___________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 9, Part 1
War Tools! Scan, Sniff, Spoof and Hijack
____________________________________________________________

This Guide is excerpted from the Second Edition of "The Happy Hacker" book, available Sept. 31 1998.

"Hello, I don't mean to be rude, but I noticed you were examining something, er... proprietary on our system. Would you mind explaining what you were doing?"

Sigh. From time to time I get an email like that. Sometimes it is less polite than this. In this case, I had been examining an intranet server. For some reason it was directly accessible from the Internet instead of being on a private internal network. I'll bet you can't reach that box from the Internet any more:) I was just curious, not trying to break in!

The one thing that defines a hacker is curiosity: a blinding, insatiable hunger for more, more, more information. If your objective is to fight those who attack your computers, your curiosity will be your greatest asset. This chapter covers some powerful war tools that can satisfy your curiosity in a legal and constructive way -- and shows how to use them to battle computer criminals.

Sysadmins tell me that it is far harder to keep people out of your computer systems than it is to break in. In this chapter we will get a glimpse of this war between sysadmins and computer intruders, and learn something about the tools they both use.
*******************
In this chapter you will learn about:

IP address scanning
Port scanning
  a beginner's scanner
  a stealth scanner
How to give intruders a hard time
  Nuke Nabber (for casual users)
  Port Dumper (for anyone with a sense of humor)
  RotoRouter (drive the bad guys nuts)
  Sniffit
  TCPview
  TTY-Watcher (great fun for casual users, great tool for sysadmins)
Industrial strength tools
  Etherpeek
  IP-Watcher
  T-sight
****************

*********************************
You can get punched in the nose warning: Before you start playing with the techniques of this chapter, beware. If you use what you learn here for snooping on other people's networks, you should expect them to suspect you of being a computer criminal. For this reason, if you want to explore other people's systems, it helps to make friends with the staff of your ISP so they won't kick you off for suspicion of computer crime. Also, it helps to get permission from the sysadmins of whatever network you are checking out. If you find a problem, you should notify the responsible sysadmin so he or she may fix the problem.

It also helps to maintain a good reputation. If you are known as a troublemaker, you will get lots of grief for using the tools of this chapter. If you have a good reputation, people will believe it when you say you are exploring in order to learn network administration -- or simply for the pure joy of discovery.

If your ISP is one of those big, anonymous places that would kick you off at the least sign of trouble, switch to a local ISP where you can drop in and offer to take the tech support staff out for pizza. Trust me on this, if you try out what this chapter teaches, almost any large ISP will soon give you the boot.
*********************************

*********************************
You can go to jail warning: If you live outside the United States, be sure to check on what the local computer crime laws are. I can't guarantee the tactics of this chapter will be legal everywhere.
*********************************

IP Address and Port Scanning

Every day someone emails me to complain that some host name in an ancient GTMHH won't do cool stuff any more. Imagine that! When I wrote those first GTMHHs I was just sending them to a few friends. I assumed these Guides would soon fade out of existence in the vastness of the Internet. Little did I suspect that eventually tens of thousands of newbies would be fingering, telnetting, ftping, phfing and worse into those IP addresses. So of course their sysadmins have buttoned them down. Strangers can't play with them any more.

What really saddens me is how many people ask me for good host names they can use. It is so easy to find them yourself!

If you want to be primitive about it, you can scan for IP addresses by hand. Find a tempting domain name while surfing the web, running traceroute or tracert, or in the headers of email. Then try the techniques of the "Port Surf's Up!" chapter to see if there is anything interesting there. This is a good way to start, because you know exactly what you are doing and can get a gut feel for the process. Also, it's quite a rush to discover something rare like the Internet backbone VAX/VMS in the port surfing chapter -- and discover that it is advertising the status of its huge network to you from port 15!

There also are programs that will find live Internet host computers for you automatically. Many of these tools will also map which ports are open. They won't always give you all the goodies you can get when you port surf by hand, but they find out the basics for you fast.

********************************
You can get punched in the nose warning: The downside of the IP scanner and port scanner tools of this chapter is that when you use them on other people's computers without permission, this practically shouts "I am a criminal hacker." Presumably this isn't true, but way too many sysadmins have discovered that a port scan is soon followed by a break-in attempt.
If you do insist on scanning without permission, it helps to scan Internet hosts owned by other hackers. If people who are obviously hackers complain, the sysadmins at your ISP or company LAN may not have much sympathy for them. Hey, they are hackers, they can take care of themselves. However, if you do this without the hackers' permission, you just might incite a hacker war against you, which may nevertheless lead to losing your Internet access.
********************************

So we're ready to scan for Internet hosts and their ports. Let's start with how newbies can do it. You can get a Windows 95/98 program that scans IP addresses and ports, What's Up Gold, from http://www.ipswitch.com. It's free for a one month trial. It's a simple point and click program that does an excellent job.

