======What you don't know will hurt you====== //Larry W. Cashdollar// //Rev 1.9 10/19/2003// I. Overview The first stage to a successful network attack is the information gathering stage. The attacker will collect as much information possible on the target host in order to generate a vulnerability list. Relevant to this list will be OS type, OS version, services, service daemon versions, network topology*,network equipment, firewalls, intrusion detection sensors etc.. The purpose of this document is to outline two models of information gathering . The first model is "noisy" where the attacker uses all known resources with little reguard for what footprints* might be left on the target. The second is "stealthy". Wherein the attacker uses methods and packages designed to subvert logging facilities on the target. This approach minimizes administrator awareness and accountability. I will examine a few systems, ranging from Solaris 2.x Sparc systems to Linux/i386 architectures. I will then discuss how we can harden a system to minimize information leakage. II. Utilities and Packages The utilities we will use can can range from some common system commands to network information gathering packages like nmap. I will list a few below and give a brief description of each. In the resources section you will find sites and security indexes where search engines can dig up a myriad of network security tools. These are just a few. System Utilities. Utility Description finger Displays user information or current users logged into specified host rusers Same as finger but in more detail showmount Displays directories available for mounting via NFS. rpcinfo Makes a call to rpc server and displays information gathered. dig DNS information gathering tool. Very useful. whois internic database lookup program. snmpwalk Gather network information using the SNMP protocol. traceroute Show packet path to target host. nslookup Convert ip address to conical and visa versa mail bounce Use a bogus recipient to gain information on a target host. Tool packages Tool Description netgrep Netgrep scans an ip range for one specific port. sscan Scans multiple vulnerabilities and also uses host gathering techniques. nmap Stealth port scanner with stack fingerprinting ability and source spoofing techniques, does xmas,syn,fin and UDP scans. mscan older version of sscan, still kind of fun. NSS Narrow Security scanner its a perl script which makes it nice and portable. Searches for common vulnerabilities like msadc.pl and showcode.asp. I found it works very well. CIS Cerebrus internet scanner nessus Nessus is a security auditing program that can scan an entire class A subnet for multiple DoS attacks,exploits and mis-configurations. It runs in to parts a client and server type application is used where all scanning functions are done by the server which are controlled by the client. Nessus scans for many modern security issues such as Windows vulnerabilities and various Unix exploits. Common services. Service Description SSH Secure Shell an interactive encrypted shell session like telnet. NFS Network File System allow file systems to be exported across the network and mounted on a remote system. rlogin/rsh/rexec Remote login / Remote shell / Remote execute finger Display remote user information and current users logged in. FTP File transfer protocol, transfer binary and ASCII files between hosts. sendmail Mail delivery system between hosts. WWW World Wide Web a.k.a Hyper Text Tranport Protocol. You are looking at it now. netbios Protocol that allows MS networked machines to share resources. DNS Domain Name Service, used to resolve IP addresses to conical names and vise versa. telnet Start an interactive shell on a remote host using the TELNET protocol. QPOP Pop your email off the server to read off-line. portmap Maps sun rpc services to their respective ports (UDP) III. Information Just about any information on a target host is useful in creating a database of applicable vulnerabilities. What we are attempting to do is determine what services the target offers and if any of them can be exploited to leverage access to the system. For example knowing the version of the OS that your target host is using can help you find information on exploits or bugs specific to that OS. By limiting what services we are running and what information is available we decrease the window of opportunity for the cracker. IV. Information Gathering (Noisy) About all of the utilities mentioned above will disclose information about the target host. You can piece together parts of a targets network topology by bouncing a bad email off of the server. This can disclose whether the mail is relayed internally on another host and the type and version of software used to handle internet/exchanged mail. Using traceroute you can discover network equipment