Anatomy of a Hack
Tiberius_Fel writes "Informit.com is running an extensive article about the anatomy of a hack against a sample network. It's an excerpt from a book titled Protect Your Windows Network: From Perimeter to Data. Even though it makes references to Windows, the techniques can be applied to other operating systems fairly easily." From the article: "Although attacking networks can be fun and informative--not to mention illegal if you do not have all the proper permissions--the fact remains that the vast majority of us do not need to know how to do so. Frankly, becoming a good penetration tester (pen tester) takes more than a week-long class. It takes commitment, dedication, intuition, and technical savvy, not to mention a blatant disregard for the rules and the right way to do things."
Shut it off.
will it spawn more script kiddies?
I am a viral sig. Please copy me and help me spread. Thank you.
For all too many business owners and managers out there it just isn't worth it for them to learn to secure computers. They have enough trouble learning and keeping up with the business they have. Normally it isn't until they are breached that they realize that security is a need.
But that's what America is for. They need something, but don't have the time to do it. So you learn how to provide for their need, and sell it to them.
heh heh heh, he said "penetration testing", heh heh heh
-- If I were a fish, I'd be wet
http://www.phishbait.com.ru/crafty.html?action=php _redirect_like_last_article.php
Don't trust anyone under thirty.
I have done my fair share of security work and with regards to the blurb "not to mention a blatant disregard for the rules and the right way to do things" I can say that one rule to never violate is always have a lawyer go over the contract and make certain the customer signs it before you do anything. Further, it is a good thing to record all your activities on a black box while testing the system.
Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical,OK
"Frankly, becoming a good penetration tester (pen tester) takes more than a week-long class. It takes commitment, dedication, intuition, and technical savvy, not to mention a blatant disregard for the rules and the right way to do things."
Man! Things were so much easier back in my day. Just do what my friends did.
Pen testing tends to improve things for everyone in any aspect of a business as a whole. It tends to increase security awareness amongst those who once neglected it. Especially among those who spend money and time securing their physical assets (houses, autos and the like) but often neglect their networks and computer systems.
I like to check out the security of my network using the nessus vulnerability scanner. It's free, it works, and it makes me think happy thoughts. :)
( and it keeps me from doing a lot of work )
If con is the opposite of pro. Then isn't congress the opposite of progress?
A lot of people will post on this story about how weak Windows is, or how great OpenBSD is, or whatever.
The keys to secure computing are
The use of multiple layers is crucial. Never depend on just a firewall, encrypted transmissions, or just on password protection. Never depend on your vendor to secure your data - it's your data, not your vendor's. Read your EULA, and you'll note how little they care.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
Isn't hacking more about the creation of something than the destruction of something? This sounds more like cracking. Anyone can open up a locked car with a coat hanger and hot wire it, but that doesn't make them equal with the skill of the engineers that created the car.
Powered by caffeine and sugar; BSD
If you want to get the bad guy, you have to become him. Think about what you would do to break into a network. It's really part of critical thinking where you poke holes in your own arguments. In this case, you're poking holes in your own work.
Protect Your Windows Network: From Perimeter to Data.
Who in his fucking right mind would put Windows boxes at the edge of his network?! If you must use it, at least use a proper OS for babysitting.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Stilling from the blind is not an act to be written in history.
What he doesn't really go into his how to build your production systems in a way that *ASSUMES* you're going to get attacked, maintains a clean environment for developing them in, and gives you the tools to rebuild rapidly from trustable versions. On the other hand, he does show how his example's victim's system was thoroughly broken into, getting from the production system to the development system, because it really *is* hard to do a good job of separating them adequately in a real environment, so even if you think you have a clean-room, you might not.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
..into other people's networks.
I wouldn't have figured that out without them. From what I understand, laws describe what is legal, and individuals decide what is moral. Then again, maybe psychopaths need to be told...
I have freaks! I did something right...
It would be nice if Slashdot made the distinction, but for most of the world, hacking~cracking. BTW it's become really difficult to open car doors with coat hangers. You need to leave the VT52 terminal once in a while and get out more!
This was posted in Microsoft Technet magazine way back in January.
http://www.microsoft.com/technet/technetmag/issues/2005/01/AnatomyofaHack/default.aspx
Personally I always thought it was convenience to break into someone's network and leave them a little note about how I got in. That way when someone comes along that really wants to do harm, they'll have patched the holes I found.
But, we all grow up sometimes I guess.
...Jon Katz, is that you?
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
Quick overview of the meat of the article
1. Do a WHOIS lookup of the IP range the network is on.
2. Search newsgroups for previous network internals that the SA has posted somewhere.
3. Do a port scan and fingerprint.
4. If there is a vulnerable service running, use a common exploit.
5. A quick description of how a SQL injection attack works on a web-application login.
6. Use xp_cmdshell on MS-SQL to download remote shell code via tftp.
7. Once someone has the SQL server under control, use the poorly configured internal network to become domain admin.
Someone needs to put together a description of how a "social engineering" penetration test should be done objectively. If there is one out there please let me know. =P
Yes, that's right, it's been over 3 years since Jon has posted on Slashdot; however we still remember how much of a hack he was/is.
All you have to do is to boot with a known good rescue CD (Knoppix is great for this).
Then you can mount the infected drive and validate the checksums against the packages available on the web.
This will not tell you anything about your data, but none of your data should be executable anyway, right?
The same goes for Red Hat or any other distribution that has checksums for both packages and files contained within those packages.
You can even completely re-install the kernel on a Debian system in this fashion.
Slashdot surrendering to the mainstream, negative meaning of "hack".
:~
I though it was supposed to be a hacker forum
Sorry to bust taboo, but I can't believe anybody modded my post "informative". So I certainly agree with the "overrated" mods, but "troll"? Perhaps modding would improve around here if every mod contained the Mod's username.
Don't trust anyone under thirty.
"Since any competent pen tester (or system administrator) with a need for these types of tools can write them, there is no reason for us to distribute them here."
Ah so, it is true then, Jedis do build their own light sabers.
Disclaimer: I've seen this link on /. before but I'm too lame to look for it.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It's got wake on lan.
I really hate Dan Patrick.
I just read the whole FA (yup, I'm new here as my user ID can tell ;) and I'm not sure what to think about it.
;)
The methodology used is not extraordinary: setting up a purposely insecure network then hacking (sic) it themselves using the known holes is kind of cheesy. It helps to show how it works, but I prefer the honeynet approach: setting up boxes with known (or not) security holes, then analysing how a real intruder creates havoc.
Then there's some strange (re)definition of words.
For example, straight from TFA:
There are several techniques for getting our tools (often called "warez") onto the database server.
Then, as a side note:
Warez is a hacker/attacker colloquialism. It comes from the term "software," but is now used varyingly to mean either "attack tools" or "bootlegged software." In this chapter, we use it in the former context.
I think it's the first time I see the term "warez" used to describe "attack tools" (sic). I used to live in ancient times where "warez" weren't yet called "warez", then "warez" became "warez". Now what? "warez" aren't "warez" anymore? Has it changed? (then a great many online dictionary definitions should be updated btw.).
The definition of XSS is also interesting:
In Figure 2-5, we see that not only do we get logged on, but the application also displayed the fake username we sent it on the home page. This latter artifact is actually a separate type of vulnerability known as a cross-site scripting (XSS) vulnerability, where the user input is echoed directly to the screen without sanitizing it first. We will not use it in the following attack, but it is interesting to note that it is there.
This definition of XSS is wrong: it's not because we see what was typed that the input wasn't sanitized (sic). And it's certainly not because we see what was entered that this could lead to code being executed on another user's computer. Moreover I find the last sentence of this paragraph misleading: We will not use it in the following attack, but it is interesting to note that it is there. Of course they're not using it: they're "hacking" the server(s), not joe random visitor's box.
Then there are quite a lot of half-truths, which can also be misleading:
A fully compromised system cannot be trusted to tell you the truth. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it.
If by "fully compromised" it means that the BIOS has been flashed and now lies about the files it reports, I then more or less agree. However such a tool is improbable (not enough room in the BIOS memory and not all BIOSes can be flashed at will). So by "fully compromised" that's probably not what they meant. How would then an attacker lie when booting from a CD and running the scan from the CD? Or when hooking the compromised HD as a second HD on a clean system? It's not like everybody runs their virus/trojan/rootkit scanners from the suspicious host.
Then at the end of TFLA (the 'L' stands for "Long") they explain, in a very windowish style, how to recover from a "hack": reinstall everything, because there's nothing you can trust (besides Windows's installation medium?)
So is it about the anatomy of a "hack" or how to recover from a "hack"? Both? Then why not a single word about how to configure an IDS?
Speaking of IDS, from TFA: Once we took over an entire network through an intrusion detection system.
WTF? I'm not sure if by their definition Snort qualifies as an IDS, but I run Snort in a passive way: no IP, not a single packet emitting from the box, etc. If an IDS becomes an entry point for intruders, then it's not an IDS but an IAS: Intrusion Automation System
The article could be summarized like this (like others already pointed out i
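The login form that both the step-by-step summary of the article (step 5, SQL injection on the login) and the XSS paragraph quoted in this post describe can be shown in miniature. The following is an added example, not code from the book or from any commenter: a toy login handler in its vulnerable and its hardened form, run against an in-memory SQLite table, plus the home page that echoes the username raw and the same page with output encoding. The table name, rows, function names and probe strings are assumptions made for the example. The defender's point is the one the commenter makes: echoing input is only a problem when it is not encoded for its context, and a parameterised query treats a quote character as data rather than as SQL.

```python
import html
import sqlite3

# Constructed sample data (an assumption, not from the book): an in-memory
# database standing in for the application's user table.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return db

def login_vulnerable(db, username, password):
    """String-concatenated query: attacker-controlled text becomes part of the SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    """Parameterised query: the driver sends the values separately from the SQL
    text, so a quote character in the input can never change the statement."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def home_page_vulnerable(username):
    """Echoes the submitted name straight into the page: the reflected-input
    artefact the book calls XSS."""
    return "<h1>Welcome %s</h1>" % username

def home_page_hardened(username):
    """Encodes for the HTML context before echoing, so the input renders as text."""
    return "<h1>Welcome %s</h1>" % html.escape(username, quote=True)

def markup_survived(page, tag="<script>"):
    """Defender's check for a rendered page: did a raw tag from user input survive?"""
    return tag in page

# The textbook probe strings a tester would submit to the login form.
SQL_PROBE = "' OR '1'='1' --"
HTML_PROBE = "<script>probe</script>"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable login with SQL probe ->", login_vulnerable(db, SQL_PROBE, "x"))
    print("hardened login with SQL probe   ->", login_hardened(db, SQL_PROBE, "x"))
    print("raw echo keeps markup:", markup_survived(home_page_vulnerable(HTML_PROBE)))
    print("encoded echo keeps markup:", markup_survived(home_page_hardened(HTML_PROBE)))
```

Run stand-alone, the vulnerable login returns "alice" for the probe because SQLite treats the rest of the statement after `--` as a comment; the hardened login returns nothing because the probe is compared as a literal username.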
I am dismayed even /., among all places, is not using the word 'hack' correctly.
Breaking into another computer or network is not hacking, it is called 'cracking.'
Get the terms straight.
as i've taught technical material (novell, microsoft, cisco) i've gotten a a deeper understanding of how things work. from doing labs, building demos for students, having students provide a different way of looking at things, this knowledge builds. a degree in computer science helps also.
understanding something completely is the best way to break it, compromise it, protect it. you must also have some creativity and/or intuition.
just some thoughts.
eric
Yes, one can detect a rootkit if one boots from a known clean media such as a CDROM. It's sometimes tricky though, because you don't really know what to look for, and even if you find part of it, you may not have all of it. Recently I've seen descriptions of rootkit watchdogs -- essentially two instances of a kernel rootkit installed in different ways, where each will re-activate the other if it goes away. Clever systems administrators who "clean" a system and miss part of a rootkit might wind up remaining 0wn3d by Th3m.
Although you seem to assume that nobody in their right mind would trust a scan run directly from the booted, known-to-be-compromised system, you would be surprised. (At the very least, you might be surprised how many systems administrators and managers are not in their right mind.) It can be quite difficult to talk people out of trusting their AntiVirus scan after a system has been rooted. After all, they spent millions of dollars for it (at the enterprise scale). I am frequently asked "If I can't trust FAVORITE_ANTIVIRUS_VENDOR, who can I trust?" and "If I can't trust the AntiVirus scan to detect a rootkit after a box has been cracked, what good is it?" Even if they understand the technical issues, which sometimes they don't, they are still able to maintain cognitive dissonance with the best of televangelist fans, "That person has no legs, but Jesus, acting through the hands of Tommy Ray Piemaker just healed them and they got up and walked!"
Here's an interesting starting point on rootkits:Recognizing and Recovering from Rootkit Attacks
If you mod me down, I shall become more powerful than you could possibly imagine.
Yeah guys, I RTFA, what do you think of this:
Naturally, many other ports can be open, particularly if the target system is not a Windows system. However, these are the ones we look for in this chapter.
Wasn't windoze the OS with stupid, wide-range, unexplainably open ports? Any volunteers to slap the author senseless?
I just read
Non-MS machines not being perfect, and the parent comment that Windows should never be on the perimeter defense, are two entirely different things.
Network security in general, like another poster already commented, is about risk management. You'll NEVER be 100% secure - this doesn't mean that OS with the worst security track record in history is good enough. The idea is to get yourself to a comfortable level of paranoia vs functionality.
After watching Code Red, Blaster, Slammer, Sasser, etc, etc, etc run rampant through the Internet, I'm sorry, but I have to agree. Putting Windows anywhere NEAR your perimeter is like russian roulette. Sure, you can find someone who hasn't experienced problems with them. They're still in the 1%, however.
And don't anyone give me the marketshare bullshit excuse, please. The server market is still nowhere close to being dominated by Windows, yet it still sees the vast majority (99.99999%) of worm traffic.
SQL injections? Yeah, they work on any OS. Helps the cracker a whole lot if your SQL server runs with root privs - which for all I know is still the default and required state of a MSSQL box. If not... hooray, Microsoft caught up to 10 years ago.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
...but I can't. ;)
Ranma-sensei
P.S.: Yes, I know this is offtopic - come on, mod me down!
So you have to start by reinstalling known good copies on a reformatted disk slice, and gradually recover things as you prove them safe. It's much easier if you've done a heavy-duty job of configuration management and kept a really solid wall between your development and production systems, but that's surprisingly hard to get anybody to do well enough.
I once found a directory /.something with cracker data on one of my lab honeypots - the cracker had modified "ls" and "ps" so his files and processes wouldn't be found, including all his little setuid toys. Didn't occur to him that I'd be using "find" as a regular administrative tool that he'd need to hack, or looking at /proc wondering why there seemed to be extra processes there. (After all, it's a *lab* machine - I was experimenting with it.) You'd probably find some of those things if you were using Knoppix to check, but you might not, since the evil processes were running with innocuous-looking names and the directory names started with dots.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
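The find-versus-ls and /proc observations in this post amount to a cross-view check: ask two independent sources for the same list and look at the difference. As an added example, not the poster's own tooling, here is that check for processes in Python: the kernel's /proc listing is compared with what the userland `ps` binary reports, and anything present in the first but missing from the second is flagged. The constructed sample data and function names are assumptions; note that a kernel-level rootkit can filter /proc as well, which is why the offline checksum approach discussed elsewhere in the thread is the stronger test.

```python
import os
import subprocess

def pids_from_proc(proc_root="/proc"):
    """Process ids as the kernel's /proc view exposes them (numeric directory names)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}

def pids_from_ps_output(text):
    """Parse the output of `ps -e -o pid=` (one pid per line, no header)."""
    return {int(tok) for tok in text.split() if tok.isdigit()}

def hidden_pids(proc_pids, ps_pids):
    """Cross-view difference: pids the /proc listing shows but the userland tool
    omits. Each one deserves a look; a trojaned ps would produce exactly this gap."""
    return sorted(proc_pids - ps_pids)

def demo_constructed():
    """Constructed sample (not from the page): a /proc view with four pids and a
    ps listing that silently leaves one of them out."""
    proc_view = {1, 2, 1337, 4242}
    ps_text = "    1\n    2\n 1337\n"
    return hidden_pids(proc_view, pids_from_ps_output(ps_text))

def live_check():
    """Run the comparison on the current host. Processes that start or exit
    between the two snapshots appear as noise, so repeat before concluding."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return hidden_pids(pids_from_proc(), pids_from_ps_output(out))

if __name__ == "__main__":
    print("hidden in constructed sample:", demo_constructed())
    if os.path.isdir("/proc"):
        print("hidden on this host:", live_check())
```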
I did not mean to say that it is immoral or moral to infringe on a network. I merely meant to say that morality is decided by the person doing the action.
But yes, voluntary "pen testing" is probably often helpful. perhaps crackers could masquerade as white hats (company's POV, hactivists go under crackers in this example) if something screws up... but often companies won't even patch holes when they are pointed out (sorry, no source).
I have freaks! I did something right...
The article relies on somebody setting up a web server that allows SQL injection and runs using the admin user... who in their right mind would set up a system like this??
They may as well have written an article on how to crack a system if somebody sends you the SA password... pathetic!
Time is an illusion. Lunchtime doubly so. - Douglas Adams
I agree: Multiple layers of defense IS "the way"!
That, and turning off what you do NOT need to be running (e.g.-> services you don't actually use), & going that extra yard hardening up the system AND doing "penetration testing" on your own on top of that!
You NEED to be thinking JUST like someone who would be after your machines &/or network (i.e.-> YOUR information). It means having to do a lot of work yourself and like the best policemen imo? You need to have a dash of the criminal mentality inside yourself as well.
The EULA is just to protect themselves from legal ramifications in case some NEW way to blow by all of the defenses a 3rd party vendor may put into place gets beaten so they are not liable for that... that's mostly it, imo, regarding that.
(They're just protecting themselves, because new methods of 'break-in' & application vulnerability surface quite alot every year that get used to get around things!)
E.G.-> Witness VPN/Cisco routers dictionary crack type penetrations, & not using "3 tries & you're out" on logon attempts into them, which most OS' & Administrators even have setup on them along with periods in which re-attempts are setup to lock said individual/machineaddress/ip out for on top of it... so much for the "impenetrable VPN" & encryption being 'impenetrable''s another "fantasy"... the best you can do imo, nowadays, is to slow down the attacker & pay attention to your logs (I know, I know, miles long... this is where you automate scanning them looking for repeat attempts & outliers/failures on logon attempts etc. because of the length of them sometimes)
IMO, It's going to be a LONG time before applications themselves are 'crack-proof' as well, and they DO represent a point of attack.
My main examples being web-browsers like IE & FireFox having exploits found in them many times each year as well, if not email programs, etc./et al.... remote communication oriented apps in general. Things like AIM are turning up holes regularly as well.
The day's coming when it'll slow down, however, I don't think we will see a totally secure environment for another decade or so... if ever.
APK
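The "automate scanning them looking for repeat attempts" advice in the post above is the kind of thing a few lines of code can do against an auth log. As an added example, not code from the post's author, here is a sliding-window counter over constructed sshd-style log lines: every source address that reaches the threshold of failed logons inside one window is reported, which is the same "3 tries & you're out" rule applied after the fact to the log rather than at logon time. The log lines, the ISO timestamp layout, the addresses (RFC 5737 documentation ranges) and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from the page), sshd-like lines with ISO timestamps.
SAMPLE_LOG = """\
2005-01-10T03:00:00 gw sshd[4101]: Failed password for admin from 203.0.113.5 port 51234 ssh2
2005-01-10T03:00:04 gw sshd[4101]: Failed password for admin from 203.0.113.5 port 51234 ssh2
2005-01-10T03:00:09 gw sshd[4102]: Failed password for invalid user root from 203.0.113.5 port 51240 ssh2
2005-01-10T03:00:15 gw sshd[4103]: Failed password for admin from 203.0.113.5 port 51241 ssh2
2005-01-10T03:00:20 gw sshd[4104]: Failed password for admin from 203.0.113.5 port 51242 ssh2
2005-01-10T03:05:00 gw sshd[4110]: Failed password for bob from 198.51.100.7 port 40001 ssh2
2005-01-10T03:05:30 gw sshd[4111]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
2005-01-10T04:00:00 gw sshd[4200]: Failed password for carol from 203.0.113.9 port 40500 ssh2
2005-01-10T05:00:00 gw sshd[4300]: Failed password for carol from 203.0.113.9 port 40501 ssh2
2005-01-10T06:00:00 gw sshd[4400]: Failed password for carol from 203.0.113.9 port 40502 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def parse_failures(text):
    """Yield (timestamp, user, source_ip) for each failed-logon line; other lines are skipped."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")

def find_bursts(text, threshold=3, window_seconds=60):
    """Sliding-window count of failures per source address. Returns {ip: worst count}
    for every source that reached `threshold` failures inside any window.
    Lines are assumed to be in time order, as a log file normally is."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    worst = defaultdict(int)      # ip -> largest window count seen
    for ts, _user, ip in parse_failures(text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        worst[ip] = max(worst[ip], len(q))
    return {ip: n for ip, n in worst.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in find_bursts(SAMPLE_LOG).items():
        print("possible password guessing from %s: %d failures inside 60s" % (ip, n))
```

With the sample, only 203.0.113.5 is reported (five failures in twenty seconds); carol's three failures an hour apart never share a window, and bob's single failure followed by a success is normal user behaviour.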
The thing is, I think you guys are confusing "Windows machine" with "naively configured machine". I'll concede in advance that there is a high correlation. ;-)
You seem to be extrapolating from the fact that Sasser and friends were a widespread pain in the ass that Windows sucks. The latter may be true, but the former doesn't imply it. I got the feeling (just from reading the reports at the time, nothing fancy) that those worms mostly spread through stupidly configured home-user systems, not professionally-run boxes with competent sysadmins. (I think it's safe to say that if you don't have competent sysadmins, you're pretty screwed on any OS.)
Of course you shouldn't run your web server as root/Administrator/whatever. Of course you shouldn't leave convenient hacking tools installed by default. But let's be fair, those are poor administration, and not unique to Windows. If you run Apache on Linux, but leave a hole in a CGI app that's running at too high a privilege level, you're just as screwed.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
It seems that much of the article relies on "SQL injection" which is, in my experience, a disappearing trend. A few years ago, SQL injection was very widespread. I would rather say that the article demonstrates the eggshell principle of how 1 bad script can make it crack.
You DO know what accounts are necessary on your systems, right?
Why would there be any apps in
Any files that don't belong to a package, you delete.
Such as? The files that get modified during installation are things like hostname and timezone and so forth. It's kind of hard to hide anything bad in those.
Nope. That's one of the reasons why package management systems are so good. They make it easy to validate every file on your machine.
Again, no you don't. Not with Debian.
Yep. That's pretty standard for a rootkit.
And those mods are instantly identifiable because they won't have the same checksum as the originals.
Of course you would find them. They would show up as NOT belonging to any of the packages that are installed.
It doesn't matter where they're hidden.
It doesn't matter what they're named.
All your Base are...
You compare the checksum of the package on your system with the checksum listed on the website.
You DO know what a checksum is, right?
Mandates or not, they are there.
Yeah. Right.
No, seriously, how is someone going to sneak something by you in fstab?
And everything in init.d would also be checked.
Do you mean to say that you do not know what changes you've made in init.d? I certainly do. The only changes I've made are for running bind9 in a chroot jail and some tweaks to exim4. Everything else is pure stock and can be checked by a script.
#1. Why would I not trust "the OS+libc+package-manager"? It's Knoppix. I booted the system clean.
#2. On Debian, I can check all the files on the whole disk (not just
Here's the first step for you.
cd
dpkg -S * >
See? Every file there lists the package that installed it. If you see any files that do NOT have a package referenced, then you have a problem.
Incorrect. The concept becomes very clear once you understand the boot process of Linux.
If you can get the machine to boot from a known good install (Knoppix) then you can trust the tools you'll use to check each file on the disk.
The disk is not magical. There is no secret place that a file can be mystically concealed from a clean boot and the root account.
The process of loading those files is not magical. Each file is called by a specific process. If the processes can be validated and the files verified, then the system is clean.
Therefore, it is just a matter of collecting the information from a known good source (Debian's website) and validating that every file on the disk can be verified as to origin and checksum.
The ONLY times when this will not work is for files that YOU have altered or software that YOU have installed and YOU should be aware of each and every instance of such on YOUR machines.
Even if you do NOT know that about a machine, I can still identify the clean portions and the suspect portions AND THEN isolate the suspect portions for analysis.
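The procedure argued for in this exchange, and in the earlier Knoppix post (boot clean, mount the suspect disk, verify every file against the distribution's checksums, treat whatever no package accounts for as suspect), can be written down as a small audit script. The following is an added example, not the poster's script and not dpkg's own tooling: it parses manifests in the dpkg md5sums layout (`hexdigest  relative/path`, paths relative to the root without a leading slash), walks a mounted tree, and sorts every file into ok, modified, missing or unowned. The constructed sample root, the fake package manifest and the function names are assumptions made for the example; on a real Debian disk the manifests would be read from the distribution's package files, not from the suspect disk itself.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """Parse a dpkg-style md5sums manifest: one 'hexdigest  relative/path' per line."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, rel = line.split(None, 1)
        expected[rel.strip()] = digest.lower()
    return expected

def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_tree(root, manifests):
    """Classify every regular file under `root` (the suspect disk, mounted from a
    clean boot) against {package: md5sums_text}. A file is judged only by its
    bytes and its path in the manifest, so neither its name nor a dot-directory
    can hide it from this walk."""
    expected, owner = {}, {}
    for pkg, text in manifests.items():
        for rel, digest in parse_md5sums(text).items():
            expected[rel], owner[rel] = digest, pkg
    report = {"ok": [], "modified": [], "missing": [], "unowned": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in expected:
                report["unowned"].append(rel)              # nothing installed it
            elif md5_file(full) == expected[rel]:
                report["ok"].append(rel)
            else:
                report["modified"].append((rel, owner[rel]))  # e.g. a trojaned ls
    for rel in expected:
        if rel not in seen:
            report["missing"].append((rel, owner[rel]))
    for key in report:
        report[key].sort()
    return report

def demo():
    """Constructed sample root (not from the page): one fake package manifest,
    one tampered binary and an unowned dot-directory of the kind described upthread."""
    root = tempfile.mkdtemp(prefix="suspect-root-")
    pristine = {"bin/ls": b"ls original bytes\n",
                "bin/ps": b"ps original bytes\n",
                "usr/bin/find": b"find original bytes\n"}
    manifest = "\n".join("%s  %s" % (hashlib.md5(data).hexdigest(), rel)
                         for rel, data in pristine.items())
    for rel, data in pristine.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # What an intruder leaves behind: a modified ls and a file no package owns.
    with open(os.path.join(root, "bin/ls"), "wb") as f:
        f.write(b"ls with a filter added\n")
    os.makedirs(os.path.join(root, ".something"))
    with open(os.path.join(root, ".something/toy"), "wb") as f:
        f.write(b"not from any package\n")
    return audit_tree(root, {"coreutils": manifest})

if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

The "unowned" list is the one the poster says you must be able to explain entirely from your own changes; anything there you did not put there yourself is the starting point for the analysis.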
Actually, cracking today is a bit more like hotwiring a car using the just the fusebox. It takes about as much knowledge of the electrical subsystem to build the car as it does to do that.
Mod me down and I will become more powerful than you can possibly imagine!
Sure there is. When I say 2+2=4 and someone else is saying it's 6, then condescending is spot on.
No, they are not.
They have the same BASIC system and then they have whatever specifics needed for that app.
If I can validate everything except that app, then it is just a matter of re-installing that app. And that is the issue.
If you don't have a trusted base for the app you're running, then you have bigger problems than a compromised system.
NOTHING you do, including a complete re-install will give you a known clean system in that case.
NOTHING.
Been over that. Next question.
Right..... and you're going to re-install all of that so you have a known clean system.
Oh, you're not? Then what is the difference between my process and yours?
Again, if you're doing development on a production system (or running with development and production linked) you have bigger problems than a compromised system.
You simply will not KNOW if you have a clean system.
You'll have to do a 100% audit of ALL the code you have because the cracker could have installed backdoors in ANY of your code.
Again, in that situation, even doing a complete rebuild will NOT give you a known clean system.
And this is where condescending is required. Fill it in for yourself.
Again, in that scenario there is nothing you can do, including a bare-metal rebuild, that will give you a known good environment.
So, my process would give you results as good as a bare-metal rebuild, even in that scenario.
Again, in a situation where the code you're developing MIGHT be compromised, including your backups, then following my process will give you results as good as a bare-meta
That is because I rock.
Attend, Grasshopper, and I will provide you illumination upon your path to True SysAdmin-hood.
Argue for your limitations, and they will be yours.
Rather, learn the tools available and see how they are used to overcome the obstacles you have set before yourself. Understand that all is but 0's and 1's and therefore subject to the will of the True SysAdmin.
The novice quits upon the absence of a tool. The SysAdmin knows that his understanding is the only tool he will need.
Go in peace and strive to achieve beyond your limits.