtCrack
2.5, released in January 1999, offers significant performance
improvements. With its optimized DES encryption routines, L0phtCrack 2.5
is 450 percent faster than earlier versions, allowing it to crack all
alphanumeric passwords in a single day with a 450 MHz Pentium II machine,
according to the L0pht.
L0phtCrack can take an encrypted password file from numerous sources. The
SAM database from a Windows NT system can be captured using a program
included with L0phtCrack or from the system's administrator back-up floppy
disks. Alternatively, the latest version of L0phtCrack also includes a
GUI for capturing encrypted Windows passwords off a network. When you log
into an NT domain, your password is hashed and sent across the network.
With L0phtCrack's built-in sniffer, this encrypted value can be grabbed
Because of the tool?s usefulness to infosecurity professionals, the L0pht
began charging a registration fee for L0phtCrack 2.0 and later. The latest
version is available for a free 15-day demo, with registration and use
beyond this period costing $100. Numerous other cracking programs are
available as well, both on a freeware and commercial basis, including the
venerable and flexible Crack, a UNIX and NetWare password cracker.
The best defense against password cracking attacks is a strongly enforced
password policy. Require users to devise passwords that are difficult to
guess. Passwords should be at least eight characters long and include
alphanumeric and special characters (such as !#$%). Passwords should not
include dictionary terms. For additional security, several automated tools
are available that prevent users from setting their passwords to
easy-to-guess values or dictionary terms.
Also, periodically auditing your company?s passwords by running a password
cracking tool is usually a good idea. Of course, only security
administrators or their duly authorized team members should be allowed to
run cracking tools, and then only with explicit (written) management
approval. You should also decide in advance what you will do with the
cracked passwords. Will you send an e-mail to the user who chose a poor
password? Will you visit the user to explain password policy? These
questions should be answered before you begin assessing your passwords.
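The password policy and the audit the article recommends, as an added example (not code from the article or from L0phtCrack): a checker for the stated rules (eight characters, letters plus digits plus special characters, no dictionary term) and a dictionary audit over constructed password-file entries; the salt, dictionary and salted-SHA-256 hash are assumptions standing in for a real system's hash format.

```python
import hashlib
import re

# Constructed sample dictionary; a real audit loads a full wordlist such as
# the ones shipped with Crack or L0phtCrack.
DICTIONARY = ["password", "letmein", "welcome", "summer", "dragon"]
SPECIAL = set("!#$%&*@^?-_+=")


def policy_violations(password, dictionary=DICTIONARY):
    """Return the policy rules a candidate password breaks (empty = accepted).

    Rules follow the article: at least eight characters, letters plus digits
    plus special characters, and no dictionary term. Trailing digits are
    stripped before the dictionary check so 'summer99' is still rejected.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no digits")
    if not any(c in SPECIAL for c in password):
        problems.append("no special characters")
    stem = re.sub(r"\d+$", "", password).lower()
    if stem in {w.lower() for w in dictionary}:
        problems.append("based on a dictionary word")
    return problems


def hash_guess(guess, salt):
    # Salted SHA-256 stands in for the system's own password hash; the audit
    # principle is the same whatever the algorithm: hash each dictionary entry
    # and compare it with the stored value.
    return hashlib.sha256((salt + guess).encode()).hexdigest()


def audit_hashes(entries, dictionary=DICTIONARY):
    """entries: (username, salt, stored_hash) tuples from the password file.

    Returns {username: dictionary_word} for every account whose stored hash
    equals the hash of a dictionary entry, i.e. the accounts the security
    team must follow up on under its pre-agreed process.
    """
    weak = {}
    for user, salt, stored in entries:
        for word in dictionary:
            if hash_guess(word, salt) == stored:
                weak[user] = word
                break
    return weak


# Constructed password-file entries: one dictionary password, one that meets
# the policy above.
SAMPLE_ENTRIES = [
    ("alice", "x7", hash_guess("letmein", "x7")),
    ("bob", "q2", hash_guess("Tr4v3l!ng-Far", "q2")),
]

if __name__ == "__main__":
    print(policy_violations("summer99"))
    print(audit_hashes(SAMPLE_ENTRIES))
```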
Many companies spend a lot of money and time securing their firewalls to
prevent attacks. However, while this helps secure the front door to the
network, unregistered modems on the internal network offer a convenient
and attractive side door for intruders. Because war dialers are highly
effective tools for locating these modems and breaking into networks, they
are among intruders' favorite tools.
Originally made famous by the movie War Games, war dialers take advantage
of the proliferation of inexpensive modems. The concept behind war dialers
is extremely simple: the tool dials a list of telephone numbers, in
increasing or random order, looking for the familiar modem carrier tone.
Once the tool generates a list of discovered modems, the attacker can dial
those systems to find an unprotected login or easily guessed password. One
of the most searched-for items in a war dial attack is "unpassworded" PC
remote control software, typically installed by an end-user to gain remote
access to company systems. These PC remote control programs are
devastatingly vulnerable when used with a modem and not properly secured.
THC-Scan. One of the most feature-rich war dialing tools available today
is The Hacker's Choice (THC) Scanner (http://r3wt.base.org), written by
"van Hauser." THC-Scan Version 2.00 was released on Christmas Day, 1998.
A look-alike cousin of the long-available and widely used ToneLoc war
dialer, developed by "Minor Threat" and "Mucho Maas," THC-Scan brings some
new and useful functions to the war dialing arena. Unlike simpler war
dialing tools, THC-Scan automatically detects the speed, data bits, parity
and stop bits of discovered modems. The tool also attempts to determine
the OS type of the discovered machine. Further, it has the ability to
recognize when subsequent dial tone is discovered, which makes it possible
for the attacker to make free telephone calls through your PBX.
War Dialer Defenses
Of course, the most effective defense against war dialers is to eliminate
unsecured modems. If there is not an absolute, explicitly defined business
need for a modem, remove it. For modems with a defined need, require users
to register them with the IT department. For registered modems requiring
only outgoing use, configure the corporate PBX to allow outgoing calls
only. Every company should have a strong modem policy describing the need
for modem registration and PBX controls. Also, do not assume that because
you have a PBX with digital lines that users cannot install modems. Handy,
inexpensive digital-line modem adapters are widely available at stores
like Radio Shack.
In addition, conduct periodic war dial penetration tests to locate illegal
modems on your telephone exchanges. Use a good war dialer to find modems
connected to the network, reconcile the discovered modems with the
registration list, and investigate the discovered unregistered modems to
either remove them or have them properly registered.
Netcat: An Oldie But a Goodie
Netcat is a general-purpose TCP and UDP connection tool, originally
written for UNIX by "Hobbit" in 1995 (www.l0pht.com/users/10pht/nc110.tgz),
and later adapted to NT by "Weld Pond" in 1997
(www.l0pht.com/users/10pht/nc11nt.zip). Although it's been around for
many years, Netcat is an amazingly useful tool for system administration,
network debugging and, yes, breaking into networks.
Known as the Swiss army knife of hacker tools, Netcat is chock full of
features. When combined with the powerful scripting capabilities of UNIX,
Netcat acts as an effective building block for creating network tools. The
basic program can run in either listener or client mode. When run in
listener mode, Netcat acts as a server process waiting for connections on
specified TCP or UDP ports. In client mode, Netcat will initiate a
connection to any port specified by its user.
When used as a listener on one system and a client on another, Netcat can
be deployed in many attack scenarios. It can provide a back-door login
prompt using any port, including, for example, UDP port 53. From a network
packet perspective, this login session will appear to be a series of DNS
queries and responses, though it's really a back-door login. Additionally,
when used in client and listener mode on two systems, Netcat can create a
quick, simple file transfer mechanism on any port.
In addition to these capabilities, Netcat can also source-route packets,
thereby fostering IP spoofing attacks and supporting network debugging.
When used in client mode, it also is a very effective UDP and TCP port
scanner. Also, when open ports are discovered on a system, Netcat offers
the ability to connect easily and cleanly to these ports to discover what
With this flexibility, Netcat can also be used in replay attacks against
e-commerce applications. The interaction between client and server could
be captured using a sniffer. Then, this client-to-server data can be
viewed and altered to suit the attacker's needs. The attacker could change
account balances, account numbers or other data, or simply replay the same
message again. Netcat is then used in client mode to transfer the replayed
message to the legitimate server.
The NT version of Netcat includes an especially interesting feature that
allows it to bind to ports in front of processes already listening on
those ports. This capability is particularly useful in an attack against a
file server or a Web server. When bound in front of an active port, the
attacker's Netcat process will receive the connections, and then can
decide what to do with them. Connections can be dropped in a
denial-of-service (DoS) attack, or an attacker can write custom code to
look for interesting items, such as sensitive data (passwords, bank
accounts, etc.) before passing the request to the legitimate server
The best defense against Netcat is the Principle of Least Privileges
(affectionately pronounced "polyp"). That is to say, don't let unneeded
ports through your firewall. For those ports that you must let through,
only allow connections to and from specific hosts. For example, for DNS
queries through your firewall, open UDP port 53 only from systems
requiring that service (usually, an internal DNS server that forwards
requests out to the Internet). This will prevent an attacker from being
able to transmit Netcat packets to any host on your internal network.
Additionally, for those systems that are externally accessible, defending
against Netcat attacks involves knowing what processes are running on your
machines. On publicly accessible machines, you should be able to identify
the purpose of all processes running on your boxes. Unusual processes
running on publicly accessible systems should be investigated, since they
might be backdoor listeners. Periodic port scans will also reveal if a
listener has been added to a machine.
To avoid replay attacks, all applications should timestamp and provide
sequence numbers for all messages, including Web cookies, form elements or
just raw data. All messages, their timestamps and their sequence numbers
should utilize some sort of cryptographic integrity checks to ensure that
they are not altered or replayed.
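The replay defense described above (timestamp, sequence number and a cryptographic integrity check on every message), as an added example that is not part of the original article: the client seals each message with an HMAC over the sequence number, timestamp and data, and the server rejects anything forged, stale or already seen. The shared key, the 30-second window and the message format are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed shared secret; a real deployment derives one per session.
KEY = b"demo-shared-secret-key"
MAX_AGE = 30  # seconds a message stays valid after its timestamp


def seal(payload, seq, now, key=KEY):
    """Client side: attach seq and timestamp, then an HMAC over all three."""
    body = {"seq": seq, "ts": now, "data": payload}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, encoded, hashlib.sha256).hexdigest()
    return encoded + b"." + tag.encode()


class Verifier:
    """Server side: remembers the last accepted sequence number."""

    def __init__(self, key=KEY, max_age=MAX_AGE):
        self.key = key
        self.max_age = max_age
        self.last_seq = -1

    def accept(self, message, now):
        """Return (ok, reason, payload); payload is None when rejected."""
        try:
            encoded, tag = message.rsplit(b".", 1)
        except ValueError:
            return False, "malformed", None
        expected = hmac.new(self.key, encoded, hashlib.sha256).hexdigest()
        # Integrity first: a tampered body or tag never reaches the parser.
        if not hmac.compare_digest(expected.encode(), tag):
            return False, "bad integrity tag", None
        body = json.loads(encoded)
        if abs(now - body["ts"]) > self.max_age:
            return False, "stale timestamp", None
        if body["seq"] <= self.last_seq:
            return False, "replayed sequence number", None
        self.last_seq = body["seq"]
        return True, "ok", body["data"]


def demo():
    """Walk through the four cases; returns the verifier's reason strings."""
    v = Verifier()
    now = 1000
    msg = seal({"account": "1234", "amount": 100}, seq=1, now=now)
    results = [v.accept(msg, now + 5)[1]]             # fresh message: ok
    results.append(v.accept(msg, now + 6)[1])         # same bytes replayed
    forged = msg.replace(b'"amount":100', b'"amount":900')
    results.append(v.accept(forged, now + 7)[1])      # amount edited in transit
    old = seal({"account": "1234", "amount": 100}, seq=2, now=now)
    results.append(v.accept(old, now + 1000)[1])      # delivered far too late
    return results


if __name__ == "__main__":
    print(demo())
```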
Session Hijacking Tools
A number of applications used for a command-line login to systems are
insecure. In particular, programs such as telnet, rsh, rlogin and FTP are
all subject to hijacking attacks. Of course, any run-of-the-mill sniffer
will give an attacker the clear-text passwords when these protocols are in
use. The problem is bigger than that, however. Any attacker that is
connected to any network segment between the client and the server can use
a session hijacking tool to take over a session.
When a legitimate user is logged into a command-line session, the hijacker
can find the session, take over for the user and reset the client
connection. The hijacker then has complete control of that login; all
subsequent accesses, changes and deletions will be recorded as the
legitimate user's actions. The user will simply notice that the session
has dropped and assume that the network messed up the link.
A large number of hijacking tools are available today within
hacker/cracker communities. The latest is Hunt (www.rootshell.com),
written by "kra" and released in November 1998. Additionally, juggernaut,
by "daemon9," provides basic session hijacking capabilities.
Session Hijacking Defenses
For sensitive session traffic (such as remote management of your firewall,
PKI or other critical components), use a tool that provides strong,
cryptographic authentication and encrypts the entire session. Secure Shell
(SSH) offers these capabilities and is available as freeware or
commercially supported software. Also, VPN products provide
authentication and session encryption. Without the encryption keys used in
SSH or VPN tools, an attacker won't be able to hijack the session.
A Happy Ending?
Now back to our original attack scenario... three months later.
During your investigation of the initial attack, you discovered that the
intruder used war dialing to locate an unprotected modem on a user's desk.
He took over that system, scanned the rest of the network and installed
backdoors on machines throughout your network. From there, the attacker
observed an admin logging into your public Web server. So he hijacked the
session, took over the server and began attacking other Internet sites.
Because of this intrusion, security awareness was heightened in your
organization. Management authorized you to implement a strong password and
modem policy, begin periodic war dialing and password cracking tests,
deploy strong session encryption tools for sysadmins and implement an
automated intrusion detection system (IDS).
Even though you realize that no network is invulnerable, the security of
your company has vastly improved with these new measures. With diligence
in studying and implementing sound defensive strategies, you know you will
be able to repel most attacks and quickly detect and respond to the rest.
Hopefully, with this knowledge, you'll sleep a lot better at night.
Edward Skoudis is a technical director at Global Integrity Corp., an SAIC
company. He can be reached via efscip.saic.com.
With its point-and-click GUI, L0phtCrack is an easy-to-use password
cracker, which makes it all the more dangerous should it fall into the
Once an attacker finds an open modem and cracks some passwords, then what?
Frequently, he?ll install backdoor routines on systems to let him back in
later. Back Orifice or "BO" (www.cultdeadcow.com/tools) is a
high-profile example of a powerful backdoor that has caused a large number
of problems on corporate networks.
Released in August 1998 by the hacker group Cult of the Dead Cow (cDc),
Back Orifice (a play on Microsoft's Back Office) includes a server
component to be installed on a victim?s Windows 95 machine as well as
client software that runs on the attacker?s system. Its primary purpose is
to remotely control a victim Win95 system across a network. The attacker
enters commands into the BO GUI client, and the BO server on the victim
machine follows those commands.
The tool is amazingly feature-rich and sports very tightly written code.
The server (installed on the victim machine) is in a tiny package of only
121 Kb, allowing for quick and easy installation. The client communicates
with the server using UDP packets, configurable to any port, with a
default of UDP 31337 ("Elite," in hacker parlance). Rudimentary password
protection and encryption is also included.
Back Orifice has a multitude of features:
- The attacker has complete control of the file system, with the ability to
  move, edit, delete and copy programs on the victim machine.
- It can capture any user keystrokes, which could prove to be very damaging.
  If the victim user types in a password or public-key passphrase, BO will
  faithfully store it in a file for the attacker to retrieve at a later time.
- The attacker can execute any process on the victim machine, and have the
  process listen on any port.
- The tool attempts to hide itself by not appearing in a task list.
- The BO server includes a built-in Web server, allowing the attacker to
  access the machine using a browser.
Using the so-called Back Orifice Unified Tool Transport Plug-ins feature
(a.k.a. "BUTTplugs"), other hackers can extend the capabilities of the
tool in a consistent and simple manner. Plug-ins have been released that
announce the activation of BO via e-mail or IRC, so the attacker can
locate the latest victim machine as the tool is spread on a network.
Additionally, a very effective Back Orifice sniffer plug-in program has
been written. BO is very easy to install. The user of the system must
execute a simple program, which installs all BO components quickly and
easily. Victims must be tricked into executing the installation program,
possibly through e-mail attachments or Web sites.
Other Back Orifice-related tools include wrappers to incorporate BO with
an innocuous program. For example, BO could be wrapped around a word
processor or a simple game distributed on a network. The attacker could
attach BO to game.exe and e-mail the resulting file to users telling them
to upgrade. When the executable is run, it will first install BO, and then
run the wrapped application. The users only see the game application run,
and are unaware of their new status as BO victims. Finally, the tool can
be installed through the Web via unsigned Java applets or ActiveX
Despite its efforts to hide itself (by not appearing in a task list), Back
Orifice is fairly easy to detect. For manual Back Orifice detection, look
for a 122 Kb .exe file in the c:\windows\system directory. Also, in the
Windows Registry, the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\Default key will have an
executable name associated with it. Note that the file and key names are
configurable by the attacker, but default to ".exe." Finally, a file
called "windll.dll" is added to the c:\windows\system directory.
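The manual detection steps above turned into a repeatable check, as an added example (not from the article or any antivirus product): it runs over a snapshot of the c:\windows\system listing and the RunServices key and reports the three indicators the article lists. The snapshot format, the size tolerance and the sample file names are assumptions; because the attacker can rename the server, the size and registry checks matter more than the file names.

```python
import ntpath

SYSTEM_DIR = r"c:\windows\system"
RUNSERVICES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
BO_EXE_SIZE = 122 * 1024   # article: the server is a ~122 Kb executable
SIZE_TOLERANCE = 2 * 1024  # assumption: small slack around that size


def bo_indicators(files, registry):
    """Report Back Orifice indicators found in a host snapshot.

    files:    {full_path: size_in_bytes} listing of the system directory
    registry: {key_path: {value_name: value_data}} snapshot
    Returns a list of findings; an empty list means nothing suspicious.
    """
    findings = []
    for path, size in files.items():
        name = ntpath.basename(path).lower()  # Windows-style paths
        if name == "windll.dll":
            findings.append(f"windll.dll present: {path}")
        elif name.endswith(".exe") and abs(size - BO_EXE_SIZE) <= SIZE_TOLERANCE:
            findings.append(f"{size}-byte executable near BO server size: {path}")
    # A non-empty Default value under RunServices launches something at boot
    # that no ordinary install puts there.
    default = registry.get(RUNSERVICES_KEY, {}).get("Default", "")
    if default.strip():
        findings.append(f"RunServices Default launches: {default!r}")
    return findings


# Constructed snapshots: a clean machine and one carrying the default install.
CLEAN_FILES = {ntpath.join(SYSTEM_DIR, "kernel32.dll"): 400000}
CLEAN_REG = {RUNSERVICES_KEY: {"Default": ""}}
INFECTED_FILES = {
    ntpath.join(SYSTEM_DIR, ".exe"): 124928,       # default server name, 122 Kb
    ntpath.join(SYSTEM_DIR, "windll.dll"): 8192,
    ntpath.join(SYSTEM_DIR, "kernel32.dll"): 400000,
}
INFECTED_REG = {RUNSERVICES_KEY: {"Default": ".exe"}}

if __name__ == "__main__":
    for finding in bo_indicators(INFECTED_FILES, INFECTED_REG):
        print(finding)
```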
While this manual analysis is useful for a small number of machines,
several antivirus vendors have included BO detection capabilities in their
latest releases for widespread scans. Of course, to benefit from the BO
detector in your virus tool, you must download and install the latest
At the time of this writing, BO targets only Windows 95 (however, the BO
client will run on both Windows and UNIX). Lest you assume you're safe
because your desktop standard is NT, keep in mind that NetBus, a tool
written by Carl-Fredrik Neikter, has very similar capabilities to Back
Orifice, but targets NT clients and servers. The NetBus 2.0 beta was
released in January 1999.
Compact and tightly written, Back Orifice is a powerful, easy-to-use
backdoor access tool. It's also easy to detect, if you know what to look
OTHER ATTACK TOOLS
ROOT EXPLOITS
Description Root exploits allow an attacker with a user-level account on a
UNIX system to gain superuser access, thereby taking over the machine.
There are countless ways for an attacker to escalate their privileges on a
UNIX system. By exploiting race conditions, improperly written SUID
programs and other poor operating system coding, the hacker community
discovers and widely distributes several new root exploits every week.
Defense Security personnel and system administrators should monitor
security mailing lists such as Carnegie Mellon's CERT (www.cert.org) and
bugtraq (subscribe: list servenetspace.org) for information about new
exploits. When a new attack is resolved, you should quickly and
systematically test and deploy vendor patches to all affected machines.
For particularly sensitive systems (publicly accessible Web servers, DNS
systems, firewalls, etc.), host-based security monitoring software can be
used to detect users trying to gain root.
DENIAL-OF-SERVICE (DoS) ATTACKS
Description These attacks cause a system to crash or slow down to the
point of not being usable. Over the past two years, a very large number of
these attacks have been discovered, targeting many types of operating
systems, routers and even laser printers. With fanciful names like Ping O'
Death, Land, Smurf, Bonk, Boink and Latierra, these attacks are mostly a
nuisance. However, a crashed system can cost your company significant
money in employee downtime or lost transactions.
Defense Again, keeping up with the latest attacks and patching your
systems is the best method of defending yourself against DoS attacks.
Also, consider placing antispoof filters at external routers and select
REMOTE EXPLORER
Description This new and potentially very damaging NT virus installs
itself as a service on an NT system. When an administrator logs into the
system, the virus automatically propagates through an NT network by using
the admin's privileges to infect all NT machines in the domain. On
affected systems, Remote Explorer randomly encrypts files, denying
legitimate access to the data.
Defense A strong virus policy and an effective virus defense tool stop
Remote Explorer in its tracks. Make sure you're using the latest virus
ISN is sponsored by Security-Focus.COM