Complete.Org: Mailing Lists: Archives: discussion: September 2001:
[aclug-L] FW: To stop an attacker, think like a cracker
Home

[aclug-L] FW: To stop an attacker, think like a cracker

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
To: "Aclug Discussion" <discussion@xxxxxxxxx>
Subject: [aclug-L] FW: To stop an attacker, think like a cracker
From: "Dale W Hodge" <dwh@xxxxxxxxxxxxxxxx>
Date: Tue, 18 Sep 2001 08:45:51 -0500
Reply-to: discussion@xxxxxxxxx


LINUX SECURITY --- September 18, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________

HIGHLIGHTS

* Whether they use network scanners to find vulnerabilities or they
  concentrate on stealing one of your passwords, attackers are looking
  to break into your network and you need know how they're doing it.
________________________________________________________________________________

Attacking Linux, Part 1
By Rick Moen

The movie Tron recently helped put me in the proper frame of mind for a
security discussion -- once you correct the movie's minor flaw of
depicting the wrong side as the heroes. In a nutshell, you (the system
administrator) are in the villain's role in that computerist's classic,
the Master Control Program. Your problem: How do you keep out Jeff
Bridges (the outside attacker)?

Sniff, sniff
The attacker may use specialized network-vulnerability scanners:
Nessus, the older SATAN and SAINT packages, Firewalk (which probes and
identifies a network's firewall ruleset), or proprietary scanners such
as Internet Security Systems' Internet Scanner and Axxent Technologies'
NetRecon -- as well as checking Websites on the target network for
known-exploitable CGI scripts.

Or the attacker may skip the fancy network scanners and concentrate on
stealing one of your passwords. In my experience, that is the bad guys'
usual way in and absurdly easy on most systems. If one of your users
uses Telnet or (nonanonymous) FTP, or POP3 to reach your system
remotely, the user's login name and password can be snagged with
trivial effort at any point between the two machines. Alternatively,
the malefactor may use as low-tech a means as shoulder surfing
(watching the login as it's being typed in), or a variety of social
engineering techniques. People are often astonishingly willing to give
their passwords over the telephone to a stranger with a plausible
reason for asking. Or they email passwords and other confidential data
across the open Internet, ripe for interception.1 At the minimum, the
attacker may telephone the firm to glean people's names and positions,
or get that information from the company Webpages. He may then be able
to predict valid usernames and try them with likely password
combinations.

Then there are the truly embarrassing password techniques that amount
to walking into an open, unguarded bank vault. There are still services
that ship with default remote administrative passwords, as evidenced by
Red Hat Software's recent Piranha gaffe, as well as sites reckless
enough to use null passwords, the username as the password, or the
username reversed (e.g., toor for the root account). Or the attacker
may use remote techniques to read a copy of /etc/passwd (on systems
without shadow passwords enabled). Many such past exploits have relied
on insecure CGI scripts provided by default with Web servers that are
also unnecessarily running with root authority. (The Apache Web server
most commonly used on Linux no longer ships with either of those
faults.)

Any attacker who can grab an unshadowed password file has hit the
jackpot because he can then crack your passwords in private, at his
leisure. That is done by automatically encrypting large lists of words
in various permutations and comparing the crypted versions against the
target password entries, looking for matches. The traditional tool for
that task, crack, now has a next-generation replacement, John the
Ripper, with better performance and a broader reach of target
passwords. But the real clincher is the advent of distributed password-
crackers such as mio-star, saltine-cracker, and slurpie, which can make
entire networks of machines work cooperatively on cracking your
password file via those dictionary attacks.

Mr. Insider
Why all that firepower concentrated on cracking your password files?
Because, once the attacker is on your machine, posing as a legitimate
shell user, vastly greater avenues towards total control of your
machine (root access) beckon: he can attempt that through manipulation
of any of your system's privileged programs, instead of just those
advertising remote network services. That is what I call Moen's First
Law of Security: "It's easier to break in from the inside."

If the attacker is not able to pose as a legitimate user, then his
avenues of attack are more limited but still numerous. Every month,
security advisories about new holes in network software are issued,
more often than not in the form of buffer overflows: examples of poor
input validation that permit running attacker-specified code as if it
were part of the program, abusing its authority. Some overflow-based
attacks directly open shells or other direct access mechanisms for the
attacker; others act more indirectly by yielding the contents
of /etc/passwd or /etc/shadow, creating a new account, changing the
password of an existing account, creating a custom .rhosts file, and so
on.

Next Week: Attacking Linux, Part 2


Notes

    1. In accordance with Moen's Second Law of Security: "A system can
       be only as secure as the dumbest action it permits its dumbest
       user to perform."

________________________________________________________________________________


About the author(s)
-------------------
Rick Moen is a recovering system administrator in the San Francisco Bay
Area, who served as primary Bay Area organizer for Windows Refund Day,
and has been one of the main troublemakers behind Silicon Valley Linux
User Group's Silicon Valley Tea Party, the Great Linux Revolt of '98,
and other Bay Area Linux PR events.
________________________________________________________________________________

ADDITIONAL RESOURCES

Network-vulnerability scanners:

Nessus
http://www.nessus.org/

SATAN
http://www.fish.com/~zen/satan/satan.html

SAINT
http://www.wwdsi.com/saint/

nmap
http://www.insecure.org/nmap/

Firewalk
http://www.packetfactory.net/Projects/Firewalk/

Internet Security Systems' Internet Scanner
http://www.iss.net/securing_e-business/security_products/security_assessment/int
ernet_scanner/

Axxent Technologies' NetRecon
http://www.axent.com/Axent/Public/Main?nav=Products


Dictionary attack tools:

crack
http://www.users.dircon.co.uk/~crypto/download/c50-faq.html

John the Ripper
http://www.openwall.com/john/

mio-star and saltine-cracker
http://www.packetstorm.securify.com/distributed/

slurpie
http://www.jps.net/coati/archives/slurpie.html
________________________________________________________________________________

CUSTOMER SERVICE

SUBSCRIBE/UNSUBSCRIBE:
- Go to: http://www.itworld.com/newsletters
- Click on "View my newsletters" to log in and manage your account
- To subscribe, check the box next to the newsletter
- To unsubscribe, uncheck the box next to the newsletter
- When finished, click submit

Questions? Please e-mail customer service at: mailto:support@xxxxxxxxxxx
________________________________________________________________________________


-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi


[Prev in Thread] Current Thread [Next in Thread]
  • [aclug-L] FW: To stop an attacker, think like a cracker, Dale W Hodge <=