like routers and switches. Portsan will give you a list of services available on the target host. These are all common methods adopted by system crackers to gain access to their target. Their are many packages out there that automate this process of poking, gathering, logging and sorting. For example Sscan is a utility for crackers and system admins to gather information on target hosts machines also. It scans the host or network for various security problems and checks for vulnerabilities. Nessus is another package that scans a network for problems as it also checks for DoS attacks and poorly configured network equipment like routers and manageable hubs. Just grabbing banners with telnet or netcat will divulge important information on your target. All of this is fine, but what about more sinister methods of information gathering? What about using information you meant to provide being used against you? What about the stuff your logs don't catch? V. Information Gathering (Stealth) This method uses the common public ports and specially designed utilities to gather host, user and system information. When I talk about common public ports I am referring to ports that are expected to be accessed by the everyday internet user (53*, 80, 25 , 21*). These services can be queried with little or no suspicion of the administrator. Some ports have varying degrees of noticeably, for example if you do a zone transfer of the target systems dns records. This may set off alarms that suspicious activity is at hand, perhaps more so then an anonymous ftp connection depending on the site and administrators awareness. These stealth utilities like nmap are designed to take advantage of the tcp protocol in order to circumvent logging. This can also be combined with protocols that are less common like snmp. An SNMP query can yield information like OS type, uptime and machine name*. Quite a few vendors enable SNMP by default and most administrators are unaware of the dangers. More common services for example anonymous ftp can be mined for information. It is amazing what one can find dumped in /pub on some sites, password files, old sensitive emails, product information, system information and user lists. I once found a Netscape Enterprise Digital Certificate for the site I was auditing sitting in /pub waiting for its owner to pick it up*. In cases like this attacker simply downloads every readable file hoping to find something interesting. Probably the number one reason to drive system admins to place closed networks on to the internet is the desire to implement a web site. In some cases the mad dash to get a web page up shoves proper security techniques aside. The old saying don't put all of your eggs in one basket applies to security as well, anyway back to the mad dash. This usually means that the hosting company will go through great lengths to provide a myriad of information to the WWW community. This can be a bad thing however, sometimes more information is too much information. VI. Procedures This is an overview of how to use each package. For more information see the man pages or the package documentation. Package Description brscan Broadscan is very simple to use, I plan to add more options to it later. The following will search the given ip range for port 80. $ ./brscan 192.168.2.1 192.168.3.254 80 smbclient List all shares on WWW, type smbclient for more information on options and usage. $lab-1> smbclient -L WWW -I 192.168.2.3 whois $ whois whitehouse.gov@whois.arin.net traceroute $ traceroute www.freebsd.org dig $ dig maine.edu @192.168.172.123 axfr snmpwalk Use snmpwalk to query the snmp server on a remote host. This protocol is probably less commonly thought of as an information gathering tool. It is a powerful one however. $lab-1> snmpwalk 192.168.2.3 public system nss Narrow Security Scanner. hostfiles is file containing a list of ip addresses that you are scanning. ./scanner hostfiles vulnerable-log Nessus Nessus is a security auditing program that can scan an entire class A subnet for multiple DoS attacks, exploits and mis-configurations. It runs in to parts a client and server type application is used where all scanning functions are done by the server which are controlled by the client. Nessus scans for many modern security issues such as Windows vulnerabilities and various Unix exploits. The command is as follows: # ./nessusd & # ./nessus & must issue an xhost command on connecting host. rpcinfo Display information on remote procedures being offered. $ rpcinfo -p hostname showmount Display information on remote NFS mounts. $ showmount -e hostname mail bounce An attempt to gather information on a remote host by bouncing a bad email off of the server and examining the header information. $ mail -s"test" jkhshjkd@hostname.com test message please ignore . nmap This is a network mapping package that is capable of stealth scanning and OS finger printing. I will attempt to explain these concepts to those of you who are unfamiliar with them. Stealth scanning: A normal TCP connection consists of a 3 way hand shake in order to connect to the other host, this software doesn't complete that 3 way hand shake in order to hide its attempts at information gathering. OS finger printing: Mangled packets are sent in different sequences at the target host and depending on the target hosts reaction a guess is made as to what that host is running for an OS based on a table of known reactions. # ./nmap -O -sS 192.168.0.