Hackers, like security people, all start at the same place: ignorant, in need of a clue. As both groups begin learning, the same materials:

    Hacker FAQ
    Wietse Venema and Dan Farmer's guide to unix security

and so forth equally benefit both groups. In fact I am convinced at this point that many of the better security people spend time on IRC's #hack and many of the better hackers are avid readers and contributors to the firewalls mailing list.
Even so, there is a kind of dividing line when you get into the arena of hacking scripts and programs. I have spent a lot of time with some of this software, but it was to understand how it works, to try to educate the folks I am supposed to be serving on how they might protect themselves.
The following is a discussion of a C program and some support files, used to attack sendmail. It got captured when the hacker, who went by the handle of zomo, tried to use it on a smap demon from the TIS Firewall toolkit.
The source distribution looked like this:

(Oh, the author's statement was that this software should not be distributed without permission, so only part of the code is available, sorry)

    A UNIX Makefile
    A main program
    A sample run
Let's take a closer look at the attack itself; this is the actual e-mail message captured by the firewall.
Now that we know the attack, how to defend? In this case, all you need is Sun's Sendmail patch and you are good to go. Now let's consider the general approach here: the attack places a "grappling hook", a small program, on the soon-to-be-victim computer, which allows the rest of the attack to be brought over. How might we detect a grappling hook?
Probe TCP Ports is a simple program which does a fine job of determining what ports on a computer are open, that is, have a service demon listening. Perhaps strobe and satan are more famous variants of the same thing.
Below is a sample run:

    $ probe_tcp_ports 128.3X.XX.XXX
    Host 128.38.23.119, Port 21 ("ftp" service) connection ... open.
    Host 128.38.23.119, Port 23 ("telnet" service) connection ... open.
    Host 128.38.23.119, Port 25 ("smtp" service) connection ... open.
    Host 128.38.23.119, Port 53 ("domain" service) connection ... open.
    Host 128.38.23.119, Port 79 ("finger" service) connection ... open.
    Host 128.38.23.119, Port 111 ("sunrpc" service) connection ... open.
    Host 128.38.23.119, Port 513 ("login" service) connection ... open.
    Host 128.38.23.119, Port 514 ("shell" service) connection ... open.
    Host 128.38.23.119, Port 515 ("printer" service) connection ... open.
    Host 128.38.23.119, Port 664 connection ... open.
    ...

*** Port 664 is where I have installed a grappling hook on my boss's computer *just kidding* ***

Now it is important to remember that the program you use to protect yourself can just as easily be used against you. It hardly qualifies as subtle, but hackers still run port scans across the internet. is a program that may be used to detect such scans.
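The sample run shows the detection idea in its simplest form: port 664 is open but has no name in /etc/services, and it is not something the host is supposed to be serving. The script below is an added example (not code from the page or from the Probe TCP Ports author) that parses output in the format shown above and flags open ports missing from a baseline of expected services. The baseline set and the sample scan text are constructed here; in practice the baseline comes from the host's documented configuration, not from an earlier scan of the same host.

```python
import re
from typing import Dict, List, Tuple

# One line of probe_tcp_ports output, in the format of the sample run above.
# The '("name" service)' part is absent when the port has no /etc/services entry.
LINE_RE = re.compile(
    r'^Host (?P<host>[\d.]+), Port (?P<port>\d+)'
    r'(?: \("(?P<service>[^"]+)" service\))?'
    r' connection \.\.\. open\.$'
)

# Assumed baseline: the ports this host is documented to serve.
EXPECTED_PORTS = {21, 23, 25, 53, 79, 111, 513, 514, 515}

# Constructed sample, copied from the page's probe_tcp_ports run.
SAMPLE_SCAN = """\
Host 128.38.23.119, Port 21 ("ftp" service) connection ... open.
Host 128.38.23.119, Port 23 ("telnet" service) connection ... open.
Host 128.38.23.119, Port 25 ("smtp" service) connection ... open.
Host 128.38.23.119, Port 53 ("domain" service) connection ... open.
Host 128.38.23.119, Port 79 ("finger" service) connection ... open.
Host 128.38.23.119, Port 111 ("sunrpc" service) connection ... open.
Host 128.38.23.119, Port 513 ("login" service) connection ... open.
Host 128.38.23.119, Port 514 ("shell" service) connection ... open.
Host 128.38.23.119, Port 515 ("printer" service) connection ... open.
Host 128.38.23.119, Port 664 connection ... open.
"""

Listener = Tuple[str, int, str]  # (host, port, service name or '')


def parse_scan(text: str) -> List[Listener]:
    """Extract (host, port, service) from each 'open' line; ignore anything else."""
    found: List[Listener] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            found.append((m.group('host'), int(m.group('port')), m.group('service') or ''))
    return found


def unexpected_listeners(listeners: List[Listener], expected=EXPECTED_PORTS) -> List[Dict[str, object]]:
    """Flag open ports not on the baseline. A port with no /etc/services name is
    noted separately, since an ad-hoc listener usually has none."""
    findings: List[Dict[str, object]] = []
    for host, port, service in listeners:
        if port in expected:
            continue
        findings.append({
            'host': host,
            'port': port,
            'service': service or None,
            'reason': 'open port not in baseline'
                      + ('' if service else '; no /etc/services name'),
        })
    return findings


def audit(text: str, expected=EXPECTED_PORTS) -> List[Dict[str, object]]:
    """Parse scan output and return the list of unexpected listeners."""
    return unexpected_listeners(parse_scan(text), expected)


if __name__ == '__main__':
    for f in audit(SAMPLE_SCAN):
        print(f"{f['host']}:{f['port']} -> {f['reason']}")
```

Run against the sample, only port 664 is reported. The useful part is the comparison against a documented baseline rather than the scan itself: a scan alone tells you what is open, and only the baseline tells you what should not be.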
If, however, the grappling hook and the file transfer are not detected, then what happens? Well, then the rest of the attack is brought over; consider the readme from an early version of rootkit. There really isn't much I can add to the readme: basically, if someone gets to run it on ya, they got ya. Please notice the substitute system binaries that CERT and the like have been warning you about. They look and feel and checksum like the "real" thing. Here is one person's opinion on what to do if your system is compromised by an intruder. My own thought is to throw in the towel, reload the binaries from CD-ROM and the data only from backups... oh, and don't forget the patches this time.
Any vulnerability in a computer system can open the door for the grappling hook and then programs like rootkit. One of these vulnerabilities is the hosts.equiv file. Let's take a look at how this problem can be exploited.
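The page stops here, so as an added example (not the author's) here is the check a defender would run on hosts.equiv before anything else: find the entries that grant trust too widely. It relies only on the documented hosts.equiv(5) format (one `hostname [username]` entry per line, `+` as a wildcard, `+@netgroup` for a netgroup, a leading `-` to deny); the sample file contents are constructed. The same format is used by per-user .rhosts files, so the parser applies to those too.

```python
from typing import Dict, List

# Constructed sample hosts.equiv (not from the page).
SAMPLE_HOSTS_EQUIV = """\
# hosts.equiv: hosts trusted for rlogin/rsh
fileserver.example.com
+
backup.example.com  operator
-untrusted.example.com
+@admins
"""


def audit_hosts_equiv(text: str) -> List[Dict[str, object]]:
    """Return one finding per trust entry, graded by how much it gives away.
    Deny entries (leading '-') are skipped; comments and blank lines ignored."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith('-'):
            continue
        if host == '+':
            severity, reason = 'critical', 'wildcard host: every host that can reach this machine is trusted'
        elif user == '+':
            severity, reason = 'critical', f'any user on {host} is trusted'
        elif host.startswith('+@'):
            severity, reason = 'high', f'netgroup {host[2:]} trusted; review its membership'
        elif user is not None:
            severity, reason = 'high', f'user {user} on {host} may log in as any local non-root user'
        else:
            severity, reason = 'info', f'host {host} trusted for same-named users'
        findings.append({'line': lineno, 'entry': line, 'severity': severity, 'reason': reason})
    return findings


if __name__ == '__main__':
    for f in audit_hosts_equiv(SAMPLE_HOSTS_EQUIV):
        print(f"line {f['line']:>3} [{f['severity']}] {f['entry']!r}: {f['reason']}")
```

Anything rated critical should simply be removed; the lone `+` in particular means the machine trusts every host whose packets reach it, which is the case the page is warning about.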
Page created by Stephen Northcutt