ch09.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,272 行 · 第 1/5 页

<P>Finding WebForce models using a scanner was an easy task. A range of addresses
(such as <TT>199.171.190.0</TT> to <TT>199.171.200.0</TT>) would be picked out, perhaps
randomly, perhaps not. The cracker would specify certain options. For example, the
scan didn't need to have great depth (an issue we will be discussing momentarily).
All it needed to do was check each address for a Telnet connection. For each successful
connection, the scanner would capture the resulting text. Thus, a typical entry might
look something like this:</P>
<PRE><FONT COLOR="#0066FF">Trying 199.200.0.0
Connected to 199.200.0.0
Escape Character is &quot;]&quot;

IRIX 4.1
Welcome to Graphics Town!
Login:
</FONT></PRE>
<P>The resulting information would be written to a plain text file for later viewing.</P>
<P>Talented crackers would write an ancillary program to automate the entire process.
Here are the minimum functions that such a program would require:</P>

<UL>
	<LI>Start the scan, requesting the option to test Telnet connections for the <TT>lp</TT>
	login.<BR>
	<BR>
	
	<LI>Wait until a signal indicating that the scan is completed is received.<BR>
	<BR>
	
	<LI>Access the result file, exporting only those results that show successful penetration.<BR>
	<BR>
	
	<LI>Format these results into flat-file, database format for easy management.
</UL>

<P>The scan would run for several hours, after which the cracker would retrieve a
list of compromised Indy machines. Later, perhaps at night (relative to the geographical
location of the target host), the cracker would log in and being the process of grabbing
the password files.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>If you know of an SGI machine and
	you want to view the IP address of the last person who exploited this vulnerability,
	finger <TT>lp@the.sgi.box</TT>. This author traced down a person at Texas A&amp;M
	University who was compromising machines from Los Angeles to New York using this
	technique. This young man's originating address appeared on 22 machines. (Some of
	these were of well- known institutions. While we cannot identify them here, one was
	a graphic design school in New York City. Another was a prominent gay rights organization
	in Los Angeles. To this day, these machines may well be vulnerable to such an attack.
	Alas, many SGI users are gifted graphic artists but have little background in security.
	A renowned university in Hawaii missed this hole and had an entire internal network
	torn to pieces by a cracker. He changed the root passwords and destroyed valuable
	data.) 
<HR>
<BR>
	
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>If you currently have a WebForce
	model, you can test whether it is vulnerable to this simple attack. First, Telnet
	to the machine. When confronted with a login prompt, enter the string <TT>lp</TT>
	and press Enter. If you are immediately logged into a shell, your machine is vulnerable.
	If so, this can be quickly remedied by opening the file <TT>/etc/passwd</TT> and
	inserting an asterisk between the first and second fields for the user <TT>lp</TT>.
	Thus, the leading portion of the line would look like this:</P>
	<PRE><FONT COLOR="#0066FF">lp:*:4:7:lp:/var/spool/lpd: </FONT></PRE>
	<P>instead of like this:</P>
	<PRE><FONT COLOR="#0066FF">lp::4:7:lp:/var/spool/lpd:</FONT></PRE>
	<P>The idea is to create a locked login. If you fail to do so, the problem will remain
	because the system is configured to accept a line printer login without requesting
	a password. 
<HR>


