Slashdot Mirror
Anatomy of a Hack
Tiberius_Fel writes "Informit.com is running an extensive article about the anatomy of a hack against a sample network. It's an excerpt from a book titled Protect Your Windows Network: From Perimeter to Data. Even though it makes references to Windows, the techniques can be applied to other operating systems fairly easily." From the article: "Although attacking networks can be fun and informative--not to mention illegal if you do not have all the proper permissions--the fact remains that the vast majority of us do not need to know how to do so. Frankly, becoming a good penetration tester (pen tester) takes more than a week-long class. It takes commitment, dedication, intuition, and technical savvy, not to mention a blatant disregard for the rules and the right way to do things."
Shut it off.
For all too many business owners and managers out there it just isn't worth it for them to learn to secure computers. They have enough trouble learning and keeping up with the business they have. Normally it isn't until they are breached that they realize that security is a need.
But that's what America is for. They need something, but don't have the time to do it. So you learn how to provide for their need, and sell it to them.
heh heh heh, he said "penetration testing", heh heh heh
-- If I were a fish, I'd be wet
I have done my fair share of security work and with regards to the blurbs "not to mention a blatant disregard for the rules and the right way to do things" I can say that one rule to never violate is always have a lawyer go over the contract and make certain the customer signs it before you do anything. Further is is a good thing to record all your activities on a black box while testing the system.
Bad Panda! No Bamboo for you! In matters of importance ACs will not be responded to. Want to say something critical,OK
I like to check out the security of my network using the nessus vulnerability scanner. It's free, it works, and it makes me think happy thoughts. :)
( and it keeps me from doing a lot of work )
If con is the opposite of pro. Then isn't congress the opposite of progress?
A lot of people will post on this story about how weak Windows is, or how great OpenBSD is, or whatever.
The keys to secure computing are
The use of multiple layers is crucial. Never depend on just a firewall, encrypted transmissions, or just on password protection. Never depend on your vendor to secure your data - it's your data, not your vendor's. Read your EULA, and you'll note how little they care.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
Isn't hacking more about the creation of something than the destruction of something? This sounds more like cracking. Anyone can open up a locked car with a coat hanger and hot wire it, but that doesn't make them equal with the skill of the engineers that created the car.
Powered by caffeine and sugar; BSD
What he doesn't really go into his how to build your production systems in a way that *ASSUMES* you're going to get attacked, maintains a clean environment for developing them in, and gives you the tools to rebuild rapidly from trustable versions. On the other hand, he does show how his example's victim's system was thoroughly broken into, getting from the production system to the development system, because it really *is* hard to do a good job of separating them adequately in a real environment, so even if you think you have a clean-room, you might not.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
..into other people's networks.
I wouldn't have figured that out without them. From what I understand, laws describe what is legal, and individuals decide what is moral. Then again, maybe psycopaths need to be told...
I have freaks! I did something right...
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
This was posted in Microsoft Technet magazine way back in January.
s /2005/01/AnatomyofaHack/default.aspx
http://www.microsoft.com/technet/technetmag/issue
Quick overview of the meat of the article
1. Do a WHOIS lookup of the IP range the network is on.
2. Search newsgroups for previous network internals that the SA has posted somewhere.
3. Do a port scan and fingerprint.
4. If there is a vulnerable service running, use a common exploit.
5. A quick description of how sql injection attack works on a web-application login.
6. Use xp_cmdshell on MS-SQL to download remote shell code via tftp.
7. Once somone has the sql server under control, use the poorly configured internal network to become domain admin.
Somone needs to put together a description on how a "social engineering" penetration test should be done objectivly. If there is one out there please let me know. =P
All you have to do is to boot with a known good rescue CD (Knoppix is great for this).
Then you can mount the infected drive and validate the checksums against the packages available on the web.
This will not tell you anything about your data, but none of your data should be executable anyway, right?
The same goes for Red Hat or any other distribution that has checksums for both packages and files contained within those packages.
You can even completely re-install the kernel on a Debian system in this fashion.
Slashdot surrendering to the mainstream, negative meaning of "hack".
:~
I though it was supposed to be a hacker forum
"Since any competent pen tester (or system administrator) with a need for these types of tools can write them, there is no reason for us to distribute them here."
/. before but I'm too lame to look for it.
Ah so, it is true then, Jedis do build their own light sabers.
Disclaimer: I've seen this link on
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It's got wake on lan.
I really hate Dan Patrick.
<sigh>
You may not have R'd TFA, but if you had, you'd notice that the techniques they illustrate to gain increasing and ultimately complete access to the network aren't particularly Windows-centric. The attack starts with a SQL injection vulnerability, for example, which is just as possible on a fully patched LAMP box if it's carelessly set up. The tools and specifics might be different on another system, but don't kid yourself that running non-MS machines at the edge of your networks is some kind of panacea. It's not.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
I just read the whole FA (yup, I'm new here as my user ID can tell ;) and I'm not sure what to think about it.
