____________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Beginners' Series Number 7

The Exploit Files

____________________________________________________________

by keydet89@yahoo.com and Carolyn Meinel
    
    
    
How many times have you read hacker newsgroups or email lists and seen posts that begged "teach me to hack," or asked "how do I hack this"? It often looks as though the person asking the question just doesn't understand the basics of vulnerabilities and their exploits. The purpose of this Guide is to explain what vulnerabilities and exploits are, and how they relate to computer security.
    
    
    
Let's start with an example. Suppose that you are trying to sell something by phone. So you start by calling phone numbers, and you keep calling until you get someone to answer, not an answering machine, but a real live person. Then if the person who answers the phone speaks the same language as you and can understand you, you try to sell your product. Lots of people will hang up on you, but eventually, someone will buy something...bang! You've scored!
    
    
    
*****************************************************************
In this Guide you will learn:

* What is a vulnerability
* What is an exploit
* How to look for vulnerabilities
*****************************************************************
    
    
    
So what does this have to do with 'hacking'? Look at your dialing of phone numbers as port scanning IP (Internet protocol) addresses on the Internet. Some Internet host computers won't answer. Maybe a firewall is blocking the ports that you're scanning. Some hosts will answer, and at that point maybe, just maybe, you've found a vulnerable computer.
    
    
    
********************************************************************
Newbie note: What are these 'ports' we are talking about? This kind of 'port' is a number used to identify a service on an Internet host. For this reason they are often called 'TCP/IP' (transmission control protocol/Internet protocol) ports, to distinguish them from other kinds of computer ports such as modems, ports to printers, etc. Each host computer connected to the Internet is identified by an IP address such as 'victim.fooisp.com.' Since each host may have many services running, each service uses a different port. To contact any of these ports across the Internet, you use the host's IP address and port number -- it's kind of like dialing a phone number.
********************************************************************
    
    
    
Now maybe you have connected to telnet, port 23. You get a login prompt, but you don't know any valid username/password combinations. So the host "hangs up" on you. After many hours of trying, you connect to a host on the right port, and Shazam!! You're greeted with a login prompt, and you quickly guess a valid username and password combination. The next thing you know, you have a command prompt. You have discovered a vulnerability -- an easily guessed password! So being the 'white hat hacker' that you are, you send an email to the sysadmin of the site and leave quietly.
    
    
    
*****************************************************************
Newbie note: A 'host' is a computer connected to the Internet. A 'service' is a program that is running on a port of an Internet host. Each service is a program that will respond to certain commands. If you give it the right command, you will get it to do something for you.

The simplest example of a service is 'chargen', or character generator (port 19). If you make a telnet connection on the chargen port to a server running the chargen service, this program will react to this connection by sending a string of characters which you will see being repeated across your telnet screen. All you need to do is connect to the service.

Another example of a service is finger (port 79). If you run a finger program to request information on a particular user from a specific host, and the finger service (or 'fingerd') is running, and if the user has not instructed the finger service to ignore requests about him or her, you will get back information on that user.
*****************************************************************
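To make the "service on a port" idea concrete, here is an added example (not code from the Guide) that runs a tiny chargen-style service on your own machine's loopback address and connects to it as a client. It assumes port 0 (the operating system picks a free port) instead of the real chargen port 19, and sends a fixed number of bytes instead of running until the client hangs up. It also returns the port the client side was given, which the Guide discusses below when it looks at high-numbered ports in netstat output.

```python
"""A loopback 'chargen'-style service and a client that connects to it.

Added example, not code from the Guide. Assumptions: the service binds
127.0.0.1 on port 0 (the OS picks a free port) instead of the real chargen
port 19, and it sends a fixed number of bytes instead of running until the
client hangs up.
"""
import socket
import string
import threading
from typing import Tuple

# Character pattern the service cycles through (constructed here).
PATTERN = (string.ascii_letters + string.digits).encode()

# Top of the 'well-known' range the Guide describes; client ports sit above it.
WELL_KNOWN_LIMIT = 1024


def chargen_payload(length: int) -> bytes:
    """Return `length` bytes of the repeating character pattern."""
    out = bytearray()
    for i in range(length):
        out.append(PATTERN[i % len(PATTERN)])
    return bytes(out)


def serve_one(listener: socket.socket, length: int) -> None:
    """Accept one connection, answer it with the pattern, then hang up."""
    conn, _peer = listener.accept()
    with conn:
        conn.sendall(chargen_payload(length))


def chargen_exchange(length: int = 200) -> Tuple[int, int, bytes]:
    """Start the service, connect to it as a client, and return
    (service port, client port, bytes the client received)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS choose
    listener.listen(1)
    service_port = listener.getsockname()[1]

    worker = threading.Thread(target=serve_one, args=(listener, length))
    worker.start()

    # The client names a host and a port, like dialing a phone number; the OS
    # hands the client its own port from above the well-known range.
    with socket.create_connection(("127.0.0.1", service_port)) as client:
        client_port = client.getsockname()[1]
        received = b""
        while True:                           # read until the service hangs up
            chunk = client.recv(4096)
            if not chunk:
                break
            received += chunk

    worker.join()
    listener.close()
    return service_port, client_port, received


if __name__ == "__main__":
    port, cport, data = chargen_exchange()
    print(f"service on 127.0.0.1:{port}, client port {cport}, {len(data)} bytes received")
```

Run it and you will see the same thing the Guide describes for telnetting to port 19: the connection alone is the "command", and the service answers with its character string. The client port printed is the kind of high-numbered port that shows up in the 'netstat -a' listings later in this Guide.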
    
    
    
What services are run from these ports, and how can we learn more about them? Ports numbered from 1 to 1024 are called the 'well-known' ports. These are listed in RFC 1700 (see http://www.internetnorth.com.au/keith/networking/rfc.html). Many of the well-known ports are also listed in a file on your computer called 'services'. On Win95, it's c:\windows\services; on NT, it's c:\winnt\system32\drivers\etc\services; on many Unix type computers (your shell account) it's /etc/services.
    
    
    
These ports are called 'well-known' because they are commonly used by certain services. For example, the well-known port for sending email is the SMTP port, or port 25. Because it is 'well-known', anyone can send email to anyone else. Because port 110 is the well-known port for checking email, all email clients know that they have to connect to a POP server on port 110 in order to retrieve email.

An excellent FAQ (frequently asked questions) on TCP/IP ports can be found at http://www.technotronic.com/tcpudp.html
    
    
    
*************************************************************
You can get punched in the nose warning: There are many port scanning tools, and wannabe hackers use them ... a lot. But for what purpose? In most cases all that happens is that a sysadmin or firewall administrator goes through the logs that computer keeps of who has tried to hack that site. He or she then decides whether to ignore your scan or call the sysadmin of the site that your scan came from. Even though (in the US at least) port scanning is legal, it makes systems administrators really mad at you! To avoid getting kicked off your Internet provider, get permission to scan first!
*************************************************************
    
    
    
What Is a Vulnerability?

A 'vulnerability' is anything about a computer system that will allow someone to either keep it from operating correctly, or that will let unauthorized people take it over. There are many types of vulnerabilities. They may be a misconfiguration in the setup of a service, or a flaw in the programming of the service.
    
    
    
An example of a setup misconfiguration is leaving the 'wiz' or 'debug' commands operational in older versions of sendmail, or incorrectly setting directory permissions on your FTP server so people can download the password file. In these cases, the vulnerability is not in how the program was written, but in how the program is configured. Allowing file sharing on your Windows 95 or 98 computer when it is not necessary, or failing to put a password on file sharing, is another example.

Examples of errors in the programming of services are the large number of buffer overflow vulnerabilities in the programs that run services on ports of Internet host computers. Many of these buffer overflow problems allow people to use the Internet to break into and take control of host computers (check out "Smashing the Stack", by Aleph One, at: http://www.happyhacker.org/docs/smash.txt).
    
    
    
What Is an Exploit?

An 'exploit' is a program or technique that takes advantage of a vulnerability. For example, the FTP-Bounce vulnerability occurs when an FTP server (used to allow people to upload and download files) is configured to redirect FTP connections to other computers. There really is no good reason to allow this feature. It has become a vulnerability because this 'bounce' feature allows someone to use it to port scan other computers on the same local area network (LAN) as that FTP server. So even though a firewall may be keeping port scanners from directly scanning other computers on this LAN, the FTP server would bounce a scan past the firewall.

So really an exploit is any technique that takes advantage of a vulnerability to enable you to carry out your own schemes, despite the wishes of the sysadmin of your target. Exploits depend on operating systems and their configurations, the configurations of programs running on computer systems, and of the LAN they are on.
    
    
    
Operating systems such as NT, VMS and Unix are very different, and the various versions of Unix have their differences, as well. (Examples of Unix operating systems include BSD, AIX, SCO, Irix, Sun OS, Solaris, and Linux). Even the various versions of the Linux form of Unix are different.

This means exploits that will work against NT systems will probably not work against Unix systems, and exploits for Unix systems will probably not work against NT. NT services are run by different programs from what you may find on Unix type computers. Further, different versions of the same service running on any particular operating system will probably not be vulnerable to the same exploit, because each version of a service is run by a different program. Sometimes this different program may have the same name but only have a different version number. For example sendmail 8.9.1a is different from 8.8.2. Among the differences: 8.9.1a has been fixed so that none of the old sendmail exploit programs will work on it.

For example, the GTMHH on advanced shell programming clearly explains that the "Leshka" exploit only works on versions 8.7-8.8.2 of the SMTP service program called 'sendmail.' We observed a number of people who were playing the hacker wargame trying to run the Leshka exploit against a later, fixed version of sendmail.

So remember, an exploit for one operating system or service is unlikely to work against another operating system. This isn't to say that it definitely won't...it's just not likely. However, you are pretty much guaranteed that any Win95 or NT exploit will not work against any kind of Unix.
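The point that an exploit is tied to particular versions cuts both ways: a sysadmin can use the same published version range to decide whether a host needs upgrading. The following is an added example, not code from the Guide. The only affected range it uses is the one the Guide quotes for the Leshka exploit (sendmail 8.7 through 8.8.2); the SMTP greeting lines are constructed in sendmail's usual format, not captured from any real host.

```python
"""Check a service version against a published affected range.

Added example, not code from the Guide. The only range used is the one the
Guide quotes for the Leshka exploit, sendmail 8.7 through 8.8.2 inclusive;
the SMTP greetings below are constructed, not captured from a real host.
"""
import re
from typing import Optional, Tuple

# Inclusive (first affected, last affected) pair, as stated in the Guide.
LESHKA_RANGE = ("8.7", "8.8.2")

VersionKey = Tuple[Tuple[int, ...], str]


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """'8.9.1a' -> ((8, 9, 1), 'a'); trailing letters are a patch level."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2)


def version_key(text: str) -> VersionKey:
    """Comparable key; short versions are padded so 8.7 sorts as 8.7.0.0."""
    numbers, suffix = parse_version(text)
    return numbers + (0,) * (4 - len(numbers)), suffix


def in_affected_range(version: str, affected: Tuple[str, str] = LESHKA_RANGE) -> bool:
    """True if `version` lies inside the inclusive affected range."""
    first, last = affected
    return version_key(first) <= version_key(version) <= version_key(last)


def banner_version(banner: str) -> Optional[str]:
    """Extract the version from an 'ESMTP Sendmail 8.8.2/8.8.2' style greeting."""
    match = re.search(r"Sendmail\s+(\d[\w.]*)", banner)
    return match.group(1) if match else None


def needs_upgrade(banner: str, affected: Tuple[str, str] = LESHKA_RANGE) -> bool:
    """Sysadmin's view: does this greeting show a version in the affected range?"""
    version = banner_version(banner)
    return version is not None and in_affected_range(version, affected)


# Constructed greeting lines in the usual sendmail format (not real hosts).
SAMPLE_BANNERS = [
    "220 mail.example.com ESMTP Sendmail 8.8.2/8.8.2; Tue, 3 Mar 1998 10:00:00 -0700",
    "220 mail.example.com ESMTP Sendmail 8.9.1a/8.9.1; Tue, 3 Mar 1998 10:00:00 -0700",
]

if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        print(f"{banner_version(line):>8}  in affected range: {needs_upgrade(line)}")
```

The version parser keeps the letter suffix separate from the numbers, so 8.9.1a compares as later than 8.9.1, and pads short versions so that 8.7 is treated as the first release of the 8.7 series. That is what lets the two greetings above sort correctly against the range the Guide gives.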
    
    
    
How to Look for Vulnerabilities

Now let's start someplace where you are unlikely to get punched in the nose by looking at some ports on your own computer. You can do this by typing 'netstat -a' at the command prompt.
    
    
    
You should see something such as:

Active Connections

Proto  Local Address        Foreign Address      State
TCP    localhost:1027       0.0.0.0:0            LISTENING
TCP    localhost:135        0.0.0.0:0            LISTENING
TCP    localhost:135        0.0.0.0:0            LISTENING
TCP    localhost:1026       0.0.0.0:0            LISTENING
TCP    localhost:1026       localhost:1027       ESTABLISHED
TCP    localhost:1027       localhost:1026       ESTABLISHED
TCP    localhost:137        0.0.0.0:0            LISTENING
TCP    localhost:138        0.0.0.0:0            LISTENING
TCP    localhost:nbsession  0.0.0.0:0            LISTENING
UDP    localhost:135        *:*
UDP    localhost:nbname     *:*
UDP    localhost:nbdatagram *:*
    
    
    
Hhhmm...nothing much going on here. The 'Local Address' (i.e., my local machine) seems to be listening on ports 135, 137, 138, and 'nbsession' (which translates to port 139...type 'netstat -an' to see just the port numbers, not the names of the ports). This is okay...those ports are part of Microsoft networking, and need to be active on the LAN my machine is connected to.
    
    
    
Now we connect our Web browser to http://www.happyhacker.org and at the same time run Windows telnet and connect to a shell account at example.com. Let's see what happens. Here's the output of the 'netstat -a' command, slightly abbreviated:
    
    
    
Active Connections

Proto  Local Address      Foreign Address      State
TCP    localhost:1027     0.0.0.0:0            LISTENING
TCP    localhost:135      0.0.0.0:0            LISTENING
TCP    localhost:135      0.0.0.0:0            LISTENING
TCP    localhost:2508     0.0.0.0:0            LISTENING
TCP    localhost:2509     0.0.0.0:0            LISTENING
TCP    localhost:2510     0.0.0.0:0            LISTENING
TCP    localhost:2511     0.0.0.0:0            LISTENING
TCP    localhost:2514     0.0.0.0:0            LISTENING
TCP    localhost:1026     0.0.0.0:0            LISTENING
TCP    localhost:1026     localhost:1027       ESTABLISHED
TCP    localhost:1027     localhost:1026       ESTABLISHED
TCP    localhost:137      0.0.0.0:0            LISTENING
TCP    localhost:138      0.0.0.0:0            LISTENING
TCP    localhost:139      0.0.0.0:0            LISTENING
TCP    localhost:2508     zlliks.505.ORG:80    ESTABLISHED
TCP    localhost:2509     zlliks.505.ORG:80    ESTABLISHED
TCP    localhost:2510     zlliks.505.ORG:80    ESTABLISHED
TCP    localhost:2511     zlliks.505.ORG:80    ESTABLISHED
TCP    localhost:2514     example.com:telnet   ESTABLISHED
    
    
    
So what do we see now? Well, there are the ports listening for Microsoft networking, just like in the first example. And there also are some new ports listed. Four are connected to 'zlliks.505.org' on port 80, and one to 'example.com' on the telnet port. These correspond to the client connections that I set up. See, this way you know the name of the computer that was running the Happy Hacker Web site at this time.
    
    
    
But what is with the really high port numbers? Well, remember the 'well-known' ports that we talked about above? Client applications, such as browsers and telnet clients (clients are programs that connect to servers) need to use a port to receive data on, so they randomly select ports from outside the 'well-known' port range...above 1024. In this case, my browser has opened up four ports...2508 through 2511.
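Reading a 'netstat -a' listing by eye works for a dozen lines, but the real check a sysadmin wants is "which listening ports do I expect, which are just my own client programs, and what is left over?" The following added example (not code from the Guide) does that. It parses a listing in the column layout shown above, resolves names such as 'nbsession' through a table in the format of the 'services' file the Guide describes, and then separates the Microsoft networking ports the Guide calls expected (135, 137, 138, 139), the local ends of established client connections, and anything else that is listening. Both the services excerpt and the netstat listing are constructed inline; the listing is modelled on the one above with one extra listener (port 12345) added so the audit has something to flag.

```python
"""Inventory the sockets in a 'netstat -a' listing and resolve service names.

Added example, not code from the Guide. It assumes netstat's usual
'Proto  Local Address  Foreign Address  State' columns and a services file
in the '<name> <port>/<proto> [aliases]' layout the Guide describes.
"""
from typing import Dict, List, NamedTuple, Optional

# Constructed excerpt in the layout of a 'services' file; only these are known here.
SERVICES_TEXT = """
# <service name>  <port>/<protocol>  [aliases]   # comment
chargen      19/tcp
telnet       23/tcp
smtp         25/tcp    mail
finger       79/tcp
http         80/tcp    www
pop3        110/tcp
epmap       135/tcp
epmap       135/udp
nbname      137/udp
nbdatagram  138/udp
nbsession   139/tcp
"""

# Constructed 'netstat -a' listing modelled on the Guide's, plus one extra
# listener (12345) so that the audit has something to flag.
NETSTAT_TEXT = """
Active Connections

Proto  Local Address        Foreign Address        State
TCP    localhost:1027       0.0.0.0:0              LISTENING
TCP    localhost:135        0.0.0.0:0              LISTENING
TCP    localhost:2508       0.0.0.0:0              LISTENING
TCP    localhost:2514       0.0.0.0:0              LISTENING
TCP    localhost:12345      0.0.0.0:0              LISTENING
TCP    localhost:1026       0.0.0.0:0              LISTENING
TCP    localhost:1026       localhost:1027         ESTABLISHED
TCP    localhost:1027       localhost:1026         ESTABLISHED
TCP    localhost:137        0.0.0.0:0              LISTENING
TCP    localhost:138        0.0.0.0:0              LISTENING
TCP    localhost:nbsession  0.0.0.0:0              LISTENING
TCP    localhost:2508       web.example.org:80     ESTABLISHED
TCP    localhost:2514       example.com:telnet     ESTABLISHED
UDP    localhost:135        *:*
UDP    localhost:nbname     *:*
UDP    localhost:nbdatagram *:*
"""

# Ports the Guide says belong to Microsoft networking on a LAN-attached machine.
EXPECTED_LISTENING_PORTS = {135, 137, 138, 139}
WELL_KNOWN_LIMIT = 1024


def parse_services(text: str) -> Dict[str, Dict[str, int]]:
    """Return {'tcp': {name: port}, 'udp': {name: port}}, aliases included."""
    table: Dict[str, Dict[str, int]] = {"tcp": {}, "udp": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        for alias in [fields[0]] + fields[2:]:
            table[proto][alias] = int(port)
    return table


def to_port(token: str, proto: str, services: Dict[str, Dict[str, int]]) -> Optional[int]:
    """'139' -> 139, 'nbsession' -> 139 via the table, '*' or '0' (no peer) -> None."""
    if token in ("*", "0"):
        return None
    if token.isdigit():
        return int(token)
    if token not in services[proto]:
        raise ValueError(f"unknown service name {token!r}; add it to the services table")
    return services[proto][token]


class Conn(NamedTuple):
    proto: str
    local_port: int
    foreign_host: str
    foreign_port: Optional[int]
    state: str


def parse_netstat(text: str, services: Dict[str, Dict[str, int]]) -> List[Conn]:
    """Turn the netstat lines into Conn records; headers and blanks are skipped."""
    conns: List[Conn] = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0].lower()
        _host, local_port = fields[1].rsplit(":", 1)
        foreign_host, foreign_port = fields[2].rsplit(":", 1)
        state = fields[3] if len(fields) > 3 else "LISTENING"   # UDP has no state column
        conns.append(Conn(proto, to_port(local_port, proto, services),
                          foreign_host, to_port(foreign_port, proto, services), state))
    return conns


def audit(conns: List[Conn]) -> Dict[str, object]:
    """Split listeners into expected, client-side, and unexplained."""
    listening = {c.local_port for c in conns if c.state == "LISTENING"}
    client_ports = {c.local_port for c in conns if c.state == "ESTABLISHED"}
    outbound = sorted((c.local_port, c.foreign_host, c.foreign_port)
                      for c in conns
                      if c.state == "ESTABLISHED" and c.foreign_host != "localhost")
    return {
        "listening": sorted(listening),
        "well_known_listeners": sorted(p for p in listening if p < WELL_KNOWN_LIMIT),
        "outbound": outbound,
        "unexpected_listeners": sorted(listening - EXPECTED_LISTENING_PORTS - client_ports),
    }


if __name__ == "__main__":
    report = audit(parse_netstat(NETSTAT_TEXT, parse_services(SERVICES_TEXT)))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed listing the audit reports the four Microsoft networking ports as well-known listeners, two outbound connections (the browser to port 80 and telnet to port 23), and port 12345 as the one listener that neither the expected set nor an established client connection explains. That last category is the one to investigate on your own machine.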
    
    
    
Now suppose you want to scan your friend's ports. This is the best way to scan, as you won't have to worry about your friend getting you kicked off your ISP for suspicion of trying to break into computers. How do you know what your friend's IP address is? Ask him or her to run the command (from the DOS prompt) 'netstat -r'. This shows something like this:
    
    
    
C:\WINDOWS>netstat -r

Route Table

Active Routes:

Network Address  Netmask         Gateway Address  Interface        Metric
0.0.0.0          0.0.0.0         198.59.999.200   198.59.999.200   1
127.0.0.0        255.0.0.0       127.0.0.1        127.0.0.1        1
198.59.999.0     255.255.255.0   198.59.999.200   198.59.999.200   1
198.59.999.200   255.255.255.255 127.0.0.1        127.0.0.1        1
198.59.999.255   255.255.255.255 198.59.999.200   198.59.999.200   1
224.0.0.0        224.0.0.0       198.59.999.200   198.59.999.200   1
255.255.255.255  255.255.255.255 198.59.999.200   0.0.0.0          1

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    lovely-lady:1093       mack.foo66.com:smtp    ESTABLISHED
    
    
    
That 'gateway address' and 'interface' both give the current IP address of your computer. If you are on a LAN, the gateway should be different from your own computer's IP address. If you or your friend are on a LAN, however, you should think twice before port scanning each other, or the LAN's sysadmin may notice your activity. Warning: sysadmins have quite an arsenal of larts to use on suspicious-acting users.
    
    
    
************************************************************
Newbie note: Lart? What the heck is a lart? It is a "luser attitude readjustment tool." This is a generic class of techniques used by sysadmins to punish lusers. What is a luser? A wayward user. To get a sampling of popular larts, see http://mrjolly.cc.waikato.ac.nz. You want your sysadmins to be your FRIENDS, right? Never forget this!
************************************************************
    
    
    
What are some of the vulnerabilities to Win95 and NT, you ask? Check previous GTMHHs for this information. Perhaps the most important thing to remember about Windows is that any user, not only the administrator (whose status is equal to root in Unix), can run a program that uses any port it wants, even a well-known port. This vulnerability is demonstrated by a program from Weld Pond of L0pht fame called 'netcat'. The program can be obtained from:

http://www.l0pht.com/~weld/netcat

Read the documentation that ships with the program, or the Guides on (a) win95 and telnet from:

http://www.happyhacker.org/gtmhh.shtml

or (b) NT security from:

http://www.infowar.com/hacker/hacker.html-ssi

...for information on uses of netcat.

Of course, various Windows applications, such as Internet Explorer, have their own vulnerabilities.
    
    
    
By now, you're probably wondering where you can learn more about various vulnerabilities and exploits for just about any computer you might find on the Internet. Here is a list of sites:

ISS X-Force
http://www.iss.net/xforce

RootShell
http://www.rootshell.com

TechnoTronic
http://www.technotronic.com

Packet Storm Security Site
http://www.Genocide2600.com/~tattooman/index.shtml

Bugtraq archives:
http://www.netspace.org/lsv-archive/bugtraq.html

NTBugTraq
http://www.ntbugtraq.com

Aelita Software
http://www.ntsecurity.com
**This site has the RedButton program, which demonstrates the capability to connect to an NT machine via a null session and retrieve registry information. This is a relatively simple problem to fix...see the NT security Guides at: http://www.infowar.com/hacker/hacker.html-ssi

NTSecurity
http://www.ntsecurity.net

Active Matrix's HideAway
http://www.hideaway.net/exploits.html

CERT
http://www.cert.org
    
    
    
________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.

We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. But we hate computer crime. So don't email us about any crimes you may have committed!

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1998 keydet89 and Carolyn Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_________________________________________________________
Carolyn Meinel
M/B Research -- The Technology Brokers
http://techbroker.com