HOW TO CRACK, by +ORC, A TUTORIAL

---------------------------------------------------------------------------

Lesson A.1: Advanced Cracking: Internet Cracking (Unix)

---------------------------------------------------------------------------

-------------> INTERNET CRACKING: FIREWALLS

With each new company that connects to the "Information Superhighway", new frontiers are created for crackers to explore. Site administrators (Siteads) have implemented various security measures to protect their internal networks. One of these is xinetd, covered later. A more general solution is to construct a guarded gateway, called a [Firewall], that sits between a site's internal network and the wild and woolly Internet where we roam. In fact only one third of all Internet-connected machines are already behind firewalls. Most information services have to deal with the same problem we have: getting OUT through a local firewall or GETTING INTO a service through their firewall. There lies also the crack_solution.
------------> What is a Firewall?

The main purpose of a Firewall is to prevent unauthorized access between networks. Generally this means protecting a site's inner network from the Internet. If a site has a firewall, decisions have been made as to what is allowed and disallowed across the firewall. These decisions are always different and always incomplete; given the multiplicity of the Internet, there are always loopholes that a cracker can capitalize on.

A firewall basically works by examining the IP packets that travel between the server and the client. This provides a way to control the information flow for each service by IP address, by port and in each direction.

A firewall embodies a "stance". The stance of a firewall describes the trade-off between security and ease-of-use. A stance of the form "that which is not expressly permitted is prohibited" requires that each new service be enabled individually and is seldom used, 'coz very slow and annoying. Conversely, the stance "that which is not expressly prohibited is permitted" has traded a level of security for convenience. It will be useful to guess the stance of the firewall you are cracking when making probe decisions.

A firewall has some general responsibilities:
* First and foremost, if a particular action is not allowed by the policy of the site, the firewall must make sure that all attempts to perform the action will fail.
* The firewall should log suspicious events.
* The firewall should alert internal administration of all cracking attempts.
* Some firewalls provide usage statistics as well.

------------> Types of Firewall

In order to avoid head-scratching, it's a good idea to know the TOPOLOGY of "your" firewall -and its limitations- before attempting to get through it. Discussed below are two popular firewall topologies. Although other types exist, the two below represent the basic forms; most other firewalls employ the same concepts and thus have -luckily- the same limitations.

1) THE DUAL-HOMED GATEWAY

A dual-homed gateway is a firewall composed of a single system with at least two network interfaces. This system is normally configured such that packets are not directly routed from one network (the Internet) to the other (the internal net you want to crack). Machines on the Internet can talk to the gateway, as can machines on the internal network, but direct traffic between nets is blocked.

In discussing firewalls, it's generally accepted that you should think of the inner network as a medieval castle. The "bastions" of a castle are the critical points where defence is concentrated. In a dual-homed gateway topology, the dual-homed host itself is called the [BASTION HOST].

The main disadvantage of a dual-homed gateway, from the viewpoints of the users of the network and us crackers alike, is the fact that it blocks direct IP traffic in both directions. Any programs running on the inner network that require a routed path to external machines will not function in this environment. The services on the internal network don't have a routed path to the clients outside. To resolve these difficulties, dual-homed gateways run programs called [PROXIES] to forward application packets between nets. A proxy controls the conversation between client and server processes in a firewalled environment. Rather than communicating directly, the client and the server both talk to the proxy, which is usually running on the bastion host itself. Normally the proxy is transparent to the users.

A proxy on the bastion host does not just allow free rein for certain services. Most proxy software can be configured to allow or deny forwarding based on source or destination addresses or ports. Proxies may also require authentication of the requester using encryption- or password-based systems.

The use of proxy software on the bastion host means that the firewall administrator has to provide replacements for the standard networking clients, a nightmare in heterogeneous environments (sites with many different operating system platforms: PC, Sun, IBM, DEC, HP...) and a great burden for administrator and users alike.
2) THE SCREENED HOST GATEWAY

A screened host gateway is a firewall consisting of at least one router and a bastion host with a single network interface. The router is typically configured to block (screen) all traffic to the internal net such that the bastion host is the only machine that can be reached from the outside. Unlike the dual-homed gateway, a screened host gateway does not necessarily force all traffic through the bastion host; through configuration of the screening router, it's possible to open "holes" in the firewall to the other machines on the internal net you want to get into.

The bastion host in a screened host firewall is protected from the outside net by the screening router. The router is generally configured to only allow traffic FROM SPECIFIC PORTS on the bastion host. Further, it may allow that traffic only FROM SPECIFIC EXTERNAL HOSTS. For example the router may allow Usenet news traffic to reach the bastion host ONLY if the traffic originated from the site's news provider. This filtering can be easily cracked: it is relying on the IP address of a remote machine, which can be forged.

Most sites configure their router such that any connection (or a set of allowed connections) initiated from the inside net is allowed to pass. This is done by examining the SYN and ACK bits of TCP packets. The "start of connection" packet will have both bits set. If this packet's source address is internal... or seems to be internal :=) the packet is allowed to pass. This allows users on the internal net to communicate with the Internet without a proxy service.

As mentioned, this design also allows "holes" to be opened in the firewall for machines on the internal net. In this case you can crack not only the bastion host, but also the inner machine offering the service. Mostly this machine (or these machines) will be far less secure than the bastion host.

New services, for instance recent WEB services, contain a lot of back doors and bugs, which you'll find in the appropriate Usenet discussion groups, and which you could use at freedom to crack inner machines with firewall holes. Sendmail is a good example of how you could crack in this way; read the whole related history... very instructive. The rule of thumb is "big is good": the bigger the software package, the more chance that we can find some security related bugs... and all packages are huge nowadays, 'coz the lazy bunch of programmers uses overbloated, buggy and fatty languages like Visual Basic or Delphi!

Finally, remember that the logs are (mostly) not on the bastion host! Most administrators collect them on an internal machine not accessible from the Internet. An automated process scans the logs regularly and reports suspicious information.

3) OTHER FIREWALL TOPOLOGIES

The dual-homed gateway and the screened host are probably the most popular, but by no means the only firewall topologies. Other configurations include the simple screening router (no bastion host), the screened subnet (two screening routers and a bastion host) as well as many commercial vendor solutions.

------------> Which software should we study?

Three popular Unix software solutions allow clients inside a firewall to communicate with servers outside: the CERN Web server in proxy mode, SOCKS and the TIS Firewall Toolkit.

1) The CERN Web server handles not only HTTP but also the other protocols that Web clients use and makes the remote connections, passing the information back to the client transparently. X-based Mosaic can be configured for proxy mode simply by setting a few environment variables.

2) The SOCKS package (available free for anonymous ftp from ftp.nec.com in the file /pub/security/socks.cstc/socks.cstc.4.2.tar.gz) includes a proxy server that runs on the bastion host of a firewall. The package includes replacements for standard IP socket calls such as connect(), getsockname(), bind(), accept(), listen() and select(). In the package there is a library which can be used to SOCKSify your crack probes.

3) The Firewall Toolkit contains many useful tools for cracking firewalls and proxy servers. netacl can be used in inetd.conf to check incoming requests against an access table before spawning ftpd, httpd or other inetd-capable daemons. Mail will be stored in a chroot()ed area of the bastion for processing (mostly by sendmail). The Firewall Toolkit is available for free, in anonymous ftp from ftp.tis.com in the file /pub/firewalls/toolkit/fwtk.tar.Z

The popular PC firewall solution is the "PC Socks Pack", for MS-Windows, available from ftp.nec.com. It includes a winsock.dll file.
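The SOCKS proxy mentioned under 2) negotiates every relayed connection with a short binary request and reply. The following Python is an added example, not code from this tutorial or from the SOCKS package: it shows the SOCKS4 CONNECT framing from both the client and the proxy side, together with the kind of policy a bastion-host proxy applies before it forwards anything (which users may relay, which destination ports, and a refusal to relay back into the inner net). The network 10.0.0.0/8, the user names and the allowed ports are constructed for the example.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

SOCKS_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90      # "request granted"
REPLY_REJECTED = 91     # "request rejected or failed"

# Constructed proxy policy (assumption for this example, not from the SOCKS package).
INNER_NET = IPv4Network("10.0.0.0/8")   # the net the bastion host protects
ALLOWED_USERS = {"alice", "bob"}
ALLOWED_PORTS = {21, 80, 443}


def build_connect_request(host: str, port: int, userid: str) -> bytes:
    """Client side: VN=4, CD=1, DSTPORT (2 bytes), DSTIP (4 bytes), USERID, NUL."""
    header = struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, IPv4Address(host).packed)
    return header + userid.encode("ascii") + b"\x00"


def parse_request(data: bytes) -> tuple[int, str, int, str]:
    """Proxy side: return (command, destination ip, destination port, userid)."""
    if len(data) < 9 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS4 request")
    _vn, cd, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    nul = data.find(b"\x00", 8)
    if nul == -1:
        raise ValueError("USERID is not NUL-terminated")
    return cd, str(IPv4Address(raw_ip)), port, data[8:nul].decode("ascii")


def proxy_reply(request: bytes) -> bytes:
    """Proxy side: apply the policy and build the 8-byte reply (VN is 0 in replies)."""
    try:
        cd, host, port, user = parse_request(request)
    except ValueError:
        return struct.pack("!BBH4s", 0, REPLY_REJECTED, 0, b"\x00\x00\x00\x00")
    granted = (
        cd == CMD_CONNECT
        and user in ALLOWED_USERS                 # only known users may relay
        and IPv4Address(host) not in INNER_NET    # never relay back into the inner net
        and port in ALLOWED_PORTS                 # only published service ports
    )
    code = REPLY_GRANTED if granted else REPLY_REJECTED
    return struct.pack("!BBH4s", 0, code, port, IPv4Address(host).packed)


def reply_granted(reply: bytes) -> bool:
    """Client side: read the proxy's verdict from the reply."""
    _vn, cd, _port, _ip = struct.unpack("!BBH4s", reply[:8])
    return cd == REPLY_GRANTED


def exchange(host: str, port: int, userid: str) -> bool:
    """Run both sides of the handshake in-process and return whether it was granted."""
    return reply_granted(proxy_reply(build_connect_request(host, port, userid)))


if __name__ == "__main__":
    for host, port, user in [("198.51.100.7", 80, "alice"), ("10.0.0.5", 23, "alice"),
                             ("198.51.100.7", 80, "mallory")]:
        print(f"{user} -> {host}:{port}: {'granted' if exchange(host, port, user) else 'rejected'}")
```

The refusal to relay into INNER_NET is the part worth copying: a SOCKS proxy that will connect anywhere its own host can reach turns the bastion into a bridge across the firewall. SOCKS4 identifies the user only by the string the client sends, so the user check here is a convenience, not authentication.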

The cracking attempts should concentrate on ftpd, normally located on the bastion host. It's a huge application, necessary to allow anonymous ftp on and from the inner net, and full of bugs and back doors. Normally, on the bastion host, ftpd is located in a chroot()ed area and runs as a nonprivileged user. If the protection is run from an internal machine (as opposed to the bastion host), you could take advantage of the special inner-net privileges in hosts.equiv or .rhosts. If the internal machine "trusts" the server machine, you'll be in pretty easily.

Another good method, that really works, is to locate your PC physically somewhere along the route between network and archie server and "spoof" the firewall into believing that you are the archie server. You'll need the help of a fellow hacker for this, though.

Remember that if you gain supervisor privileges on a machine you can send packets from port 20, and that in a screened host environment, unless FTP is being used in proxy mode, the access filters often allow connections from any external host if the source port is 20 and the destination port is greater than 1023!
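The screening-router behaviour described in the screened host section (inside-initiated connections recognized by the TCP flag bits) and the source-port-20 exception just mentioned can both be modelled in a few lines. This Python is an added example and not part of the tutorial: it implements a default-deny filter with exactly those stateless rules, then a second version that keeps a table of the connections opened from the inside and admits outside traffic only as a reply to one of them, or as a new connection to a published service on the bastion host. The addresses, ports and sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses for the example (assumptions, not from the tutorial).
INTERNAL = ip_network("10.0.0.0/8")   # the inner net behind the screening router
BASTION = ip_address("10.0.0.1")      # the bastion host
PUBLISHED = {21, 25}                  # ftpd and sendmail are reachable on the bastion


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL


def stateless_filter(pkt: Packet) -> str:
    """Default-deny stance with the stateless rules the text describes."""
    if is_internal(pkt.src):
        return "allow"      # connections initiated from inside pass
    if pkt.ack:
        return "allow"      # any ACK-flagged segment is taken for a reply
    if pkt.sport == 20 and pkt.dport > 1023:
        return "allow"      # active-mode FTP data, keyed on the remote source port only
    if ip_address(pkt.dst) == BASTION and pkt.dport in PUBLISHED:
        return "allow"
    return "deny"


class StatefulFilter:
    """Same stance, but a reply must match a connection the inside actually opened."""

    def __init__(self) -> None:
        self.flows = set()  # (remote, rport, local, lport) of inside-initiated flows

    def evaluate(self, pkt: Packet) -> str:
        if is_internal(pkt.src):
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "allow"
        if pkt.syn and not pkt.ack:
            # A new connection from outside: only the published bastion services.
            ok = ip_address(pkt.dst) == BASTION and pkt.dport in PUBLISHED
            return "allow" if ok else "deny"
        # Anything else must answer a recorded flow; there is no source-port exception.
        return "allow" if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows else "deny"


def compare(packets: list) -> list:
    """Return (stateless, stateful) decisions for each packet, in order."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.evaluate(p)) for p in packets]


# Constructed traffic: an inside client opens a web connection and receives its
# reply; then two outside segments arrive that match no inside-initiated flow.
SAMPLE = [
    Packet("10.0.0.55", 40000, "198.51.100.7", 80, syn=True, ack=False),  # inside -> out
    Packet("198.51.100.7", 80, "10.0.0.55", 40000, syn=True, ack=True),   # genuine reply
    Packet("198.51.100.7", 20, "10.0.0.55", 2000, syn=True, ack=False),   # sport 20, dport > 1023
    Packet("198.51.100.7", 31337, "10.0.0.55", 23, syn=False, ack=True),  # stray ACK segment
]

if __name__ == "__main__":
    for pkt, (weak, strong) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={weak}  stateful={strong}")
```

Run over the sample traffic, the stateless version admits both the segment arriving from source port 20 and the stray ACK-flagged segment, because it can judge only the packet in front of it; the stateful version denies both. The price is that active-mode FTP data connections no longer pass on their own, which is what the FTP proxy mode the text mentions (or passive-mode FTP) is for.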
Remember that NCSA Mosaic uses several protocols, each on a different port, and that -if on the firewall no proxy Web server is operating- each protocol must be dealt with individually, which lazy administrators seldom do.

Be careful of TRAPS: networking clients like telnet and ftp are often viciously replaced with programs that APPEAR to execute like their namesake, but actually email an administrator. A fellow cracker was almost intercepted, once, by a command that simulated network delays and spat out random error messages in order to keep me interested long enough to catch me. Read the (fictional) horror story from Bill Cheswick: "An evening with Berferd in which a cracker is lured, endured and studied", available from ftp.research.att.com in /dist/internet_security/berferd.ps

As usual, all kinds of traps can be located and uncovered by correct zen-cracking: you must *FEEL* that some code (or that some software behaviour) is not "genuine". Hope you believe me and learn it before attempting this kind of cracks.

------------> How do I crack Firewalls?

Some suggestions have been given above, but teaching you how to crack firewalls would take at least six complete tutorial lessons for a relatively unimportant cracking sector, and you would almost surely get snatched immediately, 'coz you would believe you can crack it without knowing anything at all. So, for your sake, I'll teach you HOW TO LEARN IT, not HOW TO DO IT (quite a fascinating difference): first text, then the software above. For text, start with Marcus Ranum's paper "Thinking about Firewalls", available from ftp.tis.com in the file /pub/firewalls/firewalls.ps.Z and do an archie search for newer literature.

Join the firewall discussion list by sending a message to majordomo@greatcircle.com; you'll get a message with instructions. As usual, lurk only... never show yourself to the others.

You can find for free on the web quite a lot of early versions of proxy software. Study it, study it and then study it again. The cracking efforts on your copies, and your machines, before attempting anything serious, are MANDATORY if you do not want to be immediately busted on the Internet. When you feel ready to try serious cracking, you must OBLIGATORILY start with a small BBS which uses a firewall version you already studied very well (sysops are not firewall administrators, and many of them know nothing about the software they use). As soon as you gain access to the bastion host, remember to subvert entirely the firewall itself before entering the inner net.

If you feel ready and everything went well so far, if your zen-cracking abilities are working well... then take a moment for yourself... prepare yourself a good Martini-Wodka (you should only use Moskovskaia), take a deep breath and by all means go ahead! You will then be able to try your luck on the Cyberspace and get quickly busted (if you did not follow my admonitions and if you cannot zen-crack) or, maybe, fish quite a lot of jewels... :=)

-------------> INTERNET CRACKING: XINETD

[Xinetd], a freely available enhanced replacement for the internet service daemon inetd, allows just those particular users to have FTP or Telnet access, without opening up access to the world. Xinetd can only protect the system from intrusion by controlling INITIAL access to most system services and by logging activities so that you can detect break-in attempts. However, once a connection has been allowed to a service, xinetd is out of the picture. It cannot protect against a server program that has security problems internally. For example, the finger server had a bug several years ago that allowed a particularly clever person to overwrite part of its memory. This was used to gain access to many systems. Even placing finger under the control of xinetd wouldn't have helped.

Think of the secured firewall system as a fortress wall: each service that is enabled for incoming connections can be viewed as a door or window in the walls. Not all these doors have secure and reliable locks. The more openings are available, the more opportunities are open for us.
-------------> What xinetd does

Xinetd listens to all enabled service ports and permits only those incoming connection requests that meet authorization criteria:
- Accept connections from only certain IP addresses
- Accept connections only from authorized users
- Reject connections outside of authorized hours
- Log selected services when connections are accepted or rejected, capturing the following information:
  * Remote host address
  * User ID of remote user (in some cases)
  * Entry and exit time
  * Terminal type
- Support login, shell, exec and finger
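The decisions listed above can be written out as a small model. This Python is an added example, not xinetd's code and not its configuration file format: it applies per-service source-network, time-of-day and user restrictions to constructed connection attempts and produces one log record per attempt carrying the kind of information xinetd records (time, service, decision, remote host, user). The policies, addresses and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class ServicePolicy:
    """Constructed model of a per-service access policy (assumption, not xinetd syntax)."""
    name: str
    only_from: tuple                    # networks allowed to connect
    access_times: tuple                 # (start_hour, end_hour), end exclusive
    users: Optional[frozenset] = None   # None: no per-user restriction for this service


@dataclass(frozen=True)
class Attempt:
    service: str
    remote: str
    when: datetime
    user: Optional[str] = None


def decide(policy: ServicePolicy, attempt: Attempt) -> tuple:
    """Return ("accept" | "reject", reason) for one incoming connection request."""
    if not any(ip_address(attempt.remote) in net for net in policy.only_from):
        return "reject", "remote host not in only_from"
    start, end = policy.access_times
    if not start <= attempt.when.hour < end:
        return "reject", "outside access_times"
    if policy.users is not None and attempt.user not in policy.users:
        return "reject", "user not authorized"
    return "accept", "ok"


def log_line(attempt: Attempt, verdict: str, reason: str) -> str:
    """One record per request: time, service, decision, remote host, user."""
    stamp = attempt.when.strftime("%y/%m/%d@%H:%M:%S")
    user = attempt.user or "-"
    return f"{stamp}: {verdict.upper()}: {attempt.service} from={attempt.remote} user={user} ({reason})"


def run(policies: dict, attempts: list) -> list:
    """Evaluate every attempt; a service with no policy is not enabled at all."""
    out = []
    for a in attempts:
        policy = policies.get(a.service)
        if policy is None:
            out.append(log_line(a, "reject", "service not enabled"))
            continue
        verdict, reason = decide(policy, a)
        out.append(log_line(a, verdict, reason))
    return out


# Constructed policies: ftp for one inner network during office hours,
# telnet additionally restricted to one user; finger not enabled.
POLICIES = {
    "ftp": ServicePolicy("ftp", (ip_network("192.0.2.0/24"),), (8, 18)),
    "telnet": ServicePolicy("telnet", (ip_network("192.0.2.0/24"),), (8, 18), frozenset({"alice"})),
}

# Constructed connection attempts.
ATTEMPTS = [
    Attempt("ftp", "192.0.2.10", datetime(1996, 5, 2, 10, 15), "anonymous"),
    Attempt("ftp", "198.51.100.7", datetime(1996, 5, 2, 10, 16), "anonymous"),
    Attempt("telnet", "192.0.2.10", datetime(1996, 5, 2, 23, 5), "alice"),
    Attempt("telnet", "192.0.2.10", datetime(1996, 5, 2, 11, 0), "mallory"),
    Attempt("finger", "192.0.2.10", datetime(1996, 5, 2, 11, 1)),
]

if __name__ == "__main__":
    print("\n".join(run(POLICIES, ATTEMPTS)))
```

Note what the model shares with xinetd as the text describes it: every check happens before the service process is started, and nothing here inspects what the accepted connection does afterwards. The rejected attempts are logged with the same detail as the accepted ones, which is what makes the records useful for spotting a probe.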

-------------> SERVICES TO CRACK & UNWITTING INSIDE ACCOMPLICES

In this order the easy services: FTP, TELNET, LOGIN (rlogin), SHELL (rcmd), EXEC.
In this order the more difficult ones: MOUNT, TFTP, FINGER, NFS (Network File System), DNS (Domain Name Service).

Remember that sendmail (SMTP), by default, accepts a message from any incoming connection. The "sender" of such a message can appear to have originated anywhere, therefore your claim of identity will be accepted! Thus you can forge a message's originator. Most of the recipients inside the protected (firewalled) net will take your claim at face value and send you (to the "return address" you provide) all the sensitive information you need to crack the system. Finding unwitting inside accomplices is most of the time pretty easy.
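From the receiving side, the claim carried in MAIL FROM and in the From: header can at least be checked against where the connection actually comes from. This Python is an added example, not part of the tutorial or of sendmail: it keeps a constructed allow list of the relays authorized to originate mail for a protected domain (a local version of the idea the SPF standard later formalized), compares the connecting address against it, and flags a From: header that claims the protected domain while the envelope sender is somewhere else. The domain names, addresses and sample sessions are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed: relays permitted to originate mail for the protected domain
# (an assumption for this example; a real deployment publishes this in DNS via SPF).
AUTHORIZED_RELAYS = {
    "example.com": (ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")),
}

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(field: str):
    """Pull the domain out of a MAIL FROM argument or a From: header; None if absent."""
    m = ADDR_RE.search(field)
    return m.group(1).lower() if m else None


def classify(connecting_ip: str, mail_from: str, from_header: str) -> tuple:
    """Return (verdict, notes) where verdict is "pass", "fail" or "none" (no policy)."""
    notes = []
    env_dom = domain_of(mail_from)
    hdr_dom = domain_of(from_header)
    if env_dom is None:
        return "fail", ["empty or unparseable MAIL FROM"]
    if hdr_dom != env_dom:
        notes.append(f"header From domain {hdr_dom} differs from envelope domain {env_dom}")
        if hdr_dom in AUTHORIZED_RELAYS:
            # The visible header claims our domain but the envelope does not: the
            # case in which an inside recipient would take the claim at face value.
            return "fail", notes + ["header claims a protected domain the envelope does not"]
    relays = AUTHORIZED_RELAYS.get(env_dom)
    if relays is None:
        return "none", notes + ["no policy for sender domain; claim is unverified"]
    if any(ip_address(connecting_ip) in net for net in relays):
        return "pass", notes
    return "fail", notes + [f"{connecting_ip} is not an authorized relay for {env_dom}"]


# Constructed sessions: (connecting address, MAIL FROM command, From: header).
SESSIONS = [
    ("198.51.100.7", "MAIL FROM:<sysadmin@example.com>", 'From: "Sysadmin" <sysadmin@example.com>'),
    ("10.0.0.25", "MAIL FROM:<alice@example.com>", "From: alice@example.com"),
    ("198.51.100.7", "MAIL FROM:<news@other.example>", "From: news@other.example"),
    ("198.51.100.7", "MAIL FROM:<bounce@other.example>", "From: helpdesk@example.com"),
]


def audit(sessions=SESSIONS) -> list:
    """Verdict for each constructed session, in order."""
    return [classify(ip, mf, fh)[0] for ip, mf, fh in sessions]


if __name__ == "__main__":
    for (ip, mf, fh), verdict in zip(SESSIONS, audit()):
        print(f"{ip:15} {mf:40} -> {verdict}")
```

The first session is the forgery the text describes: a message claiming to be from the site's own domain arriving from an outside address. Nothing in SMTP itself stops it; the check works only because the receiving relay knows which addresses are allowed to speak for that domain and refuses to trust the claim otherwise.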
By far the best method, for entering xinetd, is to get the real version from panos@cs.colorado.edu, modify the system files in order to have some backdoors, and then distribute them to the mirror servers on the WEB. Each time a new administrator downloads "your" version of xinetd, you'll have easy access to the "protected" system.
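The mirror problem just described is one of integrity: the copy a site fetches must be the one the author released. As an added example (not part of the tutorial or of xinetd's own distribution), this Python builds a small source archive in memory, computes the per-file SHA-256 manifest an author would publish alongside the release, and verifies a mirror's copy against it, reporting modified, missing or unexpected files. The file names and contents are invented stand-ins.

```python
import hashlib
import hmac
import io
import tarfile


def build_tar(files: dict) -> bytes:
    """Build a tar archive in memory from {path: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digests(tar_bytes: bytes) -> dict:
    """SHA-256 of every regular file in the archive, keyed by path."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out


def verify(tar_bytes: bytes, manifest: dict) -> list:
    """Compare a downloaded archive against the author's manifest; [] means it matches."""
    problems = []
    found = digests(tar_bytes)
    for path, expected in manifest.items():
        actual = found.get(path)
        if actual is None:
            problems.append(f"missing: {path}")
        elif not hmac.compare_digest(actual, expected):
            problems.append(f"modified: {path}")
    for path in found:
        if path not in manifest:
            problems.append(f"unexpected: {path}")
    return sorted(problems)


# Constructed stand-ins for a source release; paths and contents are invented.
PRISTINE = {
    "pkg-1.0/Makefile": b"all:\n\tcc -o daemon main.c access.c\n",
    "pkg-1.0/main.c": b"int main(void) { return serve(); }\n",
    "pkg-1.0/access.c": b"int allowed(const char *h) { return check_table(h); }\n",
}
# The manifest is published by the author and fetched separately from the mirror.
MANIFEST = digests(build_tar(PRISTINE))

# A mirror copy in which the access check no longer consults the table and a
# file was added; both must be caught.
TAMPERED = dict(PRISTINE)
TAMPERED["pkg-1.0/access.c"] = b"int allowed(const char *h) { return 1; }\n"
TAMPERED["pkg-1.0/.extra"] = b"x\n"


def check_mirror_copies() -> dict:
    """Verify both archives against the author's manifest."""
    return {
        "pristine": verify(build_tar(PRISTINE), MANIFEST),
        "tampered": verify(build_tar(TAMPERED), MANIFEST),
    }


if __name__ == "__main__":
    for label, problems in check_mirror_copies().items():
        print(label, "->", problems or "ok")
```

The check is only as good as the channel the manifest arrived over: a manifest fetched from the same mirror as the archive proves nothing. Taking it from the author's own site, or better from a signed release announcement, moves the trust from the mirror operator to the author, which is where the text's scenario says it belongs.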
On the Nets, it's important to conceal your identity (they will find you out pretty quickly if you do not). The best method is to obtain the IP address of a legitimate workstation during normal hours. Then, late at night, when the workstation is known to be powered-off or disconnected from a dialup PPP link, a different node on the network can be configured to use the counterfeit IP address. To everyone on the network, it will appear that the "legitimate" user is active. If you follow this strategy, you may want to crack somewhat more negligently... the search for the cracker will go on -later- in the false confidence that a sloppy novice (the legitimate user) is at work; this will muddle the waters a little more.
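The counterfeit address appears legitimate to everyone on the network only while nobody compares what they see now with what they saw before. This Python is an added example and not part of the tutorial: it learns the hardware address each IP used during working hours from constructed arpwatch-style sightings, then flags sightings where that address changed or the host is active outside those hours, which is exactly the pattern the scenario above produces. The addresses, times and work-hours window are constructed.

```python
from datetime import datetime

# Constructed sightings in the style of an ARP-watching log: (time, ip, hardware address).
SIGHTINGS = [
    ("1996-05-02 09:14", "192.0.2.17", "08:00:20:1a:2b:3c"),
    ("1996-05-02 17:40", "192.0.2.17", "08:00:20:1a:2b:3c"),
    ("1996-05-02 10:02", "192.0.2.18", "08:00:20:4d:5e:6f"),
    ("1996-05-03 02:12", "192.0.2.17", "00:60:8c:aa:bb:cc"),
]

WORK_HOURS = (8, 19)   # constructed assumption: when these workstations are normally on


def in_work_hours(stamp: str) -> bool:
    hour = datetime.strptime(stamp, "%Y-%m-%d %H:%M").hour
    return WORK_HOURS[0] <= hour < WORK_HOURS[1]


def learn_baseline(sightings: list) -> dict:
    """First hardware address seen for each IP during work hours."""
    known = {}
    for stamp, ip, mac in sightings:
        if in_work_hours(stamp) and ip not in known:
            known[ip] = mac
    return known


def detect(sightings: list, known: dict) -> list:
    """Flag sightings whose hardware address changed or that fall outside work hours."""
    alerts = []
    for stamp, ip, mac in sightings:
        reasons = []
        if ip in known and known[ip] != mac:
            reasons.append(f"hardware address changed {known[ip]} -> {mac}")
        if not in_work_hours(stamp):
            reasons.append("active outside work hours")
        if reasons:
            alerts.append((stamp, ip, reasons))
    return alerts


if __name__ == "__main__":
    for stamp, ip, reasons in detect(SIGHTINGS, learn_baseline(SIGHTINGS)):
        print(f"{stamp} {ip}: " + "; ".join(reasons))
```

A changed hardware address alone is not proof of anything (a replaced network card produces the same record), so the baseline has to be refreshed when hardware legitimately changes; the combination of a new address and activity at an hour when the machine is known to be off is what makes the night-time sighting stand out.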

Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web.

You'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and criticism on the whole crap I wrote are also welcomed.

E-mail +ORC

+ORC an526164@anon.penet.fi
