How servers are cracked, by R a v e N. Session Start: Sat Jan 22 18:04:06 2000 [18:04] *** Now talking in #bsrf [18:04] *** Topic is 'Welcome to #bsrf | Our Website: http://blacksun.box.sk | Next IRC lecture: 'How Servers are Cracked' | See http://blacksun.box.sk/irc.html | Alright, I know the bot is down most of the time now, and that the channel is ultra insecure, so please don't abuse this... heh, yeah right' [18:04] *** Set by Raven on Wed Jan 19 07:22:58 [18:04] * #bsrf is being logged [18:04] okie [18:05] ready? [18:05] alright [18:05] is everyone ready? [18:05] yep [18:05] Yes sir... [18:05] yup [18:05] yup [18:05] 9 ppl overall [18:05] yeah [18:05] that good? [18:05] including me [18:05] :-) [18:05] alright [18:05] On your marks. [18:05] Get set. [18:05] Go! [18:05] okay, so today's topic is... [18:06] how servers are hacked [18:06] basically, of course [18:06] cracked [18:06] yeah, cracked [18:06] terminology... [18:06] hehe [18:06] :-) [18:06] that's what you wrote on your website ;p [18:06] :) [18:06] anyway, most of those website defacements... [18:06] dns cracks [18:06] email cracks [18:06] ftp cracks [18:06] etc' etc' [18:06] they're usually done in fairly easy and simple ways [18:06] that do not require much knowledge [18:07] they're usually done by little kids [18:07] mostly little kids in "hacking" groups [18:07] who want to show the world how smart they are [18:07] Phase I [18:07] -------- [18:07] oops... [18:07] ------- [18:07] DAMN! [18:07] lol [18:07] okay, all over again [18:07] Phase I [18:07] ------- [18:07] ahh... [18:07] that's better [18:07] any questions so far? [18:07] okay, so phase one is... [18:07] intelligence gathering [18:07] why is it so easy? [18:08] we'll get to that [18:08] because of ./i-0wn3d-u ;p [18:08] exactly [18:08] if some of u don't understand, don't worry [18:08] we'll get to that [18:08] so anyway, stage one is intelligence gathering [18:08] this is the most important stage [18:08] why? [18:08] ... [18:09] because otherwise you'll find yourself trying thousands of sunos 3.4 exploits [18:09] need to know what os [18:09] you have to know what exploits apply [18:09] while you're actually attacking an nt4.0 server [18:09] what os... [18:09] and what is the host running [18:09] *** c0c0_ has joined #bsrf [18:09] those are the two most important phases in intelligence gathering [18:09] damn i've disconnected [18:09] getting them is fairly easy [18:09] *** c0c0 has quit IRC (Ping timeout) [18:09] welcome c0c0_, we're in the middle of the lecture [18:09] *** c0c0_ is now known as c0c0 [18:09] poor soul [18:09] nmap? [18:09] :-) [18:10] that's two [18:10] nmap is too "advanced" for most script kiddies [18:10] advanced? [18:10] most people use really amateurish methods [18:10] such as reading daemon banners [18:10] (yes, it requires the "cracker" to have unix... ooh) [18:10] hehe [18:10] whats a daemon banner? [18:10] and to know how to install new software [18:10] ha [18:10] alright, i'll show u [18:10] oo me oo me! [18:10] everyone, do telnet mailgw.netvision.net.il [18:10] this is my isp's smtp server [18:11] smtp = simple mail transfer protocol [18:11] but daemon banner is trivial to be spoofed [18:11] for outgoing mail [18:11] yes, of course [18:11] first, let's explain to those who don't know what daemon banners are [18:11] what do u get when u telnet to mailgw.netvision.net.il? [18:11] oh, i think i know what you mean [18:11] Trying 194.90.1.14... [18:11] "could not connect" [18:11] :-) [18:11] telnet: connect to address 194.90.1.14: Connection refused [18:11] telnet: Unable to connect to remote host: Connection refused [18:11] oops [18:11] *** SnIpEr_WoLf_ has left #bsrf [18:11] telnet mailgw.netvision.net.il 25 [18:11] *** SnIpEr_WoLf_ has joined #bsrf [18:11] telnet mailgw.netvision.net.il 25 [18:12] port 25, this is important [18:12] smtp runs on port 25 [18:12] yea [18:12] I'm on... [18:12] we get like sendmail version etc... [18:12] running sendmail [18:12] 8.9.3 sendmail [18:12] yup [18:12] 220 alpha.netvision.net.il