____________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Vol. 3 No. 9, Part 2

War Tools! Scan, Sniff, Spoof and Hijack

____________________________________________________________
    
    
    
Note: This Guide is excerpted from the upcoming Second Edition of "The Happy Hacker" book, available Sept. 31, 1998.
    
    
    
So now that we know it's time to fight intruders, let's start with free anti-crime tools that are great not only for sysadmins, but also for casual users who just want to have fun.
    
Twinsen (hacker handle) has written Port Dumper, a good program for Unix-type computers that will deal with snoopers like me. He says: "I use this to play with my friends. This program is used to listen to a port (any port); after it is connected with others, you can type something and Port Dumper will send it. It is quite useful when you want to fake a service, such as http, smtp, etc... or even telnet (Evil Genius Tips: You know it!) It is on my homepage, Channel X Security Information (http://home.netvigator.com/~jcatchan/). I may write a guide on using it to do a specified mission (such as faking an http server...) later. Hope you'll enjoy using it! Use at your own risk.. I'm not responsible for the use of this stupid shell script...."
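Here is what "faking a service" on a listening port looks like in practice. This is an added example and not Twinsen's Port Dumper (which is a shell script); it is a stand-alone Python listener that plays a minimal SMTP server, answers with plausible replies, refuses every login and relay attempt, and keeps a transcript of everything the connecting snooper typed. The hostname and port number are made up.

```python
# Added example, not Twinsen's Port Dumper: a fake SMTP listener that
# answers with plausible replies and keeps a transcript of everything the
# client sends. Hostname and port below are made up.
import socket
import threading
from datetime import datetime, timezone


class FakeSMTP:
    """One client's dialogue: produces canned SMTP replies, records input."""

    BANNER = "220 mail.example.invalid ESMTP ready\r\n"   # assumed hostname

    def __init__(self, peer):
        self.peer = peer            # (ip, port) of the client
        self.transcript = []        # every line the client sent, in order
        self.credentials = []       # anything the client offered via AUTH
        self.closed = False

    def respond(self, line):
        """Return the reply (with CRLF) for one client line (without CRLF)."""
        self.transcript.append(line)
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.invalid Hello\r\n"
        if verb == "AUTH":
            # Log whatever is offered but never accept it.
            self.credentials.append(line)
            return "535 Authentication credentials invalid\r\n"
        if verb in ("MAIL", "RCPT"):
            return "250 OK\r\n"
        if verb == "DATA":
            # Never let the snooper actually relay anything.
            return "554 Transaction failed\r\n"
        if verb == "QUIT":
            self.closed = True
            return "221 Bye\r\n"
        return "502 Command not implemented\r\n"


def handle(conn, addr):
    """Run the fake dialogue on one accepted connection, then log it."""
    session = FakeSMTP(addr)
    with conn:
        conn.sendall(session.BANNER.encode())
        buf = b""
        while not session.closed:
            chunk = conn.recv(1024)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf and not session.closed:
                raw, buf = buf.split(b"\n", 1)
                line = raw.rstrip(b"\r").decode("latin-1")
                conn.sendall(session.respond(line).encode())
    stamp = datetime.now(timezone.utc).isoformat()
    print(f"{stamp} {addr[0]}:{addr[1]} sent {len(session.transcript)} line(s)")
    for line in session.transcript:
        print("    " + line)


def serve(port, host="0.0.0.0"):
    """Listen on the port and hand each client to its own thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve(2525)   # unprivileged port, so no root needed to try it
```

Run it, then `telnet localhost 2525` from another window and type SMTP commands; the transcript, including any AUTH string the client offers, is printed when the client disconnects. Binding port 25 itself would need root, which is exactly the trade-off the next tool faces.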
    
Richard Thomas (Humble) has written RotoRouter, "a program for logging and faking the standard Unix udp-based traceroute... . When someone is about to do a DOS (denial of service attack), it is commonplace for them to traceroute to the target, launch the attack, and traceroute again to see the effect..., secure in the belief that their traceroute will never be noticed. They commonly trace from their home machines (99% of packet warriors have 28.8k modems and bandwidth envy, right :P), or ... from the hacked machine they are attacking with."
    
RotoRouter is a great way to fake out those losers who think attacking other people's networks is fun. Unix traceroute works by sending UDP probes with increasing time-to-live values and noting which router answers each one with an ICMP Time Exceeded message; the final host answers with an ICMP Destination Unreachable instead. RotoRouter logs those probes and sends back fake Time Exceeded and Destination Unreachable messages, so the attacker's traceroute shows whatever path you want it to. In Humble's words, other ways his program can fake out people include:

· Lead those stupid smurf kiddies away from your vulnerable routers
· Lie to customers about your bandwidth...
· Scare your ... friends with odd routes, watch their heads explode
· Make the final hop reverse to "this.traceroute.has.been.logged.com"

However, to run RotoRouter, you must install it on a Unix-type computer -- as root, since forging ICMP replies needs raw sockets. This is another reason to run Linux on your home computer. If you have what it takes to run RotoRouter and want to fake out people and fool attackers, you can get it at http://www.bitchx.com/~humble/.
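The logging half of that idea needs no root at all once you have packets in hand. The following is an added example, not Humble's RotoRouter: it parses raw IPv4/UDP packets, flags the ones that look like classic Unix traceroute probes (UDP to ports 33434 and up with a tiny payload), and groups them by source. The addresses and packets are constructed test data; the packet builder leaves checksums at zero because the parser does not check them.

```python
# Added example, not Humble's RotoRouter: the logging half of the idea,
# spotting classic Unix traceroute probes (UDP to ports 33434 and up, sent
# with small, increasing TTLs) in raw IPv4 packets. Addresses and packets
# below are constructed test data.
import struct
from collections import defaultdict

TRACEROUTE_PORTS = range(33434, 33535)   # base port plus about 100 probes


def ip2b(ip):
    return bytes(int(octet) for octet in ip.split("."))


def b2ip(raw):
    return ".".join(str(b) for b in raw)


def parse_ipv4_udp(pkt):
    """Return the IPv4/UDP header fields of pkt, or None if it is not IPv4+UDP."""
    if len(pkt) < 20:
        return None
    (vihl, _tos, _total_len, _id, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        return None
    ihl = (vihl & 0x0F) * 4
    if proto != 17 or len(pkt) < ihl + 8:
        return None
    sport, dport, udp_len, _ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    # ttl is whatever remained when the probe reached this host.
    return {"src": b2ip(src), "dst": b2ip(dst), "ttl": ttl,
            "sport": sport, "dport": dport, "payload_len": udp_len - 8}


def is_traceroute_probe(info):
    """Heuristic: UDP into the traceroute port range with a tiny payload.
    Other programs can use these ports too, so this flags, it does not prove."""
    return info["dport"] in TRACEROUTE_PORTS and info["payload_len"] <= 64


def find_tracers(packets, min_probes=2):
    """Group probes by source; return {src: [(ttl, dport), ...]} for sources
    that sent at least min_probes probes (one stray packet is not a trace)."""
    seen = defaultdict(list)
    for pkt in packets:
        info = parse_ipv4_udp(pkt)
        if info and is_traceroute_probe(info):
            seen[info["src"]].append((info["ttl"], info["dport"]))
    return {src: probes for src, probes in seen.items() if len(probes) >= min_probes}


def build_udp_packet(src, dst, ttl, sport, dport, payload):
    """Constructed test packet; checksums are left zero since the parser ignores them."""
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, ttl, 17, 0,
                     ip2b(src), ip2b(dst))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip + udp + payload


# Constructed sample: a three-hop trace from 192.0.2.10, a DNS query from
# 192.0.2.20, and a single probe-like packet from 192.0.2.30 that should not count.
SAMPLE_PACKETS = [
    build_udp_packet("192.0.2.10", "198.51.100.5", 1, 45000, 33434, b"\x00" * 32),
    build_udp_packet("192.0.2.10", "198.51.100.5", 2, 45000, 33435, b"\x00" * 32),
    build_udp_packet("192.0.2.10", "198.51.100.5", 3, 45000, 33436, b"\x00" * 32),
    build_udp_packet("192.0.2.20", "198.51.100.5", 60, 51000, 53, b"\x12\x34" * 20),
    build_udp_packet("192.0.2.30", "198.51.100.5", 5, 40000, 33440, b"\x00" * 32),
]

if __name__ == "__main__":
    for src, probes in find_tracers(SAMPLE_PACKETS).items():
        print(f"{src} traced us: {probes}")
```

Feeding real packets in (from a raw socket or a pcap reader) is the only change needed to turn this into a logger; sending back forged ICMP replies, the part that makes RotoRouter fun, is where root comes in.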
    
If you really want to have fun, and if you suspect someone has broken into your system, there is a free program for Unix computers called TTY-Watcher. It is available from http://www.engarde.com. TTY-Watcher lets you see exactly what anyone is typing on their keyboard while they are logged on to your computer. You can even record their keystrokes and play them back at the same speed the intruder typed them -- or play them back faster, if that d00d is a slow typist.

You can also download a free trial of the more advanced Windows version of this program, T-sight, from the En Garde Systems web site.
    
I've seen some playbacks. They make fabulous party entertainment. On one, someone had broken into a computer at Los Alamos Laboratories that actually was a "bait" computer used to practice fighting computer criminals -- using real unsuspecting computer criminals.

This particular criminal was trying to send email from this computer bragging of his (hah, hah) feat and demanding that Kevin Mitnick be released from prison. What was fascinating was that Mr. Computer Criminal kept on entering MS-DOS commands on the hacked computer, which didn't work because it was running Unix. After about 20 tries he finally managed to send out his email boast. Then he tried to destroy the evidence of his crime by erasing the entire hard disk. However, he found this hard to do. He kept on giving various erase commands, then listing the directories, and the stuff didn't seem to be disappearing. You could almost feel his rising panic.
    
TTY-Watcher is ideal for when you and your friends are playing hacker wargames where the attacker starts from a shell account on the victim computer. By seeing exactly what other people are doing to leverage unprivileged shell access into root access, you can learn a lot about how to detect and fight attacks. You can also better understand why it is so hard nowadays to get a shell account on an ISP.

TTY-Watcher is outstandingly good at one thing: it allows you to control your victim intruder. I watched this happen once on a friendly hacker wargame. The guy running TTY-Watcher felt sorry for the other player, took over the poor guy's session and fixed his commands. If your intruder is hostile, and you wanted to mess up his commands instead, you could make his day profoundly bad.

The only weakness of TTY-Watcher is that it only runs on one machine. It isn't set up to defend an entire network.
    
If you just need a free program to watch what is flowing on your local Ethernet, try Sniffit, available for free from http://www.rootshell.com. It's boring compared to some of the above programs, but valuable for more sophisticated users who need to understand the technical details of how an intruder got in. Its description, "A very flexible network sniffer that has many interesting features (like curses)," suggests that it may be used by your intruders to sniff your network. Computer criminals love Sniffit. If you can become intimately familiar with its features, it will be easier for you to find a hidden Sniffit in operation.

Another program for watching criminals at work on Windows computers is TCPview. It is available for free from http://www.sysinternals.com/. It is a GUI (graphical user interface) utility that tells you at any time what connections are open to your box, and what is going on with each connection.
    
If you are brave, or perhaps foolhardy, you could always try running Back Orifice on your Windows computer. The promotional material for this free program makes it sound useful for keeping your computer out of trouble when you are away from it by logging into it from the Internet. However, it is quite difficult to uninstall Back Orifice. Also, it was written by a member of the Cult of the Dead Cow, a gang notorious for an excessive sense of humor. Many computer security experts warn that Back Orifice is a Trojan that will make it easy for strangers to get into your computer. I don't recommend ever installing Back Orifice. If you have installed it and want to get rid of it, removal instructions are in the chapter "How to Break into Windows 95/98 Computers."

Suppose you want to see whether someone is port scanning you or trying to break into a port. One useful utility is Nukenabber, available from http://www.winfiles.com, in the Winsock area. It watches up to 50 ports simultaneously. Yes, it is a Windows program, and it's free.
    
    
    
    
    
Industrial Strength War Programs
    
    
    
Now -- let's say you are responsible for a large LAN or an entire ISP. Especially if you are responsible for a commercial Web site, this is a job that calls for much more than the programs above can do. According to an International Computer Security Association report of April, 1997, about a half of US Web sites are attacked or probed each month. True, most of these are probes from the clueless, but even the clueless get lucky sometimes. You may well need security products that can handle a broad spectrum of computer crime problems, that work across a network, and that can spot the most sophisticated attacks. Most important, you need the power to fight back.
    
Since I don't like to take a company's word for the quality of their security products, I will only discuss the two that I have tested: EtherPeek 3.5 for MacOS, from AG Group at http://www.aggroup.com; and IP-Watcher for Unix from En Garde Systems, http://www.engarde.com. I picked those two because they promised exceptional powers to detect attack, and in the case of IP-Watcher, to fight back when under attack. EtherPeek in particular also gets high recommendations from sysadmins I know at the AGIS Internet backbone, and Rt66 Internet, the largest ISP in New Mexico. Both AGIS and Rt66 have had more than their share of attacks by computer criminals, so they have had real life experience with EtherPeek.

Another plus for EtherPeek and IP-Watcher is that they are both ideal for testing other security products such as firewalls, router packet filters, and wrappers, and to track down and gather the evidence needed to put computer criminals behind bars.
    
Let's begin with EtherPeek. Besides the Mac version, there is a version that runs on Windows NT, and even Windows 95/98. However, I recommend the Mac version because not many hackers know how to compromise, disable or crash Macs. Windows, by contrast, is vulnerable to the many denial of service attacks that kode kiddies think are 31337 (elite). While you can protect your Windows boxes from attacks from the Internet with a well-configured router and firewall, what if the intruder is inside your LAN?
    
    
    
**********************************************
Wizard tip: If you have a cable modem, try EtherPeek on it. You will probably discover your cable modem is a node on an Ethernet -- and you can see what everyone else on your cable system is doing! That means, of course, that the other guys can see you. Even without EtherPeek, it could be a great playground to test your ability to figure out the details of all the hardware on your cable modem network.
**********************************************

**********************************************
You can get punched in the nose warning: It probably won't be a good idea to exploit what EtherPeek tells you to tease your next door neighbor about his visit last night to bianca's Smut Shack.
**********************************************
    
    
    
EtherPeek is good for evaluating your security setup. For example, EtherPeek can be used to check the way people log in to computers on your network to find out whether these boxes are correctly configured to only send encrypted passwords over your Ethernet. This is necessary because, amazingly enough, many network file servers, mail systems, and databases install by default in such a way that they send clear text passwords over the network. Once an attacker breaks into one box on a network like that, he or she can install a program such as Sniffit and soon capture every password.
    
Here's an important note. If your network uses Microsoft Point-to-Point Tunneling Protocol (PPTP) to encrypt passwords, and if you have a Solaris box on your LAN, you are nevertheless heading for trouble. There is a free sniffer at http://www.l0pht.com/l0phtcrack that runs on Solaris and captures the MS-CHAP challenge/response exchanges PPTP uses to authenticate users; the password itself never crosses the wire, but the hashed responses are enough. Another free program at this site, L0phtCrack, cracks them offline. By the time you read this, there may be versions of this sniffer that run on other operating systems, too. For a cryptographic analysis of why it is easy to crack PPTP, see http://www.counterpane.com/pptp.html
    
However, back to EtherPeek. It has a "Tools" menu that allows you to test firewalls and routers. For example, you can check to make sure the firewall is blocking the computers on your LAN from replying with valuable information to a port scan from someone on the outside.
    
The creator of EtherPeek and president of AG Group, Mahboud Zabetian, also explains that his software can collect "messages looking for passwords." In his words, the "File Transfer Protocol (ftp) application in the TCP/IP suite has a PASSWORD embedded command in the command stream channel that is ideal for filter writing. By setting up EtherPeek with a filter for PASSWORD commands embedded in FTP, the security person can quickly examine why systems are failing password connections or where high connection count password attempts are coming from when trying to find the source of random login hacking."
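The same filter, applied to a captured FTP control channel rather than inside EtherPeek, comes out like this. It is an added example and not EtherPeek's or AG Group's code; the log is constructed, with each line reading "client_ip > command" for what the client sent or "client_ip < reply" for the server's answer. It pairs each PASS with the 530 or 230 that follows it, counts failures per client, and records whether the guess equalled the username without keeping the passwords themselves, since a log of sniffed passwords is exactly what you do not want lying around.

```python
# Added example, not EtherPeek's filter: the same idea applied to a captured
# FTP control channel. Each constructed log line is "client_ip > command"
# for what the client sent or "client_ip < reply" for what the server answered.
from collections import defaultdict

FTP_LOG = """\
10.0.0.7 > USER alice
10.0.0.7 < 331 Please specify the password.
10.0.0.7 > PASS alice
10.0.0.7 < 530 Login incorrect.
10.0.0.12 > USER carol
10.0.0.7 > USER alice
10.0.0.7 < 331 Please specify the password.
10.0.0.12 < 331 Please specify the password.
10.0.0.7 > PASS password
10.0.0.7 < 530 Login incorrect.
10.0.0.12 > PASS s3cret-but-in-the-clear
10.0.0.12 < 230 Login successful.
10.0.0.7 > USER bob
10.0.0.7 < 331 Please specify the password.
10.0.0.7 > PASS bob
10.0.0.7 < 530 Login incorrect.
10.0.0.7 > USER admin
10.0.0.7 < 331 Please specify the password.
10.0.0.7 > PASS admin
10.0.0.7 < 530 Login incorrect.
"""


def new_record():
    return {"attempts": 0, "failures": 0, "successes": 0,
            "users": set(), "weak": 0, "_user": None, "_pending": False}


def analyze_ftp_log(text):
    """Per client address: PASS attempts, 530 failures, 230 successes,
    usernames tried, and how many passwords equalled the username.
    The passwords themselves are deliberately not kept."""
    records = defaultdict(new_record)
    for line in text.splitlines():
        try:
            addr, direction, rest = line.split(" ", 2)
        except ValueError:
            continue                      # not a log line we understand
        rec = records[addr]               # state is per client, so sessions may interleave
        if direction == ">":
            verb, _, arg = rest.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                rec["_user"] = arg
                rec["users"].add(arg)
            elif verb == "PASS":
                rec["attempts"] += 1
                rec["_pending"] = True
                if rec["_user"] is not None and arg.lower() == rec["_user"].lower():
                    rec["weak"] += 1
        elif direction == "<" and rec["_pending"]:
            code = rest[:3]
            if code == "530":
                rec["failures"] += 1
                rec["_pending"] = False
            elif code == "230":
                rec["successes"] += 1
                rec["_pending"] = False
    # Drop the bookkeeping fields before handing the report back.
    return {addr: {k: v for k, v in rec.items() if not k.startswith("_")}
            for addr, rec in records.items()}


def suspects(report, max_failures=3):
    """Addresses whose failed PASS count reaches the threshold: candidates
    for the 'visit' Zabetian mentions."""
    return sorted(a for a, r in report.items() if r["failures"] >= max_failures)


if __name__ == "__main__":
    rep = analyze_ftp_log(FTP_LOG)
    for addr in suspects(rep):
        r = rep[addr]
        print(f"{addr}: {r['failures']} failures over {len(r['users'])} usernames, "
              f"{r['weak']} guesses equal to the username")
```

Note that carol's successful login is just as visible to the sniffer as the guesser's failures; that is the clear text password problem from a few paragraphs back, seen from the other side.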
    
OK, I agree with you, the kind of cracker who repeatedly attempts to get into an ftp server by guessing at passwords is seriously lame. However, even lame hackers sometimes get lucky. You would be surprised at how many users choose a password that is the same as their user name, or even choose to have no password at all (just hit "enter"). The best way to deal with this problem is to run a program that forces users to choose secure passwords. Alec Muffett's cracklib will do this: it hooks into the password-changing program and rejects new passwords that are too short, are based on the user's login name, or appear in its dictionary. It's available for free at http://www.nmrc.org/files/sunix/index.html.
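To make the rules concrete, here is a small proactive password check of the kind cracklib performs. It is an added example, not cracklib itself: it rejects the two cases just mentioned (an empty password and one equal to the username) and adds a few of cracklib's other tests, with a tiny constructed word list standing in for cracklib's dictionary.

```python
# Added example, not cracklib: a small proactive password check in the
# same spirit, rejecting the two cases the text singles out (empty, equal
# to the username) plus a few of the rules cracklib applies. The word list
# is a constructed stand-in for cracklib's dictionary.
COMMON_WORDS = {"password", "passwd", "123456", "qwerty", "letmein",
                "welcome", "abc123", "secret", "changeme"}


def check_password(username, password, min_length=8):
    """Return the list of reasons the password is unacceptable (empty if OK)."""
    if not password:
        return ["empty password"]
    problems = []
    u, p = username.lower(), password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if p == u:
        problems.append("same as username")
    elif u and u in p:
        problems.append("contains username")
    if u and p == u[::-1]:
        problems.append("username reversed")
    # "password1" is still "password": strip trailing digits before the lookup.
    if p in COMMON_WORDS or p.rstrip("0123456789") in COMMON_WORDS:
        problems.append("dictionary word (possibly with digits appended)")
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    if classes < 3:
        problems.append("fewer than three character classes")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems


def is_acceptable(username, password):
    return not check_password(username, password)


if __name__ == "__main__":
    for user, pw in [("alice", ""), ("alice", "alice"), ("bob", "Password1"),
                     ("carol", "aaaaaaaa"), ("dave", "Tr0ub4dor&3x")]:
        print(f"{user!r}/{pw!r}: {check_password(user, pw) or 'OK'}")
```

The point of running this at password-change time rather than cracking afterwards is that the weak password never gets onto the system, so there is nothing for the ftp guesser to find.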
    
Zabetian also has advice for how to spot the sophisticated break-in artist at work. "By looking for what 'does not belong' on the network connections as well as what does..." one may spot "potential security issues before they become problems. For instance, if there are a lot of connection attempts from a specific address external to the authorized group, it's time to pay a visit to the offender and find out what's going on before it gets serious."

Yes, that's right, a hacker really can get punched in the nose, er, paid a "visit," if he or she does too much port scanning and poking around someone's network.
    
For best results, EtherPeek (or any good computer crime fighting software) should be set up on one computer outside the firewall (you do have a firewall, right?) and another inside to deal with the intruders who manage to get inside anyhow. Besides, almost half of all computer crime is committed by people who are already users on the local area networks they attack.

EtherPeek is shipped with a companion program, AGNetTools, which can port scan your network while EtherPeek records its results. As mentioned above, one of the warning signs that you have an unexpected visitor is unauthorized ports showing up. Also, sometimes someone gets careless and accidentally opens a Web or ftp port that has little or no security -- and opens the door to invaders.
    
EtherPeek is a great hacker research tool, too. It can detect the corrupted packets of exploits such as Land and Teardrop that disable vulnerable computers. It can save these packets for you to resend against a test computer so you can learn how they do their dirty work. Besides, sometimes there is a hardware glitch that accidentally manufactures destructively corrupt packets. One time when Rt66 Internet was suffering from corrupt packets, EtherPeek helped a sysadmin find the offending hardware within minutes.
    
Occasionally you may be attacked by a truly sophisticated opponent. For example, one trick is to run a denial of service attack such as a SYN flood in which each packet carries a different, spoofed source IP address. Because no single address sends more than a packet or two, this will trick many router and firewall defenses into not realizing they are under an attack that will soon shut them down. EtherPeek, however, can analyze (but not deflect) this attack.
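Both of the patterns this chapter has now mentioned, the port scan that Nukenabber watches for and the spoofed-source SYN flood just described, fall out of the same connection log once you know what to count. The following is an added example and not part of the original guide, Nukenabber or EtherPeek: it runs two detections over a constructed log of packets arriving at a protected host, one for a single source touching many ports and one for a service receiving SYNs from many sources of which almost none ever finish the handshake (a spoofed source never sees the SYN-ACK, so it can never ACK it).

```python
# Added example, not part of the original guide and not Nukenabber or
# EtherPeek: two detections over a constructed log of packets arriving at a
# protected host. Each line is "time src:sport -> dst:dport flags", where
# flags is S for a bare SYN and A for the client's handshake-completing ACK.
import re
from collections import defaultdict

LINE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+) (\S+)$")


def make_sample_log():
    lines = [
        # a normal client: SYN then ACK to the web port
        "1 10.0.0.6:51000 -> 10.0.0.9:80 S",
        "1 10.0.0.6:51000 -> 10.0.0.9:80 A",
    ]
    # a port scan: one source, eight ports, never completes a handshake
    for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443)):
        lines.append(f"2 10.0.0.5:{40000 + i} -> 10.0.0.9:{port} S")
    # a SYN flood with a different spoofed source on every packet
    for i in range(20):
        lines.append(f"5 198.51.100.{i + 1}:{50000 + i} -> 10.0.0.9:80 S")
    return "\n".join(lines)


def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, sport, dst, dport, flags = m.groups()
            events.append((int(ts), src, int(sport), dst, int(dport), flags))
    return events


def find_port_scans(events, min_ports=6):
    """One source touching many distinct ports on one destination."""
    ports = defaultdict(set)
    for _ts, src, _sp, dst, dport, flags in events:
        if "S" in flags:
            ports[(src, dst)].add(dport)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items()
                  if len(p) >= min_ports)


def find_syn_floods(events, min_sources=15, max_completion=0.2):
    """Many distinct sources SYN one service and almost none finish the
    handshake: the signature of spoofed sources, which never see the
    SYN-ACK and so can never ACK it."""
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for _ts, src, _sp, dst, dport, flags in events:
        if flags == "S":
            syn_sources[(dst, dport)].add(src)
        elif "A" in flags:
            ack_sources[(dst, dport)].add(src)
    floods = []
    for key, srcs in syn_sources.items():
        completed = len(srcs & ack_sources[key]) / len(srcs)
        if len(srcs) >= min_sources and completed <= max_completion:
            floods.append((key[0], key[1], len(srcs)))
    return sorted(floods)


if __name__ == "__main__":
    ev = parse(make_sample_log())
    print("port scans:", find_port_scans(ev))
    print("syn floods:", find_syn_floods(ev))
```

The thresholds are the interesting part: a per-source rule catches the scanner but is blind to the flood, because every flood packet comes from a fresh address. Only the per-service view, with the completion ratio, shows that something is wrong, which is the blind spot in the router and firewall defenses the paragraph above describes.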
    
EtherPeek also identifies the sender of so-called stealth port scans. On your own segment it can likewise reveal the true source of someone setting up a spoofed IP connection, because the sniffer sees the Ethernet address the packets actually came from, whatever the IP header claims; a spoofed packet arriving from the Internet carries no such clue. The attacker is sitting there sending messages to the victim computer thinking that the identity of his computer is hidden. Yet on the other end a sysadmin is looking on the screen of his Mac G3 at the IP address, laughing as he unleashes a Teardrop attack to crash the attacker's computer.

Sorry, EtherPeek doesn't strike back. You have to go to a site such as http://www.rootshell.com to get denial of service software such as Teardrop to strike back at the bad guys.
    
    
    
*******************************
You can go to jail warning: What if the attacker is on a hacked account of an innocent victim? You might get into trouble if you retaliate with a denial of service attack.
*******************************
    
    
    
*******************************
Wizard tip: If you can determine that your attacker is on a dynamically assigned IP address, you might be able to fight back with less risk of hitting an innocent bystander. One crude way to check is the command "nslookup hostname" where you substitute the attacking IP address for "hostname". If you get back an answer "Non-existent host/domain," the address has no reverse DNS entry, which is common for dial-up pools -- but also for plenty of permanently assigned hosts, so treat it as a hint, not proof. However, if this gets you in trouble anyhow -- remember I warned you.
*******************************
    
    
    
So what do you do when the bad guys attack? EtherPeek can set off a pager when it detects suspicious activity. When the day comes that you are under serious attack, you need to be physically at the network, even if it means being rousted out of bed. Sometimes the only thing you can do to halt your attacker is to physically disconnect your network from the Internet. If you have modem access to your network, you also have to make certain you know where all the modems are, and disable dial-ins. (Use a wardialer to check for secret modem connections to your LAN.)

EtherPeek is also useful for logging the evidence you need to put your attackers behind bars.
    
IP-Watcher, written by Mike Neuman, president of En Garde Systems (http://www.engarde.com), is in some ways an even more powerful tool for putting computer criminals behind bars. Neuman has worked closely with several customers to get arrests and convictions of these destructive intruders. This gives him the real-world experience needed to design a tool that will gather evidence that will stand up in court. While gathering evidence, IP-Watcher has the power to protect your network by letting you hijack the attacker's IP session. You can secretly divert the attacker into a "jail" computer where he or she will think they are still at the IP address of the computer they originally broke into. If it turns out this is a malicious intruder, you can record his or her activities in order to prove criminal intent, while not risking anything outside the jail computer.
    
This software was written, according to Neuman, with "our philosophy of manual intrusion detection ... based on the fact that an intruder must establish connections with other computers to accomplish his or her goal. These connections are an intruder's footprints, and the best way to catch the intruder is to have an advanced visualization of those footprints."

The Windows version of IP-Watcher, T-sight, is, according to Neuman, even more advanced than IP-Watcher.

Like EtherPeek, Neuman's products have an option to page you when they detect that someone has broken in.
    
IP-Watcher would be a deadly tool in the hands of criminals. In order to prevent its abuse, En Garde Systems will only sell your copy of the software pre-compiled for the particular network on which you plan to run it, and enabled to only sniff and control IP sessions on your LAN. Neuman points out a number of ways IP-Watcher can be abused:
    
    
    
· IP-Watcher can create network traffic with spoofed source and destination addresses. This makes it possible to kill any user's connection. While this is essential for stopping attackers, it also could be used to deny access to a legitimate user.

· When IP-Watcher terminates a user's connection while trying to log in, it looks to the user like the network merely had a fault. Normally the user will try to log in again, at which point IP-Watcher can divert his connection so that it steals the user's password.

· If a sysadmin uses the "su" command to enter a root account, IP-Watcher will sniff the cleartext password through its ability to log keystrokes.

· This software also can be set to log what it sniffs in many small files. This is useful because it makes it hard for an intruder to edit log files. However, if IP-Watcher is in the hands of an attacker, this feature prevents the sysadmin from discovering a hidden sniffer by the technique of looking for unexplained large files.

· Even one-time password systems are vulnerable to IP-Watcher. It can be used to hijack a connection by a trusted user. While the user is going about his or her business, the intruder can be secretly using the same connection to install back doors.
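The first item on that list, killing any user's connection with spoofed traffic, is worth seeing at the packet level, because it is also what makes the later items possible: a sniffer on the LAN knows the live sequence numbers, and that knowledge is all TCP asks for. The following is an added example and not En Garde's IP-Watcher. Given one segment observed on the wire, it builds the two spoofed TCP RST packets that would tear the connection down at either end, with correct IP and TCP checksums. Nothing here is sent; the observed segment is constructed test data.

```python
# Added example, not En Garde's IP-Watcher: how the "kill any user's
# connection" item works at the packet level. Given one segment observed on
# the wire, build the two spoofed TCP RST packets that would tear the
# connection down at either end. Nothing here sends anything; the addresses
# are constructed test data.
import struct


def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))


def checksum(data):
    """RFC 1071 one's-complement checksum used by both IP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_rst(src, dst, sport, dport, seq, ttl=64):
    """IPv4 + TCP header with only the RST flag set, both checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, 0,
                      5 << 4, 0x04, 0, 0, 0)       # 5 words, flags=RST
    pseudo = ip2b(src) + ip2b(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     ip2b(src), ip2b(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def resets_for(seg):
    """seg: one observed segment {src, dst, sport, dport, seq, ack, payload_len}.
    A RST is honoured only if its sequence number is what the receiver
    expects next, so impersonate the sender with seq+payload_len toward the
    receiver, and impersonate the receiver with the ack number toward the sender."""
    to_receiver = build_rst(seg["src"], seg["dst"], seg["sport"], seg["dport"],
                            seg["seq"] + seg["payload_len"])
    to_sender = build_rst(seg["dst"], seg["src"], seg["dport"], seg["sport"],
                          seg["ack"])
    return to_receiver, to_sender


def verify_checksums(pkt):
    """True if both the IP header and the TCP checksum validate (sum to zero)."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        return False
    tcp = pkt[ihl:]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pseudo + tcp) == 0


def tcp_fields(pkt):
    """(src, dst, sport, dport, seq, flags) of a packet built above."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport, seq, _ack, _off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return src, dst, sport, dport, seq, flags


# Constructed observation: a telnet client at 10.0.0.5 sending 10 bytes.
OBSERVED = {"src": "10.0.0.5", "dst": "10.0.0.9", "sport": 40000, "dport": 23,
            "seq": 1000, "ack": 5000, "payload_len": 10}

if __name__ == "__main__":
    for pkt in resets_for(OBSERVED):
        print(tcp_fields(pkt), "checksums ok:", verify_checksums(pkt))
```

Two things follow for the defender. The sequence numbers are the whole secret, which is why this only works for someone who can sniff the segment, and why the "pre-compiled for your LAN" restriction above matters. And an injected RST usually arrives with a TTL and IP ID that do not match the rest of the peer's packets; a sniffer of your own comparing those fields across a connection is the simplest way to notice that someone else is doing the resetting.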
    
    
    
**********************************
You can go to jail warning: Computer criminals may be tempted to attempt to break into the En Garde Systems' LAN in hopes of stealing the source code for T-sight and IP-Watcher. This is probably the best place to go if one sincerely wants to get convicted of a computer crime.
**********************************
    
    
    
    Conclusion
    
    
    
Self defense against computer criminals is a topic that has long been neglected. This is because you have to think like an attacker and be intimately familiar with his or her tools and tactics. However, many systems administrators rely solely on commercial computer security products to keep the bad guys out. The problem is: no firewall is perfect!

By contrast, if you use some of the software and techniques of this chapter to watch for and battle intruders, you have a fighting chance even if your firewall fails to stop the bad guys. Also, it can be fun to detect and fight your attackers. Be sure to save those TTY-Watcher logs so you can play back your latest hacker battle at parties!
    
    
    
    #		#		#
    
    
    
Guess what? "The Happy Hacker Book" has almost sold out its First Edition, published March 31, 1998. So American Eagle Publications is putting out a Second Edition, due to come off the presses Sept. 31, 1998. It has several all-new chapters as well as updates to cover Windows 98 and the major changes that are happening in email forging and spam fighting.

How's that -- only six months between editions? This is partly because people were so quick to buy out the First Edition -- and partly because the hacking scene is changing so fast. So instead of going to a second printing, the publisher agreed to spend the extra money to create a Second Edition so we could keep you as up to date as possible.
    
    
    
If you want to buy one of the few remaining copies of the First Edition of "The Happy Hacker" (soon to be a collector's item), you can order it from me ($34.95 for Priority mail shipping in the US; $35.95 airmail in Canada and Mexico; email me for quotes outside the US) by sending a check or money order to PO Box 1520, Cedar Crest NM 87008. Since I only have a few left today, if your order comes in too late, be sure to tell me whether I should just return your money or if you want me to hold on to it and be among the first to get a Second Edition. Oh, yes, I autograph all books bought directly from me.
    
    
    
_______________________________________________________________________

Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.

We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. So don't email us about any crimes you have committed! And don't expect us to come to your rescue if you crash 100 million computers with some new Java virus you just unleashed.

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1998 Carolyn Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.

_________________________________________________________

Carolyn Meinel
M/B Research -- The Technology Brokers
http://techbroker.com