Diary of a hack attack, 01/10/2000

Diary of a hack attack
We go behind the scenes as a hacker for hire tests an e-business's security perimeter.

By DEBORAH RADCLIFF
Network World, 01/10/2000

On a crisp, sunny November day in the nation's capital, in the sparsely furnished second-floor office of Para-Protect, "Bob the hacker" hunches over his monitor and fires off Unix command lines in short, machine gun blasts.

Bob is testing the perimeter defenses of a certified Internet mail delivery company, which is paying for the privilege.

The start-up e-business doesn't have the budget to pay for a full-blown assault on its network, which would involve Bob actually taking down the company's servers. And besides, it can't afford to have its e-business servers down for any length of time. But it has hired Para-Protect, an information security consulting company in Alexandria, Va., to conduct a scouting expedition.

And they've agreed to allow me to tag along on the mission, code-named Alabama, as long as I keep Bob's identity and the name of the

e-business secret.

These paid-for front-line assaults are a good starting point for network protection because the tests (often referred to as "red teaming" or "penetration tests") can offer a baseline for information security policies and practices, industry professionals say.

With networked systems under attack from every direction - the Internet, modems and even disgruntled employees - the need for such services is on the rise. By 2003, the security consulting services market will likely reach $14.83 billion, according to market research firm International Data Corp.

Venture-funded e-business start-ups such as Para-Protect's client are especially vulnerable to attack. Because of the intense pressure to get to market quickly, these start-ups are often building their infrastructures too fast to give security the thought it deserves, information security practitioners say.

"We have worked with companies that don't have a firewall. Most often, they are small start-ups that just got their venture money and have hired 50 people. Then they get hacked, and they realize they're suddenly more of a target than they used to be," says Ian Poynter, founding president of security consulting firm Jerboa in Cambridge, Mass.

In our case, the e-business start-up's only line of defense is a Cisco 8000 router. If the router can deflect our probes, the company can use the supporting documentation from our report to show its customers that its public-key infrastructure (PKI)-based application is secure.

But the folks at Para-Protect are skeptical. "We disagree that the company doesn't need a firewall. You don't protect your perimeter using just a router even if they are smarter [than they used to be]. Firewalls offer more filtering methods, and you need multitier security levels," says Robert Perholtz, enterprise account manager at Para-Protect.

The battle lines drawn, the attack begins.

08:00

The bargain-basement desks and folding tables are a dead giveaway that Para-Protect's second-floor lab has been tossed together in a hurry. A fidgety Bob is already on his second Pepsi of the day. With his dark brown hair slung back in a long, messy ponytail and his beard growing to his waist, Bob fits the physical profile of the stereotypical subversive hacker.

But don't let his looks fool you. Bob is a former U.S. Army sergeant and computer analyst for the Army, the Pentagon, and the Defense-Wide Information Systems Agency, which supports all of the U.S. Department of Defense. His last assignment was with the Defense Department's Computer Emergency Response Team (CERT). To hear Perholtz tell it, hacker Bob got out of the Defense Department and hasn't cut his hair or beard since.

Bob tells me that the first order of business is to learn more about our target. We start by paying a visit to the victim's Web page, replete with information about its ethics, partners and history.

"During discovery, we're looking for partner affiliates to find corporate links to the network," Perholtz says. "Often, fringe organizations aren't as secure as the main network."

We find nothing that stands out. So we go to the InterNIC and ARIN registrars (services that assign and record domain information) and key in a "whois" command. It spits out the domain name of our client and verifies the IP addresses we're about to attack.

Not only do these services give us the IP addresses of the target's three servers, they also give away other strategic information, such as company nicknames, and even the names and phone numbers of those administering the machines.

With the information provided by these services, we can get an overall picture of our target's network configuration, Bob says. At this point, we're only looking to verify the domain information of our intended target. It would be a real bummer if we hit the wrong victim.

09:36

The next step is to run traceroute against our three target IP addresses. Traceroute is a utility within Unix and Windows NT used by administrators to trace packets traveling between a source and destination. In our case, traceroute shows us that the router is blocking our packets, so we deduce that the router is doing its job.

But we were able to trace outgoing traffic to a specific port number, which our victim uses to connect to its ISP, UUNET. Bob makes note of this in his log.

It's time to grab some hacker tools. Although Para-Protect keeps a database full of its favorite tools, Perholtz runs a Web search on "hacker tools" to show just how available these are to anyone. Our search turns up 2,070 hits, including tools such as the Shadow Advantis Administrator tool set, which sends timed pings to a specified range of ports. The pings are slow enough and small enough to fall beneath the radar of intrusion-detection software.

Hacker Bob prefers network mapping (nmap), which does much the same thing. Nmap, also available from the Web, is an IP network discovery tool developed by a hacker named Fydor. But really, it's a port scanner on steroids. In addition to finding open ports, it can change the characteristics of outgoing packets to get past the router's IP filtering list.

Throughout the day, Bob will run several types of nmap scans: (For more technical detail, visit insecure.org/nmap)

SYN, used to establish a TCP session. When the target responds back, we know the host is active. When it doesn't respond to ping, we know the host is blocked.
FIN, which uses a bare packet as the probe to determine if a port is open or closed. From this we could guess what well-known services may be running based on what the open ports are generally used for. Even if the port is closed, it's required to respond with a reset packet (RST). If a RST bounces back, the port is closed. If nothing is returned, it means the port is open.
Fragmentation scanning. When a packet reaches a host, the target has to reassemble the packet in order to make sense of it. Fragmented packets confuse these machines and can potentially bypass access controls.