* sscan Sscan is a rewrite of mscan. They are vulerability scanning tools that are capable of scanning a large block of ip addresses searching for known vulnerabilities like, Qpop, IMAP, DNS, cgi-bin/phf etc. # ./sscan -o 192.168.3.28 VII. Locking down the house Shut down all unneeded services. Remove all unwanted packages. Web server? don't need X, GCC, Sendmail etc... Mail server? don't need apache, GNOME, GCC etc... Look through vulnerability archives like packetstorm for existing exploits. Search for your OS/Software/Services/Packages etc.. Patch accordingly. Audit your setuid binaries. find / -perm -4000 > setuid-DATESTAMP store this off-line somewhere. Install tripwire but don't rely on this alone. Watch your logs keep a close eye on the system as a whole. Mount certain partitions Read only like /usr. Under linux you can do a mount /dev/hda2 /usr remount,ro see the man page for more details. Join Email lists like CERT, CIAC,Bugtraq and lists specific to your vendors. Limit local accounts to root and a manager account. Passwords really secure passwords. Something you can pronounce so you can remember it, but with no real words. minimum of 7 characters. Rudi^b@1 -->>> Rudy Carrot bat one. Limit services, don't run tons of plugs and proxies on your firewall. It soon becomes a proxy server once you add that AOL IM Proxy, Real audio and NNTP. Use filtering either tcp wrappers or like linux and freeBSD you can use ipchains and ipfw to drop unwanted packets. try to break into your own network. BUT make sure you have permission in writing, and notify networking personnel and management. This could even cause them to secure the boxes before hand. Which will not give an accurate security assessment but at least it moved you in the right direction. Always maintain patch levels and version levels of your services, like bind and sendmail. Only allow zone transfers and queries by your network and its trusted hosts (i.e. secondary DNS). VIII. Interpretation and Sorting This section is still being completed. In this section I have examples of output from various packages and I will point out significant tid bits of information. These are actual logs of what information I was able to find on some test systems. My comments are in red. # ./nmap -sT 192.168.18.6 Starting nmap V. 2.3BETA5 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/) Interesting ports on 192.168.18.6 Port State Protocol Service 7 filtered tcp echo 19 filtered tcp chargen 25 open tcp smtp 111 open tcp sunrpc 800 open tcp mdbs_daemon 844 open tcp unknown 1030 open tcp iad1 1521 open tcp ncube-lm 2001 open tcp dc 12345 filtered tcp NetBus 12346 filtered tcp NetBus Nmap run completed -- 1 IP address (1 host up) scanned in 13 seconds Looks like a database (port 800), so why run all of these other services? If you dont need them shut them down. $> snmpwalk 192.168.18.6 public system Timeout: No Response from 192.168.18.6 No snmp daemons running. [bewhaw ~] $ rpcinfo -p 192.168.18.6 program vers proto port service 100000 3 udp 111 rpcbind 100000 2 udp 111 rpcbind 100000 3 tcp 111 rpcbind 100000 2 tcp 111 rpcbind 100024 1 udp 842 status 100024 1 tcp 844 status 100021 1 udp 2049 nlockmgr 100021 3 udp 2049 nlockmgr 100021 4 udp 2049 nlockmgr 391004 1 tcp 1025 391004 1 udp 1025 100001 1 udp 1026 rstatd 100001 2 udp 1026 rstatd 100001 3 udp 1026 rstatd 100008 1 udp 1027 walld 100002 1 udp 1028 rusersd 100011 1 udp 1029 rquotad 100012 1 udp 1030 sprayd 100026 1 udp 1031 bootparam 391011 1 tcp 1026 391002 1 tcp 1027 100083 1 tcp 1028 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 150001 1 udp 797 pcnfsd 150001 2 udp 797 pcnfsd 150001 1 tcp 800 pcnfsd 150001 2 tcp 800 pcnfsd Hmm lets check for nfs, I dont see mountd though. [brewhaw ~] lwcashd $ showmount -e 192.168.18.6 showmount: 192.168.18.6: RPC: Program not registered Nope, no exported file systems. Fix: Again shutdown all uneeded services. [muffin ~] $ telnet 192.168.18.6 25 Trying 192.168.18.6... Connected to 192.168.18.6. Escape character is '^]'. 