ch16.htm

Maximum Security (First Edition) 网络安全 英文版

<I>A directory gets hidden on the disk.</I>


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>Hidden files are generally created
	using the <TT>attrib</TT> command or by the key-capture utility itself (in other
	words, the programmer has included this feature in the software). 
<HR>


</BLOCKQUOTE>

<P>A number of key-capture utilities (or keystroke recorders) are available for DOS,
including the following.
<H4><FONT COLOR="#000077"><B>Keycopy</B></FONT></H4>
<P>Keycopy was reportedly released for the first time in 1990, but current distributions
report a date of 1993. The program was authored by Christopher E. BoVee. Keycopy
is capable of capturing 200 keystrokes at a time and not just from a prompt. It also
captures keystrokes executed in WordPerfect, MultiMate, and reportedly, Norton Editor.
The program also sports a nice collection of command-line options that assist in
setting the directory, the outfile, and other key elements. The author provides a
series of keystrokes commands that can be used to kill, pause, or otherwise alter
the behavior of the program. Using this program, crackers can capture login IDs,
passwords, and other data. It is located here:

<UL>
	<LI><A HREF="http://www.ais.org/~paxton/archive/keycopy.zip"><TT>http://www.ais.org/~paxton/archive/keycopy.zip</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Playback 1.9</B></FONT></H4>
<P>This product was released sometime in 1992. Its author apparently had no intention
of it being used as a cracking utility. Rather, it was to be used for the automation
of tedious and repetitive personal tasks. Playback records all the keystrokes of
a task and later plays them back. Some users may remember communication packages
that performed the same function. One of them was Qmodem. It would record keystrokes
of logins to BBS machines or other remote servers. This became a script that could
later be executed. Coupled with an old utility called <TT>tm</TT> that timed processes
for execution, one could run entire download sessions automatically without ever
being there.</P>
<P>One of the more extraordinary features of Playback is the way it handles the timing
of keystrokes. Everything is based on exactly the same tempo of the keystrokes recorded.
Say, for example, that the session recorded a login procedure. Many login procedures
require a waiting period between the moment the user enters his login ID and the
point at which he enters his password (this waiting period sometimes relates to a
buffer issue and sometimes simply involves a slow file server). In any event, Playback
plays back the keystrokes <I>precisely</I> as they are recorded. Therefore, it is
a suitable tool for simulating a real session with some remote or even local login
program. Based on these amenities, Playback became a favorite among crackers. It
is located here:

<UL>
	<LI><A HREF="http://www.plazma.net/users/weiner/PB19C.ZIP"><TT>http://www.plazma.net/users/weiner/PB19C.ZIP</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Phantom 2</B></FONT></H4>
<P>Phantom 2 is a tool similar to Playback, but far more comprehensive. One major
distinction between the two is that Phantom will record your keystrokes no matter
what program is running. Moreover, this program provides a control panel from which
to operate. This panel allows the user to set a multitude of options. It can record
keystrokes as well as sounds and tones. Few DOS-based keystroke recorders are as
elaborate. Much like Playback, Phantom plays back keystrokes precisely as they are
recorded. It is located here:

<UL>
	<LI><A HREF="http://www.ilf.net/~toast/files/keycopy/phantom2.zip"><TT>http://www.ilf.net/~toast/files/keycopy/phantom2.zip</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>DosLog 2</B></FONT></H4>
<P>DosLog 2 is a standard key-capture utility that captures all activity at the console.
The author reportedly wrote it because his younger brother failed to heed warnings
about using certain programs. Using this utility is a good way to monitor your employees
(or a good way for them to monitor you!). It is located here:

<UL>
	<LI><A HREF="ftp://uiarchive.cso.uiuc.edu/pub/systems/pc/simtelnet/msdos/security/dos-log2.zip"><TT>ftp://uiarchive.cso.uiuc.edu/pub/systems/pc/simtelnet/msdos/security/dos-log2.zip</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Keytrap</B></FONT></H4>
<P>Keytrap is an interesting utility that allows for user-specified time frames in
regard to when it will do its work. (This is expressed in terms of minutes. Because
you cannot exceed the number of minutes in a day, the outfile must be cleared and
you must start again at the beginning of each business day. If you fail to clear
out the file, it will be overwritten with a new one.) Otherwise, Keytrap is a standard
key-capture utility with a bit less functionality than its counterparts. It is located
here:

