ch09.htm (from Maximum Security, First Edition)
<P><TABLE BORDER="1"> <TR ALIGN="LEFT" rowspan="1"> <TD ALIGN="LEFT" VALIGN="TOP"><I>Resource</I></TD> <TD ALIGN="LEFT" VALIGN="TOP"><I>Location</I></TD> </TR> <TR ALIGN="LEFT" rowspan="1"> <TD ALIGN="LEFT" VALIGN="TOP">Firewalls mailing list</TD> <TD ALIGN="LEFT" VALIGN="TOP"><A HREF="mailto:Firewalls@GreatCircle.COM"><TT>Firewalls@GreatCircle.COM</TT></A></TD> </TR> <TR ALIGN="LEFT" rowspan="1"> <TD ALIGN="LEFT" VALIGN="TOP">Sneakers mailing list</TD> <TD ALIGN="LEFT" VALIGN="TOP"><A HREF="mailto:Sneakers@CS.Yale.EDU"><TT>Sneakers@CS.Yale.EDU</TT></A></TD> </TR> <TR ALIGN="LEFT" rowspan="1"> <TD ALIGN="LEFT" VALIGN="TOP">The WWW security list</TD> <TD ALIGN="LEFT" VALIGN="TOP"><A HREF="mailto:WWW-security@ns2.rutgers.edu"><TT>WWW-security@ns2.rutgers.edu</TT></A></TD> </TR> <TR ALIGN="LEFT" rowspan="1"> <TD ALIGN="LEFT" VALIGN="TOP">The NT security list</TD> <TD ALIGN="LEFT" VALIGN="TOP"><A HREF="mailto:Ntsecurity@ISS"><TT>Ntsecurity@ISS</TT></A></TD> </TR> <TR ALIGN="LEFT" rowspan="1"> <TD ALIGN="LEFT" VALIGN="TOP">Bugtraq</TD> <TD ALIGN="LEFT" VALIGN="TOP"><A HREF="mailto:BUGTRAQ@NETSPACE.ORG"><TT>BUGTRAQ@NETSPACE.ORG</TT></A></TD> </TR></TABLE></P><P>Dozens of such mailing lists now exist on the Internet (for a comprehensive list, see Appendix A, "How to Get More Information"). These lists operate almost completely free of human interaction or maintenance. List members forward their reports via e-mail, and each report is distributed to the entire list, which can be many thousands of people worldwide. In addition, such lists are usually archived at one or more sites that offer full-text search. Anyone, list member or not, can therefore search those archives for known vulnerabilities in practically every operating system in use.</P><BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>Joining a list: </B></FONT>Joining such a list is generally a simple process. Most lists require that you send an e-mail message to a special address. 
A list server at that address reads commands from the first line of the message body. The exact command varies. In some cases it is as simple as <TT>subscribe</TT>; in other cases the command takes arguments, such as the name of the list. For example, the Firewalls mailing list at <TT>GreatCircle.com</TT> requires that you send <TT>subscribe firewalls</TT> as the first line of your e-mail.</P> <P>Please note that this must be the first line of the message body, not the subject line. The message is then sent to <A HREF="mailto:majordomo@greatcircle.com"><TT>majordomo@greatcircle.com</TT></A>. The address <TT>majordomo</TT> is a very common one for processing mailing list subscription requests, because Majordomo is the list-management software that handles them. Of course, each list is different. To quickly determine the requirements for each security list, I suggest you use Eugene Spafford's Web page as a springboard. Mr. Spafford's page links to most of the well-known security mailing lists. <HR></P> <P><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Spafford's page is at <A HREF="http://www.cs.purdue.edu/homes/spaf/hotlists/csec-top.html"><B>http://www.cs.purdue.edu/homes/spaf/hotlists/csec-top.html</B></A>. From Spafford's page, you can get to instructions on how to subscribe to any of the linked lists. <HR></P></BLOCKQUOTE><P>In the beginning, however, there were no such databases. The databases did not exist largely because the knowledge did not exist. The process by which holes get discovered inherently involves the exploitation of such weaknesses. More simply put, crackers crack a machine here and a machine there. By and by, the weaknesses that were exploited in such attacks were documented (and in certain instances, eradicated by later, superior code). This process, as you might expect, took many years. 
The delay was due in part to lack of knowledge and in part to the unwillingness of many system administrators to admit their sites had been penetrated. (After all, no one wants to publicize that he implements poor security procedures.)</P><P>So the stage is set. Picture a small, middle-class community with stately homes and nicely trimmed lawns. It is near midnight. The streets are empty; most of the windows in the neighborhood are dark, their shades drawn tight. One window is brightly lit, though, and behind it is a young man of 15 years; before him is a computer (for the sake of atmosphere, let's label it an old portable CoreData).</P><P>The boy is dialing a list of telephone numbers given to him by a friend. These are known UNIX boxes sprinkled throughout a technology park a few miles away. Most of them accept a connection, and the common response is a login prompt. Each time the boy connects to such a machine, he tries a series of login names and passwords. He goes through a hundred or more before he finally obtains a login shell. What happens then is up to him.</P><P>It is hard to believe that early cracking techniques involved such laborious tasks. Depending on the operating system and the remote access software, one might have to type dozens of commands to penetrate a target. But, as much as crackers are industrious, they are also lazy. So, early on, the war dialer was developed.</P><P>A <I>war dialer</I> consists of software that dials a user-specified range of telephone numbers searching for <I>connectables</I> (machines that will allow a remote user to log in). Using these tools, a cracker can scan an entire business exchange in several hours, identifying all hosts within that range. In this way, the task of locating targets was automated.</P><P>Better yet, war dialers record the response they receive from each connect. This data is then exported to a human-readable file. 
Thus, in neatly written tables, one can tell not only which numbers connected, but also what type of connection was initiated (for example, a 2400 baud modem or a fax machine).<BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>The term <I>war dialer</I> reportedly originated from the film <I>WarGames</I>. The film's plot centered around a young man who cracked his way into American military networks. Some people believe that the film was inspired by the exploits of the now-famous cracker Kevin Mitnick, who was a teenager when he is said to have broken into a military network.<BR> <HR><HR><FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>If you want to check out a war dialer in action, I suggest getting Toneloc. It is freely available on the Internet and is probably the best war dialer ever made. It was written to run in DOS, but it also runs in Windows 95 via the command prompt (though perhaps not as smoothly as it should). It is available at <A HREF="ftp://ftp.fc.net/pub/defcon/TONELOC/tl110.zip"><B>ftp://ftp.fc.net/pub/defcon/TONELOC/tl110.zip</B></A>. <HR></BLOCKQUOTE><P>In essence, scanners operate much like war dialers with two exceptions:</P><UL> <LI>Scanners are used only on the Internet or other TCP/IP networks.<BR> <BR> <LI>Scanners are more intelligent than war dialers.</UL><P>Early scanners were probably very simplistic. I say <I>probably</I> because such programs were not released to the Internet community the way scanning tools are today (I therefore have no way of knowing what they looked like). Thus, when I write of early scanners, I mean basic programs written by system administrators for the purpose of checking their own networks. These were most likely UNIX shell scripts that attempted to connect to various ports and captured whatever the remote service sent back, as it appeared on the console or <TT>STDOUT</TT>. <TT>STDOUT</TT> refers to the output that one sees on the console or at a command prompt; in other words, it is the output of a given command. 
The <TT>STD</TT> stands for <I>standard</I> and the <TT>OUT</TT> for <I>output</I>; <TT>STDOUT</TT> is therefore the standard output of any given command. The <TT>STDOUT</TT> of a directory listing, for example, is a list of filenames (and, with the appropriate options, their sizes).<H2><FONT COLOR="#000077"><B>The Attributes of a Scanner</B></FONT></H2><P>The primary attributes of a scanner are</P><UL> <LI>The capability to find a machine or network<BR> <BR> <LI>The capability, once having found a machine, to find out what services are being run on the host<BR> <BR> <LI>The capability to test those services for known holes</UL><P>This process is not incredibly complex. At its most basic, it involves capturing the messages generated when one tries to connect to a particular service. To illustrate the process step by step, let's address these attributes one at a time.<H3><FONT COLOR="#000077"><B>Locating a Potential Target</B></FONT></H3><P>The Internet is vast. There are literally millions of potential targets in the void. The problem facing modern crackers is how to find those targets quickly and effectively. Scanners are well suited for this purpose. To demonstrate how a scanner can find a potential target, determine what services it is running, and probe for weaknesses, let's pick on Silicon Graphics (SGI) for the remainder of this section. Here, you will see how scanners are regularly employed to automate human cracking tasks.<H3><FONT COLOR="#000077"><B>A Hole Is Discovered</B></FONT></H3><P>In late 1995, Silicon Graphics (SGI) shipped a large number of WebForce models. These were extremely powerful machines, containing special software to generate media-rich WWW pages. They ran IRIX, a proprietary form of UNIX specifically designed for use with SGI graphics workstations.</P><P>Certain versions of IRIX retained a default login for the line printer. 
That is, if a user initiated a Telnet session to one of these SGI boxes and logged in as <TT>lp</TT>, no password would be required.</P><P>Typically, the cracker would be dropped to a shell prompt from which he or she could execute a limited number of commands. Most of these were standard shell commands, available to any user on the system. These did not require special privileges and performed only basic functions, such as listing directories, displaying the contents of files, and so forth. Using these commands, crackers could print the contents of the <TT>passwd</TT> file to the screen. Once they had obtained this display, they would highlight the screen, clip the contents, and paste them into a text editor on their local machine. They would save this information to a local file and subsequently crack the password hashes from the SGI system offline.<BLOCKQUOTE> <P><HR><FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>A number of automated password-cracking utilities exist. Most often, these are designed to crack the DES-based <TT>crypt(3)</TT> password hashes traditionally used on UNIX systems. I will cover these utilities in <A HREF="../ch10/ch10.htm">Chapter 10</A>, "Password Crackers." <HR></BLOCKQUOTE><P>News of this vulnerability spread quickly. Within days, the word was out: SGI WebForce machines could be attacked (and their security compromised) with little effort. For crackers, the next step was to find these machines.<H3><FONT COLOR="#000077"><B>Looking for WebForce Models</B></FONT></H3><P>To exploit this hole, crackers needed to find WebForce models. One way to do so was manually. For a time, search engines such as <TT>altavista.digital.com</TT> could be used to locate such machines en masse. This is because many of the WebForce models were administered by those with strong knowledge of graphic arts and weak knowledge of security. These administrators often failed to institute even the most basic security measures. 
As such, many of these machines retained world-readable FTP directories. These directories were therefore visible to search engines across the Internet.</P><P>The FTP directories of these SGI models contained standard, factory-default <TT>/etc/passwd</TT> files. Contained within these were the login names of system users. The majority of these login names were common to almost any distribution of UNIX. However, these <TT>passwd</TT> files also included unique login names. Specifically, they contained login names for several utilities and demo packages that shipped with the software. One of these was a login called <TT>EZSetup</TT>. Thus, a cracker needed only to issue the following search string into any well-known search engine:</P><PRE><FONT COLOR="#0066FF">EzSetup + root: lp:</FONT></PRE><P>This would return a list of WebForce models. The cracker would then take that list and attempt to crack each machine. It was a quick and dirty way to collect a handful of potential targets. However, that trend didn't last long (about a month or so). Advisories were posted to the Net, explaining that world-readable directories were responsible for the compromise of SGI security. So crackers turned elsewhere.</P><P>Some used the InterNIC database to find such machines (the WHOIS service). The WHOIS service, housed at <TT>internic.net</TT>, is a database of registered domain names and networks, together with the contact details of their owners. One can query this database (to find out the network numbers or the owner's address of a given host) by issuing a <TT>whois</TT> command at a UNIX command prompt. 
The command takes the name to look up as its argument, for example <TT>whois mci.net</TT>. For those who do not use UNIX, one can either Telnet directly to InterNIC (<TT>internic.net</TT>) or use one of the utilities described later in this chapter.</P><P>Many hosts included words within their registered names that suggested at least a fleeting probability that they owned an SGI, such as</P><UL> <LI><TT>Graphics</TT> <LI><TT>Art</TT> <LI><TT>Indy</TT> <LI><TT>Indigo</TT></UL><P>The terms <TT>Indy</TT> and <TT>Indigo</TT> commonly appear either on the Web site or in the directory structure of an SGI workstation, because Indigo and Indy are the names of SGI workstation models.</P><P>Some InterNIC entries also include the operating system type being run on the host. Thus, a search for the string <TT>IRIX</TT> could reveal a few machines. However, these methods were unreliable. For example, many versions of IRIX did not suffer from the lp bug (neither did every WebForce model). So, instead, many crackers employed scanners.<H3><FONT COLOR="#000077"><B>Using Scanners to Uncover WebForce Models</B></FONT></H3>
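<P>As an added illustration (example code written for this edit, not part of the original chapter and not SGI software), the following Python program implements the three scanner attributes listed earlier against a local test listener: it finds which ports on a host answer, captures whatever each service writes back on connect, and matches those banners against a signature table. The banners and the signature table are constructed for the demonstration and are not the real greetings of any IRIX service; Python stands in for the shell scripts the text describes, and the whole thing runs on 127.0.0.1 with no network access.</P>

```python
"""Added example: a minimal TCP banner-grabbing scanner against a local listener."""
import socket
import threading
from dataclasses import dataclass, field

# Constructed sample banners for the local test listener. Illustrative only,
# NOT the real greetings of any SGI/IRIX or other service.
SAMPLE_BANNERS = {
    "telnet": b"\r\nIRIX System V.4 (webforce)\r\n\r\nlogin: ",
    "ftp": b"220 webforce FTP server ready.\r\n",
    "silent": b"",  # open port whose service says nothing until the client speaks
}

# Hypothetical signature table: banner substring -> what to check next.
# The note restates the passwordless lp login described in the text.
KNOWN_HOLES = {
    b"IRIX": "IRIX banner: check whether lp accepts a Telnet login with no password",
}


@dataclass
class ScanResult:
    port: int
    banner: bytes
    notes: list = field(default_factory=list)


def _serve_banner(listener, banner):
    """Accept connections, send the banner, close. Exits once the listener is closed."""
    listener.settimeout(0.2)
    while True:
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        except OSError:  # listener closed by run_demo()
            return
        with conn:
            try:
                conn.sendall(banner)
            except OSError:
                pass


def start_test_services(banners):
    """Bind each sample banner to an ephemeral loopback port.
    Returns ({name: port}, [listening sockets]); close the sockets to stop."""
    ports, listeners = {}, []
    for name, banner in banners.items():
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))
        s.listen(5)
        threading.Thread(target=_serve_banner, args=(s, banner), daemon=True).start()
        ports[name] = s.getsockname()[1]
        listeners.append(s)
    return ports, listeners


def grab_banner(host, port, timeout=1.0):
    """Connect and return what the service sends first.
    b'' means open but silent (the service waits for the client, or closed
    without speaking); None means the port is closed or unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(1024)
            except socket.timeout:
                return b""
    except OSError:
        return None


def scan(host, ports, signatures=KNOWN_HOLES):
    """Probe each port; one ScanResult per open port, annotated with matching holes."""
    results = []
    for port in ports:
        banner = grab_banner(host, port)
        if banner is None:
            continue
        result = ScanResult(port, banner)
        for needle, note in signatures.items():
            if needle in banner:
                result.notes.append(note)
        results.append(result)
    return results


def run_demo():
    """Start the test services, scan them plus one known-closed port, return the findings."""
    ports, listeners = start_test_services(SAMPLE_BANNERS)
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))  # ask the OS for a free port, then release it
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        results = scan("127.0.0.1", sorted(list(ports.values()) + [closed_port]))
    finally:
        for s in listeners:
            s.close()
    return {"ports": ports, "closed_port": closed_port, "results": results}


if __name__ == "__main__":
    demo = run_demo()
    # Human-readable table, in the spirit of a war dialer's report file.
    print(f"{'port':>6}  {'banner':<45}  notes")
    for r in demo["results"]:
        print(f"{r.port:>6}  {r.banner.strip()[:45]!r:<45}  {'; '.join(r.notes) or '-'}")
    print(f"closed port {demo['closed_port']} produced no entry")
```

<P>The distinction <TT>grab_banner</TT> draws between <TT>None</TT> (closed) and <TT>b''</TT> (open but silent) is the one a naive script misses: a service such as HTTP says nothing until the client sends a request, so a scanner that only reads unsolicited output under-reports open ports. A banner match is a lead, not a finding; as the text itself notes, not every IRIX version or WebForce model had the lp hole.</P>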