CHAPTER 13
Hacker Techniques
Copyright 2001 The McGraw-Hill Companies, Inc.
No discussion of security would be complete without a chapter on hackers and how they work. I use the term hacker here for its current meaning—an individual who breaks into computers. It should be noted that in the past, “hacker” was not a derogatory term but rather a term for an individual who could make computers work. Perhaps a more appropriate term might be “cracker” or “criminal”; however, to conform to current usage, “hacker” will be used to identify those individuals who seek to intrude into computer systems or to make such systems unusable.
Studies have found hackers most often to be
▼ Male
■ Between 16 and 35 years old
■ Loners
■ Intelligent
▲ Technically proficient
This is not to say that all hackers are male or between the ages of 16 and 35, but most are. Hackers have an understanding of computers and networks and how they actually work. Some have a great understanding of how protocols are supposed to work and how protocols can be used to make systems act in certain ways.
This chapter is intended to introduce you to hackers, their motivation, and their techniques. I won’t teach you how to hack, but I’ll hopefully give you some insights as to how your systems may be attacked and used.
A HACKER’S MOTIVATION
Motivation is the key component to understanding hackers. The motivation of the hacker identifies the purpose of the attempted intrusion. Understanding the motivation also helps us to understand what makes a computer interesting to such an individual. Is the system somehow valuable or enticing? To which type of intruder is the system of interest? Answering these questions allows security professionals to better assess the danger to their systems.
Challenge
The original motivation for breaking into computer systems was the challenge of doing so. This is still the most common motivation for hacking.
Once into a system, hackers brag about their conquests over Internet Relay Chat (IRC) channels that they specifically set up for such discussions. Listening in on the IRC channels shows how the hackers gain status by compromising difficult systems or large numbers of systems.
Another aspect of the challenge motivation is not the difficulty of hacking a given system but the challenge of being the first to hack that particular system or the challenge of hacking the largest number of systems. In some cases, hackers have been seen removing the vulnerability that allowed them to successfully hack the system so that no one else can hack the system.
The challenge motivation is often associated with the untargeted hacker, in other words, someone who hacks for the fun of it without really caring which systems he compromises. It is not often associated with the targeted hacker, who is usually looking for specific information or access. What this means for security is simply that any system attached to the Internet is a potential target.
Another form of the challenge motivation that is being seen more and more often is hacktivism, or hacking for the common good. This reason is often provided after the fact as justification for the crime. Hacktivism is potentially a more dangerous motivation as it entices honest and naive individuals.
Greed
Greed is one of the oldest motivations for criminal activity known. In the case of hacking, I will extend this motivation to include any desire for gain, whether it be money, goods, services, or information. Is greed a reasonable motivation for a hacker? To determine this, let’s examine the difficulty of identifying, arresting, and convicting a hacker.
If an intrusion is identified, most organizations will correct the vulnerability that allowed the intrusion, clean up the systems, and go on with their work. Some may call law enforcement, in which case the ability to track the intruder may be compromised by a lack of evidence or by the hacker using computers in a country without computer security laws. Assuming that the hacker is tracked and arrested, the case must now be presented to a jury, and the district attorney (or U.S. Attorney if the case is federal) must prove beyond a reasonable doubt that the person sitting in the defendant’s chair was actually the person who broke into the victim’s system and stole something. This is difficult to do.
Even in the case of a successful conviction, the hacker may not receive much of a penalty. Consider the case of Datastream Cowboy. In 1994, Datastream Cowboy broke into the Rome Air Development Center at Griffiss Air Force Base in Rome, NY and stole software valued at over $200,000. Datastream Cowboy, who was identified as a 16-year-old living in the United Kingdom, was arrested and convicted of the crime in 1997. His punishment was a fine of $1,915.
This example illustrates an important point about the greed motivation: there has to be a way to control the downside for the criminal. In the case of hacking a system, the risk of being caught and convicted is low; therefore, the potential gain from the theft of credit card numbers, goods, or information is very high. A hacker motivated by greed will be looking for specific types of information that can be sold or used to realize some monetary gain.
A hacker motivated by greed is more likely to have specific targets in mind. In this way, sites that have something of value (software, money, information) are primary targets.
Malicious Intent
The final motivation for hacking is malicious intent or vandalism. In this case, the hacker does not care about controlling a system (except in the furtherance of the vandalism). Instead, the hacker is trying to cause harm either by denying the use of the system to legitimate users or by changing the message of the site to one that hurts the legitimate owners. Malicious attacks tend to be focused on particular targets. The hacker is actively looking for ways to hurt a particular site or organization.
The hacker’s underlying reason for the vandalism may be a feeling that he or she had been somehow wronged by the victim, or it may be a desire to make a political statement by the defacement. Whatever the base reason, the purpose of the attack is to do damage, not to gain access. Figure 13-1 shows an example of a Web site that has been vandalized.
Figure 13-1. An example of a vandalized Web site
HISTORICAL HACKING TECHNIQUES
This section is going to take a different perspective than most when we talk about the history of hacking. The cases of the past have been well publicized and there are many resources that describe such cases and the individuals involved. Instead, this section will approach the history of hacking by discussing the evolution of techniques used by hackers. As you will be able to see, many cases of successful hacking could be avoided by proper system configuration and programming techniques.
Open Sharing
When the Internet was originally created, the intent was the open sharing of information and collaboration between research institutions. Therefore, most systems were configured to share information. In the case of Unix systems, the Network File System (NFS) was used. NFS allows one computer to mount the drives of another computer across a network. This can be done across the Internet just as it can be done across a Local Area Network (LAN).
File sharing via NFS was used by some of the first hackers to gain access to information. They simply mounted the remote drive and read the information. NFS uses user ID numbers (UID) to mediate the access to the information on the drive. So if a file were limited to user JOE, UID 104, on its home machine, user ALICE, UID 104, on a remote machine would be able to read the file. This became more interesting when some systems were found to allow the sharing of the root file system (including all the configuration and password files). In this case, if a hacker could become root on a system and mount a remote root file system, he could change the configuration files of that remote system (see Figure 13-2).
Open file sharing might be considered a serious configuration mistake instead of a vulnerability. This is especially true when you find out that many operating systems (including SunOS) shipped with the root file system exportable to the world read/write (this means that anyone on any computer system that could reach the Sun system could mount the root file system and make any changes they wished to make). If the default configuration on these systems was not changed, anyone could mount the system’s root file system and change whatever they wanted to change.
Unix systems are not the only systems to have file-sharing vulnerabilities. Windows NT, 95, and 98 also have these issues. Any of these operating systems can be configured to allow the remote mounting of their file systems. If a user determines the need to share files, it is very easy to mistakenly open the entire file system up to the world.
In the same category as open sharing and bad configurations, we also have trusted remote access (in effect, we are sharing access among systems). The use of rlogin (remote login without a password) used to be common among system administrators and users. Rlogin allows users to access multiple systems without re-entering their password. The .rhosts and hosts.equiv files control who can access a system without entering a password. If the files are used properly (one could argue that the use of rlogin is not proper at all), the .rhosts and hosts.equiv files specify the systems from which a user may rlogin without a password. Unfortunately, Unix allows for a plus sign (+) to be placed at the end of the file. This plus sign signifies that any system will be trusted to vouch for the user, and thus the user is not required to re-enter a password no matter which system the user is coming from. Obviously, hackers love to find this configuration error. All they need to do is to identify one user or administrator account on the system and they are in.
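The two configuration mistakes just described, the world-writable root export and the wildcard "+" in the rlogin trust files, can both be caught by reading the files before anyone else does. The following audit is an added example and not code from the book; it assumes a SunOS 4-style exports(5) syntax (-ro, -rw=hostlist, -access=hostlist) and uses constructed sample files.

```python
from __future__ import annotations

# Constructed sample of a SunOS 4-style /etc/exports (the option syntax is
# an assumption about that format, not taken from the book): the root export
# carries no options and so is exported read/write to every host that can
# reach the machine; the other two entries are restricted.
EXPORTS = """\
# path        options
/
/export/home  -rw=fs1.example.com -access=fs1.example.com
/usr/share    -ro
"""

# Constructed sample of /etc/hosts.equiv (a user's ~/.rhosts has the same form).
HOSTS_EQUIV = """\
trusted.example.com
+
"""


def audit_exports(text: str) -> list[str]:
    """Return one finding per export that any host may mount read/write.

    -ro exports read-only to all hosts, -rw=list makes only the listed hosts
    read/write, and -access=list limits who may mount at all; an entry with
    none of these is the world read/write export the chapter warns about."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        path, opts = fields[0], fields[1:]
        read_only = "-ro" in opts
        limited = any(o.startswith(("-rw=", "-access=")) for o in opts)
        if not read_only and not limited:
            findings.append(f"{path}: exported read/write to every host")
    return findings


def audit_trust_file(text: str) -> list[str]:
    """Return one finding per line whose host field is the wildcard '+'."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if fields and fields[0] == "+":
            findings.append(f"line {number}: '+' lets any host vouch for the user")
    return findings
```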
Bad Passwords
Perhaps the most common method used by hackers to get into systems is through weak passwords. Passwords are still the most common form of authentication in use. Since passwords are the default authentication method on most systems, using them does not incur additional cost. An additional benefit of using passwords is that users understand how to use them. Unfortunately, many users do not understand how to choose strong passwords. This leaves us with the situation that many passwords are short (less than four characters) or easy to guess.
Short passwords allow a hacker to brute-force the password. In other words, the hacker keeps guessing at passwords until a successful guess is made. If the password is only two characters long, there are only 676 combinations (if just letters are used). You can compare that to 208 million combinations (if just letters are used) for an eight-character password. While both can be guessed if all the combinations are tried, it is much easier to guess a two-character password than an eight-character password.
Figure 13-2. Use of NFS to access remote system files
The other type of weak password is one that is easy to guess. For instance, making the root password “toor” (“root” spelled backwards) allows a hacker to gain access to the system very quickly. Some password issues also fall into the bad configuration category. For instance, on older Digital Equipment Corporation VAX VMS systems the field service account was named “field” and the password was “field.” If the system administrator did not know enough to change this password, anyone could gain access to the system by using this account. Other common password choices that make weak passwords are: wizard, NCC1701, gandalf, and drwho.
A good example of how weak passwords can be used to compromise systems is provided by the Morris Worm. In 1988, a Cornell University student by the name of Robert Morris released a program onto the Internet. This program used several vulnerabilities to gain access to computer systems and replicate itself. One of the vulnerabilities it used was weak passwords. Along with using a short list of common passwords to guess, the program also tried a null password, the account name, the account name concatenated with itself, the user’s first name, the user’s last name, and the account name reversed. This worm compromised enough systems to effectively bring down the Internet.
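The worm’s guessing strategy is a useful yardstick for a password policy: any password it would have derived from the account record should be refused at the moment it is set. The checker below is an added example, not code from the book or from the worm; the common-password list is a constructed stand-in built from the weak choices the chapter names, and the eight-character minimum is an assumed policy value.

```python
from __future__ import annotations

# Constructed stand-in for the worm's short list of common passwords; these
# are the weak choices the chapter itself names.
COMMON_PASSWORDS = {"wizard", "ncc1701", "gandalf", "drwho", "toor", "field"}


def worm_guesses(account: str, first_name: str, last_name: str) -> set[str]:
    """The per-account guesses the chapter attributes to the Morris worm."""
    return {
        "",                  # null password
        account,             # the account name
        account + account,   # the account name concatenated with itself
        first_name,          # the user's first name
        last_name,           # the user's last name
        account[::-1],       # the account name reversed
    }


def weakness(password: str, account: str, first_name: str,
             last_name: str, min_len: int = 8) -> str | None:
    """Return why the password would fall to the worm's strategy, or None.

    Matching is case-insensitive, which is stricter than a literal replay of
    the worm's guesses; min_len is an assumed policy minimum, not the book's."""
    candidate = password.lower()
    derived = {g.lower() for g in worm_guesses(account, first_name, last_name)}
    if candidate in derived:
        return "derivable from the account or user name"
    if candidate in COMMON_PASSWORDS:
        return "on the common-password list"
    if len(candidate) < min_len:
        return f"shorter than {min_len} characters"
    return None
```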
Unwise Programming
Hackers have taken advantage of unwise programming many times. Unwise programming includes such things as leaving a back door in a program for later access to the system. Early versions of Sendmail had such back doors. The most common was the WIZ command. If a connection was made to the Sendmail program (by telnetting to port 25) and the command WIZ was entered, Sendmail would provide a root shell into the system. This feature was originally included in Sendmail for use while debugging the program. For that purpose, it was a great tool. However, such features left in programs released to the public provide hackers with instant access to systems that use the program. There are many examples of such back doors in programs. Hackers have identified most of the known back doors and, in turn, programmers have fixed them. Unfortunately, some of these back doors still exist because the software in question has not been updated on systems where it is running.
More recently, the boom in Web site programming has created a new category of unwise programming. This new category has to do with online shopping. In some Web sites, information on what you are buying is kept in the URL string itself. This information can include the item number, the quantity, and even the price. The information in the URL is used by the Web site when you check out to determine how much your credit card should be charged. It turns out that many of these sites do not verify the information (such as the price of the item) when the item is ordered. The site just takes what is in the URL as the correct price. If a hacker chooses to modify the URL before checking out, he may be able to get the item for nothing. In fact, there are cases in which the hacker set the price to a negative number and was able to get the Web site to provide a credit to the credit card instead of being charged for the item. Clearly it is not wise to leave this type of information in a location (such as the URL string) that can be modified by the customer and then to not check the information on the back end. While this particular vulnerability does not allow a hacker to gain access to the system, it does provide a big risk to the site.
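The checkout flaw described above comes down to which fields the server accepts from the URL. The following is an added example, not code from the book or from any real shop: a handler that charges whatever price the URL carries, beside a hardened version that accepts only the item number and quantity, validates both, and takes the price from a server-side catalog. The catalog, the per-order quantity limit and the URLs are constructed.

```python
from urllib.parse import parse_qs, urlparse

# Constructed catalog: item number -> unit price. In a real shop this lives in
# the back-end database, which is the only place a price should come from.
CATALOG = {"1001": 49.99, "1002": 5.00}
MAX_QTY = 100  # assumed per-order limit


def vulnerable_total(url: str) -> float:
    """The flawed pattern: item, quantity and price are all read from the URL
    and charged as-is, so an edited price (even a negative one, which turns
    into a credit) goes straight through."""
    query = parse_qs(urlparse(url).query)
    return round(float(query["price"][0]) * int(query["qty"][0]), 2)


def hardened_total(url: str) -> float:
    """Only the item number and quantity are accepted from the client, and
    both are validated; the price is looked up on the server."""
    query = parse_qs(urlparse(url).query)
    item = query.get("item", [""])[0]
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(query.get("qty", ["1"])[0])
    except ValueError:
        raise ValueError("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")
    # Any price parameter the client sent is simply ignored.
    return round(CATALOG[item] * qty, 2)


# Constructed checkout URL after the price field has been edited to a negative
# number, the case the chapter describes.
TAMPERED_URL = "https://shop.example/checkout?item=1001&qty=2&price=-49.99"
```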