220- mail Sendmail 950413.SGI.8.6.12/950213.SGI.AUTOCF ready at Tue, 7 Dec 1999 13:52:49 -0500 220 ESMTP spoken here vrfy root 250 Super-User expn root 250 Super-User Hmm IRIX 6.2 I'd guess as 8.6.12 is pretty old sendmail. It also is running with vrfy and expn functional they can be used to guess valid user accounts. Fix: Upgrade sendmail. Lets try another system, this time we will try to be sneaky. [pangea ]$ snmpwalk test-03 public system system.sysDescr.0 = Sun SNMP Agent, Ultra-Enterprise system.sysObjectID.0 = OID: enterprises.42.2.1.1 system.sysUpTime.0 = Timeticks: (13902714) 1 day, 14:37:07.14 system.sysContact.0 = System administrator system.sysName.0 = test-03 system.sysLocation.0 = System administrators office system.sysServices.0 = 72 #./nmap -sF 192.168.1.1 This snmp call was successful, sometimes we can discover the OS version and patch level this way. Fix: Disable snmp by removing the snmp daemon from your startup scripts. [pangea ~] lwcashd $ finger @192.168.7.21 [192.168.7.21] connect: Connection refused Hmm, finger is not running so we cant get a user list that way.. lets try another method. [pangea ~] lwcashd $ rpcinfo -p 192.168.7.21 program vers proto port service 100000 4 tcp 111 rpcbind 100000 3 tcp 111 rpcbind 100000 2 tcp 111 rpcbind 100000 4 udp 111 rpcbind 100000 3 udp 111 rpcbind 100000 2 udp 111 rpcbind 100002 1 udp 32770 rusersd 100002 2 udp 32770 rusersd 100021 1 udp 32776 nlockmgr 100021 2 udp 32776 nlockmgr 100021 3 udp 32776 nlockmgr 100021 4 udp 32776 nlockmgr 100021 1 tcp 32772 nlockmgr 100021 2 tcp 32772 nlockmgr 100021 3 tcp 32772 nlockmgr 100021 4 tcp 32772 nlockmgr 1342177279 3 tcp 35567 1342177279 1 tcp 35567 1342177280 3 tcp 36146 1342177280 1 tcp 36146 Hmm rusers is running lets see what that gives us. [pangea ~] lwcashd $ rusers -l 192.168.7.21 www 192.168.7.21:tty0 Jan 18 11:22 5:54 www 192.168.7.21:tty0 Jan 18 15:09 5:54 We now know of one login on our target www which sometimes has easy to guess passwords for web maintenance. If a service is vital to your server be sure and get information on previous bugs and patches. Getting the latest version isnt always the answer as new features might introduce new bugs its better to keep track of the latest modifications to the new version and upgrade accordingly. For example if their are no known vulnerabilies and the latest version adds more bells and whistles you might want to wait a while before upgrading. This way the software package has time to be poked and prodded by system administrators and security personnel. Enough dry reading already lets see how much information we can gather on our target with these tools. Our target is a High School web server. The box is hosted by the school off of a state edu connection. The box is actually one of my lab machines that I configured in the same exact way the server I audited was. All of the examples in this paper will be lab machines setup to depict examples as I have seen them in the wild. Nmap Scan: For usage see the tools section. [root@Diabolic nmap-2.3BETA6]# ./nmap -O -sX 192.168.15.19 Starting nmap V. 2.3BETA6 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/) Interesting ports on dt065ndb.maine.rr.com (192.168.15.19): Port State Protocol Service 23 open tcp telnet 25 open tcp smtp 80 open tcp http TCP Sequence Prediction: Class=truly random Difficulty=9999999 (Good luck!) Remote operating system guess: Linux 2.0.35-37 Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds Our target host is running a web server and telnet for remote administration. They probably feel that the server is somewhat secure because they have shutdown most of the services. The next step is to fire up a web browser and see what they have for site content. What I am looking for is any information that will get me what accounts exist on the target and whom they belong to. I find to be what I consider half of the password file HTMLized and up for display, a contact page. I don't really know if the accounts on the contact page are local or alias to a mail server internally. I assume its all local accounts as most school admins aren't ready to setup a split horizon DNS with a smart relaying sendmail configuration. The contact page is generally a list of email addresses for that site of about ten to fifteen teachers, staff and even the webmaster. I guess that the principals secretary might be a good candidate for a password guessing attack and try the following. Trying 192.168.15.19... Connected to 192.168.15.19. Escape character is '^]'. Red Hat Linux release 5.2 (Apollo) Kernel 2.0.36 on an i486 login: jsmith Password:jsmith [jsmith@dt065ndb jsmith]$ Woops, they are local accounts and poorly passworded as I suspected. As nmap revealed this is a linux box. Redhat 5.2 to be specific and trivial to locate an exploit to get root. At this stage the game is all over. With minimal information gathering, nmap scan and web mining we were able to gain access to our target. If they had mail handled elsewhere, limited local accounts to root and 1 admin user with good passwords this wouldn't have happened. (entries in hosts.allow/deny wouldn't have killed them either) More electronic dumpster diving with ftp. [pangea /tmp] $ ftp 192.168.41.29 Connected to zig.internal.net. 220 zig FTP server (UNIX(r) System V Release 4.0) ready. Name (zig.internal.net:security): anonymous 331 Guest login ok, send ident as password. Password: 230 Guest login ok, access restrictions apply. ftp> cd etc 250 CWD command successful. ftp> get passwd 200 PORT command successful. 