<UL>
	<LI><A HREF="http://www.ilf.net/~toast/files/keycopy/keytrap1.zip"><TT>http://www.ilf.net/~toast/files/keycopy/keytrap1.zip</TT></A>
</UL>

<P>The main drawback of key-capture utilities is that the outfiles, though hidden,
must be removed at some point. Some of the previously listed key-capture utilities
will not write a file larger than X number of bytes. Therefore, the cracker must
retrieve his bounty and start again. Nevertheless, these tools are standard in the
average cracker's toolbox. They are old utilities, but exceedingly useful if one
needs to crack a network that harbors at least one DOS box.</P>
<P>At any rate, enough about techniques for cracking DOS. For a moment, I'd like
to concentrate on preventing crackers from cracking a DOS box. There are many tools
on the Internet designed expressly for this purpose and a majority are free for non-commercial
use.
<H4><FONT COLOR="#000077"><B>Secure 1.0</B></FONT></H4>
<P>Secure 1.0 restricts directory access. That is, it prevents any unauthorized user
from accessing a given directory. As the author is quick to point out in the documentation,
however, Secure 1.0 does not obscure the directory's existence; it merely prevents
unauthorized access to it. Unfortunately, the unregistered version only allows one
directory to be so restricted, so users must choose that directory carefully. It
is located here:

<UL>
	<LI><A HREF="http://underground.org/tools/dos/secure10.zip"><TT>http://underground.org/tools/dos/secure10.zip</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Secure File System</B></FONT></H4>
<P>This tool is not your average cheesy security tool for DOS. This is an excellent
DOS security application suite. The utility applies high-level encryption to DOS
volumes (reportedly, you can have as many as five encrypted disk volumes at one time).
What is most extraordinary about this utility is that it has enhanced stealth features
that prevent monitoring programs from collecting information about SFS's activity.</P>
<P>Clearly, the author of SFS wanted to make a serious contribution to DOS security.
Compliance with the Federal Information Processing Standard (FIPS) and several other
key standards are built into the program. Its compatibility with a host of disk-caching
and memory-management programs makes the program all the more mind boggling. Finally,
the documentation on this utility is superb. See the following:

<UL>
	<LI><A HREF="http://underground.org/tools/dos/sfs/sfs110.zip"><TT>http://underground.org/tools/dos/sfs/sfs110.zip</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Encrypt-It</B></FONT></H4>
<P>Encrypt-It amounts to DES encryption for DOS. This utility applies high-level
DES encryption to a single file or a series of them via batch processing. The program
suite also features a macro generator that accepts macros of lengths up to 1,000
keystrokes. The main amenity of this program (besides the level of encryption it
provides) is that it requires very little memory to run. It also contains a benchmarking
tool through which you can determine how well a particular file is encrypted. See
the following:

<UL>
	<LI><A HREF="http://www.sevenlocks.com/software/sca/eid200.zip"><TT>http://www.sevenlocks.com/software/sca/eid200.zip</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>LCK2</B></FONT></H4>
<P>LCK2 locks the terminal while you are away. When you leave your terminal, simply
issue the program's name at a prompt to lock the terminal. It is impervious to a
warm reboot or interrupt keystrokes (Ctrl+Alt+Delete, as well as Ctrl+Break). Reportedly,
the only way to defeat this program is to reset the entire machine. In network environments
where users are strictly forbidden to restart machines, this might be useful. See
the following:

<UL>
	<LI><A HREF="ftp://ftp.lib.sonoma.edu/pub/simtelnet/msdos/security/lck100.zip"><TT>ftp://ftp.lib.sonoma.edu/pub/simtelnet/msdos/security/lck100.zip</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Gateway2</B></FONT></H4>
<P>This is a powerful program that password-protects a system. It supports password
protection for 30 people. Some serious amenities include

<UL>
	<LI>Prevents Ctrl+Alt+Delete reboots
	<LI>Prevents F5 and F8 key routines from interrupting boot
	<LI>No local echo of passwords; instead, echo of garbage characters
	<LI>User-defined number of retries before lockout
</UL>

<P>This utility provides some excellent protection. The problem is it relies on you
changing the boot sequence in the CMOS. Thus, you disable the A: boot option (floppy
seek on boot). A cracker can override this by attacking the CMOS settings. In all
other respects, though, this is a very useful utility. Gateway2 can be found here:

<UL>
	<LI><A HREF="ftp://ftp.lib.sonoma.edu/pub/simtelnet/msdos/security/gatewy12.zip"><TT>ftp://ftp.lib.sonoma.edu/pub/simtelnet/msdos/security/gatewy12.zip</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Password Protect (PASSW204)</B></FONT></H4>
<P>Similar to Gateway2, PASSW204 relies on changing the boot sequence. This utility
loads the password routine in the <TT>config.sys</TT> file. This has some added functionality
because it is ready for network support. One very interesting feature is that you
can enable case sensitivity, which exponentially increases the strength of the passwords.
See the following:

<UL>
	<LI><A HREF="ftp://ftp.hkstar.com/pub/simtelnet/msdos/security/passw204.zip"><TT>ftp://ftp.hkstar.com/pub/simtelnet/msdos/security/passw204.zip</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Sentry</B></FONT></H4>
<P>You have to see it to believe it. For a shareware product, Sentry is quite complete,
allowing even the capability to secure individual files. It also has many features
commonly available in straight-on commercial products, including password aging and
some support for Windows. However, it, too, depends on you to change the boot sequence
in the BIOS. See the following:

<UL>
	<LI><A HREF="ftp://ftp.digital.com/pub/micro/pc/simtelnet/msdos/security/sentry57.zip"><TT>ftp://ftp.digital.com/pub/micro/pc/simtelnet/msdos/security/sentry57.zip</TT></A>
</UL>

<P>There are literally hundreds of such programs available, so I will refrain from
listing more of them. Instead, I will send you to a series of sites at which some
or all can be obtained. However, know this: MS-DOS was never meant to be a secure
system. If any of the workstations on your network are running pure DOS, you are
vulnerable to an inside attack. From such a machine installed on a network, a cracker
can easily grab your passwords.</P>
<P>Also be aware that many programming tools are available to circumvent your security.
Certain distributions of C++, for example, contain programs that allow MS-DOS users
to monitor system processes. These tools will also monitor network activity. Such
monitoring tools are not restricted to programming applications, either.</P>
<P>One such application is Pcwatch. This program is designed expressly to examine
the behavior of EXE files as they execute. Using this program, a cracker can accurately
determine the elements of a program and where its vulnerabilities might lie (for
example, where disk access occurs within the program, where memory swaps are performed,
and within what address registers these events occur). It is a common utility employed
by crackers when they need to crack a DOS file and is available here:

<UL>
	<LI><A HREF="http://bauxite.apricot.co.uk/ftp/bbs/area8/pcwatch.zip"><TT>http://bauxite.apricot.co.uk/ftp/bbs/area8/pcwatch.zip</TT></A>
</UL>

<P>For specific network problems, refer to the chapter that addresses your operating
system (Novell, UNIX, AS/400, and so forth). At this stage, I want to concentrate
more on Windows-based security issues. Thus, here are some sites at which you can
acquire security tools for the DOS environment:
<H4><FONT COLOR="#000077"><B>The Simtel DOS Security Index</B></FONT></H4>
<P>The Simtel DOS Security Index page offers material about password protection,
access restriction, and boot protection. It is located here:

<UL>
	<LI><A HREF="http://www.cpdee.ufmg.br/simtel/simtel_index_security.html"><TT>http://www.cpdee.ufmg.br/simtel/simtel_index_security.html</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>The CIAC DOS Security Tools Page</B></FONT></H4>
<P>This page contains serious information about access restriction and includes one
program that protects specific cylinders on a disk. See the following:

<UL>
	<LI><A HREF="http://ciac.llnl.gov/ciac/ToolsDOSSystem.html"><TT>http://ciac.llnl.gov/ciac/ToolsDOSSystem.html</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>DOS Security Tools at </B><TT>Cypher.net</TT></FONT></H4>
<P>This page offers material about password protection, access restriction, and boot
protection. It is located here:

<UL>
	<LI><A HREF="http://www.cypher.net/tools/dossecure.html"><TT>http://www.cypher.net/tools/dossecure.html</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>The Repository at </B><TT>Oakland.edu</TT></FONT></H4>
<P>This site contains information about password protection, access restriction,
and boot protection. It is located here:

<UL>
	<LI><A HREF="http://oak.oakland.edu"><TT>http://oak.oakland.edu</TT></A>
</UL>