Our first nmap scan in SYN is terminated because Bob misconfigures the command line, which he discovers later in the day. Bob gets another Pepsi from the fridge down the hall.

Then he pays a visit to UUNET and uses the subcommand "nslookup" to ask UUNET's Domain Name System (DNS) to tell us which machines it knows from our target network. UUNET gives us three domain names that come from our victim: "mail," "www" and another name Bob doesn't want mentioned because it would give away our target.

There are probably a number of other machines connected to the network, but Bob says they're outside the scope of our investigation. However, the DNS server does point out which of our IP addresses is our target Web server. We already know which machine is the router. So we make an educated guess that our third IP address is our target's PKI/proxy server.

We've now diagrammed the network. A router sits as sentry to a Web server, a proxy server and another server, likely the mail server. It's time to find out what services are running on those servers. Attackers often look for services with known vulnerabilities and exploit those first.

Veiling his identity through a local ISP, Bob telnets to Port 80. We knew Port 80 would be open 99% of the time because network administrators leave Port 80 open for Web traffic. Telneting into Port 80 shows us what is running on the HTTP server: Microsoft's Internet Information Server 4.0, which is a dead giveaway that the operating system is NT.

Then the phone rings. The client is getting access control list warning messages on its router from Bob's and his ISP's IP addresses. The administrators just want to make sure it's us and not some other hacker. Bob assures them it is.

Now that the victim knows we're rattling its doors, Bob forgoes the low and slow port scanning method, which would have taken days. Instead he launches a second nmap FIN scan against the entire range of ports (1 through 65334).

"This makes a lot of noise," Bob says as he swigs his Pepsi. "But normally it would take days to do this beneath the radar of intrusion detection. We have a two-day time constraint, so we have to do everything now."

The scan turns up nothing special. Only the ordinary services, such as FTP and HTTP, are running, meaning we're looking at a plain vanilla box. However, if configured wrong, FTP (or any standard service) could be exploited by hackers.

12:30

It's time for a break, so we head next door to the Vietnamese grill for a bite to eat. Bob's telling me how his next step would be to find vulnerabilities in the network, the operating systems and the applications running on the servers. But that's outside the scope of this job.

Once discovery is completed, you'd be surprised just how easy it is to break into an NT or Unix machine.

At an extreme hacking course at Ernst and Young in Houston that I attended over the summer, the class broke into NT and Unix machines with reckless abandon. For example, we started in on an NT machine by establishing a null session. Null is a Microsoft utility that allows services to communicate with one another without user passwords or identification. By logging on as null, we were able to see everything we wanted: password files, user accounts and network services that we could exploit. And none of this was logged.

In null, we couldn't touch anything, but that didn't stop us from copying down user names. Then we logged back on under the user name "backup" and a guessed password "backup." At this point, we grabbed the password hashes (encoded passwords) and submitted them to l0phtcrack and John the Ripper, both of which are password-cracking tools freely available on the Web.

It only took 15 minutes to crack 70% of the passwords, log on as a super user and gain root access. Then, for the final slap in the face, we hid our bag of hacker tools behind a readme.txt file on the victim's server to use again.

NT passwords are the easiest to crack, according to my Ernst and Young instructor, Eric Shultz. That's because Microsoft's LAN Manager splits passwords into seven-character halves and uses a known constant to encrypt each half. Cracking tools are programmed for this and can thus decrypt the passwords very quickly. And the only way administrators can catch our bag of hacker tools hidden on the network is to set the log files to alert them when disk space changes significantly.

Although we used different command lines and Unix-based tools, gaining root on Unix during the class was also pretty easy. In fact, we leapfrogged through four networked Unix machines in a game of capture the flag. We also had a little fun corrupting the DNS server to reroute traffic to a phony IP address. Then we installed Trojan horses such as Back Orifice so the machine would do our bidding and punched open back doors so we could telnet back in without the need for IDs or passwords.

The Para-Protect folks do a fair amount of these kinds of full-blown attacks on a network, as well. And judging from his body language, Bob the hacker would really like to conduct further investigation into the vulnerabilities of his target. But he's fighting some internal networking problems of his own well into the day.

Day 2

In fact, the next morning we run fragmentation scanning against the target host. Bob finds a number of open ports vulnerable to packet fragment attacks. It would also be possible to modify an attack tool to get past the router, Bob says.

Thus, Bob's report recommends the client buy a firewall. The client would also be wise to do further testing on its entire network infrastructure. Of course, any more work depends partially on the client's ability to justify the expense.

But the client shouldn't count on Para-Protect's report to scare funding out of executive management. Rather, it should sell information security to management in a way that shows the added security brings value to the business, says Gregory White, chief technology officer of San Antonio, Texas-based Secure Logix, while speaking at a November Computer Security Institute conference in Washington, DC.

"If you're going to try and justify expenses based on risk analysis alone, you're going to have an uphill battle," White explained. "You need to sell security as a business enabler."

Related links

Radcliff is a freelance writer in northern California. She can be reached at derad@aol.com.

Insecure.Org
Offers a variety of security tools, including nmap.

L0phtcrack

John the Ripper

Buyer's guide and review: Intrusion-detection software
We tell you what to look for, recommend one app and provide a detailed vendor-spec database. Network World, 10/4/99.

Hacker alert
Intrusion-detection software is hot, but can it really stop hackers cold? Network World, 9/27/99.

Network World Fusion Focus on Security
Archive of our free, twice-weekly newsletter.

The security specialist
An intelligence career prepared Howard Schmidt for the job of protecting Microsoft's network. Network World, 5/10/99.

Defending against cyberattack
Network World, 8/23/99.

Security Alert
Daily bulletins from the security front.

To top

Send this article to a colleague