|
Diary of a hack attack We go behind the scenes as a hacker for hire tests an e-business's security perimeter.
By DEBORAH RADCLIFF On a crisp, sunny November day in the nation's capital, in the sparsely furnished second-floor office of Para-Protect, "Bob the hacker" hunches over his monitor and fires off Unix command lines in short, machine gun blasts. Bob is testing the perimeter defenses of a certified Internet mail delivery company, which is paying for the privilege. The start-up e-business doesn't have the budget to pay for a full-blown assault on its network, which would involve Bob actually taking down the company's servers. And besides, it can't afford to have its e-business servers down for any length of time. But it has hired Para-Protect, an information security consulting company in Alexandria, Va., to conduct a scouting expedition. And they've agreed to allow me to tag along on the mission, code-named Alabama, as long as I keep Bob's identity and the name of the e-business secret. These paid-for front-line assaults are a good starting point for network protection because the tests (often referred to as "red teaming" or "penetration tests") can offer a baseline for information security policies and practices, industry professionals say. With networked systems under attack from every direction - the Internet, modems and even disgruntled employees - the need for such services is on the rise. By 2003, the security consulting services market will likely reach $14.83 billion, according to market research firm International Data Corp. Venture-funded e-business start-ups such as Para-Protect's client are especially vulnerable to attack. Because of the intense pressure to get to market quickly, these start-ups are often building their infrastructures too fast to give security the thought it deserves, information security practitioners say. "We have worked with companies that don't have a firewall. Most often, they are small start-ups that just got their venture money and have hired 50 people. Then they get hacked, and they realize they're suddenly more of a target than they used to be," says Ian Poynter, founding president of security consulting firm Jerboa in Cambridge, Mass. In our case, the e-business start-up's only line of defense is a Cisco 8000 router. If the router can deflect our probes, the company can use the supporting documentation from our report to show its customers that its public-key infrastructure (PKI)-based application is secure. But the folks at Para-Protect are skeptical. "We disagree that the company doesn't need a firewall. You don't protect your perimeter using just a router even if they are smarter [than they used to be]. Firewalls offer more filtering methods, and you need multitier security levels," says Robert Perholtz, enterprise account manager at Para-Protect. The battle lines drawn, the attack begins.08:00The bargain-basement desks and folding tables are a dead giveaway that Para-Protect's second-floor lab has been tossed together in a hurry. A fidgety Bob is already on his second Pepsi of the day. With his dark brown hair slung back in a long, messy ponytail and his beard growing to his waist, Bob fits the physical profile of the stereotypical subversive hacker. But don't let his looks fool you. Bob is a former U.S. Army sergeant and computer analyst for the Army, the Pentagon, and the Defense-Wide Information Systems Agency, which supports all of the U.S. Department of Defense. His last assignment was with the Defense Department's Computer Emergency Response Team (CERT). To hear Perholtz tell it, hacker Bob got out of the Defense Department and hasn't cut his hair or beard since. Bob tells me that the first order of business is to learn more about our target. We start by paying a visit to the victim's Web page, replete with information about its ethics, partners and history. "During discovery, we're looking for partner affiliates to find corporate links to the network," Perholtz says. "Often, fringe organizations aren't as secure as the main network." We find nothing that stands out. So we go to the InterNIC and ARIN registrars (services that assign and record domain information) and key in a "whois" command. It spits out the domain name of our client and verifies the IP addresses we're about to attack. Not only do these services give us the IP addresses of the target's three servers, they also give away other strategic information, such as company nicknames, and even the names and phone numbers of those administering the machines. With the information provided by these services, we can get an overall picture of our target's network configuration, Bob says. At this point, we're only looking to verify the domain information of our intended target. It would be a real bummer if we hit the wrong victim.09:36The next step is to run traceroute against our three target IP addresses. Traceroute is a utility within Unix and Windows NT used by administrators to trace packets traveling between a source and destination. In our case, traceroute shows us that the router is blocking our packets, so we deduce that the router is doing its job. But we were able to trace outgoing traffic to a specific port number, which our victim uses to connect to its ISP, UUNET. Bob makes note of this in his log. It's time to grab some hacker tools. Although Para-Protect keeps a database full of its favorite tools, Perholtz runs a Web search on "hacker tools" to show just how available these are to anyone. Our search turns up 2,070 hits, including tools such as the Shadow Advantis Administrator tool set, which sends timed pings to a specified range of ports. The pings are slow enough and small enough to fall beneath the radar of intrusion-detection software. Hacker Bob prefers network mapping (nmap), which does much the same thing. Nmap, also available from the Web, is an IP network discovery tool developed by a hacker named Fydor. But really, it's a port scanner on steroids. In addition to finding open ports, it can change the characteristics of outgoing packets to get past the router's IP filtering list. Throughout the day, Bob will run several types of nmap scans: (For more technical detail, visit insecure.org/nmap)