ESMTP Sendmail 8.9.3/8.8.6; Sat, 22 Jan 2000 19:14:41 +0200 (IST) [18:12] a linux/unix? [18:12] this is what u get [18:12] *** Sniper_wolf__ has joined #bsrf [18:12] this is a daemon banner [18:13] hmmmm, oki [18:13] btw check blacksun.box.sk/ports.txt for a list of standard ports [18:13] now, what does it tell us? [18:13] ooh, sendmail [18:13] the dumbest daemon ever [18:13] it just gave us the version of the daemon that is running [18:13] it's a unix type sys [18:13] usually, in sendmail holes, the OS doesn't matter much [18:13] yup [18:13] now, suppose we're some script kiddie [18:14] so we have the version [18:14] of the daemon [18:14] now we go to, say, packetstorm.securify.com [18:14] or neworder.box.sk [18:14] and we search [18:14] bugtraq [18:14] technotronic [18:14] ;p [18:14] we use keywords such as "sendmail 8.9.3" [18:14] yes, bugtraq is good too [18:14] look for a crack/bug [18:14] yup [18:14] ntbugtraq.com [18:14] now, here is what we'll find [18:14] we could find: [18:15] that's pathetic! [18:15] a) advisories [18:15] these hardly mean anything to crackers [18:15] they only explain to u how to fix the hole [18:15] and a little technical backgruond [18:15] and a little technical background [18:15] which the common script kiddie won't be interested in [18:15] b) Text [18:15] Text will detail the hole [18:15] how to exploit it [18:16] and a workaround, if any [18:16] c) an exploit [18:16] BINGO! [18:16] an exploit is a premade program [18:16] that exploits a certain hole [18:16] all the cracker has to do is to compile it [18:16] (unless it's written in perl) [18:16] (or another interpreted programming language) [18:16] bash [18:16] ('cause they run in the form of source code) [18:16] So crackers are usally lazy punks... [18:16] yes, or a shell script [18:16] although u'll hardly ever found exploits in the form of shell scripts [18:16] pamslam.sh [18:16] heheh ;p [18:17] sniperwolf missed everything from phase one 'till "the dumbest daemon ever" [18:17] redhat and mandrake rooter [18:17] can anyone plz help him? [18:17] i'm kinda busy here with the lecture and everything [18:17] :-) [18:17] other daemons a cracker might want to look at: [18:17] ftp [18:17] by logging into ftp servers [18:17] when logging into ftp servers [18:17] u usually get technical information about the system [18:18] u could also try to issue the syst command [18:18] which will also give away some information [18:18] webservers [18:18] if u issue a bad url request [18:18] it'll give u some info [18:18] for example: try surfing to http://blacksun.box.sk/some-dead-link.html [18:18] like they are usun apache [18:18] it'll give u an error msg [18:18] and the name and version of the webserver program [18:18] fairly easy [18:18] all u need is a browser [18:19] crackers can also utilize newsgroups daemons [18:19] how bout pop mail? [18:19] and others [18:19] pop mail too [18:19] Apache 1.3.6 port 80 [18:19] pop3 usually reveals information [18:19] ftp port 21 [18:19] news port... [18:19] 119, i think [18:19] pop is... [18:19] telnet [18:19] uhh, damn [18:19] 110 = pop [18:19] 110 [18:19] yeah [18:19] telnet too [18:19] telnet to port 23 [18:19] yep 119 if it is not a secure connection [18:19] go ahead and telnet to blacksun.box.sk on port 23 [18:19] u'll get some info on the system [18:20] but what if we change this information? [18:20] *** Sniper_wolf__ has quit IRC (IL.Quit: I was using Ghost_Rider Script version 2.0) [18:20] most of today's server programs let u do it [18:20] most admins do it. [18:20] redhat linux 5.2 --- you learn the os [18:20] Kernel 2.0.36 on an i586 [18:20] and the system [18:20] so suppose we've changed the daemon banner [18:20] Red Hat Linux release 1.2 (Apollo) [18:20] but what if... [18:20] ... [18:20] we're dealing with a smarter script kiddie? [18:21] (ph33r) [18:21] they exist? [18:21] yeah [18:21] :) [18:21] there are some [18:21] nmap! [18:21] yes, unfortunately ;p [18:21] yup [18:21] www.insecure.org [18:21] download nmap [18:21] queso may be? [18:21] how does