</BLOCKQUOTE>

<P>Of course, this is a very primitive example, but it illustrates how potential
targets are sometimes found with scanners. Now I want to get more specific. Momentarily,
you will examine various scanners currently available on the Internet. Before that,
however, you need to distinguish between actual scanners and network utilities that
are not scanners.
<H2><FONT COLOR="#000077"><B>Network Utilities</B></FONT></H2>
<P>Sometimes people erroneously refer to network utilities as <I>scanners</I>. It
is an easy mistake to make. In fact, there are many network utilities that perform
one or more functions that are also performed during a bona fide scan. So, the distinction
is significant only for purposes of definition.</P>
<P>Because we are focusing on scanners, I would like to take a moment to illustrate
the distinction. This will serve two purposes: First, it will more clearly define
scanners. Second, it will familiarize you with the rich mixture of network resources
available on the Internet.</P>
<P>The network utilities discussed next run on a variety of platforms. Most of them
are ported from UNIX environments. Each utility is valuable to hackers and crackers.
Surprisingly, garden-variety network utilities can tell the user quite a bit, and
these utilities tend to arouse less suspicion. In fact, many of them are totally
invisible to the target host. This is in sharp contrast to most scanners, which leave
a large footprint, or evidence of their existence, behind. In this respect, most
of these utilities are suitable for investigating a single target host. (In other
words, the majority of these utilities are not automated and require varying levels
of human interaction in their operation.)
<H3><FONT COLOR="#000077"><TT>host</TT></FONT></H3>
<P><TT>host</TT> is a UNIX-specific utility that performs essentially the same operation
as a standard <TT>nslookup</TT> inquiry. The only real difference is that <TT>host</TT>
is more comprehensive. Note, too, that various non-UNIX utilities discussed in the
following pages also perform similar or equivalent tasks.</P>
<P><TT>host</TT> ranks as one of the ten most dangerous and threatening commands
in the gamut. To demonstrate why, I pulled a <TT>host</TT> query on Boston University
(<TT>BU.EDU</TT>). The command line given was</P>
<PRE><FONT COLOR="#0066FF">host -l -v -t any bu.edu
</FONT></PRE>
<P>The output you are about to read is astonishing. A copious amount of information
is available, including data on operating systems, machines, and the network in general.
(Also, if you are deep into security, some preliminary assumptions might be made
about trust relationships.) Examine a few lines. First, let's look at the basic information:</P>
<PRE><FONT COLOR="#0066FF">Found 1 addresses for BU.EDU
Found 1 addresses for RS0.INTERNIC.NET
Found 1 addresses for SOFTWARE.BU.EDU
Found 5 addresses for RS.INTERNIC.NET
Found 1 addresses for NSEGC.BU.EDU
Trying 128.197.27.7
bu.edu    86400 IN    SOA    BU.EDU HOSTMASTER.BU.EDU(
            961112121    ;serial (version)
            900    ;refresh period
            900    ;retry refresh this often
            604800    ;expiration period
            86400    ;minimum TTL
            )
bu.edu    86400 IN    NS    SOFTWARE.BU.EDU
bu.edu    86400 IN    NS    RS.INTERNIC.NET
bu.edu    86400 IN    NS    NSEGC.BU.EDU
bu.edu    86400 IN    A    128.197.27.7
</FONT></PRE>
<P>This in itself is not damaging. It identifies a series of machines and their name
servers. Most of this information could be collected with a standard WHOIS lookup.
But what about the following lines:</P>
<PRE><FONT COLOR="#0066FF">bu.edu    86400 IN    HINFO    SUN-SPARCSTATION-10/41    UNIX
PPP-77-25.bu.edu    86400 IN    A    128.197.7.237
PPP-77-25.bu.edu    86400 IN    HINFO    PPP-HOST    PPP-SW
PPP-77-26.bu.edu    86400 IN    A    128.197.7.238
PPP-77-26.bu.edu    86400 IN    HINFO    PPP-HOST    PPP-SW
ODIE.bu.edu    86400 IN    A    128.197.10.52
ODIE.bu.edu    86400 IN    MX    10 CS.BU.EDU
ODIE.bu.edu    86400 IN    HINFO    DEC-ALPHA-3000/300LX    OSF1
</FONT></PRE>
<P>Here, we are immediately aware that a DEC Alpha running OSF/1 is available (<TT>ODIE.bu.edu</TT>).
And then:</P>
<PRE><FONT COLOR="#0066FF">STRAUSS.bu.edu    86400 IN    HINFO    PC-PENTIUM    DOS/WINDOWS
BURULLUS.bu.edu    86400 IN    HINFO    SUN-3/50    UNIX (Ouch)
GEORGETOWN.bu.edu    86400 IN    HINFO    MACINTOSH    MAC-OS
CHEEZWIZ.bu.edu    86400 IN    HINFO    SGI-INDIGO-2    UNIX
POLLUX.bu.edu    86400 IN    HINFO    SUN-4/20-SPARCSTATION-SLC    UNIX
SFA109-PC201.bu.edu    86400 IN    HINFO    PC    MS-DOS/WINDOWS
UH-PC002-CT.bu.edu    86400 IN    HINFO    PC-CLONE    MS-DOS
SOFTWARE.bu.edu    86400 IN    HINFO    SUN-SPARCSTATION-10/30    UNIX
CABMAC.bu.edu    86400 IN    HINFO    MACINTOSH    MAC-OS
VIDUAL.bu.edu    86400 IN    HINFO    SGI-INDY    IRIX
KIOSK-GB.bu.edu    86400 IN    HINFO    GATORBOX    GATORWARE
CLARINET.bu.edu    86400 IN    HINFO    VISUAL-X-19-TURBO    X-SERVER
DUNCAN.bu.edu    86400 IN    HINFO    DEC-ALPHA-3000/400    OSF1
MILHOUSE.bu.edu    86400 IN    HINFO    VAXSTATION-II/GPX    UNIX
PSY81-PC150.bu.edu    86400 IN    HINFO    PC    WINDOWS-95
BUPHYC.bu.edu    86400 IN    HINFO    VAX-4000/300    OpenVMS
</FONT></PRE>
<P>I have omitted the remaining entries for sake of brevity. The inquiry produced
a plain text file of some 70KB (over 1500 lines in all).</P>
<P>The point here is this: Anyone, with a single command-line, can gather critical
information on all machines within a domain. When crackers looks at the preceding
information, they are really seeing this:</P>

