<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"><HTML><HEAD> <TITLE>Maximum Security -- Ch 25 -- The Remote Attack</TITLE></HEAD><BODY TEXT="#000000" BGCOLOR="#FFFFFF"><CENTER><H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR><FONT COLOR="#000077">Maximum Security: </FONT></H1></CENTER><CENTER><H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2></CENTER><CENTER><P><A HREF="../ch24/ch24.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch26/ch26.htm"><IMG SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter" BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> <HR></CENTER><CENTER><H1><FONT COLOR="#000077">25</FONT></H1></CENTER><CENTER><H1><FONT COLOR="#000077">The Remote Attack</FONT></H1></CENTER>
<P>In this chapter, I will examine the remote attack. I will define what such an attack is and demonstrate some key techniques employed. Moreover, this chapter will serve as a generalized primer for new system administrators, who may have never encountered the remote attack in real life.</P>
<P>The purpose of this chapter is to begin integrating the information that has already been offered to this point. In other words, it is time to put the pieces together.</P>
<H2><FONT COLOR="#000077"><B>What Is a Remote Attack?</B></FONT></H2>
<P>A <I>remote attack</I> is any attack that is initiated against a machine that the attacker does not currently have control over; that is, it is an attack against any machine other than the attacker's own (whether that machine is on the attacker's subnet or 10,000 miles away). The best way to define a remote machine is this:
<DL> <DD>A <I>remote machine</I> is any machine--other than the one you are now on--that can be reached through some protocol over the Internet or any other network or medium.</DL>
<H2><FONT COLOR="#000077"><B>The First Steps</B></FONT></H2>
<P>The first steps, oddly enough, do not involve much contact with the target. (That is, they won't if the cracker is smart.) The cracker's first problem (after identifying the type of network, the target machines, and so on) is to determine with whom he is dealing. Much of this information can be acquired without disturbing the target. (We will assume for now that the target does not run a firewall. Most networks do not. Not yet, anyway.) Some of this information is gathered through the following techniques:
<UL> <LI>Running a <TT>host</TT> query. Here, the cracker gathers as much information as is currently held on the target in domain servers. Such a query may produce volumes of information (remember the query on Boston University in Chapter 9, "Scanners"?) or may reveal very little. Much depends on the size and the construct of the network.<BR> <BR> For example, under optimal circumstances of examining a large and well-established target, this will map out the machines and IPs within the domain in a very comprehensive fashion. The names of these machines may give the cracker a clue as to what names are being used in NIS (if applicable). Equally, the target may turn out to be a small outfit, with only two machines; in that case, the information will naturally be sparse. It will identify the name server and the IPs of the two boxes (little more than one could get from a WHOIS query). One interesting note is that the type of operating system can often be discerned from such a query.<BR> <BR> <LI>A WHOIS query. This will identify the technical contacts. Such information may seem innocuous. It isn't. The technical contact is generally the person at least partially responsible for the day-to-day administration of the target. That person's e-mail address will have some value. (Also, between this and the <TT>host</TT> query, you can determine whether the target is a real box, a leaf node, a virtual domain hosted by another service, and so on.)<BR> <BR> <LI>Running some Usenet and Web searches. There are a number of searches the cracker might want to conduct before actually coming into contact with the target. One is to run the technical contact's name through a search engine (using a forced, case-sensitive, this-string-only conditional search). The cracker is looking to see if the administrators and technical contacts sport much traffic in Usenet. Similarly, this address (or addresses) should be run through searchable archives of all applicable security mailing lists.</UL>
<P>The techniques mentioned in this list may seem superfluous until you understand their value. Certainly, Farmer and Venema would agree on this point:
<DL> <DD>What should you do? First, try to gather information about your (target) host. There is a wealth of network services to look at: finger, showmount, and rpcinfo are good starting points. But don't stop there--you should also utilize DNS, whois, sendmail (smtp), ftp, uucp, and as many other services as you can find.</DL>
<BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The preceding paragraph is excerpted from <I>Improving the Security of Your Site by Breaking Into It</I> by Dan Farmer and Wietse Venema. It can be found online at <A HREF="http://www.craftwork.com/papers/security.html"><TT>http://www.craftwork.com/papers/security.html</TT></A>. <HR></BLOCKQUOTE>
<P>Collecting information about the system administrator is paramount. A system administrator is usually responsible for maintaining the security of a site.</P>
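<P>As an added example (not from the book), here is the defender's side of the <TT>host</TT> query described above: a small Python audit of your own zone data that reports what a stranger who pulls those records learns from them, namely the host map, any HINFO records announcing hardware and operating system, hostnames that announce a machine's role, and the administrator mailbox encoded in the SOA record. If the name server answers zone transfers (<TT>host -l</TT>) for anyone, this is exactly the file the querier receives, so restricting transfers is the first fix. The zone text, the <TT>victim.net</TT> hostnames, the <TT>walrus</TT> contact and the role-word list are constructed for this example and are assumptions, not data from the book.</P>

```python
import shlex

# Record types this small parser understands (enough for a typical zone file).
RECORD_TYPES = {"A", "AAAA", "NS", "SOA", "MX", "CNAME", "HINFO", "TXT", "PTR"}

# Hostname labels that announce a machine's role (assumption: tune this to your site).
ROLE_WORDS = {"mail", "smtp", "pop", "imap", "news", "nntp", "shell", "cgi", "www",
              "web", "ftp", "ns", "dns", "fw", "firewall", "proxy", "db", "sql", "dev"}

# Constructed sample zone; the victim.net names and the walrus contact follow the
# chapter's example and are not real data.
SAMPLE_ZONE = """\
$ORIGIN victim.net.
@           IN SOA   ns.victim.net. walrus.victim.net. ( 1 3600 900 604800 86400 )
@           IN NS    ns.victim.net.
ns          IN A     192.0.2.1
mail        IN A     192.0.2.2
mail        IN HINFO "Sun SPARCstation 5" "SunOS 4.1.3"
news        IN A     192.0.2.3
shell       IN A     192.0.2.4
shell       IN HINFO "PC" "Linux 2.0.30"
cgi         IN A     192.0.2.5
sabertooth  IN A     192.0.2.6
bengal      IN A     192.0.2.7
lynx        IN A     192.0.2.8
www         IN CNAME cgi
"""


def parse_zone(zone_text):
    """Return (owner, type, rdata_tokens) per record; directives and comments are skipped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a zone-file comment
        if not line or line.startswith("$"):
            continue
        tokens = shlex.split(line)                # shlex keeps quoted HINFO strings whole
        owner = tokens[0]
        for i, tok in enumerate(tokens[1:], start=1):
            if tok.upper() in RECORD_TYPES:
                records.append((owner, tok.upper(), tokens[i + 1:]))
                break
    return records


def role_word(owner):
    """Return the role-revealing label in a hostname, or None if it has none."""
    for label in owner.lower().replace("-", ".").split("."):
        if label in ROLE_WORDS:
            return label
    return None


def audit_zone(zone_text):
    """Summarise what the zone gives away: host map, OS disclosure, role names, admin mailbox."""
    records = parse_zone(zone_text)
    hosts = sorted({o for o, t, _ in records if t in ("A", "AAAA")})
    hinfo = [(o, r[0], r[1]) for o, t, r in records if t == "HINFO" and len(r) >= 2]
    names = sorted({o for o, _, _ in records if o != "@"})
    role_names = [(o, role_word(o)) for o in names if role_word(o)]
    soa_contact = None
    for o, t, r in records:
        if t == "SOA" and len(r) >= 2:
            # The SOA RNAME field is the admin mailbox with '@' written as '.'
            mbox = r[1].rstrip(".")
            soa_contact = mbox.replace(".", "@", 1)
    return {"hosts": hosts, "hinfo": hinfo, "role_names": role_names, "soa_contact": soa_contact}


if __name__ == "__main__":
    report = audit_zone(SAMPLE_ZONE)
    print(f"{len(report['hosts'])} addressable hosts: {', '.join(report['hosts'])}")
    print("admin mailbox from SOA:", report["soa_contact"])
    for owner, hw, os_name in report["hinfo"]:
        print(f"HINFO leaks platform: {owner} is {hw} running {os_name}")
    for owner, word in report["role_names"]:
        print(f"role-revealing name: {owner} ({word})")
```

<P>Run against the sample zone, the audit reports eight hosts, two HINFO disclosures, the mailbox <TT>walrus@victim.net</TT>, and six role-revealing names; the "theme" names (<TT>sabertooth</TT>, <TT>bengal</TT>, <TT>lynx</TT>) pass, which is the point the chapter makes about them.</P>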
<P>There are instances where the system administrator may run into problems, and many of them cannot resist the urge to post to Usenet or mailing lists for answers to those problems. By taking the time to run the administrator's address (and any variation of it, as I will explain in the next section), you may be able to gain greater insight into his network, his security, and his personality. Administrators who make such posts typically specify their architecture, a bit about their network topology, and their stated problem.</P>
<P>Even evidence of a match for that address (or lack thereof) can be enlightening. For example, if a system administrator is in a security mailing list or forum each day, disputing or discussing various security techniques and problems with fellow administrators, this is evidence of knowledge. In other words, this type of person knows security well and is therefore likely well prepared for an attack. Analyzing such a person's posts closely will tell you a bit about his stance on security and how he implements it. Conversely, if the majority of his questions are rudimentary (and he often has a difficult time grasping one or more security concepts), it might be evidence of inexperience.</P>
<P>From a completely different angle, if his address does not appear at all on such lists or in such forums, there are only a few possibilities why. One is that he is lurking through such groups. The other is that he is so bad-ass that he has no need to discuss security at all. (Basically, if he is on such lists at all, he DOES receive advisories, and that is, of course, a bad sign for the cracker, no matter what way you look at it. The cracker has to rely in large part on the administrator's lack of knowledge. Most semi-secure platforms can be relatively secure even with a minimal effort by a well-trained system administrator.)</P>
<P>In short, these searches make a quick (and painless) attempt to cull some important information about the folks at the other end of the wire.</P>
<P>You will note that I referred to "any variation" of a system administrator's address. <I>Variations</I> in this context mean any possible alternate addresses. There are two kinds of alternate addresses. The first kind is the individual's personal address. That is, many system administrators may also have addresses at or on networks other than their own. (Some administrators are actually foolish enough to include these addresses in the fields provided for address on an InterNIC record.) So, while they may not use their work address to discuss (or learn about) security, it is quite possible that they may be using their home address.</P>
<P>To demonstrate, I once cracked a network located in California. The administrator of the site had an account on AOL. The account on AOL was used in Usenet to discuss various security issues. By following this man's postings through Usenet, I was able to determine quite a bit. In fact (and this is truly extraordinary), his password, I learned, was the name of his daughter followed by the number 1.</P>
<P>The other example of a variation of an address is this: either the identical address or an address assigned to that person's same name on any machine within his network. Now, let's make this a little more clear. First, on a network that is skillfully controlled, no name is associated with root. That is because root should be used as little as possible and viewed as a system ID, not to be invoked unless absolutely necessary. (In other words, because <TT>su</TT> and perhaps other commands or devices exist that allow an administrator to do his work, root need not be directly invoked, except in a limited number of cases.)</P>
<BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Attacking a network run on Windows NT is a different matter. In those cases, you <I>are</I> looking to follow root (or rather, Administrator) on each box. The design of NT makes this a necessity, and Administrator on NT is vastly different from root on a UNIX box. <HR></BLOCKQUOTE>
<P>Because root is probably not invoked directly, the system administrator's ID could be anything. Let's presume here that you know that ID. Let's suppose it is <TT>walrus</TT>. Let us further suppose that on the <TT>host</TT> query that you conducted, there are about 150 machines. Each of those machines has a distinct name. For example, there might be <TT>mail.victim.net</TT>, <TT>news.victim.net</TT>, <TT>shell.victim.net</TT>, <TT>cgi.victim.net</TT>, and so forth. (Although, in practice, they will more likely have "theme" names that obscure what the machine actually does, like <TT>sabertooth.victim.net</TT>, <TT>bengal.victim.net</TT>, and <TT>lynx.victim.net</TT>.)</P>
<P>The cracker should try the administrator's address on each machine. Thus, he will be trying <TT>walrus@shell.victim.net</TT>, <TT>walrus@sabertooth.victim.net</TT>, and so forth. (This is what I refer to as a variation on a target administrator's address.) In other words, try this on each box on the network, as well as run all the general diagnostic stuff on each of these machines. Perhaps <TT>walrus</TT> has a particular machine that he favors, and it is from this machine that he does his posting.</P>
<P>Here's an interesting note: If the target is a provider (or other system that one can first gain legitimate access to), you can also gain an enormous amount of information about the system administrator simply by watching where he is coming in from. This, to some extent, can be done from the outside as well, with a combination of finger and rusers. In other words, you are looking to identify <I>foreign</I> networks (that is, networks other than the target) on which the system administrator has accounts. Obviously, if his last login was from Netcom, he has an account on Netcom. Follow that ID for a day or so and see what surfaces.</P>
<H2><FONT COLOR="#000077"><B>About Finger Queries</B></FONT></H2>
<P>In the previously referenced paper by Farmer and Venema (a phenomenal and revolutionary document in terms of insight), one point is missed: The use of the finger utility can be a dangerous announcement of your activities. What if, for example, the system administrator is running MasterPlan?</P>
<BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>MasterPlan is a utility I discuss in Chapter 13, "Techniques to Hide One's Identity." Its function is to trap and log all finger queries directed to the user; that is, MasterPlan will identify the IP of the party doing the fingering, the time that such fingering took place, the frequency of such fingering, and so forth. It basically attempts to gather as much information about the person fingering you as possible. Also, it is not necessary that they use MasterPlan. The system administrator might easily have written his own hacked finger daemon, one that perhaps even traces the route back to the original requesting party--or worse, fingers them in return. <HR></BLOCKQUOTE>
<P>To avoid the possibility of their finger queries raising any flags, most crackers use <I>finger gateways</I>. Finger gateways are Web pages, and they usually sport a single input field that points to a CGI program on the drive of the remote server that performs finger lookup functions. In Figure 25.1, I have provided an example of one such finger gateway.
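<P>As an added example (not from the book, and not MasterPlan itself), here is the logging side of the TIP above in Python: given finger-daemon log lines, it groups queries by source address, records the time span and the accounts asked for, and flags the two patterns the TIP describes, the same account fingered repeatedly by one source (profiling) and one source walking through many accounts (enumeration). It also marks sources that are known finger gateways, since for those the real origin is only in the gateway's Web access log, which is the paragraph that follows. The log format, the addresses, the gateway list and the thresholds are constructed for this example and are assumptions; real finger daemons log differently, if at all.</P>

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format for this example (assumption, not any real fingerd's format):
# "Mar 12 03:14:05 shell fingerd[1201]: query from 198.51.100.200 for walrus"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"fingerd\[\d+\]: query from (?P<src>\S+) for (?P<user>\S+)$"
)

# Finger gateways you already know about (constructed; documentation address range).
KNOWN_GATEWAYS = {"192.0.2.50"}

REPEAT_THRESHOLD = 3   # one source fingers the same account this often: profiling
ENUM_THRESHOLD = 4     # one source fingers this many distinct accounts: enumeration

# Constructed sample log; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 12 03:14:05 shell fingerd[1201]: query from 198.51.100.200 for walrus
Mar 12 03:16:41 shell fingerd[1207]: query from 198.51.100.7 for walrus
Mar 12 03:17:02 shell fingerd[1208]: query from 198.51.100.7 for walrus
Mar 12 03:19:55 shell fingerd[1213]: query from 198.51.100.7 for walrus
Mar 12 03:20:10 shell fingerd[1214]: query from 198.51.100.7 for walrus
Mar 12 04:01:00 shell fingerd[1300]: query from 203.0.113.9 for root
Mar 12 04:01:03 shell fingerd[1301]: query from 203.0.113.9 for walrus
Mar 12 04:01:05 shell fingerd[1302]: query from 203.0.113.9 for operator
Mar 12 04:01:08 shell fingerd[1303]: query from 203.0.113.9 for bin
Mar 12 04:01:11 shell fingerd[1304]: query from 203.0.113.9 for daemon
Mar 12 05:30:00 shell fingerd[1400]: query from 192.0.2.50 for walrus
this line is garbage and must not crash the parser
"""


def parse_log(text):
    """Return (timestamp, source, user) for every well-formed line; others are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip, never abort the review
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog style, no year
        events.append((ts, m["src"], m["user"]))
    return events


def analyze(text, gateways=KNOWN_GATEWAYS):
    """Per source: query count, accounts asked for, time span in seconds, and flags."""
    by_src = defaultdict(list)
    for ts, src, user in parse_log(text):
        by_src[src].append((ts, user))
    report = {}
    for src, items in by_src.items():
        times = sorted(ts for ts, _ in items)
        per_user = Counter(user for _, user in items)
        flags = []
        for user, n in per_user.items():
            if n >= REPEAT_THRESHOLD:
                flags.append(f"profiling:{user}x{n}")
        if len(per_user) >= ENUM_THRESHOLD:
            flags.append(f"enumeration:{len(per_user)}users")
        if src in gateways:
            flags.append("via-gateway")   # ask the gateway's admin for its access log
        report[src] = {
            "queries": len(items),
            "users": sorted(per_user),
            "span_s": int((times[-1] - times[0]).total_seconds()),
            "flags": flags,
        }
    return report


def suspicious(report):
    """Sources that raised at least one flag, sorted for the daily review."""
    return sorted(src for src, info in report.items() if info["flags"])


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for src in suspicious(rep):
        info = rep[src]
        print(f"{src}: {info['queries']} queries over {info['span_s']}s, "
              f"users={info['users']}, flags={info['flags']}")
```

<P>On the sample log the single query from <TT>198.51.100.200</TT> raises nothing, <TT>198.51.100.7</TT> is flagged for fingering <TT>walrus</TT> four times in under four minutes, <TT>203.0.113.9</TT> for walking five accounts in eleven seconds, and <TT>192.0.2.50</TT> only as a gateway whose real client is unknown from this log alone.</P>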
(This one is located at the University of Michigan Medical Center.)</P><A NAME="01"></A><P><B><A HREF="01.htm">FIGURE 25.1.</A></B> <I><BR>An example of a finger gateway at the University of Michigan.</I></P>
<P>By using a finger gateway, the cracker can obscure his source address. That is, the finger query is initiated by the remote system that hosts the finger gateway. (In other words, not the cracker's own machine but some other machine.) True, an extremely paranoid system administrator might track down the source address of that finger gateway; he might even contact the administrator of the finger gateway site to have a look at the access log there. In this way, he could identify the fingering