nmap work? [18:21] winfingerptint.exe [18:21] queso too [18:21] winfingerprint too [18:21] winfingerprint is for windows [18:21] the others are for unix [18:21] get them all at packetstorm.securify.com [18:21] windows nt [18:21] how do they work? [18:21] pretty simple [18:21] each OS has what we call tcp/ip fingerprints [18:21] why? [18:22] it trys all these same techniques don't it? [18:22] because each os implements tcp/ip in a different way [18:22] kinda [18:22] yeah [18:22] basically, nmap and the others are just port scanners [18:22] ya now I remember [18:22] but they do more [18:22] they can detect these fingerprints [18:22] and give definitive information [18:22] this irc server gives a lot if advertising msgs.. [18:22] the win tcp/ip stack is easy to detect [18:22] yes, it's the easiest [18:22] windows is the easiest to detect [18:23] detecting the difference between two similar unix distributions is harder [18:23] detecting the differences between, say, some unix and windows [18:23] or mac and windows [18:23] is fairly easy [18:23] could you spoof fingerprints? as an admin i mean [18:23] so our smart and elite script kiddie grabs his copy of nmap [18:23] how bout between linux distro or *bsd? [18:23] but nmap uses a combo of all the techniques. [18:23] technically, u can, but it takes a lot of messing around with code and stuff [18:24] and u probably won't be able to do it well [18:24] nor hide from all techniques [18:24] also, nmap does other things [18:24] it's a portscanner that can also scan through firewalls [18:24] but do your really have too hide? [18:24] more on nmap's website and nmap's man pages [18:24] (it installs a manpage) [18:24] (so u type man nmap after u install it) [18:24] (and it explains everything) [18:24] www.insecure.org/nmap [18:25] arent your lost in say ftp trafic when ftping? [18:25] well, if u reveal critical information about ur system [18:25] u might be helping a cracker [18:25] TheJoker: say again plz? [18:25] does the cracker have to worry about hiding? [18:26] yes [18:26] so the cracker would implement some techniques [18:26] wont' he/she be lost in trafic? [18:26] such as the ones described in blacksun.box.sk/anonymity.txt [18:26] generally, yes [18:26] but there are IDSs [18:26] IDS = Intrusion Detection System [18:26] dynamic IPs now days [18:26] they go over traffic [18:26] and highlight several parts in the logs [18:26] is a proxy enough to hide? [18:26] which might mean a cracking attempt [18:26] *** c0c0 has quit IRC (Ping timeout) [18:26] bouncing ur connection would usually suffice [18:27] okay, that's it. if u miss something, just wait for the logs to come out [18:27] if the proxy party cooperate w/ us ;p [18:27] or... [18:27] suppose we telnet to nether.net [18:27] and get a free shell account [18:27] and then break out [18:27] and manage to get root [18:27] (suppose we do it from a public place so they can't trace us back home) [18:27] now we have a root shell on nether.net [18:27] and we can run exploits and hack from them [18:27] http://freebooks.hypermart.net/proxy/proxiesn.htm [18:28] :-) [18:28] free proxies worldwide [18:28] nether.net is the best free shell provider [18:28] okay, so these were phase one and two [18:28] phase one - info gathering [18:28] two - searching online databases [18:28] now, suppose we're in [18:28] now comes phase three [18:28] no, not defacing the website! [18:28] or dns database [18:28] we have some other things to worry about [18:29] first we need to clean out presence from the logs [18:29] logs? [18:29] or the admin might realize he got cracked [18:29] thats what i'm doing right now [18:29] and put more effort into security [18:29] :) [18:29] :-) [18:29] this is where rootkit comes in ;p [18:29] not these logs! [18:29] hahaha [18:29] yeah, rootkits automate such processes [18:29] :p) [18:29] *** INTJ has quit IRC (No route to host) [18:29] * Chaotic_Thought grins [18:29] fun for the whole family [18:29] how does a rootkit actaully work? [18:29] so now that we've cleaned our presence