12:30It's time for a break, so we head next door to the Vietnamese grill for a bite to eat. Bob's telling me how his next step would be to find vulnerabilities in the network, the operating systems and the applications running on the servers. But that's outside the scope of this job. Once discovery is completed, you'd be surprised just how easy it is to break into an NT or Unix machine. At an extreme hacking course at Ernst and Young in Houston that I attended over the summer, the class broke into NT and Unix machines with reckless abandon. For example, we started in on an NT machine by establishing a null session. Null is a Microsoft utility that allows services to communicate with one another without user passwords or identification. By logging on as null, we were able to see everything we wanted: password files, user accounts and network services that we could exploit. And none of this was logged. In null, we couldn't touch anything, but that didn't stop us from copying down user names. Then we logged back on under the user name "backup" and a guessed password "backup." At this point, we grabbed the password hashes (encoded passwords) and submitted them to l0phtcrack and John the Ripper, both of which are password-cracking tools freely available on the Web. It only took 15 minutes to crack 70% of the passwords, log on as a super user and gain root access. Then, for the final slap in the face, we hid our bag of hacker tools behind a readme.txt file on the victim's server to use again. NT passwords are the easiest to crack, according to my Ernst and Young instructor, Eric Shultz. That's because Microsoft's LAN Manager splits passwords into seven-character halves and uses a known constant to encrypt each half. Cracking tools are programmed for this and can thus decrypt the passwords very quickly. And the only way administrators can catch our bag of hacker tools hidden on the network is to set the log files to alert them when disk space changes significantly. Although we used different command lines and Unix-based tools, gaining root on Unix during the class was also pretty easy. In fact, we leapfrogged through four networked Unix machines in a game of capture the flag. We also had a little fun corrupting the DNS server to reroute traffic to a phony IP address. Then we installed Trojan horses such as Back Orifice so the machine would do our bidding and punched open back doors so we could telnet back in without the need for IDs or passwords. The Para-Protect folks do a fair amount of these kinds of full-blown attacks on a network, as well. And judging from his body language, Bob the hacker would really like to conduct further investigation into the vulnerabilities of his target. But he's fighting some internal networking problems of his own well into the day.Day 2In fact, the next morning we run fragmentation scanning against the target host. Bob finds a number of open ports vulnerable to packet fragment attacks. It would also be possible to modify an attack tool to get past the router, Bob says. Thus, Bob's report recommends the client buy a firewall. The client would also be wise to do further testing on its entire network infrastructure. Of course, any more work depends partially on the client's ability to justify the expense. But the client shouldn't count on Para-Protect's report to scare funding out of executive management. Rather, it should sell information security to management in a way that shows the added security brings value to the business, says Gregory White, chief technology officer of San Antonio, Texas-based Secure Logix, while speaking at a November Computer Security Institute conference in Washington, DC. "If you're going to try and justify expenses based on risk analysis alone, you're going to have an uphill battle," White explained. "You need to sell security as a business enabler." Related links
Radcliff is a freelance writer in northern California. She can be reached at [email protected].
Insecure.Org
Buyer's guide and review: Intrusion-detection software
Hacker alert
Network World Fusion Focus on Security
The security specialist
Defending against cyberattack
Security Alert
|
Radcliff is a freelance writer in northern California. She can be reached at [email protected].
Insecure.Org
Buyer's guide and review: Intrusion-detection software
Hacker alert
Network World Fusion Focus on Security
The security specialist
Defending against cyberattack
Security Alert
Feedback
Today's breaking news
Gates steps aside as Microsoft airs new vision
|
|
|||
Feedback |
Network World, Inc. |
Advertiser Index
Home | News | Reference | Newsletters | Forums | Opinions Copyright, 1995-1999 Network World, Inc. All rights reserved. |