Hacking for Fun and Profit(Or Know Thy Enemy!)
University of Sunderland
CIT304
Harry R. Erwin, PhD
What is Hacking?
• This discussion is based on Raymond and Steele, 1996, the New Hacker’s Dictionary, MIT Press, 3rd edition. Some material from the Qinetiq foundation course is also used.
• (n) a quick job that provides what is needed, but not well.
• (n) an incredibly good and perhaps very time-consuming, piece of work that produces exactly what is needed.
• (v) to interact with a computer in a playful and exploratory rather than goal-directed way.
What is a Hacker?
• Originally, someone who made furniture with an axe.
• One who enjoys programming or is good at programming quickly.
• A person capable of appreciating hack value.
• An expert at a particular program.
– Dr. Erwin used to hack TECO. http://scienceblogs.com/goodmath/2006/09/worlds_greatest_pathological_l_1.php http://www.pbm.com/~lindahl/real.programmers.html
• One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.
Hacker Humor
• Form versus content jokes
• Deadpan parodies of intellectual constructs
• Screwily precise reasoning from ludicrous premises
• Puns and wordplay
• Subversive humour that appears mindless
• Zen and Taoist ideas
Hack Mode
• “A zen-like state of total focus on The Problem.” This can be intense and habituating. Some of you may have seen me in hack mode, particularly in research discussions.
• Being yanked out of hack mode is often experienced as a physical shock.
• It is perfectly OK to hold up a hand to a visitor to avoid being interrupted while you’re holding a lot of delicate state in your head. The jargon term for that state is “juggling eggs”.
• I suspect hack mode is based on certain brain states.
Is Hacking Ethical?
• Hacking, like lock-picking or doing science, is neither ethical nor unethical in itself: it depends on what you’re doing with it.
• The malicious meddling and poking around in systems usually called ‘hacking’ is often termed ‘cracking’ instead.
• Cracking usually involves persistence and the dogged repetition of well-known tricks.
• Most crackers are mediocre hackers. (On the other hand, most spammers are good hackers.)
Some Terminology
• Hacker—someone who enjoys exploring computers.
• Samurai—a hacker who hires out for legal cracking jobs. See ronin.
• Cracker—a malicious meddler in computer systems. Also known as a dark-side hacker.
• Script kiddie—a cracker who relies on exploits developed by others. A loser with a room-temperature IQ.
• Warez d00dz—crackers who get illegal copies of copyrighted software. Usually a weenie or spod shunned by everyone.
TCP/IP Concepts (Now we get serious.)
• CONS
• CLNS
• How TCP/IP works
• Routing
• Boundary Mechanisms
• Connections
• Strengths and Weaknesses
CONS Protocol (Connection-Oriented Network Service)
• Like phone service
• Uses connections
– Established, remain up for a while, and are taken down.
– Carry messages consisting of numbered packets.
• Reliable, since each packet is numbered and acknowledged, so a lost or duplicated packet is noticed and resent.
• Overhead is significant.
CLNS Protocol (Connectionless Network Service)
• A datagram protocol: each packet is routed on its own, with no connection set up first.
• Unreliable
• Packets are sent out with no acknowledgement expected.
• Not as vulnerable, since the receiver can simply ignore them, but still can be subverted (nothing in the exchange checks that the source address is genuine, so datagrams are easy to spoof).
TCP/IP Protocol
• TCP provides a CONS-style service (connections) on top of IP.
• Packets are sent between ports.
• Port numbers 0-65535 (0 is reserved; on UNIX, binding ports 1-1023 requires root).
• IP addresses consist of dotted quads: four numbers, each between 0 and 255, separated by dots.
• Addresses are allocated statically or dynamically (DHCP).
• UDP and ICMP packets (also carried in IP) are CLNS.
TCP/IP Routing Logic
• Start with a packet created and sent.
• The local computer looks in its routing table for the most specific matching entry; a destination on a directly connected network is delivered locally.
• Since the packet is going somewhere else, it is sent to the default gateway (a router).
• The router checks its own routing tables and uses them to forward the packet.
• Packets are forwarded from router to router until they get to their destination, thus dealing with outages (and nuclear effects). The TTL field in each packet stops a misrouted packet looping forever.
• If the address is unreachable, ICMP packets (Destination Unreachable, or Time Exceeded when the TTL runs out) are used to report back to the sender.
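The lookup and forwarding steps above, as an added example in Python (not part of the original lecture). The routing tables and the three-node topology (a host, router R1 at 192.168.1.1, router R2 at 203.0.113.1) are constructed for illustration; `lookup` does the longest-prefix match a host or router performs, and `trace_path` walks a packet from node to node until it is delivered, a node has no route (ICMP Destination Unreachable), or the hop limit is exhausted (ICMP Time Exceeded, which is also what traceroute relies on).

```python
"""Longest-prefix routing lookup and hop-by-hop forwarding, modelled in Python."""
import ipaddress

# Constructed routing tables for a host and two routers (assumed topology,
# not taken from any real network). Each entry is (prefix, gateway, interface);
# gateway None means the destination network is directly connected.
TABLES = {
    "host": [
        ("192.168.1.0/24", None, "eth0"),          # the LAN
        ("0.0.0.0/0", "192.168.1.1", "eth0"),      # default gateway
    ],
    "192.168.1.1": [                                # router R1
        ("192.168.1.0/24", None, "eth0"),
        ("203.0.113.0/24", None, "eth1"),
        ("0.0.0.0/0", "203.0.113.1", "eth1"),
    ],
    "203.0.113.1": [                                # router R2, no default route
        ("203.0.113.0/24", None, "eth0"),
        ("198.51.100.0/24", None, "eth1"),
    ],
}


def lookup(dst, table):
    """Return (gateway, interface) for dst, or None if the table has no route.

    The most specific matching prefix wins, so the /24 for the local LAN beats
    the 0.0.0.0/0 default route for a local address."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, iface)
    return None if best is None else (best[1], best[2])


def trace_path(dst, tables, start="host", max_ttl=30):
    """Forward a packet node by node, the way traceroute would reveal it.

    Each node consults only its own table. Returns the list of nodes the
    packet visited and how the journey ended."""
    node, path = start, [start]
    for _ in range(max_ttl):                        # TTL bounds the number of hops
        route = lookup(dst, tables.get(node, []))
        if route is None:
            return path, "unreachable"              # node sends ICMP Destination Unreachable
        gateway, _iface = route
        if gateway is None:
            return path, "delivered"                # directly connected: deliver it
        path.append(gateway)
        node = gateway
    return path, "ttl exceeded"                     # ICMP Time Exceeded: a routing loop


if __name__ == "__main__":
    for dst in ("192.168.1.5", "198.51.100.7", "8.8.8.8"):
        print(dst, trace_path(dst, TABLES))
```

Run it and the three destinations show the three outcomes: a LAN address is delivered by the host itself, 198.51.100.7 travels host, R1, R2 and is delivered, and 8.8.8.8 dies at R2, which has no default route. Point R1 and R2 at each other and the same code reports "ttl exceeded", which is what a traceroute through a routing loop looks like.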
Boundary Mechanisms
• TCP ports (0-65535) may have services attached or be blocked.
• The more unblocked ports, the more services are reachable from outside, and the more vulnerabilities. This is bad.
• Boundary mechanisms should follow the golden rule:
– That which is not explicitly permitted is denied (default deny).
TCP/IP Connections
• Process consists of:
– Connection establishment (the three-way handshake: SYN, SYN/ACK, ACK)
– Data transfer
– Connection closure
– ACKs and sequence numbers manage this; anything not acknowledged in time is retransmitted.
• Creates a “virtual circuit”
• Resilient to interruption
• Lost packets are simply resent
• Allows routers (and firewalls) to determine whether packet traffic makes sense: a SYN opens a connection, while a SYN/ACK is only legitimate as the reply to one.
TCP/IP Strengths and Weaknesses
• Hard to spoof (to complete the handshake the initiator must see the sequence number in the server’s SYN/ACK)
• Reliable
• Resistant to denial of service by packet loss or corruption (though SYN floods, which exhaust half-open connection state, remain possible)
But
• Computationally expensive
• Not designed to be secure
• Firewalls need to be stateful to be strong.
Cracker Tactics
• Case the Joint.
• Break In
• Gain Root Access
• Exploit the Access
Casing the Joint
• Start with the open literature (see www.samspade.org and use dig)
• Door-knocking
• War-dialing
• Mapping the network
• O/S analysis
Mapping a Network
• Basic network analysis tool is ping
– Classic (ICMP echo) ping
– TCP ping (works if ICMP is blocked)
• Then traceroute to map the path to the target.
• ethereal (now called Wireshark) allows you to watch and stitch together the packets used in a connection.
• Then spot the clues (initial TTL, window size, TCP option ordering) that allow you to determine the operating system of the target.
• nmap (mapping tool; also does OS fingerprinting)
• tcpdump
Portscanning
• Classic ‘3-way’ portscanning: complete the full connect() handshake on each port, so the target sees (and can log) a connection.
• Stealth portscanning: send only a SYN and judge the port from the SYN/ACK or RST that comes back, never completing the handshake (nmap -sS), so no connection is logged.
• Some routers let SYN packets through if they are from source port 20, because a stateless filter has to admit active-mode FTP data connections and can only recognise them by that source port (nmap -g 20 sets it). This allows you to drill through a router and portscan behind it.
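The boundary and connection slides say a filter is only strong if it is stateful, and the last bullet above shows why: a stateless screening router can judge a packet only by its headers. This added Python example (not part of the original lecture) models both kinds of filter on a constructed rule set: a stateless one with the classic source-port-20 and “ACK means established” holes, and a stateful one that admits only SYNs matching policy and then only packets belonging to a connection it saw opened. The `scan` helper fires one probe per port at an assumed inside host (192.168.1.10) and reports which get through. Addresses, ports and rules are all assumptions for illustration.

```python
"""Stateless versus stateful packet filtering, modelled in Python."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


# Constructed rule set in the style of an old screening router (assumed, not a
# real configuration). It judges each inbound packet on its header alone:
#   1. allow a SYN to the public web server port,
#   2. allow anything from source port 20, so active-mode FTP data connections
#      opened by outside servers can reach inside clients,
#   3. allow anything with ACK set, on the theory that it must belong to an
#      already established connection,
#   4. deny the rest.
def stateless_allows_inbound(p):
    if p.dport == 80 and p.syn and not p.ack:
        return True
    if p.sport == 20:
        return True
    if p.ack:
        return True
    return False


class StatefulFilter:
    """Remembers which connections it has seen opened, and in which direction."""

    def __init__(self, inbound_services):
        self.inbound_services = set(inbound_services)
        self.conns = set()        # (initiator, iport, responder, rport)

    def allows(self, p, inbound):
        if p.syn and not p.ack:   # a connection attempt: policy decides
            if inbound and p.dport not in self.inbound_services:
                return False
            self.conns.add((p.src, p.sport, p.dst, p.dport))
            return True
        # Every other packet (SYN/ACK, ACK, data) must belong to a connection
        # the filter saw opened, in either direction. A bare ACK from nowhere
        # fails here, and a SYN from source port 20 already failed above.
        return ((p.src, p.sport, p.dst, p.dport) in self.conns
                or (p.dst, p.dport, p.src, p.sport) in self.conns)


def scan(allows, sport, syn=True, ack=False,
         src="198.51.100.9", target="192.168.1.10", ports=range(1, 1025)):
    """Ports whose probe packet gets past the filter to the target."""
    return [port for port in ports
            if allows(Packet(src, sport, target, port, syn=syn, ack=ack))]


if __name__ == "__main__":
    print("stateless, SYN from port 20:", len(scan(stateless_allows_inbound, 20)), "ports reachable")
    print("stateless, SYN from port 40000:", scan(stateless_allows_inbound, 40000))
    print("stateless, ACK scan:", len(scan(stateless_allows_inbound, 40000, syn=False, ack=True)), "ports reachable")
    sf = StatefulFilter(inbound_services=[80])
    print("stateful, SYN from port 20:", scan(lambda p: sf.allows(p, inbound=True), 20))
```

Against the stateless rules a SYN scan from source port 20 reaches all 1024 ports, and an ACK scan reaches them all as well; from any other source port only port 80 is reachable. The stateful filter lets the port-20 scan reach only port 80 and drops the ACK scan entirely, yet still passes the SYN/ACK coming back to a connection an inside host opened, which is the “does this traffic make sense” check from the connections slide.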
Breaking In
• Methods:
– By using a valid user ID/password combination. These can be stolen using a sniffer, or obtained by guessing a weak password for a known user ID.
– By triggering a buffer overflow or other crash in the service listening on an open port.
– Drilling in.
– Physical access
• We will start with a discussion of password security.
Attacking Password Security
• The typical local login approach is
– Provide a user ID (identification)
– Then provide a password (authentication)
• Remote logins are similar
– telnet, rlogin, rsh, ssh (terminal sessions)
– ftp, ncftp, sftp, rcp, scp (file transfer)
– Avoid telnet, ftp, ncftp, rlogin, rsh, and rcp. They transmit I&A (identification and authentication) data in the clear, so anyone with a sniffer on the path gets the password.
I&A Defense Considerations
• Passwords should not be stored in the clear. Store a one-way hash of the password and compare the hash of what the user types against that.
• Password files should not be accessible to users (keep the hashes in a shadow file readable only by root). Hackers can run ‘crack’ against them in a dictionary attack. Consider running ‘crack’ regularly against your own password file.
• UNIX provides a ‘salt’ field in the password file, unlike Windows. This is concatenated with the password before hashing (classically with a modified DES), so the same password hashes differently for every user and a dictionary of precomputed hashes has to be rebuilt for each salt, increasing the search space for ‘crack’.
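An added Python example (not part of the original lecture) of the salt argument. SHA-256 stands in for the DES-based crypt(3) the slide refers to; the wordlist and user accounts are constructed. `crack` is a dictionary attack that builds a table of hashed words once per distinct salt: with an unsalted store one table serves every user, while per-user salts make the cracker redo the work for each account (a 12-bit crypt salt multiplies it by up to 4096). A production system would use a deliberately slow password hash such as bcrypt or scrypt as well; that is an assumption beyond the slide.

```python
"""Salted one-way password storage and why the salt multiplies a cracker's work."""
import hashlib
import hmac
import os


def hash_password(password, salt):
    """One-way hash of salt + password (SHA-256 standing in for crypt's DES)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_entry(password, salt=None):
    """Password-file entry 'salthex$digest'. salt=b'' models an unsalted store."""
    if salt is None:
        salt = os.urandom(8)
    return salt.hex() + "$" + hash_password(password, salt)


def verify(password, entry):
    """Hash what the user typed with the stored salt; compare in constant time."""
    salt_hex, digest = entry.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), digest)


# Constructed wordlist; a real dictionary attack uses hundreds of thousands of words.
WORDLIST = ["password", "letmein", "sunderland", "qwerty", "dragon"]


def crack(entries, wordlist=WORDLIST):
    """Dictionary attack on a password file {user: entry}.

    A table of hashed words is built once per distinct salt. With no salt, one
    table cracks every user; with a salt per user, the work is repeated per user.
    Returns ({user: recovered password or None}, number of hashes computed)."""
    tables, results, hashes_computed = {}, {}, 0
    for user, entry in entries.items():
        salt_hex, digest = entry.split("$")
        if salt_hex not in tables:
            salt = bytes.fromhex(salt_hex)
            tables[salt_hex] = {hash_password(w, salt): w for w in wordlist}
            hashes_computed += len(wordlist)
        results[user] = tables[salt_hex].get(digest)
    return results, hashes_computed


if __name__ == "__main__":
    users = {"alice": "password", "bob": "dragon", "carol": "Tr0ub4dor&3"}
    unsalted = {u: make_entry(p, salt=b"") for u, p in users.items()}
    salted = {u: make_entry(p) for u, p in users.items()}
    print("unsalted:", crack(unsalted))   # two of three cracked, 5 hashes
    print("salted:  ", crack(salted))     # same two cracked, 15 hashes
```

The cracked set is identical in both runs, which is the point: salting does not protect a user whose password is in the dictionary, it only stops one precomputed table from breaking the whole file at once.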
Good Password Policies
• 6 or more characters
• Change every 30-60 days
• Passwords must be used for at least 2-7 days
• Previous passwords cannot be reused.
• Three or more different character types (upper case, lower case, numbers, symbols)
• Avoid weak passwords (names, addresses, phone numbers, SSNs, common dictionary words or phrases, and simple variations on the above).
An Approach to Choosing Stronger Passwords
(Suggested by Qinetiq.)
• Start with a phrase about a date.
• Use the initials, lower case and upper case alternating.
• Insert a special character somewhere.
• Remember September 11th, 2001! gives rS1101!
• My birthday is February 29th! gives mBiF29!
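The policy rules from the previous slide as a checker, an added Python example that is not part of the original lecture. The length and character-type rules are mechanical; the interesting part is “simple variations”, which the checker catches the way a cracker’s rule set would: it lowercases, strips digits and symbols from the ends, undoes common letter-for-digit substitutions and tries the reverse before looking the result up in a (constructed, tiny) dictionary. The two Qinetiq-style passwords above pass; “P@ssw0rd” and “drowssaP1!” do not.

```python
"""Password-policy checker for the rules on the slide."""
import re

# Constructed stand-in for a real dictionary, which would be far larger.
WEAK_WORDS = {"password", "sunderland", "september", "birthday", "letmein", "qwerty"}

# Substitutions a cracker undoes before a dictionary lookup.
LEET = str.maketrans("@0134$5", "aoleass")

CHARACTER_TYPES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def character_types(password):
    """How many of the four character types the password uses."""
    return sum(bool(re.search(pattern, password)) for pattern in CHARACTER_TYPES)


def dictionary_variant(password, words=WEAK_WORDS):
    """True if the password is a dictionary word or a simple variation on one:
    case changes, leet substitutions, digits or symbols tacked on either end,
    or the word reversed."""
    lower = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)
    candidates = {lower, stripped, stripped[::-1],
                  lower.translate(LEET), stripped.translate(LEET)}
    return any(c in words for c in candidates)


def check_policy(password, history=()):
    """Return the policy rules the password breaks (empty list means it passes)."""
    problems = []
    if len(password) < 6:
        problems.append("fewer than 6 characters")
    if character_types(password) < 3:
        problems.append("fewer than 3 character types")
    if dictionary_variant(password):
        problems.append("dictionary word or simple variation")
    if password in history:
        problems.append("previously used")
    return problems


if __name__ == "__main__":
    for pw in ("rS1101!", "mBiF29!", "P@ssw0rd", "Sunderland99", "drowssaP1!"):
        print(pw, check_policy(pw) or "OK")
```

The change-interval and minimum-age rules need a timestamp per account and are left to the password database; the `history` argument is enough to enforce “no reuse”.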
Token-based Security
• Rather than something you know (password), you provide something you own.
• The usual approach is that you provide an identifier (the first factor), and
• The system then sends you a challenge that you respond to (the second factor).
• The response is generated by a device that you keep in your possession.
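The exchange described above with both sides modelled, as an added Python example that is not part of the original lecture. The token holds a secret shared with the server at enrolment and answers a challenge with an HMAC over it (the keyed-hash construction is an assumption; real tokens vary). The server issues a fresh random challenge per login and forgets it once answered, so a response captured by a sniffer is useless: it cannot be replayed, and it reveals nothing about the secret.

```python
"""Challenge-response authentication with a possession token, both sides modelled."""
import hashlib
import hmac
import os


class Token:
    """The device the user keeps. It holds a secret it never reveals and only
    ever emits HMAC(secret, challenge)."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).hexdigest()


class AuthServer:
    def __init__(self):
        self.secrets = {}     # user id -> secret shared with that user's token
        self.pending = {}     # user id -> challenge issued and not yet answered

    def enroll(self, user):
        secret = os.urandom(32)
        self.secrets[user] = secret
        return secret         # loaded into the token out of band

    def challenge(self, user):
        """First factor: the identifier. Reply with a fresh random challenge."""
        if user not in self.secrets:
            raise KeyError("unknown user")
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, response):
        """Second factor: the response must be the HMAC over the outstanding challenge."""
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False      # nothing outstanding, so a replayed response is refused
        expected = hmac.new(self.secrets[user], nonce, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def login(server, user, token):
    """The exchange as the wire sees it: id, challenge, response, verdict.
    A sniffer sees the challenge and the response but cannot derive the secret."""
    challenge = server.challenge(user)
    return server.verify(user, token.respond(challenge))


if __name__ == "__main__":
    server = AuthServer()
    alice_token = Token(server.enroll("alice"))
    print("genuine token:", login(server, "alice", alice_token))
    print("impostor token:", login(server, "alice", Token(os.urandom(32))))
```

Compare this with a password: there the secret itself crosses the wire on every login, which is exactly what the sniffer on the previous slides was waiting for.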
Biometric Security
• The system identifies you by something you are:
– Fingerprint(s)
– Retina pattern
– Iris pattern
– Facial pattern
– Voice
• Demands good and expensive technology.
• And if the identifier is stolen, there’s no way of changing it.
Handling Special I&A Requirements (Example)
• FAA system administrators at an en-route control center work as a team, under the supervision of a NAS Operations Manager (NOM).
• Logging in would disrupt teamwork and delay response to emergencies.
• Hence I&A is handled procedurally, except at terminals away from the central operations area.
• In the central operations area, the team logs in using a team ID and password that is only good there. Elsewhere individual ID/PW are required.
I&A Conclusions
• Strong authentication is desirable.
• Costs are significant.
• Not really compatible with e-commerce.
• Vulnerable to social engineering and the general public availability of private data.
Buffer Overflow Attack
• An oversized input can crash the program listening on a port or smash its stack (overwrite the saved return address past the end of a fixed-size buffer).
• If the cracker controls what the overwritten return address points at, the packet payload can then be executed, (sometimes) giving the cracker access to the machine.
• A particular problem for the defense is that the cracker may be able to test his attack against a machine under his control until the offsets are right.
• Read the Multics paper.
Drilling In
• If the server seen by the outside world does not carefully validate all inputs, the cracker may be able to ‘drill in’, attacking machines beyond that server.
• For example, the body of an HTTP POST need not contain valid data. That can produce buffer overflows in the httpd, or just invalid inputs to whatever database server the httpd server uses.
• If a WWW page is built on the fly from a DBMS query and the user’s input is pasted into the SQL text, this allows a cracker to query the DBMS by SQL injection.
• There is a related way to hack SSL.
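The SQL injection bullet, as an added Python example (not part of the original lecture) using an in-memory SQLite database with a constructed users table. `login_vulnerable` builds the query by string formatting, so the POST fields become part of the SQL the DBMS runs; `login_safe` hands the DBMS the query shape and the data separately, so a quote or comment marker in the input is just a character. The injected strings are the two classic ones: a tautology that matches every row, and a comment marker that cuts the password check off the end of the query.

```python
"""SQL injection through a web form, and the parameterised query that stops it."""
import sqlite3


def setup():
    """Constructed sample database standing in for the DBMS behind the httpd."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2');
    """)
    return db


def login_vulnerable(db, name, password):
    """Pastes the POST fields straight into the SQL text, as a naive CGI script did.
    Whatever the cracker types becomes part of the query the DBMS executes."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in db.execute(sql)]


def login_safe(db, name, password):
    """Sends the query shape and the data separately. The DBMS never parses the
    user's input as SQL, so quotes and '--' in it cannot change the query."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]


if __name__ == "__main__":
    db = setup()
    print(login_vulnerable(db, "alice", "' OR '1'='1"))   # every user: password check defeated
    print(login_vulnerable(db, "bob' --", "anything"))      # bob: password clause commented out
    print(login_safe(db, "alice", "' OR '1'='1"))          # nobody
```

With the tautology the vulnerable query becomes `... WHERE name = 'alice' AND password = '' OR '1'='1'`, and AND binds tighter than OR, so the OR branch is true for every row. The same inputs against `login_safe` return nothing, because the DBMS is looking for a user literally named `bob' --`.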
Physical Access
• Start up with a CD or a boot floppy.
• Steal the hard drive.
• Install a password sniffer.
Gaining Root Access
• Root access allows you to become invisible (edit the logs and replace the tools that would reveal you).
– Guess the password
• crack
• john
• L0phtcrack
– Exploit known OS vulnerabilities
– Trojan horses
– Buffer overflows
Operating System Vulnerabilities
• Not all software is designed to the same standards.
• Some utilities ‘think’ they need root access.
• Third-party software that insists on being given root access is a particular vulnerability.
• Failure to use a chroot jail when appropriate.
• Various local exploits
My advice is to keep your patches up to date!
Windows Weaknesses
• Monoculture
• Security was not a major concern in its design
• Overfeatured, with far too many vulnerabilities
• Insecure by default.
• Windows user community is historically naïve about security.
Maintain a secure configuration and scan for viruses frequently. Use a personal firewall.
UNIX Weaknesses
• Insecure by default, but more secure than Windows.
• Originally UNIX was defined in opposition to Multics, a secure operating system.
• Many vendors involved, so patches can be slow.
• Other than Apple and OpenBSD, security has not been a major concern.
• On the other hand, most of the user community is security-aware, and Apple locks down MacOS X by default. OpenBSD is very secure.
Fewer viruses, but you should maintain a secure configuration and run a personal firewall.
Trojan Horses
• Users sometimes post software for others to use.
• Sometimes this software has ‘interesting’ side-effects.
• One might be the logging and reporting of user authentication exchanges.
• Another would be inserting a backdoor. Easter eggs are in this category. Read the Multics paper.
Spotting Trojans
• In UNIX, watch the PATH variable, especially when you’re running as root, since trojans play with it: a ‘.’ or empty entry, or a world-writable directory, lets a planted ‘ls’ run instead of /bin/ls.
• In UNIX, watch the setUID bit, especially on shells. List every setuid file with:
– find / -perm -4000 -type f -print
• More complex in NT
– Back Orifice 2000
– SubSeven
– SOAP/.NET
– PCAnywhere (legit)
– malware in general (use www.adaware.com)
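The two UNIX checks above as a script, an added Python example that is not part of the original lecture. `risky_path_entries` flags the PATH entries a trojan exploits (empty or relative entries, which make the shell search the current directory, and world-writable directories without the sticky bit), and `find_setuid` is the `find / -perm -4000 -type f -print` walk. So that the scan can be tried offline, `build_sample_tree` constructs a temporary directory holding one setuid file; on a real system you would point `find_setuid` at `/` and compare the list against the last run.

```python
"""Two checks a UNIX admin hunting trojans makes: risky PATH entries and setuid files."""
import os
import stat
import tempfile


def risky_path_entries(path_value, world_writable=None):
    """Entries of a PATH string that let a planted binary shadow a system one.

    Flags empty or relative entries (the current directory gets searched, so a
    trojan 'ls' dropped in /tmp runs when root cds there and types ls) and
    directories anyone can write to. world_writable may be replaced for tests."""
    if world_writable is None:
        def world_writable(d):
            try:
                mode = os.stat(d).st_mode
            except OSError:
                return False
            # The sticky bit (as on /tmp) stops other users replacing your files.
            return bool(mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX)
    risky = []
    for entry in path_value.split(":"):
        if entry == "" or not os.path.isabs(entry):
            risky.append((entry, "relative or empty: current directory searched"))
        elif world_writable(entry):
            risky.append((entry, "world-writable directory"))
    return risky


def has_setuid_bit(path):
    return bool(os.lstat(path).st_mode & stat.S_ISUID)


def find_setuid(root):
    """Python equivalent of: find ROOT -perm -4000 -type f -print"""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def build_sample_tree():
    """Constructed directory with one setuid file, so the scan can be tried offline.
    Returns (root, path of the setuid file)."""
    root = tempfile.mkdtemp(prefix="suidscan-")
    os.makedirs(os.path.join(root, "bin"))
    normal = os.path.join(root, "bin", "ls")
    suid = os.path.join(root, "bin", "sh")
    for p in (normal, suid):
        open(p, "w").close()
    os.chmod(normal, 0o755)
    os.chmod(suid, 0o4755)   # a setuid shell: exactly what the slide warns about
    return root, suid


if __name__ == "__main__":
    print("risky PATH entries:", risky_path_entries(os.environ.get("PATH", "")))
    root, _ = build_sample_tree()
    print("setuid files under", root, ":", find_setuid(root))
```

Keep the output of `find_setuid("/")` from a clean install and diff against it periodically; a new setuid shell or a setuid copy of a system binary in a user’s home directory is the classic sign that someone has already been root.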
Buffer Overflow
• “Sometimes quantity has a quality all its own.”
• This approach forces an entry by deliberately crashing parts of the operating system or middleware.
• Overwrite large parts of memory with executable code and then smash the stack.
Exploiting Root Access
• The cracker now owns the machine. His options include:
– Snooping
– Use the machine to launder attacks elsewhere.
– Use the machine to serve files (like illegal jpgs).
– Use the machine as a zombie in a distributed denial of service attack.
– Use the machine as a source for poisoned e-mail or spam. (Spammers are usually good hackers.)
Take-Home Message
• The more you know, the safer you are.
– You know what to expect and
– What to do about it.
– Sometimes you can turn the tables on the cracker.
• Keep your patches up-to-date,
• Scan for viruses, and
• Happy Hacking!