from the logs [18:30] it's just an automated script [18:30] it automates some tasks for u [18:30] they only work on specific configurations [18:30] *** INTJ has joined #bsrf [18:30] of course, if we only clean the standard logs like klog (kernel logger) and syslog (system logger) [18:30] shoot, israel.net closed me [18:30] it might now be enough [18:30] don't worry, just get someone to give u the logs at the end of the lecture [18:31] okay, so if we only cleaned syslog and klog [18:31] we might have still left some trace [18:31] maybe the admin is using an external logging system? [18:31] could be... [18:31] in being rooted? [18:31] hey, when ur done with the lecture, plz send the logs to tplec@zipmail.com.br (sniper wolf) and to me (barakirs@netvision.net.il) [18:31] now, suppose we're a cracker [18:31] and we've cleaned syslog and klog [18:32] but the admin was using some external logger [18:32] WHOOPS! [18:32] we've left some presence [18:32] dead [18:32] wed be screwed.. [18:32] now, phase 4 [18:32] Do u want logs edited somewhat? [18:32] *** SnIpEr_WoLf_ has quit IRC (IL.Quit: 12Delta 3.4 15,1- 14Dark15 Il16lu15mina14tion 15- - [ http://delta.cjb.net ]) [18:32] how do you get around that? [18:32] so u need to do some research on the machine [18:32] browse around in it's directories [18:32] see what u can find [18:32] and of course, u must have a lot of experience [18:32] can one practice that? [18:32] install some log cleaners on urself [18:33] mess around with external logging programs [18:33] etc' etc' [18:33] skript kiddies dont though [18:33] rootkit [18:33] that's right [18:33] u can practice that on ur own box [18:33] script kiddies hardly ever practice [18:33] the average script kiddie would skip phases 3 and 4 [18:33] phase 3 - deleting urself from the logs [18:33] rootkit can make logging exclude our doings [18:33] phase 4 - installing a backdoor [18:33] (we'll get to that) [18:34] btw, DO NOT just delete the logs! [18:34] this will surely get the admin to notice [18:34] DUH!! [18:34] that's the dumbest thing u could possibly do [18:34] just your intries! [18:34] exactly [18:34] u can also change ur entries [18:34] and make them look like something more legitimate [18:34] of course, u have to make sure they look authentic [18:34] skript kiddies would'nt know thier entries form others would they? [18:35] yup - experience with loggers [18:35] yeah [18:35] okay, let's move on [18:35] suppose this whole process of cracking into the machine and cleaning the logs [18:35] took u... [18:35] 5 minutes... [18:35] 30 minutes... [18:35] maybe a couple of hours [18:35] a day? [18:35] ;-) [18:35] *g* [18:35] u wouldn't want to repeat that whenever u step in, would u? [18:36] this is what backdoors are for [18:36] hell no [18:36] no [18:36] ya! [18:36] the most basic one is: [18:36] useradd my-backdoor [18:36] password my-backdoor my-new-pass [18:36] we've just added a new user [18:36] passwd [18:36] oops [18:36] you would'nt use my-backdoor! [18:36] passwd my-backdoor my-new-pass [18:36] sorry [18:36] yes, of course [18:37] adduser [18:37] or useradd [18:37] haha [18:37] :-) [18:37] depends on the system [18:37] and on... [18:37] nevermind! [18:37] off-topic [18:37] hehe [18:37] it really doesn't matter [18:37] you wanna do clickings in win ;p [18:37] now we edit the passwd file [18:37] and give the new account uid 0 and gid 0 [18:37] user id 0 = root access! [18:37] access to ANYTHING [18:37] not always [18:37] group id 0 = root's group [18:38] yes, of course [18:38] but usually [18:38] u can change anything on unix boxes [18:38] SuSE has extreme restrictions, then you cant do some stuff [18:38] the admin would notice a new god mode user! [18:38] exactly! [18:38] that's why it's the most obvious backdoor [18:38] there's a program for unix that can restrict uid 0 guid 0 permissions [18:38] a new god user would fire up some alarms, now wouldn't it? [18:38] that's also true [18:38] ya! [18:39] so no smart cracker would use this method [18:39] another possible method: [18:39] taking some backdoor noone uses [18:39] and trojan it [18:39] oops, i mean daemon [18:39] taking some daemon [18:39] and trojaning it [18:39] what about cracking the passwd file? [18:39] no, we already have root access [18:39] sshd daemon is a good one [18:39] usually u won't need root's password [18:40] u'll just run an exploit and get a root shell [18:40] but after your in [18:40] another possible backdoor: [18:40] trojaning some daemon [18:40] crack it and then you'll be able to get back in [18:40] so the daemon would appear to be working just fine [18:40] and will do everything naturally [18:40] but will also allow the cracker to get a root shell [18:40] but... [18:40] what if the admin is running checksum checks? [18:41] tripwire [18:41] change them too... only problem left: time stamps [18:41] there are programs out there, such as tripwire, which check the file sizes of files [18:41] and let's the admin know when they're changed [18:41] critical files [18:41] that's true too [18:41] the file's "last changed date" would also change [18:41] sure, u can go around all of this... [18:41] but this only means more variables [18:41] more places where u can fail [18:41] or make a mistake [18:41] you could change sys time before you mod the file :p) [18:42] and reveal urself [18:42] of course, but that would be noticed [18:42] *** [S]hun has joined #bsrf [18:42] this is one of the main reasons that u need to make sure the admin is not present when u crack [18:42] using finger [18:42] if finger is available [18:42] finger @target-host.com [18:42] not much anymore. [18:42] yeah [18:42] it's hard to find an admin [18:42] that is dumb enough [18:42] to run finger! [18:43] who [18:43] suppose netvision.net.il (my isp) was running fingerd (finger daemon) [18:43] run 'who' [18:43] ppl would just be able to do finger barakirs@netvision.net.il [18:43] and get tons of information about me [18:43] yes, of course, once you're in, u can use commands such as who [18:43] you would have to be on the system to use who [18:43] ps aux [18:43] exactly [18:43] ps -aux [18:43] this will show ALL running processes [18:43] useful too [18:43] sometimes to find loggers [18:44] but the admin can change the process names of the loggers [18:44] we can send the admin xxx passwd to distract him ;p [18:44] now, here's another method [18:44] using the r services [18:44] especially rlogin [18:44] go read rlogin's man page [18:44] wait, lemme quote it [18:44] okay, nm, lemme write something of my own [18:45] rlogin is based on trust systems [18:45] for example: [18:45] suppose u require anyone who comes over to ur house to give a password [18:45] three knocks or something [18:45] some password... [18:45] but suddenly, ur best friends comes over [18:45] 4 is better [18:45] and he doesn't know the password [18:45] :-) [18:45] will u let him in? [18:45] of course u will! [18:45] no [18:45] u trust him [18:45] lol [18:45] heck no! [18:45] u wouldn't [18:45] trust systems would [18:46] they suck! [18:46] they're also good for more user-friendlyness [18:46] I don't want my ps to be friendly [18:46] send me the log please i must go [18:46] so dumb clerks won't have to type in passwords all the time [18:46] sorry pc [18:46] micro$oft? *eg* [18:46] *** squiler has quit IRC (IL.Quit: Leaving) [18:46] now, trust systems are also serious security hazards [18:47] go to blacksun.box.sk/books.html and read 'IP Spoofing Demystified' later [18:47] now, let's take rlogin for example [18:47] it was good. [18:47] suppose u put a file: [18:47] called /etc/rhosts [18:47] put a file called rhosts in /etc [18:47] which will look like this: [18:48] somehost.com someuser [18:48] the user someuser from somehost.com will be able to do: [18:48] loggers would catch it? [18:48] just a sec [18:48] he'll be able to use rlogin [18:48] to remotely login to this bx [18:48] to remotely login to this box [18:48] as ANY user [18:48] or if u put an .rhosts file in a user's home directory [18:48] he'll be able to log in as that user [18:48] ANOTHER