<UL>
	<LI><TT>ODIE.bu.edu</TT> is a possible target for the <TT>mount -d -s</TT> bug, where
	if two successive <TT>mount -d -s</TT> commands are sent within seconds of one another
	(and before another host has issued such a request), the request will be honored.<BR>
	<BR>
	
	<LI><TT>CHEEZEWIZ.bu.edu</TT> is a potential target for either the <TT>lp</TT> login
	bug or the Telnet bug. Or maybe, if we're on site, we can exploit the floppy mounter
	bug in <TT>/usr/etc/msdos</TT>.<BR>
	<BR>
	
	<LI><TT>POLLUX.bu.edu</TT> is an old machine. Perhaps Sun Patch-ID# 100376-01 hasn't
	been applied. Maybe they put in a fresh install of SunOS 4.1.<I>x</I> and the SPARC
	integer division is shredded.<BR>
	<BR>
	
	<LI>I see that <TT>PSY81-PC150.bu.edu</TT> is running Windows 95. I wonder whether
	the SMB protocol is running and if so, are any local directories shared out? Using
	Samba on a Linux box, perhaps I can attach one of the shared out directories from
	anywhere on the Internet simply by specifying myself as a guest.
</UL>

<P>As you can easily see, even minor information about the operating system can lead
to problems. In reality, the staff at <TT>BU.EDU</TT> has likely plugged all the
holes mentioned here. But that doesn't mean that every host has. Most haven't.</P>
<P>A <TT>host</TT> lookup takes less than three seconds, even when the network is
under heavy system load. It is quick, legal, and extremely revealing.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>CAUTION:</B></FONT><B> </B>There are various ways to protect
	against this. One way is to run a firewall. Another is to restrict queries of name
	servers to a particular set of addresses. Another is to completely disallow outside
	access to your name servers. 
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Traceroute</B></FONT></H3>
<P>Traceroute's name is quite descriptive. In short, it traces the route between
two machines. As explained in the man (manual) page:

<DL>
	<DD>Tracking the route one's packets follow (or finding the miscreant gate way that's
	discarding your packets) can be difficult. Traceroute utilizes the IP protocol `time
	to live' field and attempts to elicit an ICMP TIME_EXCEEDED response from each gateway
	along the path to some host.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Man pages are manual pages on the
	UNIX platform. These are the equivalent of help files. They can be called from a
	command prompt or from a windowed system. On a full install of UNIX, these man pages
	cover help on all commands one can issue from a prompt. They also cover most programming
	calls in C and C++. 
<HR>


</BLOCKQUOTE>

<P>This utility can be used to identify the location of a machine. Suppose, for example,
that you are trying to track down an individual who posted from a box connected to
his or her ISP via PPP. Suppose that the posting revealed nothing more than an IP
address that, when run through a WHOIS search, produces nothing (that is, the address
is not the address of a registered domain). You can find that machine by issuing
Traceroute requests. The second to last entry is generally the network from which
the activity originated. For example, examine this Traceroute trace going from a
machine in France (<TT>freenix.fr</TT>) to mine:</P>
<PRE><FONT COLOR="#0066FF"> 1  193.49.144.224 (193.49.144.224)  3 ms  2 ms  2 ms
 2  gw-ft.net.univ-angers.fr (193.49.161.1)  3 ms  3 ms  3 ms
 3  angers.or-pl.ft.net (193.55.153.41)  5 ms  5 ms  5 ms
 4  nantes1.or-pl.ft.net (193.55.153.9)  13 ms  10 ms  10 ms
 5  stamand1.renater.ft.net (192.93.43.129)  25 ms  44 ms  67 ms
 6  rbs1.renater.ft.net (192.93.43.186)  45 ms  30 ms  24 ms
 7  raspail-ip2.eurogate.net (194.206.207.18)  51 ms  50 ms  58
 8  raspail-ip.eurogate.net (194.206.207.58) 288 ms311 ms 287 ms
 9  * Reston.eurogate.net (194.206.207.5)  479 ms  469 ms
10  gsl-sl-dc-fddi.gsl.net (204.59.144.199) 486 ms 490 ms  489 ms
11  sl-dc-8-F/T.sprintlink.net (198.67.0.8)  475 ms *  479 ms
12  sl-mae-e-H2/0-T3.sprintlink.net (144.228.10.42)498 ms  478 ms