150 ASCII data connection for passwd (192.168.12.2,33793) (523 bytes). 226 ASCII Transfer complete. local: passwd remote: passwd 538 bytes received in 0.0059 seconds (89 Kbytes/s) Ok, grabbing the password file isnt so steathly. But I want to check to see if they screwed up at all. $> tail -n1 passwd ftpadm:x:1113:1000::/home/ftpadm:/bin/csh Yes, they have screwed up this is possibly (if the passwd file is not out of date) a local user account with a vaild shell. [muffin /tmp] $ ftp 192.168.41.29 Connected to zig.internal.net. 220 zig FTP server (UNIX(r) System V Release 4.0) ready. Name (zig.internal.net:security): ftpadm 331 Password required for ftpadm. Password: (ftpadm1) 230 User ftpadm logged in. ftp> First try. Probably the second worst password you could have besides ftpadm. **Dangerous combinations** SSH and NFS, if you are exporting a home directory to the world which is a big no-no an attacker can append their identity.pub file in your authorized_keys file. This will allow them to login with their login password. You really shouldnt need to export a file system off of a system on the internet. I would move the NFS server into the internal network and share out the filesystem to a specific list of hosts or networks. Also besides clamping down on NFS add tcp wrappers to your SSH daemon, it can be run from inetd with sshd's -i option. WWW with telnet/ssh. Be sure if you list contacts and email addresses that none of them reside locally on the web server. If they do then you just gave out half of your password file. A list of contacts is a list of logins. An anonymous ftp site with write able directories and / or sensitive material. This is becomes an electronic form of dumpster diving. Old emails, software packages, sensitive files etc.. snmp and samba, snmp can be used to get the netbios/machine name. Then samba can be probed for shares. Sharing an uploadable ftp directory with a webserver. Scripts can be uploaded and executed remotely through the webserver. (PHP,ASP,PERL,SHTML etc..) **Sorting / Organization** Logs are normally kept in flat text files, this make them easy to manage and sort. Depending on how savvy you are you might want to create database or store them in comma delimited format. I organize log files using the following directory structure. Network -----> Hostname -----> nmap_output -----> showmount -e output -----> snmpwalk_output ..etc.. I suggest logging problems by network, OS, Vulnerability, hostname. 192.168.0 ------> IRIX ------> open_lp_account 192.168.0.23 192.168.0.64 192.168.0.203 This way with each directory change you get more detail. X. Resources Web. Security mailing list and announcements http://www.cert.org Massive security site, hosts bugtraq and other security forums. http://www.securityfocus.com Probably the biggest security archive out there. http://packetstorm.securify.com Underground news and information http://www.hackernews.com A searchable index of RFCs, FAQs and electronic books. http://www.faqs.org/ IBM Bookmanager Book server. http://www.s390.ibm.com:80/bookmgr-cgi/bookmgr.cmd/print?book=bk8p7001 The nessus project (free network security scanning tool ) http://www.nessus.org nmap OS detecting scanner. http://www.insecure.org Papers Holbrook. P, (1991). Site Security Handbook [Online], Available: http://www.cis.ohio-state.edu/htbin/rfc/rfc1244.html [1997, December 20]. Pethia. R, (1991). Guidelines for the Secure Operation of the Internet [Online], Available: http://www.cis.ohio-state.edu/htbin/rfc/rfc1281.html [1997, December 20]. Farmer. D and Venema. W, (No Date). Improving the security of your site by breaking into it [Online], Available:http://www.deter.com/unix/papers/improve_by_breakin.html [1998, January]. Bellovin. S. M, (1993). Packets found on an internet [Online],Available: http://www.deter.com/unix/papers/packets_found_bellovin.ps.gz [1998, January]. Bacic. E. M, (No Date). UNIX & Security [Online], Available: http://manitou.cse.dnd.ca/papers/Unix_Sec.html [1998, January]. Smith. N. P, (1997). Stack Smashing Vulnerabilities in the UNIX operating system [Online], Available: http://millcomm.com/~nate/machines/security/stack-smashing/[1998, Febuary]. Fydor, (1998) Remote OS detection via TCP/IP Stack Finger Printing [Online], Available: http://www.insecure.org/nmap/nmap-fingerprinting-article.html