POSSIBLE BACKDOOR! [18:48] but wait... [18:49] that's fairly noticable, isn't it? [18:49] ya [18:49] most backdoors are [18:49] so we need to put a lot of thought into it [18:49] and some luck [18:49] and make sure the admin is as dumb as possible [18:49] should you make backup back doors? [18:49] yes [18:49] always [18:49] on the other hand [18:49] more backdoors [18:49] would mean more chances [18:49] that the admin will notice something wrong [18:49] suppose u were an admin [18:50] like a stupid one to make them think that they got you? [18:50] and u would have suddenly noticed a backdoor [18:50] u would panic, right? [18:50] and put a lot more effort into security [18:50] download every scanner u can find [18:50] roam your system for backdoors and holes [18:50] perhaps [18:50] but they might find the stupid backdoor [18:50] and then go crazy [18:50] search the system [18:50] and find ur other backdoors [18:50] ya it's all luck, [18:50] but a very smart admin had setup a honeypot ;p [18:50] exactly [18:50] yup [18:50] honeypots are kewl [18:51] he would attract a cracker [18:51] and then... [18:51] KABOOM!! [18:51] <[S]hun> Whats honeypot ? [18:51] ;P) [18:51] or something... [18:51] boobie trap [18:51] a honeypot is a host or a certain situation that will attract crackers [18:51] KABOOM? the mail bomber? ;p hahaha [18:51] the admin will monitor his honeypot [18:51] see if there are any bees trapped inside [18:52] and then, once he sees something... [18:52] he would realize that he's being attacked [18:52] and maybe call the police [18:52] or Robert Frost!! [18:52] MWHAHAHAHA!! [18:52] (the poet) [18:52] nevermind, forget it [18:52] :) [18:52] private joke [18:52] sounds like a personal problem [18:52] so that was phase 4 [18:53] now, we're in [18:53] we've cleaned the logs [18:53] we have a backdoor [18:53] now we only have one thing left to do: [18:53] inflate ego in irc [18:53] utilize the box [18:53] perhaps for mailbombing someone [18:53] perhaps for installing bots on it [18:53] or flooding [18:53] vhost [18:53] or defacing the website on the box [18:53] hack another box [18:53] *** rekaerf has joined #bsrf [18:53] yup, u can also set a virtual host on this box [18:53] hey [18:54] yes, or start other attacks against other hosts from this newly cracked one [18:54] or just screw the system and kill a business [18:54] yes, that's also true [18:54] or... [18:54] corporate espionage [18:54] yummy! [18:54] if ur a corporate spy [18:54] credit card numbers ;p [18:54] u could get info and stuff [18:54] *** blu3h4z3 has joined #bsrf [18:54] or maybe acccess credit card databases [18:54] or other sensitive information [18:54] so that was phase 5 [18:55] which is... [18:55] well, the last phase [18:55] LOL [18:55] thank u all for coming over to the lecture [18:55] <[S]hun> hmm, I think I missed the first few parts [18:55] <[S]hun> where can I get the logs ? [18:55] argh, I missed the whole thing@ [18:55] it was cool [18:55] ouch [18:55] <[S]hun> on blacksun/ ? [18:55] na ni na na boo boo! [18:55] it was good yes [18:55] someone send me his logs plz [18:55] hahaha [18:55] interesting [18:55] nice job Raven [18:56] RaveN, u want logs sorta edited? [18:56] edit the personal joke!!! hahaha ;p [18:56] sorta edited? [18:56] whaddya mean? [18:56] Like, I was talking before lecture [18:56] seeker, u didn't miss any parts of the lecture, right? [18:56] no uncut and unedited [18:56] Want that out? [18:56] nm, seeker is sending me his logs [18:57] *** rekaerf has quit IRC (IL.Quit: I was using Ghost_Rider Script version 2.0) [18:57] in a whopping 0.6429k per second speed [18:57] <[S]hun> haha [18:57] # ³ Type ³ Nick ³ Percent Complete ³ K/s ³ File [18:57] ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ [18:57] 1# GET seeker ±²Û²±° °±° 94.6% 00:02 0.6395 #bsrf_20000122.log [18:57] ùíù DCC Warning: incoming file is larger than the handshake said [18:57] ùíù DCC Warning: GET: closing connection [18:57] * Seeker grins [18:57] send again plz Session Close: Sat Jan 22 18:57:32 2000