|Home » Learning Curve
Hacking Unix 101
An elementary outline of the task of getting root. For a thorough discussion of this topic, see Hacking Exposed by Scambray, McClure, Kurtz and Extreme Exploits by Oppleman, Friedrichs, Watson.
The Golden Rules of Hacking
First the basics: the golden rules of hacking.
- You can't break in if no one is listening.
- A successful attacker is neither caught nor found out.
And now onto the outline. Most of the work in a successful hack is preliminary. If the attack is prepared properly, most of the other pieces will, relatively speaking, 'fall into place'. Only idiots spread buckshot around - only idiots get caught.
The '123' of Hacking
It is necessary to complete three preliminary steps - three systematic phases of preparation - before beginning an attack.
- Footprinting - 'casing the joint'.
- Scanning - 'knock knock'.
- Enumeration - 'the weakest links'.
The first step in any successful intrusion is the process of fingerprinting the target - building a profile. There are many aspects to this task. Finding external domain names, network blocks, reachable IP addresses, available TCP and UDP services, access control mechanisms, user and group names, system banners, routing tables, and SNMP information; finding internal networking protocols, domain names, and network blocks; finding intrusion detection systems; finding telephone numbers - all are part of a successful footprinting.
Footprinting must include finding physical locations, related organisations, merger and acquisition news, contact names and email addresses, published privacy and security policies, and links to other servers connected with the organisation.
Those involved with footprinting should also scour available HTML source for clues, especially in comment fields. Having a good site crawler like wget can be essential.
Even Google and especially Google Groups can come in handy.
Public companies in the US will be found at 'Edgar', another rich source of information. Look especially for the 10-Q and 10-K publications, the quarterly and yearly summaries, and search for phrases and words like 'subsidiary' and 'subsequent events'. When mergers and acquisitions take place, security often lapses.
Use whois to scour the Internet for available blocks and associated networks. Always follow this up by correlating physical location. Different types of information are available; one of the most important is the ARIN database.
Once you have all the target's domains, look for incorrectly configured DNS information. Zone transfers can be especially helpful. Good tools here are dig and nslookup. Even finding the target's MX records is crucial: this can provide a clue where the target has its firewall network. Both host and traceroute are useful tools in this regard.
Ping sweeps come into play here: finding which IP adresses are 'alive'. A tool such as nmap can be indispensable if the target does not seem to respond; port scanning can also be necessary. Again nmap comes in handy: nmap is capable of performing much more sophisticated sweeps such as the so-called 'TCP ping scan' which hits servers only on port 80 - the web HTTP port. Many sites allow port 80 through their DMZs and firewalls. If a target responds to nmap's ACK packet (a packet with a better chance of getting by a firewall than many) with a RST packet, the target is alive.
ICMP queries do not only indicate if an IP address is alive. You can send a type 13 message to find the local time on the target; and you can send a type 17 message to get the target's netmask - with the netmask in your possession you can calculate all the subnets being used; and with knowledge of the subnets, you can avoid being detected by staying away from broadcast addresses.
Port scanning then determines what services are running on the target and/or are in a listening state. Common port scans include the standard TCP connect scan, the TCP SYN scan, the TCP FIN scan, the TCP Xmas Tree scan, the TCP Null scan, the TCP ACK scan, the TCP Windows scan, the TCP RPC scan, and the UDP scan.
Valuable tools in this phase of the preparations include strobe, udp_scan, netcat, and of course nmap.
Another important step is stack fingerprinting - determining the target's operating system. This is possible because there are subtle nuances in how systems implement their TCP/IP stacks. Probes used to fingerprint a stack include the FIN probe, the Bogus Flag probe, the ISN sampling, the 'don't fragment' monitor, the TCP initial window size, the ACK value, the ICMP message quench, the ICMP message quote, the ICMP message echo integrity, the TOS, the fragmentation handling, and the TCP options. All but two of these are employed by nmap which uses its continually updated signature list to identify unknown targets.