;)
The metodology used is not extraordinary: setting up a purposedly insecure network then hacking (sic) it themselves using the known holes is kind of cheesy. It helps to show how it works, but I prefer the honeynet approach: setting up boxes with known (or not) security holes, then analysing how a real intruder creates havoc.
Then there's some strange (re)definition of words.
For example, straight from TFA:
There are several techniques for getting our tools (often called "warez") onto the database server.
Then, as a side note:
Warez is a hacker/attacker colloquialism. It comes from the term "software," but is now used varyingly to mean either "attack tools" or "bootlegged software." In this chapter, we use it in the former context.
I think it's the first time I see the term "warez" used to describe "attack tools" (sic). I used to live in ancient times where "warez" weren't yet called "warez", then "warez" became "warez". Now what? "warez" aren't "warez" anymore? As it changed? (then a great many online dictionaries definition should be updated btw.).
The definition of XSS is also interesting:
In Figure 2-5, we see that not only do we get logged on, but the application also displayed the fake username we sent it on the home page. This latter artifact is actually a separate type of vulnerability known as a cross-site scripting (XSS) vulnerability, where the user input is echoed directly to the screen without sanitizing it first. We will not use it in the following attack, but it is interesting to note that it is there.
This definition of XSS is wrong: it's not because we see what was typed that the input weren't sanitized (sic). And it's certainly not because we see what was entered that this could lead to code being executed on another user's computer. Moreover I find the last sentence of this paragraph misleading: We will not use it in the following attack, but it is interesting to note that is is there. Of course they're not using it: they're "hacking" the server(s), not joe random visitor's box.
Then there are quite a lot half-truth, that can also be misleading:
A fully compromised system cannot be trusted to tell you the truth. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it.
If by "fully compromised" it means that the BIOS has been flashed and now lies about the files it reports, I then more or less agree. However such a tool is improbable (not enough room in the BIOS memory and not all BIOS can be flashed at will). So by "fully compromised" that's probably not what they meant. How would then an attacker lie when booting from a CD and running the scan from the CD? Or when hooking the compromised HD as a second HD on a clean system? It's not like everybody run their virus/trojans/rootkits scanners from the suspicious host.
Then at the end of TFLA (the 'L' stands for "Long") they explain, in a very windowish style, how to recover from a "hack": reinstall everything, because there's nothing you can trust (besides Windows's installation medium?)
So is it about the anatomy of a "hack" or how to recover from a "hack"? Both? Then why not a single word about how to configure an IDS?
Speaking of IDS, from TFA: Once we took over an entire network through an intrusion detection system.
WTF? I'm not sure if by their definition Snort qualifies as an IDS, but I run Snort in a passive way: no IP, not a single packet emitting from the box, etc. If an IDS becomes an entry point for intruders, then it's not an IDS but an IAS: Intrusion Automation System
The article could be summarized like this (like others already pointed out i
Please don't download any of the MP3 files you find there.
Note to Newbies, On the whole don't trust any mirror you find on slashdot that's not somebody like Mirrordot, Google, or the like. You may find yourself at goatse . cx
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
Non-MS machines not being perfect, and the parent comment that Windows should never be on the perimeter defense, are two entirely different things.
Network security in general, like another poster already commented, is about risk management. You'll NEVER be 100% secure - this doesn't mean that OS with the worst security track record in history is good enough. The idea is to get yourself to a comfortable level of paranoia vs functionality.
After watching Code Red, Blaster, Slammer, Sasser, etc, etc, etc run rampant through the Internet, I'm sorry, but I have to agree. Putting Windows anywhere NEAR your perimeter is like russian roulette. Sure, you can find someone who hasn't experienced problems with them. They're still in the 1%, however.
And don't anyone give me the marketshare bullshit excuse, please. The server market is still nowhere close to being dominated by Windows, yet it still sees the vast majority (99.99999%) of worm traffic.
SQL injections? Yeah, they work on any OS. Helps the cracker a whole lot if your SQL server runs with root privs - which for all I know is still the default and required state of a MSSQL box. If not... hooray, Microsoft caught up to 10 years ago.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
So you have to start by reinstalling known good copies on a reformatted disk slice, and gradually recover things as you prove them safe. It's much easier if you've done a heavy-duty job of configuration management and kept a really solid wall between your development and production systems, but that's surprisingly hard to get anybody to do well enough.
I once found a directory /.something with cracker data on one of my lab honeypots - the cracker had modified "ls" and "ps" so his files and processes wouldn't be found, including all his little setuid toys. Didn't occur to him that I'd be using "find" as a regular administrative tool that he'd need to hack, or looking at /proc wondering why there seemed to be extra processes there. (After all, it's a *lab* machine - I was experimenting with it.) You'd probably find some of those things if you were using Knoppix to check, but you might not, since the evil processes were running with innocuous-looking names and the directory names started with dots.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The article relies on somebody setting up a web server that allows SQL injection and runs using the admin user... who in their right mind would set up a system like this??
They may aswell have written an article on how to crack a system if somebody sends you the SA password... pathetic!
Time is an illusion. Lunchtime doubly so. - Douglas Adams