Hackers by Y2w26Z



Class 26

Javier Echaiz
D.C.I.C. – U.N.S.
Systems Security: Network Security

Network Security

"The network is the security problem"
-- paraphrasing Sun :-)

- The Modern Roadwarrior -

THE CHANGING WORLD
General Powell describes an historic meeting with Gorbachev, who was
becoming frustrated in trying to explain how the old model of the world
was unworkable. He finally leaned across the table to Secretary Shultz and
said, "You need to understand, Secretary Shultz; today I am ending the
cold war." He then turned to Powell and said, "General, you will have to
find another enemy."
The bipolar world of the last half century has become a multipolar
economy dominated by the United States, Europe and the Pacific Rim.
- Economic competition has replaced military
- Information and economic value have become
- Personal and economic interests have merged with national interests.

THE CHANGING WORLD Contd

The breakdown of the old world order has led to a rise in nationalism, old
hatreds and religious rivalries and the formation of numerous nation-states
each competing for its own viable economy and identity.
The conflict of the superpowers has given way to regional conflicts
between comparatively small ethnic and political
The foundation of both the mature and the emerging economies is based upon
access to information that will enhance a mature economy or propel a weak
one into power.
The competition then among nations is one based upon acquiring the latest
and best economic information that will give the corporation or the nation
an economic advantage.

- An Academic View -

HACKER HISTORY

- The original generation of Hackers has been said to be such personalities
  as John von Neumann, Alan Turing and Grace Hopper.
- The first use of the term "Hacker" is attributed to members of the "Tech
  Model Railroad Club" from MIT in the late 1950s.
  - This was originally a term of praise for the very best programmers and
    designers.
- Media coverage in the 1980s redefined the term to be synonymous with
  "Computer Criminal".
- The visibility and rise of Hackers is the result of four major
  1. The proliferation of computers.
  2. The dramatic rise and geographical expansion of networks.
  3. The dramatic rise in computer literacy.
  4. The dependence of organizations upon information.

PERSONAL BELIEFS

- Computers are tools for the masses. Computers should not be private
  devices for the rich.
- Information belongs to everyone. Most hackers start at the university,
  which generates and distributes knowledge.
- Coding is community property. The status of all software should be
  shareware, freeware or public domain.
- Coding is an art. A good program has a certain elegance and beauty. In
  beauty there is creativity, which is demonstrated by a program that can
  penetrate others.
- The computer lives. Most hackers have a social and personal relationship
  with their computer.

The Hacker Ethic
- Access to computers should be unlimited and total.
- Always yield to the Hands-On Imperative.
- All information should be free.
- Mistrust authority -- promote decentralization.
- Hackers should be judged by their hacking.
- You can create art and beauty on a computer.
- Computers can change your life for the better.

PERSONAL QUALITIES

- Mostly White. There seems to be a correlation between race and
- Mostly Male. Unknown why males seem to be prominent as hackers,
  although there have been examples of females serving as Hackers and
  Hacker Leaders.
- Young. Most are under 30 and concentrated around colleges and
- Bright. A good hack results from meeting a challenge which will in many
  cases require exceptionally high intelligence.
- Understanding, Prediction and Control. These three conditions seem to
  bring a sense of competence, mastery, and self-esteem.
- Computer fascination. For many of us the computer is simply a tool. For
  the hacker it is an unendingly fascinating toy - a mystery wrapped in an
  enigma to be explored and understood.
- No malice. The good hack does no damage.

Social Views on Hackers

- Misguided youths. Hackers are misguided youths and are essentially
  harmless.
  - Their intelligence and creativity should be encouraged but directed
    toward more constructive channels.
- Security specialists. Hackers know the corporate security
  - They should be hired as security specialists and their expertise
    utilized to protect the corporate vital information resources.
- Scumbags. Hackers are the scum of the earth and should be treated as
  varmints, hunted down with dogs and put away for life.
- Ordinary criminals. Hackers should be treated no differently from any
  other criminals.
  - Human nature inevitably breeds predators and it is the responsibility
    of everyone to put in place the necessary controls to protect their
    valuables.

HACKER COMMENTS
- "Hacking to me [is] to transcend custom and engage in creativity for its
  own sake..."
- "For the most part, it's simply a mission of exploration. In the words of
  the captain of the starship Enterprise, Jean-Luc Picard, 'Let's see what's
  out there!'"
- "It's like picking a lock on a cabinet to get a screwdriver to fix a radio.
  As long as you put it back, what's the harm?"
- "Although computers are part 'property' and part 'premises' ..... they are
  supreme instruments of speech..... We must continue to have absolute
  freedom of electronic speech."
- "Thousands of people legally see and use this ever-growing mountain of
  data, much of it erroneous. Whose rights are we violating when we peruse
  the file? ...The invasion took place long before the hacker ever arrived."
- "Crime gets redefined all the time. Offend enough people or institutions
  and lo and behold, someone will pass a law."
- "At the risk of sounding like some digital posse comitatus, I say: Fear
  The Government That Fears Your Computer."

HACKER DEFINITIONS

- A Hacker is someone who has achieved some level of expertise with
- A Cracker is someone who breaks into systems without permission.
- A Script Kiddie is someone who uses scripts or programs from someone else
  to do his/her cracking.
  - Other terms are leech, warez puppy, warez d00d, lamer and
- A Phreaker is a hacker who specializes in telephone systems.
- A White Hat is someone who professes to be strictly a good guy.
- A Black Hat is someone who is viewed as a bad guy.
- A Grey Hat is someone who falls in between White and Black

HACKER MOTIVATION

- Psychological Need/Recognition.
- Desire to Learn/Curiosity.
- Revenge/Maliciousness.
- Experimentation.
- Gang Mentality.
- Misguided trust in other individuals.
- Altruistic reasons.
- Self-gratification.
- Desire to Embarrass.
- Joyriding.
- Scorekeeping.
- Espionage.
- Cyber-Warrior.

TYPICAL HACKER ATTACKS
- Insider Attack.
- Social Engineering.
- Virus Infiltration.
- Denial of Service.
- Software Bug.
- Password Infiltration.
- Lack of Security Infiltration.
- IP Spoofing.
- Trojan Horse.
- Stealth Infiltration.
- Brute Force.
- TCP/IP Protocol Flaw.
- Worms and viruses.

49% are inside employees or contractors on the internal network.
17% come from dial-up from inside employees.
34% are from the Internet.
The major financial loss is internal hacking.

WHAT MAKES A TARGET?

- Lax Security (hard on the outside, soft on the inside!).
- Target of an Extremist Group, e.g., Tamil Tigers.
- Target of a Radical Group, e.g., animal rights.
- High visibility makes a good "Scorekeeper" site.
- High visibility makes a good "Embarrassment" site.
- Resources that are useful to the hacker.
- Destruction of ability to provide service to customers.
- Desire to make a statement, e.g., Free Kevin.
- You are a challenge, e.g., the Cheswick and Bellovin site.

HACKER CATEGORIES
- Semi-Professional Hacking. Performed part-time and does not provide an
  income.
  - They fit the classical hacker characteristics, i.e., they work and play
    on the edge of society, have a gang mentality, strong negative responses
    to threats against his/her self-esteem, and can have narcissistic
    personality disorders.
- Inner-City Hacking. Inner-city residents (any race, color, religion,
  creed, etc.), exhibits anger at social conditions, exhibits no social
  conscience, jail is not a deterrent.
  - Hacking gives them a sense of power and allows them to make their own
    rules.
- Eurohacking. More worldly, enlightened than US hackers and generally
  motivated by philosophical or political concerns.
  - Generally thought of as a way of life and not a crime; thinks hacking is
    treating technology without respect; thinks it's great sport to spin up
    intelligence communities.
- Professional Hacking. This encompasses any for-profit activity such as
  spies, industrial espionage, narcoterrorists, white-collar criminals, etc.

HACKER ATTACK CATEGORIES
- Personal Attacks. Attacks against an individual's electronic privacy.
  - This could take the form of exposure of TRW records, exposure of
    criminal records, changing correct to incorrect entries on your digital
    self, changing your DMV record, changing your telephone record, sending
    explicit sex material across the Internet in your
  [Instructor's note: One reporter critical of hackers was reputedly
  sentenced to "electronic death". Hackers had his telephone, gas, and
  electricity turned off, flooded him with unordered mail-order merchandise
  and posted his credit report on a public BBS.]
- Corporate Attacks. This attack primarily includes:
  - industrial espionage on the part of competing corporations (whether
    foreign or
  - economic espionage such as insider trading information, plans of the
    Federal Reserve System, and possible mergers; and
  - white-collar crime such as electronic funds transfer, bank fraud, toll
    fraud, etc.
- Information Warfare. This attack is against a country, its politics and
  its sphere of influence. This primarily includes:
  - Offensive Information Warfare against such infrastructures as Wall
    Street, the Federal Reserve System, the Internal Revenue Service, Air
    Traffic Control Systems, Manufacturing Systems, Communication Systems,
    etc.
  - Defensive Information Warfare to provide infrastructure assurance
    against attacks.

Note: These are attacks considered from an information perspective and from
a very high level.

HACKER EXAMPLES

The Cuckoo's Egg discussed four hackers, Dirk Brzesinski, Peter Carl,
Markus Hess and Karl Koch, from Hannover, Germany, who penetrated or
attempted penetration of at least 50 computers connected to MILNET.
  - These systems included the Pentagon, Lawrence Livermore Labs, the Los
    Alamos Nuclear Weapons Systems and the National Computer Security
    Center.
  - They exploited these systems by means of weaknesses in TCP/IP and the
    UNIX operating systems.
  - One of their favorite techniques was to plant Trojan Horses to steal
    authorized passwords.

The German Chaos Computer Club brought "chaos" to the National Aeronautics
and Space Administration computer systems in the late
  - They primarily planted Virus programs at the Goddard Space Flight
    Center in Greenbelt, Md.
  - They gained access through a Unix flaw that the system administrator
    had failed to patch.

HACKER EXAMPLES Contd
- Eberhard Blum, part of the Bundesnachrichtendienst (BND), is reputed to
  have instituted a program called Project Rehab, composed of computer
  scientists, designed to penetrate the communications systems of the
  Eastern Bloc.
  - This organization, since the fall of the Eastern Bloc, is reputed to
    have targeted the West.
- The Direction Générale de la Sécurité Extérieure (the French CIA) is
  reputed to target foreign businesses.
  - Their favorite US targets seem to have been IBM and TI.
  - They are reputed to search visitor rooms looking for information on
    laptops and to bug Air France flights.
  - The French are reputed to auction these industrial secrets to the
    highest corporate bidder.
- The Ministry for International Trade (MITI) is reputed to coordinate the
  industrial espionage activities of Japanese corporations.
  - These secrets are funneled through MITI, which uses the information as
    part of their national industrial policy.
- China, the former Soviet Union, France, Japan, Israel, Sweden, Switzerland
  and the UK are reputed to be the most active in national industrial

HACKER EXAMPLES Contd
- Robert Morris Jr, Cornell University, brought the Internet to its knees in
  1988 through the "Internet Worm".
  - The Worm consumed computer resources, making them unavailable to others
    and thereby either halting the computer or slowing it to a crawl. The
    worm primarily consisted of two attack programs.
    - A program designed to exploit the backdoor DEBUG command in Sendmail,
      a Finger daemon program to inundate the Finger daemon's input buffer
      and a password guessing program.
- The Legion of Doom (LoD) and the Masters of Destruction (MoD) were two of
  the major computer gangs in the late 80s and early 90s.
  - They were from Brooklyn, the Bronx and Queens.
  - They wiretapped, intercepted data transmissions, reprogrammed phone
    computer switches, stole and sold passwords, etc.
  - The LoD were convicted in 1992, apparently turned in as a result of a
    falling out with other hackers.

Selected LoD Members:
  Mark Abene (Phiber Optik)
  Julio Fernandez (Outlaw)
  John Lee (Corrupt)
  Elias Ladopoulos (Acid Phreak)
  Paul Stira (Scorpion)

Selected Known MoD Members:
  Chris Goggans (Erik Bloodaxe)
  Scott Chasin (Doc Holliday)

A Typical Hacker Attack

THE BOEING ATTACK - 1995
November 1995

1. A computer consultant noticed the system was sluggish.
   (a). He executed the top command to determine what was slowing down the
        system.
   (b). A program called vs was consuming a large amount of system resources
        and was running as superuser.
2. He next ran ps.
   (a). vs did not appear, so he suspected a break-in.
3. He executed the Emacs dired command and found the vs program in a
   directory called /var/.e/vs.
4. He next did a chdir() to the /var directory and did an ls -a command.
   (a). The directory /var/.e was not
5. The programmer used the tar command to make a copy of the /var/.e, /bin
   and /etc directories.
   (a). He copied this to another computer.
6. The programmer then shut down the system.
7. He next examined the /bin/login file and found it had been modified to
   allow logging in with a special password.
8. This seemed to be an exceptionally sophisticated attack.

[Diagram: Hacker -> (Modem Attack) -> Boeing Computer, which has Trusted
Connections to a Commercial Computer, an Education Computer and a
Government Computer]

THE BOEING ATTACK - 1995 Contd
November 1995

9. He found the /var/.e/vs was a password sniffer which passed copied
   passwords to a remote computer.
10. He found the /bin/ls and /bin/ps commands had been modified to not
    display the directory /var/.e.
11. He also found the /bin/ls, /bin/ps and /bin/login file creation dates and
    modification times had been reset to the original dates and times.
12. He found, in addition, that the checksums for the modified commands
    matched those of the original unmodified
    (a). A comparison of the modified programs with the backup version
         revealed the differences.

[Diagram: Hacker -> (Modem Attack, via the INTERNET) -> Boeing Computer, with
the same Trusted Connections to the Commercial, Education and Government
Computers]
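The lesson of steps 10-12 is that once timestamps are reset and a weak checksum still matches, only a cryptographic hash (or the backup comparison the consultant fell back on) tells the truth. The following added example is not part of the lecture: it rebuilds that check in Python over constructed stand-in files in a temporary directory (sum16 is an assumed stand-in for an old additive sum, and the file contents are made up), showing that the tampered files keep their additive checksum and their reset mtime while SHA-256 flags them.

```python
"""Integrity baseline check: additive checksum and mtime vs SHA-256.

Added example for the Boeing attack slides; it is not part of the lecture.
The three files are constructed stand-ins for /bin/ls, /bin/ps and
/bin/login, and sum16() is an assumption standing in for an old-style
16-bit sum: both are illustrations, not the real binaries or tool.
"""
import hashlib
import os
import tempfile

# Constructed contents; only their bytes matter here.
FILES = {
    "ls": b"\x7fELF-ls: list directory entries (constructed)",
    "ps": b"\x7fELF-ps: report process status (constructed)",
    "login": b"\x7fELF-login: begin a session (constructed)",
}


def sum16(data):
    """Weak additive checksum: the sum of all bytes modulo 2^16."""
    return sum(data) & 0xFFFF


def sha256(data):
    """Cryptographic hash: any change to the bytes changes the digest."""
    return hashlib.sha256(data).hexdigest()


def take_baseline(root):
    """Record (sum16, sha256, mtime_ns) of every file in root while clean."""
    base = {}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        with open(path, "rb") as fh:
            data = fh.read()
        base[name] = (sum16(data), sha256(data), os.stat(path).st_mtime_ns)
    return base


def verify(root, base):
    """Return {name: set of checks that detected a change} against base."""
    findings = {}
    for name, (weak, strong, mtime_ns) in base.items():
        path = os.path.join(root, name)
        with open(path, "rb") as fh:
            data = fh.read()
        flagged = set()
        if sum16(data) != weak:
            flagged.add("sum16")
        if sha256(data) != strong:
            flagged.add("sha256")
        if os.stat(path).st_mtime_ns != mtime_ns:
            flagged.add("mtime")
        findings[name] = flagged
    return findings


def tamper(data):
    """Constructed modification: swap two bytes. Any reordering of the same
    bytes keeps the additive sum, so sum16 cannot see it; SHA-256 can."""
    buf = bytearray(data)
    buf[4], buf[-4] = buf[-4], buf[4]
    return bytes(buf)


def demo():
    """Baseline a clean directory, alter ls and ps the way steps 10-11
    describe (content changed, mtime put back), then verify."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in FILES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        base = take_baseline(root)
        for name in ("ls", "ps"):
            path = os.path.join(root, name)
            before = os.stat(path)
            with open(path, "wb") as fh:
                fh.write(tamper(FILES[name]))
            # The modification time is reset to its original value (step 11).
            os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))
        return verify(root, base)


if __name__ == "__main__":
    for name, flagged in demo().items():
        status = "clean" if not flagged else "MODIFIED, caught by " + ", ".join(sorted(flagged))
        print(f"{name:6s} {status}")
```

The baseline only has value if it is stored off the host (or on read-only media), since an intruder with root can rewrite a local baseline as easily as the binaries.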

Attack Methodology

What to Attack (selecting a network/target).
  1. Internet
     a. Access the Network Information Center. The InterNIC provides
        Registration (rs.internic.net), Database (ds.internic.net) and
        Information (is.internic.net) Services.
     b. whois server to obtain public information on hosts, networks,
        domains and system administrators.
     c. WWW using the Uniform Resource Locator (URL).
     d. DNS to acquire the dotted decimal address.
     e. traceroute to determine intermediate networks.
     f. SNMP to dump a router table.
     g. Archie to establish the locations of files. Archie is a server with
        an index of filenames.

Attack Methodology Contd

What to Attack (selecting a network/target).

  2. Telecommunication/Modem
     a. Social Engineering.
     b. Dumpster Diving.
     c. Demon Dialing (Scanning/Autodialing/War Dialing).
     d. Wiretapping.
     e. Optical spying.
     f. Cheese box (unauthorized call forwarding).
     g. Piggybacking.
     h. Call Forwarding.
     i. Password Breaker.
     j. Parking Lots.
     k. Shoulder Surfing.
     l. Socializing.
     m. Stealing Laptops.

Attack Methodology Contd

Who to Attack (selecting a host).
  1. Ping the address with an ICMP Echo Request. This can also be used to
     find the route of the packet to the address.
  2. DNS with a reverse name look-up to translate the numeric address into
     a domain name address.
  3. DNS HINFO records provide the hardware and operating system release,
     which will be helpful in formulating an
  4. Pinglist (a modification of traceroute with UDP) to map the network.
  5. Netmappers are publicly available.
  6. Portmappers are publicly available.
  7. The Login Screen can be used to derive information about the target.
Note: Breadth is more important than innovation. Select a known
vulnerability rather than expose a new one.

Attack Methodology Contd
Testing the host (finding a weakness).
  Note: Weaknesses are generally specific to an operating system, host
  hardware or due to old bugs that have not been patched.

  - Utilize Internet Security Scanner (ISS) or Security Analysis Tool for
    Auditing Networks (SATAN) to scan for various holes.
    a. Check for unprotected logins or mail aliases (sync, guest, lp, etc.).
       Does not require a password.
    b. Connect to the mail port with Telnet and log the mailer type and
       version.
    c. Attempt an anonymous FTP connection and try to grab the /etc/passwd
       file by using the root account. May want a list of supported
       commands.
    d. rpcinfo to test for services running. This program prints out the
       current portmapper, which details what Remote Procedure programs,
       ports, and protocols are active. Looking for NFS/mountd, yp/ms,
    e. ypx to attempt to grab the passwords through the Network Information
       System (NIS), originally called Yellow Pages, in order to

Attack Methodology Contd
Hacker goals after penetration
  - Leave no evidence of the successful attack.
    - The good hack retains a cloak of invisibility.
  - Fetch and crack the /etc/passwd file.
  - Obtain machine root (superuser) access.
  - Install password sniffing tools to collect data for later retrieval.
  - Install two or more security backdoors (security holes).
  - Check the /etc/hosts or .rhosts files for trusted
  - Check the mail alias database and log files.
  - Run security auditing programs such as:
    - COPS

- A Hacker's View -

Note: A hacker spends 60-70 hours/week hacking!

Why?
  - A challenge / a game of wits, skill and ingenuity.
  - A sense of enjoyment / accomplishment.
  - Intensely interested in computers.

Hacker Profile:
  - Teens or early twenties.
  - A fast learner.
  - Academically advanced.
  - Bored in school.
  - Hackers grow up to become computer professionals.
    - As many as 80% of all system operators claim to have hacked.

Type of Hackers
The Novice:
  - 12-14 years old.
  - Live off more advanced Students.
  - Hacking is fun and mischief.
  - They will generally log on, look around, get bored and
  - They can be unpredictable.
  - They will normally identify themselves as a hacker when confronted.
    - The more experienced hacker will be ambiguous.
  - Easily defeated by security

Type of Hackers Contd
The Student:
  - Very bright but bored.
  - Excited by learning more about computers.
    - They will spend days examining files on a system.
  - Hacking is a solitary pastime - not antisocial.
  - Generally adheres to good computer ethics.
    - He wants to remain undiscovered so he can use the
    - He wants to stay out of trouble.
    - He respects the system/programmers and doesn't want to create
      additional work.
    - He may seek employment with the company (at just the right time with
      just the right credentials).

Type of Hackers Contd
The Tourist:
  - Likes adventure and a challenge.
  - They break in, look around and then leave.
  - The successful hack constitutes the thrill.
  - They will normally plan their attack.
  - They are meticulous and always figure the odds of
    - The harder the target the less likely they will attempt a
  - They normally trade information with other hackers.
    - They may service other hackers.
  - The best defense is to harden the system.

Type of Hackers Contd
The Crasher:
  - A troublemaker.
  - No obvious purpose or logic to their hacking.
  - Makes themselves visible by creating as much trouble as possible.
  - They are very patient and plan their attack to accomplish the most
    damage.
    - Erases programs, files, etc.
  - Crashers don't have a good reputation with other
    - They crash hacker bulletin boards, close down hacker accounts, etc.
  - The Crasher must be stopped during the reconnaissance phase.

Type of Hackers Contd
The Thief:
  - Not perceived as Hacking but as Computer
  - They will spend hours in reconnaissance and planning the attack.
  - They use bribes, blackmail, wiretaps, spying, etc.
  - Normally works for the organization they are
  - Rarely discovered.
  - The best defense is in-depth security.

Levels of Effort
Level One.
  - Targets of opportunity.
  - Tests for basic flaws and if none are available moves on.
  - Little or no effort.
Level Two.
  - Partial to a particular OS and will expend extra effort.
  - Well known system defaults, loopholes and bugs.
Level Three.
  - More intense effort normally related to a specific host.
  - Tries common passwords and normally succeeds.
Level Four.
  - Extreme effort that takes months.
  - Successful about 90% of the time.
  - These are Tourists that research and plan with great patience.
Level Five.
  - A Thief ("Show me the money").
  - He expects payback for his time and effort.

Attack Methodology

The Beginning - Motivation: Decide why this system should be attacked.
  - Financial gain.
  - Peer respect.
  - A challenge.
  - Rattle the site.

Attack Methodology
Step One - The Target Reconnaissance.
  Target Reconnaissance, sometimes called footprinting, is when the Hacker
  gathers information about the target system and the network.

  - Search the Internet - Web sites, IRC, newsgroups, etc.
  - Use the Domain Information Groper (DIG) to attempt a Zone Transfer.
  - Gather information on network users through the Web, newsgroups,
    telephone books, Social Engineering, Dumpster Diving, examining cars,
    etc.
    - This will reveal password combinations and the policy for
      determining user names.

Attack Methodology Contd
For example:
  - whois navy.mil will find hosts on the navy.com network.
  - nslookup on navy.mil will return information contained in the navy.mil
    DNS.
  - Utilize a zone transfer program (DIG or named-xfer) to retrieve the DNS
    files from the primary DNS.
  - Utilize the ping command to determine which systems are connected to
    the Internet.
  - telnet navy.mil will determine the machine type and OS version.
  - Utilize telnet to port 25 to determine the sendmail version and machine
    type.
  - Utilize rpcinfo to scan for active ports and return a list of RPC
    programs running on the machine with version numbers and port numbers.
  - Utilize finger to get a list of users on the system, etc.
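From the defender's side, the zone transfer step above and the HINFO records listed under "Who to Attack" come down to name-server configuration. The following added example is not from the lecture: it is a BIND 9 named.conf fragment with the weak setting beside the corrected one (zone name, addresses and the key secret are placeholders).

```conf
// ---- Alternative A (weak): what the DIG / named-xfer step above relies on ----
options {
    directory "/var/named";
    allow-transfer { any; };     // any client can pull the entire zone
};
zone "example.com" {
    type master;
    file "example.com.zone";     // zone file also carries HINFO, e.g.
                                 //   www IN HINFO "SPARCstation 5" "SunOS 4.1.4"
};

// ---- Alternative B (corrected): deny by default, TSIG-only transfers ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // generate with tsig-keygen; placeholder here
};
options {
    directory "/var/named";
    version "not disclosed";     // do not advertise the server version
    allow-transfer { none; };    // global default: no zone transfers at all
};
zone "example.com" {
    type master;
    file "example.com.zone";     // HINFO records removed from the zone file
    allow-transfer { key "xfer-key"; };   // only a secondary signing with the key
};
```

The secondary presents the key with its own `server { keys { "xfer-key"; }; };` stanza; a defender then confirms from outside with `dig @<own nameserver> example.com axfr`, which should report "Transfer failed." for alternative B.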

Attack Methodology Contd

Step One - The Target Reconnaissance Contd.
  - Utilize whois to provide the following type of information:
    - Point of Contact
  - The following type of databases can provide this type of information:
      InterNIC Database                         http://www.networksolutions.com
      American Registry for Internet Numbers    http://www.arin.net
      European IP Addresses                     http://whois.ripe.net
      Asia Pacific IP Addresses                 http://whois.apnic.net
      U.S. Military                             http://whois.nic.mil
      U.S. Government                           http://whois.nic.gov

  - With the following type of tools:
      Whois Web Interface                       http://www.networksolutions.com
      Xwhois                                    http://www.goatnet.ml.org

Attack Methodology Contd
Step One - The Target Reconnaissance Contd.
  - Examine the target organization's Web pages for:
    - Locations
    - Related companies
    - Organization with phone numbers/E-Mail addresses.
    - Privacy and Security policies
    - Links to other sites.
    - News articles
    - Press releases
    - Review the HTML source code.
  - Utilize Internet Search Tools such as:
    - FerretPRO to search IRC, USENET, E-Mail File databases.
    - AltaVista, Hotbot, etc. search engines to search for links back to
      the target, rogue web sites at home, etc.
    - EDGAR database (Securities and Exchange Commission) on the parent
      organization and subsidiaries.

Attack Methodology Contd

Step One - The Target Reconnaissance Contd.
The following type of information should now be available:
  - Host name(s).
  - Host address(es).
  - Host owner.
  - Host machine type.
  - Host operating system.
  - Network owner.
  - Other hosts on network.
  - Network configuration.
  - Hosts trusted by network.
  - Hosts outside network.
  - List of users.
  - User-name assignment policy.

Attack Methodology Contd
Step Two - The Probe and the Attack.
  - Remote Blind attack.
    - The user knows the network address but not a valid account or
      - Exploit a service weakness
      - Exploit a protocol weakness
  - Inside User Attack.
    - The user/hacker has user-level/unprivileged access.
      - Sniffed passwords.
      - Traded accounts.
      - Shoulder surfing.
      - Remote blind attack.
      - Cracked passwords.
      - Social engineering.
      - Default user accounts.
  - Physical Attack.
    - Plug into the network.
    - Physical access to the host.

Attack Methodology Contd
Step Two - The Probe and Attack
Probe the system for weaknesses and exploit a security weakness to gain
system entry.
  - Probe the system perimeter for potential weaknesses. This is a highly
    automated function and the most dangerous for the hacker.
    - Security Administrator Tool for Analyzing Networks (SATAN).
    - Internet Security Scanner (ISS).
    - Strobe.
  - The probes provide a list of available services and ports.
  - The services, depending upon their software version, will have known
    weaknesses that can be exploited.
    - These weaknesses are normally documented by a CERT advisory.
  - Exploit a security weakness and gain system entry. Typically, you want
    a login account and a password. Example:
    - An encrypted password can be broken with Crack.
    - Typical attacks would be:
      - a phf attack on a web page.
      - a fingerd buffer attack.
      - an FTP bounce attack.
                        Attack Methodology Contd

Step Two - The Probe and Attack (Scanning)
    Network Scanning
      Ping Sweep a range of IP addresses/network blocks to
     determine whether individual systems are alive. The following tools
     are typical:
       ping w/TCP/IP
       fping is part of the TAMU tools
       nmap by Fyodor
       Pinger from Rhino9
       Ping Sweep from SolarWinds
       WS_Ping ProPack from ipswitch
        NetScanTools from Northwest Performance
    Network Scanning Countermeasures
      Utilize Intrusion Detection Systems (IDS) such as
       Network Flight Recorder
       BlackIce
                        Attack Methodology Contd

Step Two - The Probe and Attack (Scanning)
    Port Scanning
     Port Scanning is the process of connecting to TCP/UDP
     ports on the target system to determine what services are
     running. This is how the hacker learns which OS and services
     are in use. Typical port scan tools are as follows:
       Strobe by Julian Assange.
       Udp-scan that comes with SAINT (a newer version of
       netcat from Hobbit.
       PortPro from StOrM
       Portscan from Rhad of the 7th Sphere.
       Network Mapper (Nmap) from Fyodor (arguably the

                        Attack Methodology Contd
Step Two - The Probe and Attack (Scanning)
 Port Scanning
   Typical port scans are as follows:
     TCP connect scan: The three-way handshake (SYN,
     SYN/ACK, ACK).
         The Scanner immediately sends an ACK/FIN packet to end the session.
     TCP SYN (Half-Open) scan: A full TCP connection is not
     made. Only a SYN packet is sent to the target port.
         If a SYN/ACK is received, the target port is LISTENING.
         A RST/ACK is immediately sent by the Scanner so that the connection is
        never established and therefore not logged.
         If a RST/ACK is received it usually means the port is not LISTENING.
     TCP FIN (Stealth) scan: Only an ACK/FIN packet is sent to
     the target port.
         Closed ports tend to respond with a RST/ACK.
         Open ports tend to ignore the FIN packet.
     TCP Xmas Tree scan: A FIN/URG/PUSH packet is sent to the
     target port.
         The target port should send back a RST packet for all closed ports (RFC
                        Attack Methodology Contd

Step Two - The Probe and Attack (Scanning)
 Port Scanning. Typical port scans contd:
     TCP Null scan: A packet is sent with no flags set
         The target host should send back a RST for all closed ports (RFC 793).
     UDP scan: The scanner sends a UDP packet to the target port.
         A closed port responds with an "ICMP port unreachable" message.
         An open port will typically not respond with this message.
     Fragmentation Scan: This is a combination of techniques.
         Typically, the SYN and FIN scan is used but is broken into tiny fragments
        prior to sending.
     Ident scan: This is also a combination of methods.
         A full TCP connection is established to port 113.
         The Ident Protocol (RFC 1413) is then used to determine the owner of the
        process connected to that port.
 Port Scanning Countermeasures
    Intrusion Detection Systems such as
      NFR
      RealSecure
      NetProwler
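Added example, not from the slides: a small Python detector that applies the flag signatures described above (bare SYN sweeps, FIN, Xmas Tree and Null probes) to a constructed packet log, the kind of per-packet check an IDS such as those listed would run. Addresses, ports and the alert threshold are constructed for illustration.

```python
# Added example, not from the slides: classify packets by TCP flag
# pattern and report sources that match the scan signatures above.
# Packet records, addresses and the threshold are constructed here.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str         # "tcp" or "udp"
    flags: frozenset   # TCP flags set in the header; empty for UDP


# First-packet flag patterns no legitimate client sends: the FIN
# (Stealth), Xmas Tree and Null scans from the slides.
ILLEGAL_PATTERNS = {
    frozenset(): "null",
    frozenset({"FIN"}): "fin",
    frozenset({"FIN", "URG", "PSH"}): "xmas",
}


def classify(pkt):
    """Return the scan signature a single TCP packet matches, or None."""
    if pkt.proto != "tcp":
        return None
    if pkt.flags in ILLEGAL_PATTERNS:
        return ILLEGAL_PATTERNS[pkt.flags]
    if pkt.flags == frozenset({"SYN"}):
        return "syn"   # normal by itself; suspicious only in volume
    return None


def detect_scans(packets, port_threshold=10):
    """Report sources that send any FIN/Xmas/Null probe, or bare SYNs to
    more than `port_threshold` distinct ports on one host.

    A half-open scan never completes the handshake, so connection logs
    never see it; this check works on packets, which is why it does.
    Returns {src: {dst: {signature: [ports]}}}."""
    seen = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for p in packets:
        sig = classify(p)
        if sig:
            seen[p.src][p.dst][sig].add(p.dport)
    alerts = {}
    for src, dsts in seen.items():
        for dst, sigs in dsts.items():
            for sig, ports in sigs.items():
                if sig != "syn" or len(ports) > port_threshold:
                    alerts.setdefault(src, {}).setdefault(dst, {})[sig] = sorted(ports)
    return alerts


# Constructed sample traffic: a SYN sweep over 20 ports, an Xmas and a
# Null probe, a normal web client, and a UDP datagram that is ignored.
TARGET = "192.168.1.10"
SAMPLE = (
    [Packet("10.0.0.5", TARGET, port, "tcp", frozenset({"SYN"}))
     for port in range(1, 21)]
    + [Packet("10.0.0.6", TARGET, 22, "tcp", frozenset({"FIN", "URG", "PSH"})),
       Packet("10.0.0.6", TARGET, 25, "tcp", frozenset()),
       Packet("10.0.0.7", TARGET, 80, "tcp", frozenset({"SYN"})),
       Packet("10.0.0.7", TARGET, 80, "tcp", frozenset({"ACK"})),
       Packet("10.0.0.7", TARGET, 443, "tcp", frozenset({"SYN"})),
       Packet("10.0.0.8", TARGET, 53, "udp", frozenset())]
)

if __name__ == "__main__":
    for src, dsts in detect_scans(SAMPLE).items():
        print(src, dsts)
```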
                          Attack Methodology Contd
Step Two - The Probe and Attack (Stack Fingerprinting)
 Stack Fingerprinting
   This technique allows the hacker to determine the host's operating system.
   Vendors interpret the RFC guidance differently when writing their TCP stack.
   TCP Stacks can be probed to determine these differences.
      FIN Probe: The stack should not respond; however, many
     will respond with a FIN/ACK.
      Bogus Flag Probe: An unidentified TCP flag is set in the
     header of a SYN packet.
      ISN Probes: Stacks may differ as to how they determine the
     Initial Sequence Number.
      DF Bit Monitoring: Some stacks set the DF bit to enhance
      TCP Initial Window Size: The window size on some stacks
     is unique.
      ACK Value: Stacks differ on the ACK value, e.g., some
     return Seq + 1 while others will simply return the same Seq
     number received.
                          Attack Methodology Contd
Step Two - The Probe and Attack (Stack Fingerprinting)
Stack Fingerprinting
     ICMP Error Quenching: Stacks may send error messages at
     different rates.
     ICMP Message Quoting: Stacks will differ in the amount of
     information quoted in ICMP errors.
     ICMP Error Message Integrity: Some stacks may alter the
     IP header when sending back ICMP error messages.
     Type Of Service (TOS): The TOS for "ICMP Port
     Unreachable" messages should be zero, however, this may vary
     by stack.
     Fragmentation Handling: Stacks handle overlapping
     fragments differently.
     TCP Options: Stacks may handle multiple options such as
     No Operation, Max Segment Size, Window Scale Factor, and
                         Attack Methodology Contd

Step Two - The Probe and Attack (Enumeration)
 Enumeration
   The process of identifying network resources/shares,
   extracting users/groups, identifying applications and
   grabbing banners.
  Once enumeration takes place it is simply a matter of
   time before a password is guessed or a system weakness
   is identified.
  Enumeration techniques are OS specific. The following
   are typical UNIX techniques.
     Network Resources and Shares:
        Look for NFS exported file systems with the showmount
       command, which lists the shared directories.
        Utilize pscan by pluvius to explore NIS (Internet Yellow
        Utilize the snmpwalk utility to explore the objects in a MIB.
                     Attack Methodology Contd

 Users and Groups
    Utilize the finger utility to identify the users on a system.
    Utilize rwho or rusers to display users currently logged into
   the system.
    Utilize the VRFY command (SMTP) to confirm names of
   actual E-Mail users or the EXPN command (SMTP) to reveal alias
    Utilize the TFTP protocol to get /etc/passwd
 Applications and Banners
    Utilize rpcinfo to enumerate RPC applications listening on
   remote hosts.
    NAI CyberCop Scanner is arguably the best commercial
   RPC scanning tool.
    Utilize netcat to grab banners or explore HTML code.

                         Attack Methodology Contd
Step Two - The Probe and Attack (Enumeration) Contd
 Sam Spade from Blighty Design is a favorite hacker tool for
 enumerating entire sites. It is a mixed bag of tools.
   ping: Check to see if a host is alive.
   nslookup: find the IP address from a host name or vice
   whois: Used to find a domain name.
   IP Block Whois: Used to find who owns a block of IP
   dig: Queries a DNS server for all the information it has on
    a host.
   traceroute: To find the route a packet takes between a
    sending and a remote host.
   SMTP VRFY: Determine if an email address is real and
    its forwarding address.
                          Attack Methodology Contd

 Sam Spade Contd.
   web browser: A utility to view the raw HTTP traffic rather than
    rendered HTML.
   keep-alive: Keeps a dial-up link alive.
   DNS zone transfer: Queries the DNS server for all the
    information it has on a domain.
   SMTP relay check: Relays mail back to the hacker site through
    an intermediate email server. This is a check on the security of
    that server.
   usenet cancel check: Looks for cancelled messages in a group
    of messages.
   website download: Copies a website to disk.
   website search: Searches a website for a matching pattern.
   email header analysis: Checks a header for consistency to help
    track down forged mail.
   Blacklist lookups: Checks the relayed spam source list.
                         Information Identified

 Internet/Intranet/Extranet
   Network protocols.
   Domain Names.
   Network Blocks.
   IP Addresses reachable via the Internet/Intranet/Extranet.
   TCP/UDP Services running on each system.
   System Architecture.
   Access Control Mechanisms.
   Intrusion Detection Systems.
   User/Group names, Systems Banners, Routing tables and
    SNMP information
 Remote Access
   Analog/Digital Telephone numbers.
   Remote System access types (Modems/Faxes/Voice).
   Authentication mechanism.
                        Attack Methodology Contd

Step Three - Advance the attack, hide the attack and install a
  Advance the attack by gaining root access.
    Utilize COPS, Tiger and Crack.
  Hide the attack.
     Modify the system logs (syslog, utmp, and wtmp files).
     Eliminate all records of the activity.
  Install a backdoor.
    A modified, drop-in replacement for a critical system binary
    that provides authentication or system reports.
       For example, rootkit comes with the source code for ps,
      ls, sum and who.
     Provide continued, unlogged use of the system.
     Hide suspicious processes and files.
     Report a false system status.
     Report false checksums for modified programs.
                        Attack Methodology Contd

Step Four - Establish a Listening Post.
  Install a Sniffer, Snooper and Auditing program. This
    information is used to further the attack.
     Sniffer. A program to monitor and log network data.
        Data is normally not encrypted on an internal network.
        Looks for name/password pairs, financial information,
       private data, etc.
     Snooper. A program to monitor a user's activities by
    looking at keystrokes, monitoring process memory, etc.
     Host Static Auditing tool. A program to report
    system security vulnerabilities.
        Computer Oracle and Password System (COPS)
        Texas A&M Univ Tiger (TAMU Tiger)

                       Attack Methodology Contd

Step Five - Exploitation.
  Expand control from a single host to multiple
   Renew the attack on other hosts by
    Exploiting passwords.
    Exploiting trusted hosts.

                         The DataStream Cowboy and Kuji

   [Map figure; only its labels survive: AFB, United ..., Latvia, JPL, NASA, Chili, Columbia, South Korean Atomic Research]
                                       Rome Labs Attack
                             Two Hackers - Datastream and Kuji.
                             Attack lasted 26 days.
                             Activities were monitored for 20 days.
                             Over 150 intrusions into the Rome Labs.
                             7 Sniffers compromised 30 Rome Systems.
                             At least 8 countries were used as conduits.
                            Rome Lab Attacks

 On 28 March 1994 the Rome Labs Sysadmins detected a
password Sniffer.
    The Sniffer had collected so much information that it had
   filled a disk and crashed the system.
 The Defense Information Systems Agency (DISA) was notified
and, in turn, notified AFOSI. The Air Force Information Warfare
Center (AFIWC) was notified and SA Jim Christy was assigned
the case.
 The investigators, after reviewing the logs and interviewing
the Sysadmins, found that:
    The penetration was made on March 23 by two hackers.
    They penetrated seven computers and planted sniffers.
    100 accounts on 30 systems were compromised.
    Rome Lab had been used as a jumping-off point for
   hack attacks on other military, government and research
   facilities around the world.
                            Rome Lab Attacks Contd

 The investigative team established a snooper program that
began keystroke monitoring on the systems left open and
discovered the hacker handles Datastream Cowboy and Kuji.
 The majority of the attacks were traced back to:
     cyberspace.com, Seattle Washington and
     mindvox.com, New York City.
 On 5 April, an Internet informant provided AFOSI an e-mail
address and home telephone number (Datastream) in the UK of
a hacker who had been bragging about the exploit.
 Scotland Yard initiated a pen register on the hacker's
telephone while AFOSI continued to monitor Datastream's online
activity. During this time, based upon sniffed passwords, he:
     Attacked systems at the Jet Propulsion Lab in California
     Attacked systems at the Goddard Space Flight Center,
    Greenbelt, Md
                            Rome Lab Attacks Contd
 On April 14/15, 1994 the investigative team observed Kuji
initiate attacks from Latvia against:
    Goddard Space Flight Center
    Wright-Patterson AFB
    NATO Headquarters
 In the meantime Datastream was busily attacking the
Korean Atomic Research Inst. Alarm bells started going off
until it was discovered to be South Korea.
 In May, 1994 Scotland Yard executed a search warrant and
arrested 16-year-old Richard Pryce. His tool was a 25 MHz,
486SX, 170 Mb machine.
 During the interview Datastream indicated:
    He communicated with Kuji only through the Internet or Telephone.
    He provided the information he stole to Kuji.
    Kuji had been his
 Pryce pleaded guilty and was fined 1,200 pounds.
 In June 1996 21 year old Matthew Bevan, A.K.A. Kuji, was
                            TYPICAL HACKER ATTACKS

 VIRUS. A self-replicating, malicious program segment
that attaches itself to legitimate application programs,
operating system commands or other executable system
components and spreads from one system to another.
    Each reproduced virus code then grows independently of the other.
    The virus grows geometrically.
   Boot Sector. A virus that replaces the boot sector of a
   floppy or hard drive.
   System File. A virus that infects system files.
   Stealth. A virus that hides itself and actions from the
   operating system.
   Polymorphic. A virus that changes itself each time it infects
   a file or disk. This virus hides itself and its actions from the
   operating system.
   Multipartite. This virus infects both files and boot sectors.
   Macro Virus. This virus is written in a macro language and
                           TYPICAL HACKER ATTACKS

WORM. An independent program that replicates
from machine to machine across network connections
and that clogs networks and computer systems as it
   It is designed to search for idle computer memory and
  then to copy itself repeatedly until the memory is exhausted
  and the computer crashes.
   A worm is not a virus although they are sometimes
   A virus must infect other programs with a copy of itself.
   The most famous is the Internet Worm by Robert Morris.

                      TYPICAL HACKER ATTACKS CONTd

 IMPERSONATION. An attempt to gain access to a system by
posing as an authorized user. Synonymous with
masquerading and mimicking.
Example: using another person's access code to log on.

 BOMBS. A computer program residing in a computer that is
executed at appropriate or periodic times to determine
conditions or states of a computer system and that facilitates
the perpetration of an unauthorized act.
Example: a program that causes the system to erase all
financial files when it discovers that a particular person has
been removed from the personnel files. Logic bombs are
very easy to write but difficult to detect.
     A Time Bomb has a time trigger.
     A Logic Bomb has a computer state trigger.

                     TYPICAL HACKER ATTACKS CONTd

TRAP DOOR. A breach created intentionally in an
ADP system for the purpose of collecting, altering or
destroying data.
   Generally done through putting extra code in a software
  program which acts as a testing aid for programmers during
  construction, testing or program maintenance.

TROJAN HORSE. A computer program that is
apparently or actually useful but that performs
another function.
   The Trojan can modify databases, write checks, send
  electronic mail, destroy File Allocation Tables, directories or
   The Trojan Horse can be embedded by a programmer or
  downloaded from a BBS.
                     TYPICAL HACKER ATTACKS CONTd
 SOFTWARE PIRACY. The illegal copying of
software (and repackaging it for sale).
   Software piracy is being fought by the Software
  Publishing Association.
   Indications are that this amounts to between $4-7 billion in
  lost sales.
   This results from individual copying, pirate BBSs,
  country piracy (China, Taiwan, Singapore, etc.) and
  try-before-buying rentals/loans.

 SNIFFING. The installation of a protocol analyzer
software program (Sniffer) to surreptitiously
gather user passwords and
   log them in an unused space under an innocuous
  name, such as "..".
   The hacker at some time in the future will return and
                     TYPICAL HACKER ATTACKS CONTd

 BROWSING. Searching through storage to locate
or acquire information, without necessarily knowing of
the existence or the format of the information being
 DATA DIDDLING. The unauthorized changing of
data before or during their input to a computer system
resulting in increased paychecks, extra leave,
overtime pay, etc.
 EMBEZZLING. Using a computer to prepare
false financial reports.
 FORGERY. The illegal creation of documents or
records which are intended to be construed as real,
officially produced documents or records.

 FRAUD. The exploitation of information systems in
an attempt to deceive an organization and/or to take
its resources.
 DENIAL OF SERVICE. This is performed by
trashing a system, tying up ports, placing garbage on
screens, changing file names, and erasing program
   This type of attack is becoming more common (spamming,
  SYN attacks, etc.).
 SPOOFING. The deliberate inducement of a user or
a resource to take incorrect action.
   Example: a user writes a program that gives "system like"
  responses to someone trying to log on the system; thus, the
  person trying to log on will unwittingly give his password to
SUPERZAPPING. The unauthorized use of a utility
computer program that violates computer access controls to
modify, destroy, copy, disclose, insert, use, deny use or
expose data in a computer.
   The name derives from an IBM utility program called "Superzap"
  which permitted an operator to start, stop or modify a procedure that
  has been misbehaving.
   The equivalent in a microcomputer would be something like PC
  Tools or Norton Utility.
SALAMI TECHNIQUES. The unauthorized, covert process
of taking small amounts (slices) of money from many sources
in and with the aid of a computer.
   An example is the round down fraud, whereby remainders from the
  computations of interest are moved to the attackers account instead of
  being systematically distributed among accounts that were rounded up.

  [The story is told of a Russian worker who left the factory each night
  with a wheelbarrow full of sawdust and every night the guard poked the
                     TYPICAL HACKER ATTACKS CONTd

PIGGY BACKING. Unauthorized access that is gained to an
ADP system via another user's legitimate connection.
   A method of gaining unauthorized physical access to guarded areas
  when the attacker does not possess the required authorization to pass.
   Electronic piggybacking occurs when a computer or terminal
  covertly shares the same communication line as an authorized user.
  The host computer, to which they both transmit, is unable to distinguish
  the signals of the authorized user from those of the unauthorized user.
EAVESDROPPING. The unauthorized interception of
information-bearing emanations through the use of methods
other than wiretapping (TEMPEST).
SCAVENGING. Searching through residue for the purpose
of unauthorized data acquisition.
   A covert, unauthorized method of obtaining information that may be
  left in or around a computer system after the execution of a job.
   Included here is a physical search (trash barrels, carbon copies,
  ribbons, diskettes, etc.) and a search for residual data within the
  computer storage areas, temporary storage tapes, and the like.
   This, for example, encompasses dumpster diving, unerasing
                    TYPICAL HACKER ATTACKS CONTd

 BUMBLING. Sometimes called "accidents", "errors of
omission", or "errors of commission".
    Indications are that this amounts to 50-60% of annual dollar loss.
   This is the result of clumsy fingers, big thumbs, and improper training,
 DATA LEAKAGE. The covert copying of computer
information and its removal from the organization.
    For example, this could be as simple as the copying of a software
   program for home use.
    This can be accomplished through diskettes, tape or hard copy.
   Very rarely do guards perform body checks or open brief cases.
 WIRETAPPING. Normally accomplished at the wiring
    Passive Wiretapping with electrical induction can
   easily be accomplished with a tape recorder, microphone,
   AM/FM portable radio, a modem and a printer. The
   cassette recorder, through induction picks up the signal,
   amplifies it through the radio, perhaps acoustic coupling it
