Tools of the Trade
The "tools of the trade" are the means a cracker or hacker might use to penetrate your network. Some of the tools covered in this chapter are programs, and some are techniques.
Reconnaissance
When most people hear the word reconnaissance, they think of spies and the espionage world. Although that community does indeed use reconnaissance, so does the cracker community. What is reconnaissance, and why do crackers use it? Reconnaissance is the process of gathering information about a specific target or targets. When a good burglar decides to rob a house, he first scopes out the area to see how often neighbors, police, and other traffic pass through. This tells the burglar what time of day he can strike. The same basic philosophy holds true for a cracker who wants to attack a network or Web site.
When a cracker decides she wants to attack a network,
there are many "recon" tools at her disposal. Let's look at a few
of them and see how they work.
Social Engineering
The first and probably the most underrated tool available
is social engineering. Social engineering
involves tricking, conning, or manipulating people
into providing information detrimental to a company, organization, or a
person. This type of information can be used to help plan, organize, or
execute an attack.
Note
Ira Winkler wrote an excellent book called Corporate Espionage. This book covers social
engineering along with many other tactics used in obtaining information. It
also talks about how to protect yourself against these types of attacks. It
was published by Prima Publishing (ISBN 0-7615-0840-6). For more on Ira,
you can go to http://www.thetrainingco.com/html/BioIraWinkler.html.
How does social engineering work? A good example is an attack through a help desk. Cracker A wants to attack ABC123 Inc., a computer software company. Cracker A wants to find out usernames, passwords, and maybe even some of the security measures ABC123 has in place. Cracker A begins by calling ABC123's main number and explaining to the secretary that he is new to the company, works off-site, and needs the help desk number in order to set up his account and password. The secretary provides him with the number. Cracker A then calls the help desk, explains the same situation to the person on the phone, and asks for a username, a password, and instructions on how he can get access to the network from the outside. Help Desk Worker B happily provides this information within seconds, not once questioning the request. (Why not? Most help desk operations I have seen stress customer service. "Remember: Never anger a customer.")
That simple scenario can provide the attacker with enough information to make an attack much easier to pull off without being detected. Other techniques related to social engineering are
· Dumpster Diving. A person goes through a dumpster or trash can looking for "trash" that contains information, such as IP addresses, old passwords, and quite possibly a map of the network. Although this technique is often a dirty one, it is very effective.
· Impersonation. A cracker pretends to be someone important and uses that authority to obtain the information he is looking for.
These social engineering techniques are effective, and there are many more that are beyond the scope of this book. Keep in mind that people still use these techniques, and they are a threat to your security and your company's security.
Port Scanners and Passive Operating System Identification
This section provides a technical overview of port scanners and sniffers, along with details regarding the art of passive operating system identification.
Port scanners are programs that check a computer's TCP/IP stack for ports that are in the LISTEN state. As you learned in the previous chapter, TCP/IP combines many protocols, enabling communication on the Internet. TCP and UDP each provide 65,536 port numbers, 0 through 65535. Ports 0 through 1023 are the "well known" ports and, on many systems, only users with root/admin privileges can bind to them. Ports 1024 through 49151 are called registered ports, and ports 49152 through 65535 are dynamic and/or private ports.
Find the PORT NUMBERS list online at http://www.isi.edu/in-notes/iana/assignments/port-numbers.
The Transmission Control Protocol is specified in RFC 793, which defines the behavior every TCP implementation (and every socket programmer relying on one) must follow. Among other things, it defines how a TCP must react to segments carrying the FIN, ACK, and SYN flags in each connection state. In order to understand port scanners and how they work, a person needs to understand RFC 793.
RFC 793 (http://www.ietf.org/rfc/rfc0793.txt?number=793) says the following about segments arriving at a port in the CLOSED or LISTEN state:
If the state is CLOSED (that is, Transmission Control Block does not exist) then all data in the incoming segment is discarded. An incoming segment containing a RESET (RST) is discarded. An incoming segment not containing a RST causes a RST to be sent in response. The acknowledgment and sequence field values are selected to make the reset sequence acceptable to the TCP that sent the offending segment.
If the state is LISTEN then first check for an RST. An incoming RST should be ignored. Second check for an ACK. Any acknowledgment is bad if it arrives on a connection still in the LISTEN state. An acceptable reset segment should be formed for any arriving ACK-bearing segment. Third check for a SYN. If the SYN bit is set, check the security. If the security/compartment on the incoming segment does not exactly match the security/compartment in the TCB then send a reset and return.
What this tells us is how listening and closed ports respond to certain TCP flags: a closed port answers almost anything with a RST, while a listening port answers a SYN with SYN|ACK, answers a stray ACK with a RST, and silently drops a segment that carries neither SYN nor ACK. Knowing this, programmers can write programs that send such segments and sort ports into open and closed from the replies. These programs are port scanners.
Let's look at some "famous" port scanners and see what they can and cannot do.
To find out more information on TCP/IP, see the RFCs online at http://www.ietf.org/rfc/rfc0793.txt?number=793 (TCP) and http://www.ietf.org/rfc/rfc0791.txt?number=791 (IP).
For some great information on TCP/IP fingerprinting, see http://www.insecure.org/nmap/nmap-fingerprinting-article.html.
NMAP
NMAP is probably the most popular port scanner being used and actively developed today. The brainchild of Fyodor (http://www.insecure.org), NMAP has grown through the active participation of the open source community. NMAP gives the user many scanning options. Listing 5.1 shows the output of nmap -h, which is a great starting point. If you need more details on nmap, see the man page (available online at http://www.insecure.org/nmap/nmap_manpage.html).
Listing 5.1 nmap -h Results
Nmap V. 2.54BETA7 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
  -sT TCP connect() port scan (default)
* -sS TCP SYN stealth port scan (best all-around TCP scan)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required; most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p <range> ports to scan.  Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended.  Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
  -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
Listing 5.1 shows us how easy NMAP is to configure and what options are available for scanning. Let's take a look at a few switches, discuss what they do, and see how they can be used in reconnaissance.
The -sT switch is probably the loudest switch we will cover (not as stealthy as the others). This switch tells NMAP to use the operating system's connect() call, which completes the full three-way handshake with the targeted computer. Because a connection is actually established, the listening service (and any logging it does) sees the scanner's address. This type of scan is easy to detect and probably won't be used if an attacker is serious about performing quiet reconnaissance on a computer system. Its one advantage is that it needs no special privileges.
Note
In the summer of 2000, a group of SANS analysts put
together a book about intrusion detection signatures, called Intrusion Signatures and Analysis. Published by
New Riders (ISBN 0-7357-1063-5), this book is a great reference for anyone
who wants to dig deeper into intrusion detection and attack signatures.
The -sF switch sends FIN packets to the targeted computer. How does this work? When a computer receives a bare FIN (no SYN, no ACK), RFC 793 gives it a few options in how to react:
· If the port is in the LISTEN state, the computer will not reply.
· If the port is in the CLOSED state, the computer will respond with a RESET.
· If the FIN belongs to an established connection, the computer will begin closing that connection. (Hint: We don't care about this option right now.)
The computer's response, or lack of one, tells NMAP which ports are open when using the -sF switch: a RST means closed, silence means open (or that a filter dropped the probe). One caveat a practitioner should know: not every TCP stack follows RFC 793 here. Microsoft Windows, among others, answers a FIN to an open port with a RST as well, so a FIN scan against such a host reports every port closed. Listing 5.2 shows us the results of an -sF scan from a user standpoint.
Listing 5.2 nmap -sF User Results
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.1.3):
(The 4000 ports scanned but not shown here are in state: closed)
Port       State       Service
47017/tcp  open        unknown

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=3980866 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.16

Nmap run completed -- 1 IP address (1 host up) scanned in 5 seconds
This scan ran against a Linux machine that had the t0rn rootkit (port 47017 is a dead giveaway) running, and this is what the scan looked like on the wire:
20:00:48.813047 > 192.168.1.5.47257 > 192.168.1.1.473: F 0:0(0) win 1024 (ttl 48, id 31728)
                 4500 0028 7bf0 0000 3006 8b89 c0a8 0105
                 c0a8 0101 b899 01d9 0000 0000 0000 0000
                 5001 0400 6e1a 0000
20:00:48.813153 > 192.168.1.5.47257 > 192.168.1.1.663: F 0:0(0) win 1024 (ttl 48, id 56669)
                 4500 0028 dd5d 0000 3006 2a1c c0a8 0105
                 c0a8 0101 b899 0297 0000 0000 0000 0000
                 5001 0400 6d5c 0000
20:00:48.813188 > 192.168.1.5.47257 > 192.168.1.1.1458: F 0:0(0) win 1024 (ttl 48, id 23854)
                 4500 0028 5d2e 0000 3006 aa4b c0a8 0105
                 c0a8 0101 b899 05b2 0000 0000 0000 0000
                 5001 0400 6a41 0000
If a person were running a sniffer, this is the traffic they would see: bare FIN segments with sequence number 0, no ACK, and a window of 1024, walking through the destination ports from a fixed source port. What you don't see here are the resets being sent back by the closed ports being scanned. This technique is used by many crackers to perform reconnaissance against their target(s). This scan is much harder to detect than the -sT switch covered earlier, because no connection is ever completed and nothing reaches the application layer; only a packet-level sniffer or IDS sees it.
The -sS switch uses SYN packets to determine whether a port or group of ports is open. This scan is commonly referred to as the half-open scan. Why? NMAP sends a SYN packet to a port. If the port is open, the target responds with a SYN|ACK; if it is closed, the target responds with a RST. When NMAP receives the SYN|ACK, instead of completing the handshake with an ACK it answers with a RST, tearing the embryonic connection down. The three-way handshake is never completed, so the listening application never sees a connection and, in theory, nothing gets logged. Many crackers use this scanning technique for exactly that reason. In today's world, though, many firewalls and IDSs do log these half-open attempts.
The final switch covered is the -sX switch, NMAP's "Xmas tree" packet, in which NMAP sets the FIN, URG, and PUSH flags. This is not a flag combination a normal TCP stack ever generates on its own: FIN and URG appear in legitimate traffic only together with ACK, never with PUSH and no ACK. The reason for using it is simple. Because the segment carries neither SYN nor ACK, it is handled by the same RFC 793 rule as the FIN scan (a RST from closed ports, silence from open ports), yet it can slip past stateless packet filters that only watch for SYNs and past intrusion detection systems that have no signature for the odd combination. The same caveat as the FIN scan applies: a stack that sends a RST from open ports (Windows, for example) makes every port look closed.
How does this relate to reconnaissance? NMAP is a great
tool in performing reconnaissance. With all the switches and options
available, it is difficult for a firewall administrator or IDS analyst to
positively identify all the possible scans available
with NMAP.
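The scan types above differ only in which flags the probe carries and in how RFC 793 says the target must answer. The following is an added example, not nmap's code: a connect() scanner that does what -sT does, written against the standard Python socket API, plus a small function that turns a target's reply to a SYN, FIN, Xmas, or Null probe into the port states a raw-socket scanner would report, using the RFC 793 rules quoted earlier. The demo_localhost_scan helper and the loopback listener it creates are constructed for this example so it runs without touching any real target.

```python
# Added example (not nmap's code): a connect() scan like -sT, and the RFC 793
# reply logic behind -sS, -sF, -sX and -sN. Python 3 standard library only.
import socket


def connect_scan(host, ports, timeout=0.5):
    """Equivalent of nmap -sT: a full three-way handshake per port.
    Returns {port: 'open' | 'closed' | 'filtered'}. Needs no privileges, but
    every open port sees a completed connection that the service can log."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = 'open'           # SYN -> SYN|ACK -> ACK completed
        except ConnectionRefusedError:
            results[port] = 'closed'         # closed port answered with RST
        except OSError:
            results[port] = 'filtered'       # no answer: dropped by a filter
        finally:
            s.close()
    return results


def classify_reply(scan, reply_flags):
    """Interpret one probe's reply the way a raw-socket scanner (-sS, -sF, -sX,
    -sN) must, using the RFC 793 CLOSED/LISTEN rules quoted in the text.
    reply_flags is a set like {'SYN', 'ACK'} or {'RST'}, or None for silence."""
    if reply_flags is not None and 'RST' in reply_flags:
        return 'closed'            # CLOSED: anything without RST draws a RST
    if scan == 'syn':
        if reply_flags is not None and {'SYN', 'ACK'} <= reply_flags:
            return 'open'          # LISTEN answered the SYN; scanner now sends RST
        return 'filtered'          # a live SYN always gets SYN|ACK or RST
    if scan in ('fin', 'xmas', 'null'):
        # LISTEN drops a segment with neither SYN nor ACK, so silence is
        # ambiguous: open, or a firewall ate the probe. Caveat: stacks that
        # RST every port (Windows, for one) make all ports look 'closed' here.
        return 'open|filtered' if reply_flags is None else 'unexpected'
    raise ValueError('unknown scan type %r' % scan)


def demo_localhost_scan():
    """Constructed demo: open a throwaway listener on 127.0.0.1, scan the
    ports around it, then accept what landed in the backlog to show which
    peers the 'service' can see. Returns (listening_port, results, peers)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(('127.0.0.1', 0))                 # kernel picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]
    results = connect_scan('127.0.0.1', range(port - 2, port + 3))
    # The kernel completed the handshake into the accept queue even though
    # the scanner already hung up; that is why -sT is trivially loggable.
    srv.setblocking(False)
    peers = []
    while True:
        try:
            conn, addr = srv.accept()
        except BlockingIOError:
            break
        peers.append(addr[0])
        conn.close()
    srv.close()
    return port, results, peers


if __name__ == '__main__':
    port, results, peers = demo_localhost_scan()
    for p in sorted(results):
        print('%5d/tcp  %s' % (p, results[p]))
    print('listener on %d saw connections from %s' % (port, peers))
```

Run it as a script and the port the demo opened comes back open while its neighbors come back closed (RST to our SYN); the listener then reports the scanner's address, which is exactly the evidence a SYN, FIN or Xmas scan never leaves at the application layer.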
Dying for more information on NMAP? See
the following URL: http://www.insecure.org.
HPING2
Another great port scanner used today for reconnaissance is HPING2. This is probably one of my favorite tools to have because it is very configurable. Table 5.1 shows us many of the options available with HPING2.
Information on HPING2 can be found at http://www.kyuzz.org/antirez/hping2.html.
Table 5.1. HPING2 Options

Usage: hping host [options]

Options
  -h  --help          Show this help
  -v  --version       Show version
  -c  --count         Packet count
  -i  --interval      Wait (uX for X microseconds, for example, -i u1000)
  -n  --numeric       Numeric output
  -q  --quiet         Quiet
  -I  --interface     Interface name (otherwise, default routing interface)
  -V  --verbose       Verbose mode
  -D  --debug         Debugging info
  -z  --bind          Bind Ctrl+Z to ttl (default to dst port)
  -Z  --unbind        Unbind Ctrl+Z

Modes
      (default)       Default mode: TCP
  -0  --rawip         RAW IP mode
  -1  --icmp          ICMP mode
  -2  --udp           UDP mode
  -9  --listen        Listen mode

IP
  -a  --spoof         Spoof source address
  -t  --ttl           ttl (default 64)
  -N  --id            id (default random)
  -W  --winid         Use win* id byte ordering
  -r  --rel           Relativize id field (to estimate host traffic)
  -f  --frag          Split packets into more fragments (can pass weak acl)
  -x  --morefrag      Set more fragments flag
  -y  --dontfrag      Set dont fragment flag
  -g  --fragoff       Set the fragment offset
  -m  --mtu           Set virtual mtu; implies --frag if packet size > mtu
  -o  --tos           Type of service (default 0x00); try --tos help
  -G  --rroute        Includes RECORD_ROUTE option and displays the route buffer
  -H  --ipproto       Set the IP protocol field, only in RAW IP mode

ICMP
  -C  --icmptype      ICMP type (default echo request); try --icmptype help
  -K  --icmpcode      ICMP code (default 0)
      --icmp-help     Display help for other ICMP options

UDP/TCP
  -s  --baseport      Base source port (default random)
  -p  --destport      [+][+]<port> destination port (default 0); Ctrl+Z inc/dec
  -k  --keep          Keep still source port
  -w  --win           winsize (default 64)
  -O  --tcpoff        Set fake TCP data offset (instead of tcphdrlen/4)
  -Q  --seqnum        Show only TCP sequence number
  -b  --badcksum      Send packets with a bad IP checksum
  -M  --setseq        Set TCP sequence number
  -L  --setack        Set TCP ack
  -F  --fin           Set FIN flag
  -S  --syn           Set SYN flag
  -R  --rst           Set RST flag
  -P  --push          Set PUSH flag
  -A  --ack           Set ACK flag
  -U  --urg           Set URG flag
  -X  --xmas          Set X unused flag (0x40)
  -Y  --ymas          Set Y unused flag (0x80)
      --tcpexitcode   Use last tcp->th_flags as exit code

TS
  -d  --data          Data size (default is 0)
  -E  --file          Data from file
  -e  --sign          Add 'signature'
  -j  --dump          Dump packets in hex
  -J  --print         Dump printable characters
  -B  --safe          Enable "safe" protocol
  -u  --end           Tell you when --file reached EOF and prevent rewind
  -T  --traceroute    Traceroute mode (implies --bind)
You can see from the help file how configurable HPING2 really is. A cracker can set almost any field in the IP and TCP headers by hand: TTL, IP ID, fragmentation, TOS, source address, source and destination ports, sequence and acknowledgment numbers, window size, and any combination of flags. This enables a cracker to get really creative with her scanning techniques when performing reconnaissance. The tool also lets the cracker put arbitrary data into the packet payload (-d, -E, -e), which means she could carry malicious code of any kind (a buffer overflow string, a Trojan, and so on) in a packet and use it to penetrate networks. If you don't have HPING2, I recommend downloading it and giving it a test drive.
There are many more great port scanners out there than what we have covered here. Port scanners provide the cracker with a tool that "knocks" on the doors of computer networks. This also gives the cracker an idea of what operating system and services the targeted network is running. With this type of information, the cracker can then turn to her favorite exploit toolkit and proceed to penetrate the targeted network. These tools can and should be used by the computer professional to evaluate systems. By using these tools, a systems administrator can identify exposed services and vulnerabilities before an attacker does.
Passive Operating System Identification (Fingerprinting)
Passive OS fingerprinting is a technique that is gaining popularity in both the cracker world and the security world. Passive OS fingerprinting allows a person to identify an operating system by analyzing the characteristics of the packets its TCP/IP stack sends on its own: initial TTL, window size, the Don't Fragment bit, which TCP options it uses and the order they appear in, and so on. This technique is as stealthy as it gets because all you need is a packet sniffer and some time. An attacker using a sniffer does not have to worry about sending strange packets to determine what OS he is up against.
Almost all operating systems have default settings, including settings for TCP/IP. An example of this is Linux. If you look at /proc/sys/net/ipv4 in Listing 5.3, you'll find a wide range of settings holding the defaults the system uses in its daily tasks. Listing 5.3 shows the TCP/IP parameters in Linux.
Listing 5.3 /proc/sys/net/ipv4
conf                                 ip_forward              tcp_max_syn_backlog
icmp_destunreach_rate                ip_local_port_range     tcp_retrans_collapse
icmp_echo_ignore_all                 ip_masq_debug           tcp_retries1
icmp_echo_ignore_broadcasts          ip_no_pmtu_disc         tcp_retries2
icmp_echoreply_rate                  ipfrag_high_thresh      tcp_rfc1337
icmp_ignore_bogus_error_responses    ipfrag_low_thresh       tcp_sack
icmp_paramprob_rate                  ipfrag_time             tcp_stdurg
icmp_timeexceed_rate                 neigh                   tcp_syn_retries
igmp_max_memberships                 route                   tcp_syncookies
ip_always_defrag                     tcp_fin_timeout         tcp_timestamps
ip_autoconfig                        tcp_keepalive_probes    tcp_window_scaling
ip_default_ttl                       tcp_keepalive_time
ip_dynaddr                           tcp_max_ka_probes
Let's look at a few of these parameters and determine what they do and how they affect the operating system.
· ip_default_ttl: This parameter holds the default time-to-live value placed in outgoing packets; on Linux it is 64. It can be changed on a Linux box, as root, with echo 128 > /proc/sys/net/ipv4/ip_default_ttl, after which the box's packets carry the same initial TTL as a Windows machine.
· ip_forward: Although this parameter does not directly affect passive OS fingerprinting, it does have a big effect on OS security. By default, ip_forward is set to 0, which disables IP forwarding. Setting it to 1 enables IP forwarding and turns the box into a router.
· ip_local_port_range: This parameter identifies the range of ephemeral source ports Linux will use for outgoing connections. Normally, this is set to 1024 through 4999. This is good information to know if you are attempting to determine whether a packet is good or bad.
· tcp_sack: This parameter tells the operating system whether to offer and use TCP Selective Acknowledgment (RFC 2018; RFC 2883 extends it). By default (Linux), this is set to 1 (SACK is supported), which puts the sackOK option in every SYN the box sends.
· tcp_timestamps: This parameter tells the operating system whether to use the TCP timestamp option (RFC 1323). By default (Linux), this is set to 1.
· tcp_window_scaling: This parameter tells the operating system whether to use the TCP window scale option (also RFC 1323), which allows receive windows larger than 64 KB on fast, high-latency links. By default (Linux), this is set to 1.
Only a handful of the parameters in Listing 5.3 (the TTL and TCP option settings discussed above) change what a passive fingerprinter sees. Although we have only covered Linux default settings so far, every OS has its own set of default settings. A good example is the Windows platform; Windows 98, NT, and 2000 all use a default TTL of 128.
There is, however, a whole world of fingerprinting based on ICMP as well. To check this out, go to http://www.sys-security.com.
Let's look at a few other operating systems and their default TCP/IP settings:
· Microsoft (98, NT)
  Packet size (just headers) = 44 bytes (default): 20-byte IP header, 20-byte TCP header, 4-byte MSS option
  SYN or SYN|ACK packets = Sets the Don't Fragment (DF) flag and the Maximum Segment Size (MSS) option
  TTL = 128
· Microsoft (2000)
  Packet size (just headers) = 48 bytes (default): 20 + 20 + 4-byte MSS + two 1-byte NOPs + 2-byte sackOK
  SYN or SYN|ACK packets = Sets the Don't Fragment (DF) flag, the Maximum Segment Size (MSS) option, two (2) NOPs, and the Selective Acknowledgment (sackOK) option
  TTL = 128
· Linux (Red Hat 6.2)
  Packet size (just headers) = 60 bytes (default): 20 + 20 + 4-byte MSS + 2-byte sackOK + 10-byte timestamp + 1-byte NOP + 3-byte window scale
  SYN or SYN|ACK packets = Sets the Don't Fragment (DF) flag, the Maximum Segment Size (MSS) option, sackOK, Timestamp, a NOP, and Window Scaling (wscale). These hold true for the initial SYN. In a SYN|ACK, Linux only echoes the options that the computer making the initial SYN offered, so the reply's shape depends on the peer.
  TTL = 64; on a RESET packet the TTL is 255
Knowing this, you can identify operating systems by
looking at network traffic. One thing to keep in mind is that, if a
sys-admin or cracker changes any of the parameters, it will throw off your
analysis. Therefore, passive OS fingerprinting is not 100% accurate, but,
then again, nothing is. Listing 5.4 shows two
packets and will help us identify an OS, using passive fingerprinting.
Listing 5.4 Identifying Operating Systems
15:59:52.533502 > my_isp.net.1100 > 134.11.235.232.www: S 325233392:325233392(0) win 32120 <mss 1460,sackOK,timestamp 88950 0,nop,wscale 0> (DF) (ttl 64, id 505)
                 4500 003c 01f9 4000 4006 0522 xxxx xxxx
                 860b ebe8 044c 0050 1362 aaf0 0000 0000
                 a002 7d78 7887 0000 0204 05b4 0402 080a
                 0001 5b76 0000 0000 0103 0300
16:00:14.188756 > my_isp.net.1105 > 134.11.235.232.www: R 346737591:346737591(0) win 0 (ttl 255, id 544)
                 4500 0028 0220 0000 ff06 860e xxxx xxxx
                 860b ebe8 0451 0050 14aa cbb7 0000 0000
                 5004 0000 973c 0000
In Listing 5.4, you see two packets. The first is a SYN packet, and the second is a RST packet. Looking at the SYN packet, notice some important indicators:
· The SYN has a TTL of 64.
· The SYN sets the mss, sackOK, timestamp, nop, and wscale options, in that order, and the DF flag. Also, pay close attention to the total length field in the IP header (3c = 60 bytes).
· Look at the source port as well. Port 1100 falls within the default source port range of 1024 through 4999.
These indicators point to LINUX. That's right, the traffic we were looking at in Listing 5.4 is coming from a Linux machine. Let's take a brief look at the RST packet. First, look at the TTL (255). When Red Hat Linux sends a RST, it uses a TTL of 255, whereas, when it is trying to establish a connection, it uses a TTL of 64. Another characteristic of Linux RST packets is their size. Normally, a Red Hat SYN is 60 bytes in length; a RST carries no TCP options, so the packet is only 40 bytes (0x28 in the length field).
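Both the scan traffic in Listing 5.2 and the two packets in Listing 5.4 are shown as raw hex, and everything this section reads off them (TTL, length, DF, flags, option order) sits in those bytes. The following is an added example, not code from the book or from any fingerprinting tool: a small IPv4/TCP header decoder, a check that flags the probe shapes nmap's -sF, -sX and -sN scans produce (the IDS analyst's view of Listing 5.2), and a passive_fingerprint function that encodes only the three default profiles and the Linux RST rule given above. The hex inputs are the page's own, except that the source address the page masks as xxxx has been replaced with 192.168.1.5 (so the IP checksums of those two packets no longer verify; the decoder does not check them), and the Windows 2000 SYN is constructed here to exercise the second profile.

```python
# Added example (not from the book, nmap or any fingerprinting tool): decode the
# hex dumps in Listings 5.2 and 5.4, spot stealth-scan probes, and apply the
# passive fingerprint rules given in the text. Python 3 standard library only.
import struct

TCP_FLAGS = {0x01: 'FIN', 0x02: 'SYN', 0x04: 'RST', 0x08: 'PSH', 0x10: 'ACK', 0x20: 'URG'}

# Listing 5.2, first FIN probe (nmap -sF), exactly as printed on the page.
FIN_PROBE = ('4500 0028 7bf0 0000 3006 8b89 c0a8 0105 c0a8 0101 b899 01d9 '
             '0000 0000 0000 0000 5001 0400 6e1a 0000')
# Listing 5.4, with the page's masked source (xxxx xxxx) replaced by c0a8 0105.
LINUX_SYN = ('4500 003c 01f9 4000 4006 0522 c0a8 0105 860b ebe8 044c 0050 '
             '1362 aaf0 0000 0000 a002 7d78 7887 0000 0204 05b4 0402 080a '
             '0001 5b76 0000 0000 0103 0300')
LINUX_RST = ('4500 0028 0220 0000 ff06 860e c0a8 0105 860b ebe8 0451 0050 '
             '14aa cbb7 0000 0000 5004 0000 973c 0000')
# Constructed Windows 2000-style SYN: 48 bytes, DF, TTL 128, mss/nop/nop/sackOK.
WIN2K_SYN = ('4500 0030 1234 4000 8006 0000 c0a8 0102 c0a8 0101 0401 0050 '
             '0000 0001 0000 0000 7002 4000 0000 0000 0204 05b4 0101 0402')


def parse_tcp_options(data):
    """Decode the TCP option list into tcpdump-style strings, in wire order."""
    opts, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                          # end of option list
            break
        if kind == 1:                          # NOP has no length byte
            opts.append('nop')
            i += 1
            continue
        length = data[i + 1]
        val = data[i + 2:i + length]
        if kind == 2:
            opts.append('mss %d' % struct.unpack('!H', val)[0])
        elif kind == 3:
            opts.append('wscale %d' % val[0])
        elif kind == 4:
            opts.append('sackOK')
        elif kind == 8:
            opts.append('timestamp %d %d' % struct.unpack('!II', val))
        else:
            opts.append('opt%d' % kind)
        i += length
    return opts


def parse_ipv4_tcp(hexdump):
    """Decode one IPv4+TCP packet given as hex text. Checksums are not verified."""
    raw = bytes.fromhex(''.join(hexdump.split()))
    (ver_ihl, _tos, total_len, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack('!BBHHHBBH4s4s', raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError('not an IPv4/TCP packet')
    ihl = (ver_ihl & 0x0f) * 4
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack('!HHIIHH', tcp[:16])
    doff = (off_flags >> 12) * 4               # TCP header length in bytes
    return {
        'len': total_len, 'id': ident, 'df': bool(frag & 0x4000), 'ttl': ttl,
        'src': '.'.join(map(str, src)), 'dst': '.'.join(map(str, dst)),
        'sport': sport, 'dport': dport, 'seq': seq, 'ack': ack, 'win': win,
        'flags': {name for bit, name in TCP_FLAGS.items() if off_flags & bit},
        'options': parse_tcp_options(tcp[20:doff]),
    }


def scan_probe_type(pkt):
    """Return the nmap scan a segment looks like, or None. A FIN with no ACK,
    FIN|PSH|URG, or no flags at all never occurs in a legitimate connection."""
    f = pkt['flags']
    if not f:
        return 'null-scan (-sN)'
    if f == {'FIN', 'PSH', 'URG'}:
        return 'xmas-scan (-sX)'
    if 'FIN' in f and 'ACK' not in f:
        return 'fin-scan (-sF)'
    return None


def passive_fingerprint(pkt):
    """Match a SYN/SYN|ACK or RST against the default profiles listed in the
    text. TTL is compared as 'at most the initial value' because every router
    hop decrements it. A changed sysctl (ip_default_ttl, tcp_sack, ...) breaks this."""
    f, ttl, n = pkt['flags'], pkt['ttl'], pkt['len']
    kinds = [o.split()[0] for o in pkt['options']]
    if f == {'RST'} and ttl > 128 and n == 40:
        return 'Linux (Red Hat 6.2): RST with TTL 255 and 40-byte packet'
    if 'SYN' not in f or not pkt['df']:
        return 'unknown'
    if ttl <= 64 and n == 60 and kinds == ['mss', 'sackOK', 'timestamp', 'nop', 'wscale']:
        return 'Linux (Red Hat 6.2): TTL 64, 60 bytes, mss/sackOK/timestamp/nop/wscale'
    if 64 < ttl <= 128 and n == 48 and kinds == ['mss', 'nop', 'nop', 'sackOK']:
        return 'Windows 2000: TTL 128, 48 bytes, mss/nop/nop/sackOK'
    if 64 < ttl <= 128 and n == 44 and kinds == ['mss']:
        return 'Windows 98/NT: TTL 128, 44 bytes, mss only'
    return 'unknown'


if __name__ == '__main__':
    for name, hexdump in [('FIN_PROBE', FIN_PROBE), ('LINUX_SYN', LINUX_SYN),
                          ('LINUX_RST', LINUX_RST), ('WIN2K_SYN', WIN2K_SYN)]:
        p = parse_ipv4_tcp(hexdump)
        print('%-9s ttl=%3d len=%2d df=%d flags=%-12s opts=%s' % (
            name, p['ttl'], p['len'], p['df'], ','.join(sorted(p['flags'])), p['options']))
        print('          probe: %s   os: %s' % (scan_probe_type(p), passive_fingerprint(p)))
```

The decoder reproduces the tcpdump summary lines on the page (ttl 48, win 1024, flag F for the probe; ttl 64, 60 bytes, mss 1460/sackOK/timestamp/nop/wscale 0 for the SYN; ttl 255 and 40 bytes for the RST), and the fingerprint rules are deliberately as narrow as the text: anything outside the three listed profiles comes back as unknown rather than as a guess.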
How do OS fingerprinting and the Linux details tie back into reconnaissance? If a cracker uses any of the previously mentioned techniques, he can obtain very valuable information about a computer network: a map of the network, IP addresses, which operating systems are in use, and an idea of their versions and patch levels. That is exactly the information needed to choose an exploit.
