


From Zero to Root

Author:      Pain in the Ass
Submitted:      28-Apr-2007 19:41:04
Imported From:      The CyberArmy University (original author: )


A tutorial on hacking for the security-interested.
Disclaimer:
This is a theoretical introduction to security on any IP network,
the Internet for example. It has been written for informational
and educational purposes only. It should be seen as an introduction
to the methods and strategies used by hackers rather than a how-to.
The author does not suggest performing illegal actions and cannot
be held liable for the actions of other individuals who perform
any of the actions discussed in this paper, or for any resulting damage.

Introduction:
Over many years I have watched the security community grow, but I have
also seen a development that I dislike. Newbies to Internet security
aren't interested in security itself. Defacing sites, ranting on
IRC networks and becoming a somewhat infamous cracker matter more
to them than becoming familiar with the topic of security.
I am going to describe the methods and strategies used to gain
unauthorized access to various UNIX hosts on the Internet without any
kind of cracker application. This guide will not teach you how to hack,
nor do you have to be a security expert to use the techniques described
here. Hacking means finding your own way of doing things and finding
new approaches to accomplishing something. Since I address this to
newbies within the security scene I'll use words they probably know:
I can only show you the door. You're the one that has to walk through it.

A. Prerequisites

Your Operating System:
You'll need a UNIX-like (POSIX) system on your home computer.
You simply won't be able to do this on a Windows system, even if you
argue that ports of some of the mentioned tools exist for your
Windows NT. I dislike OS debates, so I won't go into details here,
but I suggest you get a BSD such as NetBSD, FreeBSD or OpenBSD,
since their default install is secure enough for a start.
You can also use a Linux distribution, but make sure you know how to
secure it. Operating from a secure machine is the most important
prerequisite, since a compromised local system can be used to reveal
your identity. If you are new to Linux/BSD and their security, you
had better read some tutorials about securing them before you continue
with this document. My current system is FreeBSD 4.6, but any other BSD
will do as well.

Knowledge you should already have:
Make sure you know the basic commands of your console/OS.
Tools like 'man' and 'info' will tell you everything you need to
know about a tool your OS ships, so read the manpages and get used
to the tools.
Basic tools you should have used AND understood:

angst (active sniffer; floods switches with MAC addresses so they fail open - see my VoIP tutorial)
aldebaran (advanced libpcap-based TCP sniffer - see my VoIP tutorial)
awk (pattern scanning and text processing language)
cat (concatenate files and print on the standard output)
chmod (change file access permissions)
cut (remove sections from each line of files)
dd (convert and copy a file)
dsniff (network auditing and penetration testing toolkit)
find (search for files in a directory hierarchy)
finger (user information lookup program)
ftp (Internet file transfer program)
gcc (GNU project C and C++ compiler)
grep (print lines matching a pattern)
gzip (compress or expand files)
head (output the first part of files)
ifconfig (configure a network interface)
ipfw (IP firewall - see my ipfw tutorial)
inetd (Internet "super-server" - I suggest xinetd as well)
kill (terminate a process)
last (show a listing of last logged in users)
less (opposite of more ;)
ln (make links between files)
ls (list directory contents)
mail (send and receive mail)
more (file perusal filter for crt viewing)
mount (mount a file system)
mknod (make block or character special files)
nc (Netcat - TCP/IP swiss army knife)
nmap (THE network exploration tool and security scanner)
ping (send ICMP ECHO_REQUEST packets to network hosts)
ps (report process status)
rcp (remote file copy)
sed (a stream editor)
sort (sort lines of text files)
ssh (secure shell client [remote login])
syslogd (system log daemon)
tail (output the last part of files)
tar (tar archiving utility)
tcpdump (dump traffic on a network)
telnet (user interface to the TELNET protocol)
vim (Vi IMproved, a text editor)
xhost (server access control program for X)
xterm (terminal emulator for X)

Requirements from your side:
You need to make sure that you are better secured than the system
you want to root. I suggest you disable all services you don't need
while scanning or rooting the other system. I wrote a little
shell script that kill -9s all processes I don't want running while I
scan/root systems. I suggest you do the same, and think about
using CFS by Matt Blaze (Cryptographic File System) to make sure
no one can read your filesystem in case you get compromised. Think
about your own security first, before probing other people's security.

Your connection / ISP
NEVER HACK WITH YOUR OWN ACCOUNT. At least not without securing
your way through the net! You can use shell accounts on a foreign
UNIX box, where you either can gain control over all logging processes
or are sure that no syslogd and no network monitors are running. Old
and forgotten BSD systems within universities are pretty good, since
they often haven't been patched against common vulnerabilities. Whatever
you do: check the connection for unusual things like monitors, IDS
like Snort, or proxies. Do a traceroute to learn something about the
backbone in use. You can also use university accounts, like I used to do,
but make sure you know the administrators' activities, like monitoring
or random scanning of users! If a university is close to you, take your
laptop and a PCMCIA Ethernet card and plug the laptop into one of the free
(and not monitored) RJ-45 jacks. But never forget: think about the
administrators!
Make it hard to detect your activity and to trace its route: conceal
your first hop and go through at least one intermediate system rather
than connecting directly. Administrators of big systems use
tracking systems that can identify you easily. Things like
traceroute, whois, rwhois and reverse DNS are only a few of the simple tools
administrators have; they have plenty more.
Never forget these facts!

B. Scanning a host

Your security first:
I cannot say it often enough: make sure you cannot be tracked down!
Do NOT use your private ISP account. A simple whois of your IP as logged
in a system log can (and probably will) show the admin at least the
abuse e-mail address of your ISP for things like hacking, scanning etc.
Your IP and the timestamp of your scans are the details that will
get you jailed!!! Do not think you can disconnect after an hour
and reconnect with a new dynamic IP to secure yourself!! Do you really
think that just because the admin cannot ping your host afterwards,
he won't whois the IP range and at least track your ISP down again?
If you know a WinGate/SOCKS server that won't log your connections, and you
are damn sure of it, then stick with it. Otherwise I suggest using machines
you have already rooted. Machines you have rooted should be patched by you,
with a small backdoor added, like a modified /bin/login if you doubt the
admin's skills or a smarter backdoor if you think he has at least basic
knowledge ;) and then left without any traces! Such machines are ideal for
scans and hacks, since you control all logging and monitoring processes.

Scanning without being detected:
Make sure you know what you are doing when you start network scanners like
nmap! At least read the entire book TCP/IP Illustrated (by Stevens) once, to
understand what SYN, ACK, NULL etc. are supposed to be. The scans
recommended in many other papers I read have been:
NULL (a TCP packet with no flags set at all)
XMAS (a TCP packet with FIN, PSH and URG set)
FIN (a TCP packet with only FIN set)
All three rely on the same detail of RFC 793: a closed port answers a
packet that carries neither SYN, RST nor ACK with a RST, while an open
port silently drops it. So "no answer" means open, and a stack that
ignores that rule (Windows, for example, answers with a RST either way)
makes all three scans useless against it. The related ACK scan sends a
lone ACK and gets a RST from open and closed ports alike; it only tells
you whether a stateful filter sits in front of the port.
I cannot recommend one particular scan, because most admins I know are smart
enough to implement good IP firewall rulesets, or to fake the server's replies
to such scans. Many of the scans above will be blocked as well,
since they are known to be "hacker scans". Some systems block them with
static rules but leave a gap when it comes to simple SYN scans.
Try the three scans above first, then fall back to SYN or connect(2) scans.
Keep in mind that a SYN scan (nmap -sS) needs raw sockets, i.e. root on the
scanning box, while a connect(2) scan (nmap -sT) completes the handshake and
therefore shows up in the logs of every service that logs connections
(tcp wrappers, sshd, ...). If you use the connect(2) scan, then use lscan
to get the versions of the probed services, since you'll need them to
find exploits; nmap's own version detection (-sV) does the same job. You can
also just scan the host and afterwards do simple HTTP GETs to receive
some information about things like the httpd server etc. There are many
ways to go; decide for yourself which is most reliable for you.
My way of scanning hosts:
I include a pause for my scanner between every single probed port. It's
important to know the default settings of IDS (Intrusion Detection Systems)
like Snort for scan detection, since they alert on a number of ports or
hosts touched within a time window! Or I start a distributed scan. This will
be logged on the system, but since every probe comes from a different
machine/IP, the IDS won't alert the admin, or at least the source of the
scan (my machine) cannot be located this easily.
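The flag tests and the per-source threshold described above, as an added example that is not part of the original tutorial: the probe classifier an IDS applies to single packets and a sliding-window port-sweep detector of the kind Snort's portscan preprocessor implements, run over a constructed packet list. Addresses, ports, timings and the threshold values are assumptions made up for the example; nothing here is a real capture.

```python
"""Added example, not part of the original tutorial: the flag test an IDS
applies to single probes and the per-source threshold it applies to port
sweeps, run over a constructed packet list.  It shows that NULL/XMAS/FIN
probes are recognisable by their flag bits alone, and that spacing probes
out in time or spreading them over many sources keeps every source below
a threshold like Snort's.  Addresses, ports, timings and the threshold
values are assumptions made up for this example."""
from collections import Counter, defaultdict

# TCP flag bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_probe(flags):
    """Name a probe by its flag combination, using nmap's scan names."""
    if flags == 0:
        return "NULL"          # no flags at all: never sent by a real stack
    if flags == FIN | PSH | URG:
        return "XMAS"          # FIN+PSH+URG, "lit up like a christmas tree"
    if flags == FIN:
        return "FIN"           # lone FIN without a preceding handshake
    if flags == SYN:
        return "SYN"           # the first packet of a normal connection
    if flags == ACK:
        return "ACK"           # lone ACK: firewall-mapping probe
    return "other"


def count_probe_types(packets):
    """Histogram of probe types; packets are (ts, src, dst, dport, flags)."""
    return dict(Counter(classify_probe(flags) for _, _, _, _, flags in packets))


def detect_sweeps(packets, max_ports=5, window=60.0):
    """Per-source threshold detector: alert when one source address touches
    more than max_ports distinct destination ports within `window` seconds.
    Returns {src: sorted list of ports seen in the triggering windows}."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport, _flags in packets:
        by_src[src].append((ts, dport))
    alerts = {}
    for src, probes in by_src.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            # slide the window so that it spans at most `window` seconds
            while probes[end][0] - probes[start][0] > window:
                start += 1
            ports = {port for _, port in probes[start:end + 1]}
            if len(ports) > max_ports:
                alerts.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in alerts.items()}


# Constructed sample traffic against one target (not a real capture).
PORTS = [21, 22, 23, 25, 53, 80, 110, 143]
TARGET = "192.0.2.10"
SAMPLE_PACKETS = (
    # a) fast NULL scan: one source, eight ports in eight seconds
    [(float(i), "10.0.0.5", TARGET, p, 0) for i, p in enumerate(PORTS)]
    # b) slow XMAS scan: same ports, one probe every two minutes
    + [(120.0 * i, "10.0.0.6", TARGET, p, FIN | PSH | URG) for i, p in enumerate(PORTS)]
    # c) distributed SYN scan: eight sources, one port each, all at once
    + [(0.0, "10.0.0.%d" % (10 + i), TARGET, p, SYN) for i, p in enumerate(PORTS)]
)

if __name__ == "__main__":
    print(count_probe_types(SAMPLE_PACKETS))   # {'NULL': 8, 'XMAS': 8, 'SYN': 8}
    print(detect_sweeps(SAMPLE_PACKETS))       # only 10.0.0.5 trips the threshold
```

With the defaults only the fast scanner (a) is reported; the slow scanner (b) never has more than one port inside a 60-second window and each host of the distributed scan (c) touches a single port. Widen the window to ten minutes and (b) is caught as well, which is the point of knowing the real thresholds of the IDS in front of a target rather than guessing.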

While scanning:
While you scan a host, make sure you cannot be detected and your machine won't
answer requests like UDP traceroute probes (the default destination port starts
at 33434 and rises by one per probe, so roughly 33434-33523 for 30 hops with
three probes each) or ICMP echo requests.
If you use ipfw (and I recommend it!), then add rules similar to:

ipfw add deny udp from any to mysystem.net 33434-33523 in

and so on (ipfw's icmptypes keyword lets you deny ICMP echo requests, type 8,
the same way). See my ipfw tutorial for more information on this subject.
Like I mentioned above already: turn off all services that are not needed!

Who do you scan:
Most crackers scan whole IP ranges and so on to find a host with a
vulnerable service, deface the site and become an infamous
script kid. Nice. But we are more interested in real security than in
random scans and hacks. So we need to do 'footprinting'.
Make yourself familiar with these services:
http://www.netcraft.com
http://www.samspade.org
http://MacLawran.ca/bb-dnld/ (currently down for security reasons, but
you can usually get information there on the activity of services like
ftp, http, smtp, pop3, dns, telnet, imap, nntp and ssh on your target host)
whois.arin.net
http://www.allwhois.com
Every lookup you outsource to a website is worth it! The less you have to do
from your very own system, the less risk you take.

Find your way inside:
Your way inside will be a vulnerability that hasn't been patched yet, since
you are (hopefully) not just interested in (D)DoSing the host. After you have
done your scan, check the logs or the output for vulnerable daemons. If you
prefer to scan multiple hosts and check the logs afterwards, use grep
and pipe the output through your "vulnerable service" pattern match.
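The "grep the scan logs for a service pattern" step, as an added example that is not part of the original tutorial: a parser for nmap's grepable output (-oG) plus a filter by service name and version string, so a batch of scans is matched programmatically instead of by eye. The scan output below is constructed by hand; the host names, banners and the filter pattern are illustrative values and say nothing about any version being vulnerable.

```python
"""Added example, not part of the original tutorial: a parser for nmap's
grepable output (-oG) plus the pattern match the text describes, so a batch
of scans can be filtered by service and version string instead of being
grepped by eye.  The scan output below is constructed by hand for this
example; the version strings and the filter pattern are illustrative
values, not statements about any version being vulnerable."""
import re


def parse_grepable(text):
    """Return {host_ip: [(port, proto, state, service, version), ...]}.

    nmap -oG prints one tab-separated "Host:" line per host; the "Ports:"
    field holds comma-separated entries of the form
    port/state/proto/owner/service/rpcinfo/version/ (nmap escapes a "/"
    inside the version as "|"; the join below copes if one slips through)."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the "# Nmap ..." comment lines
        fields = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value
        host = fields["Host"].split()[0]  # "10.0.0.1 (name)" -> "10.0.0.1"
        entries = []
        for entry in fields.get("Ports", "").split(", "):
            entry = entry.strip()
            if not entry:
                continue
            parts = entry.split("/")
            port, state, proto, _owner, service = parts[:5]
            version = "/".join(parts[6:]).rstrip("/")
            entries.append((int(port), proto, state, service, version))
        hosts[host] = entries
    return hosts


def find_services(inventory, service=None, version_re=None, state="open"):
    """The "vulnerable service pattern match" step: return (host, port,
    service, version) for every entry in the given state whose service name
    equals `service` (if given) and whose version matches `version_re`."""
    pattern = re.compile(version_re) if version_re else None
    hits = []
    for host, entries in inventory.items():
        for port, _proto, st, svc, ver in entries:
            if st != state:
                continue
            if service is not None and svc != service:
                continue
            if pattern is not None and not pattern.search(ver):
                continue
            hits.append((host, port, svc, ver))
    return hits


# Constructed sample in -oG format (hosts, names and banners are made up).
SAMPLE_GREPABLE = """\
# Nmap scan, grepable output (constructed sample, not a real scan)
Host: 192.0.2.10 (www.example.net)\tPorts: 22/open/tcp//ssh//OpenSSH 3.4p1/, 80/open/tcp//http//Apache httpd 1.3.26/, 111/filtered/tcp//rpcbind///\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 1.2.0/, 22/open/tcp//ssh//OpenSSH 3.9p1/\tIgnored State: closed (998)
"""

if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_GREPABLE)
    for hit in find_services(inventory, service="ssh", version_re=r"OpenSSH 3\.4"):
        print(hit)   # ('192.0.2.10', 22, 'ssh', 'OpenSSH 3.4p1')
```

Feed it `nmap -sV -oG scan.gnmap ...` output and the version column is filled in; without -sV the version field is empty and only the service name is available for matching. Filtered ports are kept in the inventory so that you can tell a port that answered from one a firewall swallowed.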

C. Your way to root

Gaining root is nice - not being caught is even better
You gained root access through a vulnerable service running on the target
machine, ok. What you need to do now is:
- delete all traces of your 'visit'
- install a backdoor for your next 'visit'
- patch the vulnerability you used and maybe others
- log everything you found about the system
- in case you don't need the system, leave a message via mail to the admin
(white hat style)

Delete all traces of your hack
First of all we do a killall -9 syslogd klogd - we don't want to be monitored.
Then we move on to the logs that include our traces:
copy secure.1 and messages.1 from /var/log over secure and messages.
If there are no *.1 files, truncate them. Then we unset HISTFILE!
Delete every .bash_history that could include data about the accounts you used:
rm -rf .bash*
Be aware that this cleanup is neither complete nor invisible: the output of
last and w comes from wtmp/utmp, which none of the above touches, and a
syslogd that forwards to a remote loghost has already shipped everything
before you killed it. Killing it leaves its own mark too: the log simply
stops, and when it comes back the "syslogd: restart" line has no
"exiting on signal" entry before it, which a careful admin will notice.
Ok, let's look for things we should check as well:
ps -aux | grep inetd
ps -aux | grep portmap
ps -aux | grep snort
etc., you get my point.
Things you may have done to delete traces, but which left traces this way, could be:
- You removed the shutdown account from /etc/passwd and /etc/shadow (happens
when you use some rootkits)
- You stopped system logging, and some network servers have been deleted

When you root a system, try to restore the system completely, except for the
exploit! Either write a script that restarts syslogd and klogd, or
write a cronjob, whatever, just make sure you don't leave the system monitors
turned off.
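The marks this cleanup leaves, seen from the defender's side, as an added example that is not part of the original tutorial: three checks against /var/log/messages that flag a syslogd that came back without a clean stop, a suspicious silence (or time running backwards) in the log, and a live log that is byte-for-byte identical to its rotated predecessor. The log lines are constructed for the example in the classic "Mon DD HH:MM:SS host prog: message" syslog format; the year, the host name and the 30-minute gap threshold are assumptions.

```python
"""Added example, not part of the original tutorial: three checks a
defender can run against /var/log/messages to spot the cleanup described
above (syslogd killed with -9, the rotated file copied over the live one).
The log lines are constructed for this example, in the classic
"Mon DD HH:MM:SS host prog: message" syslog format; the year, the host
name and the 30-minute gap threshold are assumptions."""
import hashlib
import re
from datetime import datetime

SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?):? (.*)$")


def parse_syslog(text, year=2007):
    """Return [(timestamp, host, program, message)] for every parseable line;
    syslog lines carry no year, so it has to be supplied."""
    entries = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
        entries.append((ts, m.group(2), m.group(3), m.group(4)))
    return entries


def find_unclean_restarts(entries):
    """syslogd logs "exiting on signal 15" when stopped with SIGTERM and
    "restart" when it comes up.  A restart with no clean stop before it
    (and with earlier entries in the file, so it is not the boot-time one)
    means the daemon died or was kill -9'd.  Returns those timestamps."""
    findings = []
    clean_stop = False
    for i, (ts, _host, prog, msg) in enumerate(entries):
        if not prog.startswith("syslogd"):
            continue
        if "exiting on signal" in msg:
            clean_stop = True
        elif "restart" in msg:
            if i > 0 and not clean_stop:
                findings.append(ts)
            clean_stop = False
    return findings


def find_silent_gaps(entries, max_gap_minutes=30):
    """Return (before, after) timestamp pairs where the log is silent for
    longer than max_gap_minutes, or where time runs backwards (a sign that
    older content was copied over the file).  The threshold depends on how
    chatty the box normally is."""
    gaps = []
    for (t0, *_), (t1, *_) in zip(entries, entries[1:]):
        delta = (t1 - t0).total_seconds()
        if delta < 0 or delta > max_gap_minutes * 60:
            gaps.append((t0, t1))
    return gaps


def same_content(current, rotated):
    """True when the live log is byte-for-byte identical to its rotated
    predecessor.  Real rotation never produces that (the live file starts
    out empty), but "cp messages.1 messages" does.  Takes file contents as bytes."""
    return hashlib.sha256(current).digest() == hashlib.sha256(rotated).digest()


# Constructed sample: a box where syslogd was killed at about 10:08 and
# brought back by the intruder's script at 11:52.
SAMPLE_TAMPERED = """\
Apr 28 10:00:01 gw syslogd: restart
Apr 28 10:05:12 gw sshd[412]: Accepted password for alice from 192.0.2.7 port 40122 ssh2
Apr 28 10:07:45 gw su: alice to root on /dev/ttyp1
Apr 28 11:52:30 gw syslogd: restart
Apr 28 11:53:02 gw cron[988]: (root) CMD (/usr/libexec/atrun)
"""

# Constructed sample of the same box with an ordinary, clean syslogd restart.
SAMPLE_CLEAN = """\
Apr 28 10:00:01 gw syslogd: restart
Apr 28 10:05:12 gw sshd[412]: Accepted password for alice from 192.0.2.7 port 40122 ssh2
Apr 28 10:20:00 gw syslogd: exiting on signal 15
Apr 28 10:20:03 gw syslogd: restart
Apr 28 10:25:00 gw cron[988]: (root) CMD (/usr/libexec/atrun)
"""

if __name__ == "__main__":
    tampered = parse_syslog(SAMPLE_TAMPERED)
    print("unclean restarts:", find_unclean_restarts(tampered))   # one, at 11:52:30
    print("silent gaps:", find_silent_gaps(tampered))             # 10:07:45 -> 11:52:30
    print("clean log:", find_unclean_restarts(parse_syslog(SAMPLE_CLEAN)))  # []
```

Point same_content at the bytes of messages and messages.1 read from disk; the other two checks run over parse_syslog(open("/var/log/messages").read()). None of this proves a compromise by itself, but a silent window that coincides with an unclean syslogd restart is exactly the shape the procedure above produces, and it is where an admin starts pulling on the thread.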

Install a backdoor for your next visit
Like I mentioned already, a backdoored /bin/login or /sbin/login is too easy
to detect, so think about another way, like a port backdoor or, even better,
upload a vulnerable version of a daemon, if possible either customized
so that only you can use it, or at least with a very little-known exploit.
Don't forget: if you want to control this system, you need to secure the system
better than the admin has done! Check the system for possible problems with
suid scripts and race conditions that may cause security problems. Don't forget
that people with a legitimate account may try to root the box as well, and they
have an easier way in than you! If you want to link your backdoor somehow to the
system's 'frontend' then you can again use an ipfw rule like divert to route the
connection you want to establish. Most rulesets are so big that admins cannot
check them regularly or don't even remember what they have set up there.

Patch the vulnerability
Check Bugtraq or other sites for a patch. If you cannot find a patch, or
there is no patch yet, then better turn off the service, in case you believe
- the admin rarely checks this box
- the service you exploited is insignificant
If you cannot turn the service off, because it would be too obvious to the
admin, then use the system's own means to prevent other hackers from using the
service at all: for example add an ipfw rule that matches incoming connection
attempts, and a rule that matches already established connections, so that the
system does not cut 24/7 connections from other systems within the LAN etc.

Log everything you found about the system
The usual things you do when you enter a system:
- uname -a, w
- last (last connected users)
- set (check the settings written by the install routine into the shell)
- cat /etc/passwd
- cat /etc/inetd.conf
- cat /etc/rc.conf etc., you know what I mean
The more you know about the system, the better you can estimate the system's
worth for further 'projects' you have.
Also check the .bash_history of other users you found in /etc/passwd. This
will give you an impression of the things being done on this server. Check
the admin's logs, backups and the personal data he stores!

Leave a msg via mail to the admin
In case you find out that this box is useless for you, don't trash the
whole system. That is the behaviour of idiots! Instead of being one of those
idiots, better leave the admin a quick note via mail or create a little file with
a summary of the things you've done to patch the system. Sometimes I even left an
anonymous mail address to contact me in case he had some questions, and I had some
interesting conversations this way. It's up to you to decide what you want to do.

D. Things you should have done at least once

Join a group/community of security-interested people
Being in a group of people that share the same interest, and maybe even
roughly the same skill level when it comes to security questions, can be very
interesting.

Watching hacker movies
Yeah, I'm not kidding! At least once take a look at movies like
- The Matrix (apparently inspires many kids)
- Swordfish
- Sneakers
They are often fun for people that are into security. I've been in some
movies with friends and suddenly had to laugh, like when this little girl
in 'Jurassic Park' is hacking a UNIX system. Pretty funny, even though other
people in the cinema didn't get it :)

Share your knowledge
Within the hacking scene open source is a big word, but only quite a few
people really help open source projects. You can at least 'open source'
the knowledge you gained over the years and help other people and the next
generation to learn something useful.

E. Things you should 'never' do

Destroying systems or even hardware
Never destroy a system! Only in case you have bad luck and the local admin
joins your rooting session and is about to identify you or something. But
that situation is something that only happens in Hollywood
movies! Never destroy hardware! You think you cannot destroy hardware
remotely? Heh, I guess you still have a lot to learn, dude. For example,
wrong modelines in XF86Config could drive an old fixed-frequency monitor
beyond its limits. You'll never need to destroy hardware, leave it!

Challenging good admins or even government admins
Even if you feel like you are on an all-time high: never mess with them. Don't
ask why, just don't do it! They have the better position in this fight, and like
Sun Tzu stated in his book "The Art of War": never start a fight you cannot win!

Being a smartass
Even if you already know many things about security and networking, there are
people out there that know more than you do! Do not be a smartass towards
newbies. You were new to security once as well, and laughing about
questions like "What is Unix?" doesn't appear smart. Think about it.

If you want to get in touch with me:

gabbana@insecured.net

or visit the site:

www.insecured.net

Thanks
A big thank you to Mixter (from hacktivisto) for reviewing this tutorial

This article was originally published by CyberArmy.net in the CyberArmy Library.

