HACKING UNIX - PART TWO: System Profiling
-----------------------------------------
Completed on 10-19-01 (MM-DD-YY)
By: XT - [DuHo]

** This is a multi-part tutorial,
** please check our website for other
** parts:
** http://duho.cjb.net

Make sure you have read PART 1; if not, download it at http://duho.cjb.net/

******
INDEX:

0.  - Foreword
1.  - Introduction
2.  - Protocols
    2.1 Network Protocols
    2.2 Application Protocols
3.  - Portscanning well-known network services
4.  - Widely used Application Protocols - Detailed
    4.1 FTP
    4.2 SSH
    4.3 TELNET
    4.4 SMTP
    4.5 DNS
    4.6 HTTP
    4.7 POP3
5.  - OSI (network protocols - a deeper look)
    5.1 The Application layer
    5.2 The Presentation layer
    5.3 The Session layer
    5.4 The Transfer layer
    5.5 The Network layer
    5.6 The Data-Link layer
    5.7 The Physical layer
6.  - Back to system profiling
    6.1 The importance of system profiling
    6.2 "Planning"
        6.2.1 Available Information
        6.2.2 Active Server-oriented Information probing
              6.2.2.1 PING
              6.2.2.2 DNS & Zone Transfers
              6.2.2.3 WHOIS
              6.2.2.4 Scanning Services
7.  - Last words

****************************************************************

0. Foreword

This is the second part of the 'Hacking Unix' tutorial project found at:
http://duho.cjb.net/ -> projects -> Hacking Unix. This part is released two
days after the first release (I just had to add a few chapters). Don't be
afraid of the size of this text; it is designed so that you can skip the
parts you already know.

1. Introduction

Okay, I introduced you to vulnerabilities in the first part to keep the
spirit of hacking with us. But no less important is understanding how we
search for vulnerabilities. It may not be hard to find them, but it is
important not to raise any alerts at this stage. We want to leave less than
fingerprints, rather than footprints, in the logs. This step involves network
services, network protocols and application protocols. You know that we want
to attack applications on a remote system.
So we should find out which applications run on the remote server that can be
interacted with. Any software that is accessed remotely on the server can
suffer from a security hole. In this step we have no access to the server
whatsoever, so we need to take a good look at the outside of the nut before
cracking it. When we can only look at the server from the outside, all we
have are its network services*, which possibly contain a hole somewhere.

{ * Client-Server model - The server is a host computer that employs
  particular service software to serve a client. The service passively waits
  for a client to call for its service. There are standards for how a client
  and a service should talk to each other (the protocol). }

One thing we can do is use all kinds of clients for different network
services like FTP, WWW (HTTP), email and so on to see what services are
running out there. But we can do better than that; it just requires us to
know a little about network protocols and application protocols.

2. Protocols

2.1 Network Protocols

The internet is a network of computers which all have an identifying number,
the IP number (Internet Protocol number). Every computer or other device
connected to the internet has an Internet Protocol number. IP is built into
the operating systems of these devices. Simply stated, all IP networked
systems capture the IP data packets that are destined for themselves, and try
to forward those destined for other addresses (numbers).

{ All that IP has to do is reliably route (for IP) unknown data to any
  address on the network. This is a shared responsibility of all IP hosts
  that reside on the network. }

But in order to actually communicate information we use higher level
protocols (on top of IP - or: encapsulated in IP packets). Between the IP
protocol and the application we have the transfer protocol. On the internet
there are two major transfer protocols: UDP and TCP.
When IP receives a datagram destined for its own address, it forwards the
packet to one of the transfer protocol modules in its operating system. IP
knows which module should handle it because the sender writes the destination
(transfer) protocol number on the packet, like '6' for TCP. The transfer
protocol module has a series of addresses available (tens of thousands of
them) where communication applications can listen (passive mode) or send to
(active mode). So the sender must also add to the protocol header which port
(address) the application should be listening on. For example: TCP states
that we have to use two different applications: a service and a client. The
client connects to the server's TCP port, the service acknowledges the
request, and a connection is open.

{ When a TCP port is open there is almost always an application listening on
  that port to start a session with any client that connects. }

TCP provides ports 1 through 65535 for connections. So how does a client know
which TCP port to connect to? That's easy: for all known services like HTTP
we have well-known ports. To make a service application publicly available
you use the well-known port. HTTP has TCP port 80 to listen on.

{ NOTE: These well-known ports are not a standard defined in the TCP
  specification! As far as TCP is concerned, it would be happy to address ANY
  kind of service on ANY port, even well-known ports. Only the application
  protocol specification recommends the use of a certain port. If you want to
  hide your webserver or FTP server, you could set it on a different port (if
  your software is configurable for it). This hiding of course is 'security
  through obscurity' and it won't hide from curious people. }

And when you type an IP address which has an HTTP server running into your
browser, you will receive the webpage through the connection.

2.2 Application Protocols

I'm going to introduce you to several well-known application protocols just a
few pages ahead. First you should know what an application protocol basically
is for. An application protocol is a language for requesting resources of any
kind in a certain format. Resources may be: file transfer, information, news,
sound transfer and mail.

3. Portscanning well-known network services

In order to find out which network services are available on a remote
computer, we could simply try out some different clients and see the results.
But I think you can figure out another way if you have read the former
chapter. We can 'scan' for TCP ports (and UDP ports) simply by trying to
connect to every possible port and seeing which ones are open. Then we take
the port numbers that are open and compare them to a list of well-known
services. I have a list of the most well-known services and their ports here:

  21  - FTP (File Transfer Protocol)
  22  - SSH (Secure SHell)
  23  - TELNET
  25  - SMTP (sendmail server)
  53  - DNS (Domain Name Service - Nameserver)
  79  - FINGERd (finger daemon)
  80  - HTTPd (Hyper Text Transfer Protocol Daemon)
  110 - POP3 (Post Office Protocol version 3)
  111 - SUNRPC Portmapper (SUN's Remote Procedure Call service port mapper)

You can program your own scanner but I bet it won't be as l33t as Fyodor's
nmap, so give it up. Download Nmap from http://www.insecure.org/nmap/. Nmap
has many features to stay undetected. For the following example I will use
the old stealth scan option in nmap to scan myself, okay?:

  bash# nmap -sS localhost

  Starting nmap V. 2.54BETA29 ( www.insecure.org/nmap/ )
  Interesting ports on localhost (127.0.0.1):
  (The 1541 ports scanned but not shown below are in state: closed)
  Port       State       Service
  22/tcp     open        ssh
  25/tcp     open        smtp
  80/tcp     open        http
  587/tcp    open        submission
  1024/tcp   open        kdm
  1988/tcp   open        tr-rsrb-p2
  6000/tcp   open        X11

  Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
  bash#

Ewh damn, looks pretty insecure, should have installed a firewall but who
cares. We go on to the next chapter now; don't worry, you'll see a lot of
uses of portscanning techniques later.

4. Widely used Application Protocols - Detailed

Most application protocols (which I will just call protocols for the rest of
this chapter) are easy for normal humans to interact with without using a
special user-side protocol interpreter. Perhaps this is because most protocols
that were developed in the early 70s use simple commands like 'GET ', 'user '
and 'mail from: '.

{ This was back in the time that open source was all there was. In the
  present the companies try to hide the workings of their protocols to create
  a monopoly. That these protocols look so easy doesn't mean they are not
  good; why do you think they survived for so many years? }

It shouldn't be hard to build your own clients when you are a programmer.
Knowledge of each protocol is very important for a hacker. In this chapter I
will give you some practical examples which you can try out. You will need a
TELNET application (most systems just have a program 'telnet' in console mode
which will do; even Windows has one!). And you need the netcat program for
some of them.

{ Netcat is a very 'basic' yet advanced application; it is the swiss army
  knife of the hacker. With netcat you can initiate UDP and TCP connections
  in full-duplex (like telnet), netcat can handle binary data, and you can
  open a port in passive listening mode on the port you specify (which is
  very convenient, as you'll see).
  Download netcat here: http://packetstormsecurity.org/UNIX/netcat/nc110.tgz

  ************ Download+Install netcat: ********************
  --
  bash# mkdir netcat
  bash# cd netcat
  bash# lynx -source http://packetstormsecurity.org/UNIX/netcat/nc110.tgz > nc110.tgz
  bash# tar xvzf ./nc110.tgz
  bash# make linux
  --

  If you get this compiler error:
  ------
  make -e nc XFLAGS='-DLINUX' STATIC=-static
  make[1]: Entering directory `/root/netcat'
  cc -O -s -DLINUX -static -o nc netcat.c
  /tmp/ccZHNpqq.o: In function `main':
  /tmp/ccZHNpqq.o(.text+0x15b7): undefined reference to `res_init'
  collect2: ld returned 1 exit status
  make[1]: *** [nc] Error 1
  make[1]: Leaving directory `/root/netcat'
  make: *** [linux] Error 2
  ------

  If you got that compiler error you must remove the following ifdef from the
  netcat.c file:
  ------
  #ifdef HAVE_BIND
  /* can *you* say "cc -yaddayadda netcat.c -lresolv -l44bsd" on SunLOSs? */
    res_init();
  #endif
  ------

  And run 'make linux' again. If the compiler doesn't show any errors
  anymore, you can run netcat with:

  # ./nc
  ******************************** }

I'm glad you made it this far. We're gonna use netcat to learn how services
really work. After this chapter you should be able to do a lot of things
without requiring a special client. You will be able to email without using
a mailer, read files on webservers without a webbrowser, and download files
without an FTP client program.

{ In the past there were many people simply using TELNET to send mail, but
  people have become lazy and they demand a flashy graphical user interface
  to get turned on. Hehe, funny to note: I have heard about someone who was
  fired from his job because people thought he was hacking; he was checking
  his POP3 mail with telnet.exe because his Outlook crap seemed dead :-}. So
  I want to remind you: I'm not responsible!
  hahaha }

I encourage you to look up the Requests for Comments (RFCs) at
www.rfc.org.uk to learn more about a specific application protocol (or
transfer and communication protocols). Hacking is about understanding a
system so you can defeat it, remember? So if you know how a standard *should*
be implemented, you can test whether vendors of services implement the
standard securely.

I will introduce you to the following services in a practical manner:
FTP, SSH, TELNET, SMTP, HTTP, POP3

4.1 FTP - File Transfer Protocol

FTP is a pretty simple protocol to use. FTP uses a control connection and a
data connection. The control connection is initiated by the client PI
(Protocol Interpreter) and it is used to send commands. The control
connection uses TELNET control characters (like Carriage Return and Line
Feed). So if we can't use an FTP client we can use the telnet client for the
control connection. And concerning the data connection... that's where netcat
comes in. Let's just start a session. First you have to know that everything
starting with a 3-digit number is the reply of the FTP server; the rest are
my commands. I use console tty1 for the control session and I use netcat in
console tty2 for the data connection:

Console TTY1 (control connection):

  bash# telnet ftp.kernel.org 21
  Trying 204.152.189.113...
  Connected to zeus.kernel.org.
  Escape character is '^]'.
  220 ProFTPD 1.2.2 Server
  USER anonymous
  331 Anonymous login ok, send your complete email address as your password.
  PASS asdf@asfd.com
  230- Welcome to the

           LINUX KERNEL ARCHIVES
              ftp.kernel.org

      "Much more than just kernels"

  230 restrictions apply.
  PORT 213,93,39,87,4,1
  200 PORT command successful.
  NLST
  150 Opening ASCII mode data connection for file list.
  226 Transfer complete.

Console TTY2 (data connection; netcat is started alongside the PORT command,
so it is already listening when NLST makes the server connect back):

  bash# nc -v -v -l -p 1025
  listening on [any] 1025 ...
  connect to [213.93.39.87] from zeus.kernel.org [204.152.189.113] 20
  lost+found
  pub
  welcome.msg
  for_mirrors_only
  debian
  debian-cd
  sent 0, rcvd 67
  bash#

The console on TTY1 is used for the control connection, and the TTY2 console
represents the data connection. With the PORT command you specify which local
data port we use to receive the data (a file, a directory listing etc.). So
the command looks like this:

  PORT h1,h2,h3,h4,p1,p2

The h* represent your own IP address, and the p* are for the port address
(TCP). When I don't have my local port open I get an error:

  PORT 213,93,39,87,4,2
  200 PORT command successful.
  LIST
  425 Can't build data connection: Connection refused

So in this case port 1026 was not listening on my PC... if I had had a netcat
in listening (passive) mode like in the example, or like this:

  ./nc -l -p 1026

I would have received the listing. By the way, NLST is almost the same as
LIST, only it shows less information in the file list.

In the past it was possible to create a data connection to a different
system, with a different address, like this (I am using 213.93.39.87 as my
IP and I'm gonna try to retrieve a file on the IP address 213.93.39.1):

  PORT 213,93,39,1,4,1
  500 Illegal PORT command.

This is illegal because I don't use my own IP address. I think it's a pity
that you can't receive the file on another system. It was possible in the
past, but it happens to open a security vulnerability. Where it is enabled
you could abuse it to scan ports of a server in this way:

  -------
  PORT 213,93,39,1,4,2
  200 PORT command successful.
  LIST
  150 Opening ASCII mode data connection for file list.
  226 Transfer complete.
  PORT 213,93,39,1,4,1
  200 PORT command successful.
  LIST
  425 Can't build data connection: Connection refused
  -------

You see, on host 213.93.39.1 port 1026 is open and port 1025 is closed.
You'll have a hard time finding hosts nowadays that suffer from this FTP
bounce attack.
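As an added example (my own code, not from the tutorial), here is the h1,h2,h3,h4,p1,p2 encoding of the PORT command together with the check a bounce-resistant server such as the one in the session above applies before answering 200 or "500 Illegal PORT command": the data address must be the control connection's own peer and the port must be unprivileged. The function names and the peer address passed in are my own; the reply texts are the ones the session shows (plus the standard 501 for a malformed argument).

```python
import ipaddress
import re

# exactly six decimal fields separated by commas, nothing else
_PORT_RE = re.compile(r"^\s*(\d{1,3}(?:,\d{1,3}){5})\s*$")


def encode_port_args(ip: str, port: int) -> str:
    """Build the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command.
    p1 is the high byte of the port (port // 256), p2 the low byte."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def decode_port_args(arg: str):
    """Parse h1,h2,h3,h4,p1,p2 into (ip, port); raise ValueError on junk."""
    m = _PORT_RE.match(arg)
    if not m:
        raise ValueError("malformed PORT argument")
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise ValueError("field out of byte range")
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(arg: str, peer_ip: str) -> str:
    """Decide the server's reply to PORT the way a bounce-resistant server
    does: the data address must equal the control-connection peer and the
    port must be unprivileged. Returns the reply line."""
    try:
        ip, port = decode_port_args(arg)
    except ValueError:
        return "501 Syntax error in parameters or arguments."
    if ip != peer_ip:
        # a foreign address is a request to bounce the data connection elsewhere
        return "500 Illegal PORT command."
    if port < 1024:
        # never let a client steer the data connection at a privileged port
        return "500 Illegal PORT command."
    return "200 PORT command successful."
```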
The bounce attack can also be used to execute certain exploits this way. You
should have noted that this technique is of interest to attack a third system
without revealing your own address on the internet, only that of the FTP
server.

Now I bet you wondered what a weird port address I was entering (4,1).
Well... it's easy: p1 and p2 are both 8 bit, so I take the port address I
want to use and divide it by 256... so if I want to use port 1024 I do
1024 / 256 = 4,0. What is 4 times 256? 1024! (And 4,1 is 4 * 256 + 1 = 1025,
the port netcat was listening on in the session.)

Here are some other commands for the control connection:

  CWD  (Change Working Directory to... -> allows only one dir at a time)
  RETR (RETRieve a file through the data connection (set up netcat!))
  PASV (tells which port the server is listening on for uploads over the
        data connection)
  STOR (dump the file using netcat to the remote port found with PASV)
  PWD  (Print current Working Directory)
  RNFR (ReName FRom: first command, specifying the current name of the path
        to change)
  RNTO (ReName TO: second command to complete the rename of a file)
  ABOR (stop the data transfer on the data connection)
  DELE (delete file)
  RMD  (remove empty directory)
  MKD  (create directory)
  SITE (varies, because these are site-specific commands; look them up with
        HELP SITE)

Using this information you should be able to browse FTP servers simply with
telnet and netcat! :)))

4.2 SSH - Secure SHell

I don't know much about the internals of SSH. I use it myself as a
replacement for TELNET and FTP. What I know of SSH is that it consists of
three layers: the transport layer, the user-authentication layer and the
connection layer. I believe the transport layer of SSH is the lowest of the
layers, which delivers a secure transport before the authentication proceeds.
Then the user logs in and the password (and the rest of the communication)
cannot be captured in a readable form by spies on untrusted networks. The
connection protocol serves the session.
A login is almost similar to telnet:

  bash# ssh -l user localhost
  XT@localhost's password:
  Last login: Mon Sep 24 18:52:36 2001
  Linux 2.4.9.
  A student who changes the course of history is probably taking an exam.
  user@stealth:~$

As I said, I only use SSH; I never used it to hack into a system... but I
know of difficult attacks involving hijacking of sessions and stuff like
that. You should search for it yourself.

4.3 TELNET

The telnet protocol itself is a simple standardization of control characters
for terminal usage, so that users at different systems can log in to a system
while using the TELNET standard. People can use different keyboards with
different keyboard control characters and different operating systems; telnet
converts the characters into a defined standard character set. There is an
IAC (Interpret As Command) byte followed by the control code. The IAC has the
value 255 (FFh) and is followed by the TELNET command code. TELNET commands
include erasing a character or a line, break input and interrupt process.

When you connect to the TELNET login service you are asked for a username and
password. What happens behind the scenes: the inet super daemon listens on
port 23; when someone connects, the in.telnetd process is run, which in turn
runs the login process.

{ The INET SuperDaemon is a service that is able to run a specific Unix
  network service when a connection for that particular service is
  requested. It is configured like this (config file):

  ftp    stream  tcp  nowait  root  /usr/sbin/tcpd  proftpd
  telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd

  You see... if there is someone knocking on port 23, the inetd service runs
  in.telnetd. In Unix systems you can separate services into processes of
  INETD or standalone.
  Apache webserver almost always runs standalone (I don't even know if it is
  ever put under an INETD parent). }

When the login process has successfully authenticated a user it will check
which shell to spawn in /etc/passwd:

  user:x:1004:100:,,,:/home/duho:/bin/bash

{ Only notice '/bin/bash'.. the rest is explained later in this book }

As you see, the user 'user' gets the bash shell (Bourne-again shell). This is
very simple. On recent systems the superuser 'root' is not allowed to telnet
into the box.. so don't be lame and try 'root' with password 'root' logins,
as I've seen a lot in the past (people trying that on my box). Oh yeah, I've
got to admit that I tried this stuff when I was a newbie :). But I don't
believe there's even one Unix box on the internet nowadays where the password
of root is root while the telnet service enables root logins. All login
attempts are logged on Unix systems, so don't be stupid and try passwords.

I'll do one example telnet login:

  bash# telnet
  telnet> o localhost
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.

  stealth login: user
  Password:
  Linux 2.4.9.
  Last login: Tue Sep 25 15:45:26 +0200 2001 on pts/10 from localhost.
  No mail.
  People say I live in my own little fantasy world... well, at least they
  *know* me there!
                  -- D.L. Roth
  XT@stealth:~$ logout
  Connection closed by foreign host.
  bash#

4.4 SMTP - Simple Mail Transfer Protocol

SMTP is only for sending mail; retrieving mail is usually done from POP3 or
IMAP services. SMTP is easier to use than FTP, so this goes quickly.

A 'telnet <host> 25' example:

  --------------
  bash# telnet localhost 25
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  220 stealth.duho ESMTP Sendmail 8.11.6/8.11.4; Tue, 25 Sep 2001 17:15:21 +0200
  HELO x
  250 stealth.duho Hello localhost [127.0.0.1], pleased to meet you
  MAIL FROM:me@wonderland.net
  250 2.1.0 me@wonderland.net... Sender ok
  RCPT TO:duho@my.security.nl
  250 2.1.5 duho@my.security.nl... Recipient ok
  DATA
  354 Enter mail, end with "." on a line by itself
  Subject: Haia

  How's life?

  Me.
  .
  250 2.0.0 f8PFFqN10598 Message accepted for delivery
  quit
  221 2.0.0 stealth.duho closing connection
  Connection closed by foreign host.
  bash#
  --------------

First you saw the banner, and you see I'm running sendmail 8.11.6. The
command sequence is always the same:

  HELO <hostname>
  MAIL FROM: <sender>
  RCPT TO: <recipient>
  DATA
  <message>
  .

You can make the sender address anyone you like; only your IP address is
still known. When I receive the message it looks like this (with all
headers):

  --------
  >From me@wonderland.net Tue Sep 25 08:21:07 2001
  Return-Path:
  Received: from smtp3.hushmail.com (smtp3.hushmail.com [64.40.111.33])
          by pl1.hushmail.com (8.9.3/8.9.3) with ESMTP id IAA23863
          for ; Tue, 25 Sep 2001 08:21:07 -0700
  From: me@wonderland.net
  Received: from stealth.duho (e39087.upc-e.chello.nl [213.93.39.87])
          by smtp3.hushmail.com (Postfix) with ESMTP id 124E1F010
          for ; Tue, 25 Sep 2001 08:21:05 -0700 (PDT)
  Received: from x (localhost [127.0.0.1])
          by stealth.duho (8.11.6/8.11.4) with SMTP id f8PFFqN10598
          for duho@my.security.nl; Tue, 25 Sep 2001 17:16:16 +0200
  Date: Tue, 25 Sep 2001 17:16:16 +0200
  Message-Id: <200109251516.f8PFFqN10598@stealth.duho>
  Subject: Haia
  To: undisclosed-recipients:;
  Status: RO

  How's life?

  Me.
  --------

You see, each mailserver on the path prepends its information header to the
complete message. So you can track down which host sent the message:

  Received: from stealth.duho (e39087.upc-e.chello.nl [213.93.39.87])

When using a normal mailer, your mailer could put in an X-Mailer line which
reveals the mailer program and version that was used. This is important
information if you want to hack the user who sent you the message; there
must be a bug in the software (especially if Microsoft mailers are used).
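As an added example (my own code, not the tutorial's), here is a tracer for the Received: chain discussed above. It walks the headers from the bottom up, since each server prepends its own line, and reports the first hop that did not come from loopback, which is the host that really handed the mail to the internet no matter what MAIL FROM claimed. The sample message is reconstructed from the headers shown above; the function names are my own.

```python
import email
import re

# Sample message reconstructed from the headers shown above (constructed for
# this example; the empty "for ;" clauses are left as the tutorial shows them).
SAMPLE = """\
Received: from smtp3.hushmail.com (smtp3.hushmail.com [64.40.111.33])
        by pl1.hushmail.com (8.9.3/8.9.3) with ESMTP id IAA23863
        for ; Tue, 25 Sep 2001 08:21:07 -0700
From: me@wonderland.net
Received: from stealth.duho (e39087.upc-e.chello.nl [213.93.39.87])
        by smtp3.hushmail.com (Postfix) with ESMTP id 124E1F010
        for ; Tue, 25 Sep 2001 08:21:05 -0700 (PDT)
Received: from x (localhost [127.0.0.1])
        by stealth.duho (8.11.6/8.11.4) with SMTP id f8PFFqN10598
        for duho@my.security.nl; Tue, 25 Sep 2001 17:16:16 +0200
Date: Tue, 25 Sep 2001 17:16:16 +0200
Message-Id: <200109251516.f8PFFqN10598@stealth.duho>
Subject: Haia
To: undisclosed-recipients:;

How's life?

Me.
"""

# "from <helo> (<rdns> [<ip>]) by <server>", as sendmail and Postfix write it
_HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s+\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def received_chain(raw: str):
    """Return the delivery path oldest hop first, one dict per Received:
    header: the name the sender claimed (HELO), what the receiving server
    saw (reverse DNS and IP), and which server added the header."""
    msg = email.message_from_string(raw)
    hops = []
    # headers are prepended, so the last Received: is the first hop
    for value in reversed(msg.get_all("Received", [])):
        # unfold the continuation lines before matching
        m = _HOP_RE.search(" ".join(value.split()))
        if m:
            hops.append(m.groupdict())
    return hops


def origin_host(raw: str):
    """The first hop whose IP is not loopback: the host that actually handed
    the mail to the internet, whatever MAIL FROM claimed."""
    for hop in received_chain(raw):
        if not hop["ip"].startswith("127."):
            return hop["rdns"], hop["ip"]
    return None
```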
Here is a second message, this one sent with Pine:

  ---------
  >From XT@asdf.com Tue Sep 25 09:46:14 2001
  Return-Path:
  Received: from smtp3.hushmail.com (smtp3.hushmail.com [64.40.111.33])
          by pl1.hushmail.com (8.9.3/8.9.3) with ESMTP id JAA26305
          for ; Tue, 25 Sep 2001 09:46:14 -0700
  Received: from stealth.duho (e39087.upc-e.chello.nl [213.93.39.87])
          by smtp3.hushmail.com (Postfix) with ESMTP id E374EF007
          for ; Tue, 25 Sep 2001 09:46:12 -0700 (PDT)
  Received: from localhost (localhost [127.0.0.1])
          by stealth.duho (8.11.6/8.11.4) with ESMTP id f8PGgBa11137
          for ; Tue, 25 Sep 2001 18:42:11 +0200
  Date: Tue, 25 Sep 2001 18:42:11 +0200 (CEST)
  From: hadf
  X-X-Sender:
  To:
  Subject: asdf
  Message-ID:
  MIME-Version: 1.0
  Content-Type: TEXT/PLAIN; charset=US-ASCII
  Status: RO

  hellow
  ---------

Okay, Pine doesn't include an X-Mailer in the header, but I can still see
that I was using Pine 4.33:

  Message-ID:

And I think the 'LNX' means Linux.

There is one more interesting feature in SMTP servers. Some older mail
servers may reveal whether a person's account exists; mine does not (user XT
exists on my system but this version of sendmail lies that he doesn't):

  ----------
  bash-2.05$ telnet localhost 25
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  220 stealth.duho ESMTP Sendmail 8.11.6/8.11.4; Tue, 25 Sep 2001 18:47:46 +0200
  vrfy XT
  550 5.1.1 XT... User unknown
  VRFY root
  250 2.1.5
  ----------

Okay, it didn't lie that user root exists, but that's because nobody would
believe that it doesn't. EXPN is something similar.. if there is a mailing
list on the server it should (by the standard) reveal the list of its users.
I think there's not much more to say about sendmail except that it has a past
of many security problems.

4.5 DNS - Domain Name System

Well, I believe I told you something about name<->address resolution; now I
will cover the major aspects of DNS. A hostname consists of several names
separated by dots, like: duho.cjb.net. or www.duho.cjb.net. The root of the
tree is a '.' (dot); the last (most significant) name is a top-level domain
like 'net', 'org', 'com' or a country (like '.uk'). These days the top-level
domains '.net', '.org' and '.com' are in the hands of corporate authorities.
You can buy (register) a second-level domain name from them (if not yet
registered). In the far past these top-level domains were in the hands of the
government (the government has .mil and .gov). Countries have their own
top-level domains like 'nl', 'uk', 'us', 'de', 'be' etc. You can register
domain names from the respective authorities too.

When you have bought a second-level domain, you need to configure an
authoritative name server. You can have more than one nameserver to split the
load... you have at least a primary or master nameserver and possibly some
slaves. At the primary nameserver you configure the third-level domains like
'academy' or 'students' or 'hq', and under those you can have even more,
etc... you can also have separate nameservers for each third-, fourth- etc.
level domain you have in your domain. You just have to configure your zone
files on the primary name servers, and slaves can do zone transfers to assist
the primary nameservers by taking some of the load.

A configuration file I could use with BIND 9 (nameserver) looks like this
(but there are many different possibilities for creating it):

  ---- /var/named/etc/named.conf ----
  options {
      directory "/var/named";
      allow-transfer { };
      allow-query { 10.0.0.0/24; 127.0.0.0/24; };
  };

  zone "duho.org" in {
      type master;
      file "db.duho.org";
  };

  zone "87.93.39.213.in-addr.arpa" in {
      type master;
      file "db.213.93.39.87";
  };

  zone "0.0.127.in-addr.arpa" in {
      type master;
      file "db.127.0.0";
  };

  zone "." in {
      type hint;
      file "db.cache";
  };
  ---- EOF ----

BIND doesn't come with default settings, so this is why many admins configure
their DNS servers securely.
You see in my config file:

  ----
  options {
      directory "/var/named";
      allow-transfer { 127.0.0.0/24; };
      allow-query { 10.0.0.0/24; 127.0.0.0/24; };
  };
  ----

I can only do a zone transfer from localhost (all interfaces on my local
host). Nobody else can. Why I would want to secure zone transfers is
explained in detail a few pages further on. The other directives in
named.conf tell BIND where my zone files are. In reality the config file and
the zone files are in /var/named... which means named.conf at my place is in
the /var/named/var/named/ directory, but before BIND loads it gets
chroot()ed... but this feature is out of the scope of this part of the
tutorial, maybe some other time ;-).

The in-addr.arpa directives (as shown below) are for reverse resolution.
Which means that you can look up an address and find the hostname. This is
also why the address is in reverse order (87.93.39.213 instead of
213.93.39.87): a domain name also has its most significant part last.

  zone "87.93.39.213.in-addr.arpa" in {
      type master;
      file "db.213.93.39.87";
  };

The root nameservers control the in-addr.arpa zone and are able to do these
reverse lookups (try 'host -t ns in-addr.arpa' to look up its nameservers).
Now let me show you a typical zone file for duho.cjb.net:

  ---- /var/named/db.duho.cjb.net ----
  $TTL 3h
  duho.cjb.net.      IN  SOA  ns.duho.org. root.duho.org. (
                              1      ; serial
                              3h     ; refresh
                              1h     ; retry
                              1w     ; expire
                              1h )   ; negative cache TTL
  duho.cjb.net       IN  NS   ns.duho.org.
  duho.cjb.net       IN  MX   0 mail.duho.cjb.net.
  ns.duho.org.       IN  A    213.93.39.87
  www.duho.cjb.net   IN  A    213.93.39.87
  mail.duho.cjb.net  IN  A    213.93.39.87
  ----

duho.cjb.net nameserver:

  ----
  duho.cjb.net       IN  NS   ns.duho.org.
  ----

'IN' means INTERNET class, NS is the record type (name server), and
'ns.duho.org.' is its authoritative nameserver. The address for 'ns.duho.org'
is in the db.duho.org file. Where the record type is 'A' it is a plain
hostname-to-address record.

There have been bugs found in some BIND 8 and older nameservers which are
exploitable and can result in root access.
There are also known attacks like DNS poisoning, which try to manipulate the
DNS cache so that nameservers resolve names to wrong addresses. This causes
users of the DNS servers to visit the wrong sites. Hackers with bad
intentions could use DNS poisoning to set up a fake Hotmail site, for
example, to trick users into sending passwords to them. But generally I think
BIND is pretty secure after all, and BIND development with respect to
security is progressing. BIND 9 can use digital signatures with TSIG, among
other things, to make it hard to poison DNS traffic. Zone transfers are
explained in one of the last chapters of this paper.

4.6 HTTP - Hyper Text Transfer Protocol

The most important application protocol on the internet must be HTTP. Users
of HTTP have a user agent called a webbrowser, like Netscape. To visit a
website the user points the webbrowser to the host and optionally the
absolute path identifier on the target host. Combining the path and the host,
the user forms a URL (Universal Resource Location). The webbrowser can send
the absolute URL to a proxy, or it can connect to the host in question on
port 80 (if no port is defined in the URL) and issue the REQUEST. If no
absolute path is given the webbrowser assumes the path is / (DocumentRoot).
A typical request would look like this:

  GET / HTTP/1.0

GET is the request method, / is the absolute path (/index.html would work
most of the time too) and HTTP/1.0 is HTTP protocol version 1.0.. we have 0.9
(simple request), HTTP/1.1 and others. I haven't studied the HTTP/1.0
specification. HTTP uses MIME-style headers to indicate character set,
encoding types, media types, user agent information, HTTP version, server
information, date and time, and status code. You can imagine that if you
request the download of an HTML page your browser wants to know how to handle
it. Well, when the request has been performed the HTTP server returns the
page along with the HTTP header.
The header gives the status code, the HTTP server version, and the content type (and probably some more). The content type for a html page is html/text. Look at this header: ----- HTTP/1.1 200 OK Date: Tue, 02 Oct 2001 10:21:56 GMT Server: Apache/1.3.20 (Unix) PHP/4.0.5 Connection: close Content-Type: text/html ----- You see, i forgot the connection type and date. However when i download a tarred and gzipped file from my server, the header looks like this: ----- HTTP/1.1 200 OK Date: Tue, 02 Oct 2001 10:24:25 GMT Server: Apache/1.3.20 (Unix) PHP/4.0.5 Last-Modified: Fri, 28 Sep 2001 08:32:47 GMT ETag: "363d3-267b-3bb435af" Accept-Ranges: bytes Content-Length: 9851 Connection: close Content-Type: application/x-tar Content-Encoding: x-gzip ----- I think anything that are not images or HTML files are treated as binary and would trigger your browser to start a download process. The server name is particularly interesting to us ofcourse. But i also want to explain the error codes and then i will explain some other HTTP methods and use netcat or telnet as user agent. Status codes starting with: 1xx : Informational 2xx : Successful 3xx : Redirection 4xx : Client error 5xx : Server error For more information see RFC 1945. Other methods but GET are POST and HEAD and PUT. The HEAD command retrieves only the header of the HTTP server: HTTP/1.1 200 OK Date: Tue, 02 Oct 2001 10:30:41 GMT Server: Apache/1.3.20 (Unix) PHP/4.0.5 Connection: close Content-Type: text/html We will get to the POST method later in this tutorial. Let's do a simple HTTP request using telnet or netcat: ----- bash# telnet localhost 80 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. GET / HTTP/1.0 HTTP/1.1 200 OK Date: Tue, 02 Oct 2001 10:32:52 GMT Server: Apache/1.3.20 (Unix) PHP/4.0.5 Connection: close Content-Type: text/html DuHo

Welcome to the DuHo webserver

DuHo Information Team maintains projects dealing with hacking, cracking and other computing issues.
The projects result in papers, program sources and tutorials which are publicly released on these pages.

We have updated or released our latest file on Monday 01 October 2001

Connection closed by foreign host.
bash#
-----

You see, this was easy! For downloading a binary file, however, you should use netcat instead of telnet, or the content will be mangled (telnet interprets some bytes as its own protocol commands). To request a page via a proxy you connect to the proxy and give the full URL instead of the absolute path, like this:

GET http://duho.cjb.net/ HTTP/1.0

4.7 POP3 - Post Office Protocol version 3

POP3 is a popular service for retrieving mail. Just like most other protocols I have discussed, we can open a plain TCP connection and issue the commands ourselves. Once again it is very important to understand the application protocols. This time I'm just going to show you one example, which should be enough to get started.

{ Note that USER and PASS cross the network in cleartext: anyone who can sniff the path between client and server reads the password. }

-----
bash-2.05# telnet pop.chello.nl 110
Trying 213.46.243.2...
Connected to mail.chello.nl.
Escape character is '^]'.
+OK InterMail POP3 server ready.
USER mylogin
+OK please send PASS command
PASS YImK5sh;W5
+OK mylogin is welcome here
LIST
+OK 1159 messages
1 3309
2 3985
3 4625
4 1744
5 31202
6 1743
7 1762
8 11318
9 1744
~thousands more spam messages
1159 1009
.
RETR 1159
+OK 1009 octets
Return-Path: <>
From: admin
Subject: ATTENTION: Bounced Message Notification, Total Bytes!!
Date: Wed, 19 Sep 2001 22:15:47 +0200
Message-ID: <169943-2001-0919-221547-29195@amsmss12.chello.nl>

A message was sent to you that was returned to the sender (bounced) because it would have caused your mailbox quota to be exceeded.

The following is the reason that the message was over quota:

Quota Type: Total Bytes
Quota Available: 0
Total Quota: 10485760

The following is the information on the message that was bounced:

Sender:
Subject: [No Subject]
Size: 4692
Message ID: <6717458.1000924503125.JavaMail.tester@hvwww8>
Date: Wed Sep 19 22:15:20 2001
Reply-To: [No Reply-To]

To fix this problem, delete some messages from your mailbox, and contact the sender to resend the message.
If the size of the message is too big, contact the sender to reduce the size of the message and resend the message.
.
-----

I don't use this mailbox because it is overspammed, as you see. I never published this email address anywhere, and none of my friends or enemies even know about it.. so ask my ISP about selling their own email addresses to spammers :).

Another important POP3 command is DELE <message number>. If I wanted to remove the message I just read from my mailbox:

-----
DELE 1159
+OK
-----

The POP3 commands are defined in RFC 1939. Many servers also answer a HELP command once you are connected (TCP port 110), but HELP is not part of the standard, so don't count on it.

5. OSI (network protocols - a deeper look)

Now I've told you about network, transport and application protocols. To put it all together, here is the OSI model:

|--------------------------------
| Application Layer
|--------------------------------
| Presentation Layer
|--------------------------------
| Session Layer
|--------------------------------
| Transport Layer
|--------------------------------
| Network Layer
|--------------------------------
| Data-Link Layer
|--------------------------------
| Physical Layer
|--------------------------------

5.1 The Application Layer

The application layer is where two applications talk to each other in their own protocol, without having to know how the lower layers built the communication.

5.2 The Presentation Layer

The presentation layer deals with data formats: compression, character encoding, encryption and so on. You can recognise this layer in some of the well-known application protocols, where the application service depends on it for communication (the HTTP Content-Type and Content-Encoding headers of 4.6 are a good example).

5.3 The Session Layer

The session layer handles session-specific tasks during a connection with another computer. Which tasks depends on the application of course; a download-resume function or a login sequence are examples.
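The presentation and session tasks just described are what the HTTP headers of 4.6 and the POP3 login of 4.7 do in practice, so before going down to the lower layers, here is an added example in Python (not part of the original tutorial). It builds the request bytes you would otherwise type into telnet, parses an HTTP response into status line, headers and body so the Server banner and status class can be read off, and parses POP3 replies, including the dot-terminated multi-line form used by LIST and RETR (undoing the '..' byte-stuffing RFC 1939 requires). The sample response and POP3 replies are constructed from the headers shown above; nothing is fetched from the network.

```python
"""Raw HTTP/1.0 and POP3 handling, the way it is typed into telnet/netcat in 4.6 and 4.7.

Added example, not part of the original tutorial. Everything works on byte strings,
so it runs offline; to talk to a real server, send what build_http_request() returns
over a socket and feed the reply to parse_http_response().
"""

# ---- HTTP --------------------------------------------------------------------

STATUS_CLASSES = {1: "Informational", 2: "Successful", 3: "Redirection",
                  4: "Client error", 5: "Server error"}


def build_http_request(host, path="/", method="GET", port=80, proxy=False):
    """Bytes you would type into `telnet host 80`.

    Direct:    GET /path HTTP/1.0
    Via proxy: GET http://host/path HTTP/1.0   (absolute URL instead of the path)

    A Host: header is always sent; an HTTP/1.0 server ignores it, a server with
    several name-based sites on one address needs it. The request ends with an
    empty line, the part people forget at the telnet prompt.
    """
    target = f"http://{host}{path}" if proxy else path
    host_value = host if port == 80 else f"{host}:{port}"
    return f"{method} {target} HTTP/1.0\r\nHost: {host_value}\r\n\r\n".encode("ascii")


def parse_http_response(raw):
    """Split a raw response into status line, headers and body.

    Headers end at the first empty line; header names are case-insensitive and
    are lower-cased. The body stays bytes: with Content-Type: application/x-tar
    it is binary, which is why the text warns against telnet for downloads.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # some servers and netcat captures use bare LF
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines()
    parts = lines[0].split(" ", 2)  # "HTTP/1.1 200 OK"
    code = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"version": parts[0], "status": code,
            "reason": parts[2] if len(parts) > 2 else "",
            "class": STATUS_CLASSES.get(code // 100, "Unknown"),
            "headers": headers, "body": body}


def server_banner(response):
    """The Server: header, the field system profiling cares about most."""
    return response["headers"].get("server", "")


# ---- POP3 --------------------------------------------------------------------

def parse_pop3_reply(raw, multiline=False):
    """Return (ok, status_line, body_lines) for one POP3 reply.

    Every reply starts with +OK or -ERR. Whether a body follows depends on the
    command sent (LIST, RETR, TOP, UIDL, CAPA answer multi-line), not on the
    reply itself, hence the `multiline` flag. A multi-line body ends with a line
    holding a single '.', and a body line that itself starts with '.' travels
    as '..' (RFC 1939 section 3); that stuffing is undone here.
    """
    text = raw.decode("latin-1")
    status_line, _, rest = text.partition("\r\n")
    ok = status_line.startswith("+OK")
    body = []
    if ok and multiline:
        for line in rest.split("\r\n"):
            if line == ".":
                break
            body.append(line[1:] if line.startswith(".") else line)
    return ok, status_line, body


def parse_pop3_list(body_lines):
    """LIST body lines 'n size' -> {message number: size in octets}."""
    return {int(num): int(size)
            for num, size in (line.split() for line in body_lines if line.strip())}


# ---- constructed samples, built from the headers shown in 4.6 and 4.7 -------------

SAMPLE_HTTP = (b"HTTP/1.1 200 OK\r\n"
               b"Date: Tue, 02 Oct 2001 10:32:52 GMT\r\n"
               b"Server: Apache/1.3.20 (Unix) PHP/4.0.5\r\n"
               b"Connection: close\r\n"
               b"Content-Type: text/html\r\n"
               b"\r\n"
               b"<html><title>DuHo</title></html>\r\n")
SAMPLE_LIST = b"+OK 3 messages\r\n1 3309\r\n2 3985\r\n3 4625\r\n.\r\n"
SAMPLE_RETR = (b"+OK 52 octets\r\n"
               b"Subject: test\r\n"
               b"\r\n"
               b"line one\r\n"
               b"..signature starts with a dot\r\n"  # stuffed on the wire
               b".\r\n")

if __name__ == "__main__":
    r = parse_http_response(SAMPLE_HTTP)
    print(r["status"], r["class"], "banner:", server_banner(r))
    ok, status, body = parse_pop3_reply(SAMPLE_LIST, multiline=True)
    print(status, parse_pop3_list(body))
```

The status class lookup is the 1xx..5xx table from 4.6; the `multiline` flag exists because a POP3 client, unlike an HTTP client, has to know from the command it sent whether a body with a '.' terminator is coming.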
5.4 The Transport Layer

The transport layer gets an application's data to the other end in one piece. It chops the data into segments, numbers them, and makes sure they are put back together correctly and in order at the destination (you will hear about sequence numbers a lot more, so be aware). The largest packet a network accepts is its MTU (Maximum Transmission Unit); Ethernet has an MTU of 1500 bytes, other networks lower or higher. Strictly speaking, cutting packets down to the MTU (fragmentation) is a job of the network layer below, but the effect is the same: what arrives has to be reassembled.

{ For example: if you send 3 packets (1,2,3) to a destination there is no guarantee that they arrive in the '1,2,3' order, so the packets are numbered and put back in sequence at the destination. }

How much of this is actually done depends on the transport protocol used: TCP does all of it, UDP does none of it.

5.5 The Network Layer

The network layer supports the transport layer. The segments constructed by the transport layer are routed across the network by the network layer. The network layer is the mail delivery guy of the packets.

{ The transport layer on the receiving side acknowledges what has arrived. A segment that is not acknowledged within a timeout is sent again by the sender. }

5.6 The Data-Link Layer

The data-link layer is often built into the networking hardware device. It is responsible for reliable communication on the physical network, between machines that are directly connected.

{ Physical network layers, just like the network layer, have no idea what they are sending. They just do... So we need a higher-level layer to keep track of the information itself. }

The layer deals with physical addressing (MAC addresses), error detection on the link, the sequence of data frames, and regulating the stream of data (flow control). The data-link layer can be split into two sublayers: MAC (Media Access Control) and LLC (Logical Link Control). MAC manages access to the physical medium.
LLC offers the network layer two modes: a connection-oriented and a connectionless mode. The connection-oriented mode offers a more reliable connection.

5.7 The Physical Layer

The physical layer covers the physical aspects typical of the hardware used: voltages, voltage changes, speeds, maximum transmission distances, connectors and anything else specific to that kind of network.

{ IEEE 802.3 (Ethernet) and its 100BaseT variant are examples of standards that define such a physical layer. }

6. Back to system profiling

Now that you should have a basic understanding of networking on the internet, I'll get back to system profiling.

6.1 The importance of system profiling

We could simply try to find out which services are running and quickly get an idea of how to exploit them. But these days many admins run firewalls and IDSs which try to detect people who 'brute force' the search for vulnerabilities.

{ For example, there are vulnerability scanners around which check for known vulnerabilities in CGI scripts, known exploits etc. }

Such tools should not be used by crackers or hackers (whatever you want to call it). They are used by admins to check their own security. Using such tools will not help much: they scan your target without requiring the user to know how they scan, and an IDS in particular will detect such a scan immediately, sometimes triggering a ban on your host so you won't have a chance anymore. Using such tools is script kiddie behaviour. It is the same as having your own set of tools and exploits and just trying out everything you have until you get a little wiser.

In this chapter I will give some examples which hopefully give you an idea of how to approach your target. You should understand that the possibilities are endless. Any information about the target, its users and its admins is useful to profile a system. Once you have an idea of what you are dealing with you will be able to set up a discreet and hopefully undetected attack in a later stage.
6.2 "Planning"

Here is what I think is the most general sequence of steps for system profiling:

- Available information
- Information retrieval
- Identifying possible weaknesses

This is the most general planning I can come up with.

6.2.1 Available Information

For finding public information I think these are the steps to take:

- Find information.
- Write down all interesting points.
- Track down every point.
- Start over.

To clear this up, here's an EXAMPLE:

{
- I found a website I want to hack.
- I dig through the whole website and write down any interesting information.
- One of the things I found was the webmaster's mail address. I found it by simply typing in a nonexistent page, and it said:

  The requested page was not found on this server. If you think this was due to a dead link on this site please make a report: webmaster@corporation.com

  { Aha, I could have guessed this email address myself too. }
- After I wrote down every interesting point of information available on their website, I begin to dig up some more information about this website.
- I search for the email address on several websites and write down everything that seemed important.
- The most important thing I found was his homepage, where he said: 'To all my friends: my email address john-the-ripper@university.edu has changed because I have a job at Company; the new one is admin@company.com'.
- Hehe, I write down all interesting points he made on his homepage.
- I search for john-the-ripper@university.edu and a CV (Curriculum Vitae).
- I found his curriculum vitae, and it says he has experience with Linux and PHP/MySQL and he is a good database administrator.
}

That's a nice example of one entry in the system profiling stage. Use your imagination and seek any information you can get!
An excellent site on becoming a master information seeker is +fravia's searchlores site (lots of interesting essays): http://www.searchlores.org/

6.2.2 Active Server-oriented Information probing

The publicly available information that you have found helps you choose the right ways to acquire more information on the server, avoiding irrelevant probes which might trigger alarms.

{ Though the knowledge from the former step is more useful during the actual attack stage: you have found a lot of public information that you could not have found with the server probes of this stage. }

In this stage we're going to visit some services that might exist on the remote server.

6.2.2.1 PING

First we want to know if there is a firewall in place. What I have experienced is that a lot of firewalled hosts block ICMP packets.

{ ICMP (Internet Control Message Protocol) is often used to test for network problems. One feature of ICMP is the ICMP ECHO REQUEST, or in a more popular word: ping. When you send an ICMP ECHO REQUEST to a host that doesn't block ICMP, the host (if it exists) replies with an ICMP ECHO REPLY. }

Because a single ping is rarely treated as an attack probe, we can start by sending a PING to the target server (if we are definitely sure it is online). If the system does not respond, ICMP is being filtered, either by a firewall on the host or somewhere on the path to it, and it is very likely that any scan probes are logged too. We now know we should be very careful in scanning the target.

{ NOTE: Don't think there cannot be a firewall if ping is not blocked! Also keep in mind that a ping sweep over many hosts does get noticed by an IDS. }

The next thing we could do is look up the hostname(s)... a host can have several names, and names always contain information.

{ Hostnames are aliases for IP addresses to make them easier for users to remember. In practice you will see the difference between administratively chosen names and publicly chosen names. For example, my IP address is 213.93.39.87.
My ISP (Internet Service Provider), Chello Broadband, has given this IP address a name for administrative purposes: e39087.upc-e.chello.nl. A quick guess: I think e is the class B network I'm located in, 39087 is my exact position (39.87) within that class B network, upc-e says that I'm in the 213.93 area again, and chello.nl speaks for itself. Maybe they run network management software for these cable modems that makes this kind of naming important? I chose my 'duho.cjb.net' hostname publicly so that it is easy to remember. }

If you don't understand the hostname code (the administrative one) you might understand it once you have a list of hostnames that exist in that domain.

6.2.2.2 DNS & Zone Transfers

We can try to do a DNS zone transfer, which is better than scanning for hosts that are online (grabbing an IP range and doing a reverse lookup for all of them).

{ DNS is the global internet database that consists of millions of nameservers (each nameserver has a database of hostnames with their IP addresses). Ordinary queries go over UDP port 53; zone transfers (AXFR), and answers too large for UDP, use TCP port 53. That is why a firewall that only passes UDP/53 stops zone transfers even when the nameserver itself would allow them. }

We can do this with the program 'host' on Linux or Unix:

host -t ns company.be

{ -t = type
  ns = type: NameServer
  company.be = the domain we want the nameserver addresses of }

Now you will get something like this as output:

company.be name server ns01.company.be
company.be name server ns02.company.be
company.be name server ns1.telekabel.be

I see the telekabel thing.... I think it's best to query that one first. The reason is that it might avoid our query being logged at company.be itself, which might be more suspicious about such things.

{ NOTE ALSO that not all nameservers allow zone transfers, for security reasons!
}

So do this at every single nameserver until one allows you to do a DNS zone transfer:

# host -l company.be ns1.telekabel.be

{ -l = list (zone transfer)
  company.be = the domain we want the listing of
  ns1.telekabel.be = one of company.be's authoritative nameservers }

Using domain server:
Name: ns1.telekabel.be
Address: 100.100.100.100
Aliases:

Server failed: Query refused

> This server won't allow us to do a DNS zone transfer :(

# host -l company.be ns01.company.be   // trying the next nameserver

Using domain server:
Name: ns01.company.be
Address: 123.123.123.123
Aliases:

Server failed: Query refused

> Damn, another one secured

# host -l company.be ns02.company.be

Using domain server:
Name: ns02.company.be
Address: 123.123.123.124
Aliases:

cache.company.be has address 123.123.100.12
games.company.be has address 123.123.132.23
www.company.be has address 123.123.100.2
office.company.be has address 123.123.123.231
router1.company.be has address 123.123.100.1
ftp.company.be has address 123.123.100.2
~etc.

BINGO! DNS zone transfer allowed :)). To get more verbose entries use -v with it, and if you're lucky you might get even more information (MX, HINFO and TXT records) by adding the '-t any' option. Like this:

# host -l -v -t any company.be

Be careful with zone transfers, they might look suspicious: a zone transfer is a single, easily recognised request that an admin can log. But when zone transfers are enabled, this says a lot about the (careless) admins perhaps?

6.2.2.3 WHOIS

The next thing is to gather information on the domain using whois:

whois company.be

There you will retrieve information about the organisation and the admins: contact names, addresses, phone numbers and the registered nameservers.

6.2.2.4 Scanning Services

To find out which services are running we could just start scanning the system in default mode. But this is not a very stealthy way. If you found out that the system filters ICMP then we are almost certain that the system has a firewall. But it is also possible that the ISP or a router between you and the victim is blocking ICMP (maybe to stand up against some Denial of Service types like ping floods).
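The zone listing of 6.2.2.2 is worth more than a list of names, and the reasoning of this section (several names on one address, names hinting at services) can be written down. Here is an added example in Python, not part of the original tutorial: it parses `host -l` output of the form shown above (`name has address a.b.c.d`, plus `mail is handled by` lines when -t any was used), groups the names by address to spot one box doing several jobs, and turns each host's names into the few ports worth probing. The listing in the code is constructed from the company.be placeholders above, and the name-to-port table is a guess table, an assumption the DNS data does not confirm.

```python
"""From a DNS zone listing to a short, quiet port list (sections 6.2.2.2 and 6.2.2.4).

Added example, not part of the original tutorial. It parses the output format
`host -l` printed at the time ("name has address a.b.c.d", and
"domain mail is handled by 10 host" when -t any was used), groups names by
address, and maps each host's names to the ports worth probing. The listing
below is constructed from the company.be placeholders in the text; the
name-to-port table is a guess table, an assumption, not anything DNS tells you.
"""
import re
from collections import defaultdict

SAMPLE_ZONE = """\
Using domain server:
Name: ns02.company.be
Address: 123.123.123.124
Aliases:

cache.company.be has address 123.123.100.12
games.company.be has address 123.123.132.23
www.company.be has address 123.123.100.2
office.company.be has address 123.123.123.231
router1.company.be has address 123.123.100.1
ftp.company.be has address 123.123.100.2
mail.company.be has address 123.123.100.2
company.be mail is handled by 10 mail.company.be
company.be name server ns01.company.be
"""

ADDR_RE = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")
MX_RE = re.compile(r"^(\S+) mail is handled by (\d+) (\S+)$")

# Hostname label -> ports such a host usually exposes to the world (the guess
# made in 6.2.2.4, written down). No 22/23: remote-login ports are exactly what
# an admin notices a stranger knocking on.
NAME_HINTS = {
    "www": {80}, "web": {80},
    "ftp": {21},
    "mail": {25, 110, 143}, "smtp": {25}, "pop": {110}, "imap": {143},
    "ns": {53}, "dns": {53},
}


def parse_zone_listing(text):
    """Return (ip -> sorted names, set of MX hosts). The 'Using domain server'
    preamble and record types not handled here are skipped."""
    ip_to_names = defaultdict(set)
    mx_hosts = set()
    for line in text.splitlines():
        line = line.strip()
        m = ADDR_RE.match(line)
        if m:
            ip_to_names[m.group(2)].add(m.group(1).lower().rstrip("."))
            continue
        m = MX_RE.match(line)
        if m:
            mx_hosts.add(m.group(3).lower().rstrip("."))
    return {ip: sorted(names) for ip, names in ip_to_names.items()}, mx_hosts


def cohosted(ip_to_names):
    """Addresses carrying more than one name: one machine doing several jobs."""
    return {ip: names for ip, names in ip_to_names.items() if len(names) > 1}


def label(hostname):
    """'mail.company.be' -> 'mail', 'ns01.company.be' -> 'ns', 'router1' -> 'router'."""
    return re.sub(r"\d+$", "", hostname.split(".")[0])


def port_plan(ip_to_names, mx_hosts=frozenset()):
    """Per address, the union of ports its names hint at. Being an MX adds 25 even
    if the name does not say 'mail'. Names with no hint (office, router1) give an
    empty list: nothing there can be probed without looking odd."""
    plan = {}
    for ip, names in ip_to_names.items():
        ports = set()
        for name in names:
            ports |= NAME_HINTS.get(label(name), set())
            if name in mx_hosts:
                ports.add(25)
        plan[ip] = sorted(ports)
    return plan


if __name__ == "__main__":
    ip_to_names, mx = parse_zone_listing(SAMPLE_ZONE)
    for ip, names in cohosted(ip_to_names).items():
        print(ip, "carries", ", ".join(names))
    for ip, ports in sorted(port_plan(ip_to_names, mx).items()):
        print(ip, "->", ports or "nothing quiet to probe")
```

The plan for 123.123.100.2 comes out as 21, 25, 80, 110 and 143, which is the same list the text arrives at by hand below; 3306 is not in it because nothing in DNS points at MySQL, that guess comes from the admin's CV.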
If the system has a firewall we must be very, very careful with scanning for services. With all the information you have found so far you can probably guess what kind of operating system it is and which services it is likely to offer. So we scan only the ports that we think might be open. But we don't scan for services like TELNET or SSH or another remote login.

Example: I have done some little research on company.be's mail server and found out that its IP address has three hostnames: mail.company.be, ftp.company.be and www.company.be.

{ Meaning that one computer is likely used for mail, ftp and http; not very clever... }

I'm going to check this information, which suggests that the host has ports 25, 110 (or 143) and 80 open to the world. I found out that the admin's expertise was MySQL/PHP/Apache/Linux.

{ Sometimes the web server reveals whether PHP and/or MySQL are installed: just retrieve the HTTP header, and the Server: line may list PHP and other modules (sometimes the banner gives away the operating system too!) => see chapter 4.6 for this method. }

So possibly port 3306 (MySQL) is open too. If it is filtered while the rest is closed, it looks like they purposely filtered this port, which may mean that MySQL is only accessible to certain hosts. Though maybe MySQL isn't that interesting, because even when it is open it is unlikely (at least in the newer versions) that it will accept a connection from your host. You will get an error like:

-----
# telnet x.x.x.x 3306
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
Host 'x.x.x.x' is not allowed to connect to this MySQL server
Connection closed by foreign host.
bash#
-----

MySQL has its own ACL (the user table); my server is configured to only allow connections from localhost. Even this refusal is useful, by the way: the error text tells you a MySQL server is there.

{ Note that a firewall can DROP packets (silently discard them, so the probe times out; Nmap reports such a port as filtered) or REJECT them (answer with a TCP RST or an ICMP unreachable). A REJECT that sends a RST looks exactly like a closed port, so it is hard to find out whether a firewall is blocking the port or the port is simply not in use. }

I conclude that I want to scan ports 21, 25, 80, 110 and 3306. I have two choices of scan:

1. A full connect to each port, with a long interval between ports.
2. A half-open (SYN) or NULL/FIN/X-Mas scan, with a long interval between ports.

Advantages & disadvantages of the methods:

1. A full connect definitely makes a log entry in the service's own log, because the connection completes. But because I am visiting just 5 ports, and the interval between ports is long, the firewall or IDS will not see that I'm scanning, because I'm not using 'illegal' probes, and the admin will not suspect anything because I scan only services that are publicly accessible. So, in the case of a full-connect scan, do not scan ports like SSH and TELNET. A full connect scan is done like this in Nmap (with a large interval):

# nmap -sT -T Polite -p21,25,80,110,3306 www.company.be

{ -sT = TCP connect() scan
  -T = timing template, the interval between probes
  -p = ports to scan (notation: n-n (range), n,n (list))
  www.company.be = target }

2. A half-open (SYN) or NULL/FIN/X-Mas scan with a long interval between ports. You should be very careful with this if the host runs a firewall or IDS. When there is no firewall it is the best method, because no connection completes, so it won't show up in the normal service logs (e.g. /var/log/messages). The full-connect method is the best if there IS a firewall in place; it gives the most accurate results.

{ Though remember: only scan ports like FTP and HTTP which will not make the admin suspicious, and always make the interval something like '-T Polite', so that the admin doesn't see connections to 3 services within a short time. }

The NULL, FIN and X-Mas scans cannot tell a filtered port from an open one: both stay silent, so an open port and a DROPped port look the same (old Nmap versions printed such ports as open; current versions say open|filtered). They also fail against stacks that answer every odd packet with a RST, Windows for instance. Half-open (SYN) scans are easily detected if there is a firewall that logs suspicious network activity, or an IDS.
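Method 1 is simple enough to write out, and doing so makes the DROP/REJECT note above concrete. The Python below is an added example, not part of the original tutorial and not Nmap: a plain connect() probe that classifies each port as open, closed or filtered from the network's answer, run over the chosen ports with a long random pause between them. The pause lengths are an assumption of mine; the Nmap template timings quoted in the comment are Nmap's own. The demo at the bottom only touches 127.0.0.1.

```python
"""Method 1 from section 6.2.2.4 written out: a full connect() probe of a few
chosen ports with a long random pause between them.

Added example, not part of the original tutorial and not Nmap. It shows what a
connect() scan can and cannot tell you: 'closed' and 'filtered' are different
answers from the network, and a REJECT firewall rule that sends a RST
deliberately makes a filtered port look closed.
"""
import random
import socket
import time


def probe_tcp(host, port, timeout=3.0):
    """One connect() probe of host:port.

    open     - handshake completed; the service (and its log) saw our address
    closed   - a RST came back: nothing listens, or the firewall REJECTs with RST
    filtered - nothing came back within the timeout, or an ICMP unreachable did:
               a DROP rule, a REJECT-with-ICMP rule, or a broken path
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # EHOSTUNREACH / ENETUNREACH: an ICMP error, typically from a firewall or router
        return "filtered"
    finally:
        s.close()


def polite_scan(host, ports, min_gap=15.0, max_gap=60.0, timeout=3.0, sleep=time.sleep):
    """Probe the ports one at a time with a random pause of min_gap..max_gap seconds
    in between, so the connections do not line up in the target's logs.

    For comparison, Nmap's -T Polite waits 0.4 s between probes, -T Sneaky 15 s
    and -T Paranoid 5 min. `sleep` is a parameter so the loop can be exercised
    without actually waiting.
    """
    results = {}
    for i, port in enumerate(sorted(set(ports))):
        if i:
            sleep(random.uniform(min_gap, max_gap))
        results[port] = probe_tcp(host, port, timeout)
    return results


def firewall_suspected(results):
    """At least one probe got no answer at all: something is dropping packets."""
    return any(state == "filtered" for state in results.values())


if __name__ == "__main__":
    # Demo against your own machine only; drop min_gap/max_gap to get the real pauses.
    found = polite_scan("127.0.0.1", [21, 25, 80, 110, 3306], min_gap=0, max_gap=0)
    for port, state in found.items():
        print(f"{port}/tcp {state}")
    print("firewall suspected:", firewall_suspected(found))
```

A connect() probe needs no privileges, which is the other reason it is the default choice when you are not root; the SYN, NULL, FIN and X-Mas scans below all need raw sockets.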
The half-open, NULL, FIN and X-Mas techniques are all based on illegal packets or incomplete connections, and that's why you should be very polite to the target when using them.

{ By illegal packets I mean that the constructed packets are not according to the standard: a TCP segment with no flags set at all, or a FIN without a preceding handshake. Sometimes such packets even slip through a badly configured stateless firewall, but you can never be sure. }

Half-open scan example:

# nmap -sS -T Polite -p 21,25,80,110,3306 www.company.be

{ -sS = SYN scan (doesn't complete the connection; the kernel answers and the service never sees it)
  -T Polite = use a fairly large interval between probes }

Others:

# nmap -sN -T Polite -p 21,25,80,110,3306 www.company.be   { NULL scan }
# nmap -sF -T Polite -p 21,25,80,110,3306 www.company.be   { FIN scan }
# nmap -sX -T Polite -p 21,25,80,110,3306 www.company.be   { X-Mas scan }

If you want a much larger interval use '-T Sneaky' or, slower still, '-T Paranoid'. For the record: Polite waits 0.4 seconds between probes, Sneaky 15 seconds and Paranoid 5 minutes. SYN, NULL, FIN and X-Mas scans also need raw sockets, so they have to be run as root. See the manpage for more info on Nmap. Or if you are Dutch: http://duho.cjb.net/pub/hacking/NmapGids2.html for my Nmap guide in Dutch.

7. Last words

I think there is nothing more to say about system profiling. I only hope you understand the importance and basic idea behind it. It was just an introduction; I think you now know that you cannot be a good hacker if you don't know all about the technologies involved in every aspect of hacking.

XT : [DuHo] 2001
With corrections made on 01/17/02
Visit http://duho.cjb.net/ for updates or new parts of this tutorial every now and then.

-EOF-