Passive stack fingerprinting involves monitoring network activity instead of actively probing the target. siphon is a tool commonly used in this context.
Automated discovery tools are also available. cheops integrates ping, traceroute, port scanning, and stack fingerprinting in one package. Another popular tool is tkined.
If steps one and two are successful and are not detected by the target, the task can now proceed with the enumeration: the process of identifying user accounts and poorly protected resource shares. As enumeration involves active connections and directed queries. The success of the previous steps is crucial to the success of the enumeration: the attack is only successful if it is not caught or found out.
Even though it is much more difficult to enumerate a Unix target than a Windows target, it is not impossible. An enumeration of a Unix target will include network resources and shares; users and groups; and applications and banners. showmount can be used to find NFS exported file systems on a network; finger used to be a good tool for finding logins, users, and groups in the 'innocent' days of the Internet; rusers and an interactive SMTP connection (EXPN, VRFY) can be tried; and getting the 'real' password file is the ultimate.
Finally, rpcinfo can be used to enumerate RPC applications.
Hacking the System
Once all the above steps are completed, the attack proceeds - the system is hacked. On Unix systems this often takes place in two phases: getting in; then getting root.
The target system is manually mapped against publicly available vulnerability information from sources such as Bugtraq, Full Disclosure, and CERT. Public exploit code posted to security mailing lists is used to determine with a high degree of accuracy where the target's real vulnerabilities lie. Finally, automated vulnerability scanning tools such as Internet Scanner, CyberCop, Nessus, and SAINT are also used.
Hacking the system will proceed either with remote or local access.
The three primary methods of compromising the remote access of a Unix system are as follows.
- Exploit a listening service such as TCP or UDP.
- Rout through a Unix system that provides security for other networks.
- Remote execution attacks such as hostile websites and trojan mail.
If there's a listening service involved; if the system performs routing; or if a user's software executed commands that jeopardised the security of the target, then the hack is possible.
Brute force password attacks are used on services such as telnet, FTP, rlogin, rsh, ssh, SNMP, POP, and HTTP(S). Popular tools in this category are brutus, brute_web, pop, middlefinger, and TeeNet.
Data driven attacks attempt to compromise software running on the target. Buffer overrun attacks and input validation attacks are common.
Ultimately a remote attacks will proceed to shell access: interactive sessions are established with either telnet, rlogin, or ssh; individual commands can be run with rsh, ssh, and rexec. So called back channels, where the target is made to initiate the session, are also used.
Common remote attack vectors include TFTP, FTP, sendmail, RPC services, NFS, the X Window System, and DNS.
The goal of the remote access attack is most often to establish local access - getting in.
Gaining local access normally is accomplished in two steps: getting in and getting root. Programs such as Crack and John the Ripper are used for automated dictionary attacks. Local buffer overrun attacks are also possible. Even symlinks can be exploited, as can file descriptors, race conditions, signal handlers, kernel flaws, and setup configurations with faulty directory and file permissions (empty files and directories, SGID files, SUID files, world-writable files, et al). Environment variable attacks such as the classic IFS attack are also used.
No attack is complete without root, and getting there is where the real work begins: root access on the target machine is the most closely guarded of its resources.
Once the intruders are on the inside, they'll begin data mining - sniffing traffic (telnet, FTP, POP, SNMP, et al) for passwords and poking at each and every configuration (system setup) weakness until they're finally able to achieve their goal.
The Inside Job
Most attacks even today can circumvent preliminary steps 1-3 and the step of gaining local access; these attacks are instigated within the corporation and have as their sole goal to 'get root' - which is another reason the root account must be well protected.
Enabling the default root account along with remote login is a sure-fire way to invite disaster: the name of the account is already known, leaving only the brute force dictionary attack.
Even with a disabled root account a system can be compromised unless it is regularly checked for configuration weaknesses, weak passwords, and file system vulnerabilities.
Hacking Exposed by Scambray, McClure, Kurtz
Extreme Exploits by Oppleman, Friedrichs, Watson