Here's what I get when I scan IP addresses from 198.987.999.1 through 198.987.999.254 looking for any open ports in the range of 1 through 600. This scan is set to check each port by waiting only 100 milliseconds for a response from each one:

198.987.999.033
198.987.999.036 80
198.987.999.044
198.987.999.048
198.987.999.049
198.987.999.066
198.987.999.067
198.987.999.074
198.987.999.080
198.987.999.113
198.987.999.115
198.987.999.118
198.987.999.167

I run the same scan again but with the time-out set to 1 second.
This reveals many more live IP addresses and ports:

198.987.999.033 7 9 11 13 15 19 21 23 25 37 53 79 80 110 111 113 139 143
198.987.999.034 139
198.987.999.035
198.987.999.036 80 139
198.987.999.041
198.987.999.042 139
198.987.999.043 139
198.987.999.044 139
198.987.999.045 139
198.987.999.048 139
198.987.999.049 139
198.987.999.050 80 139
198.987.999.051 21 22 23 25 37 70 79 109 110 111 113 143
198.987.999.055 139
198.987.999.056
198.987.999.058 139
198.987.999.059 139
198.987.999.060
198.987.999.061 139
198.987.999.061 139
198.987.999.065 139
198.987.999.066 21 23 80 139
198.987.999.067
198.987.999.068
198.987.999.069
198.987.999.072
198.987.999.073
198.987.999.074
198.987.999.075
198.987.999.077
198.987.999.078
198.987.999.079
198.987.999.080
198.987.999.082
198.987.999.083
198.987.999.084
198.987.999.085
198.987.999.086
198.987.999.088
198.987.999.092
198.987.999.093
198.987.999.098
198.987.999.099
198.987.999.101
198.987.999.103
198.987.999.105
198.987.999.108
198.987.999.110
198.987.999.111
198.987.999.112
198.987.999.113
198.987.999.115
198.987.999.118
198.987.999.119
198.987.999.120
198.987.999.121
198.987.999.122
198.987.999.123
198.987.999.124
198.987.999.125
198.987.999.126
198.987.999.131
198.987.999.133
198.987.999.136
198.987.999.137
198.987.999.139
198.987.999.146
198.987.999.156 80
198.987.999.158
198.987.999.162 139
198.987.999.163
198.987.999.165
198.987.999.166
198.987.999.167
198.987.999.169 7 9 13
198.987.999.173 13 15 21 23 25 79 513 514 515 540
198.987.999.177
198.987.999.178 135 389
198.987.999.180
198.987.999.182
198.987.999.183
198.987.999.184
198.987.999.186 139
198.987.999.188
198.987.999.189 139
198.987.999.194 139
198.987.999.195 7 9 13 17 19 135 139
198.987.999.198 110 119 139

OK, I admit it, to save space I was trying to accomplish two slightly conflicting things with this particular set of IP addresses. These are (foobarred) dynamically assigned IP addresses of an ISP. These are assigned to dial-up customers.
So some of these addresses will change or the users of the same address may change from one scan to the next. However, these two scans were done only a few minutes apart. So not many of the connections would have changed in this period. These scans show the importance of a long time-out setting in What's Up. One second (1000 ms) has given me better results.

Here, among these dynamically assigned IP addresses, is where I really get my kicks. Dynamically assigned IP addresses are the Rick's Cafe -- no, the Star Wars Cantina -- of cyberspace. OK, most of these IP addresses reveal no open ports. They are probably mere dialups for downloading email or surfing the Web for people who wouldn't know Unix from unicorns. However, since I chose the dynamic IP addresses of an ISP well-known for attracting hackers, this particular set of IP addresses is -- interesting.

Check out "198.987.999.036 80 139", "198.987.999.050 80 139", and "198.987.999.156 80". Those 80s represent ephemeral Web sites, in existence only so long as their dialups last. Wonder what they hold? The fact that almost all other services are turned off suggests sophisticated users. Maybe those Web sites will be passworded, or maybe I can get in...

That "198.987.999.033 7 9 11 13 15 19 21 23 25 37 53 79 80 110 111 113 139 143" must be a Linux or other home Unix type box. It's run by a real novice, I'd say, judging from all those open ports. Look at that port 21 open. Wonder if he or she has an anonymous ftp server? Better check it out before it winks out of existence. It also has a Web server...

Take a look at "198.987.999.051 21 22 23 25 37 70 79 109 110 111 113 143". That port 22 -- that means secure shell login. No webserver (80), no echo (7), discard (8), daytime (13), netstat (15) etc. Since these are ports that a cautious sysadmin would disable, these are signs that the box might be owned by a hacker.
If this is a dynamically assigned IP address from an ISP on which you have a shell account, a quick look at netstat and/or the "last" command will probably reveal the user name of this hacker.

Check out "198.987.999.198 110 119 139" and "198.987.999.178 135 389". Weird selection of ports. Wonder if the owners of those boxes would tell me what they are up to? Hey, there's a POP server (110). Maybe if I email "root@198.987.999.198" I will get a message through.

Sheesh, I don't know, I'm just playing around. Hacking. It's OK to make mistakes and hit dead ends, because real hackers mess around, explore, and try out new things. If things don't work, it's no big deal. If they do work, however...

If you have a Unix type computer, there are many other port scanners available. SATAN (Security Analysis Tool for Auditing Networks) is famous, free, and also will often identify ports that are vulnerable to attack. You can get it at ftp://ftp.cs.ruu.nl:/pub/SECURITY/. Possession of the code for SATAN is enough to get you kicked off some ISPs. Check out http://www.rootshell.com for other Unix port scanner programs that may not get people as suspicious of you.

If you are willing to pay lots of money for a port scanner, several computer security companies sell them. Internet Security Systems (ISS) has an exceptionally good one, Internet Scanner (at http://www.iss.net). Like SATAN, Internet Scanner will identify security holes in the ports you scan. There are versions for both Unix and Windows NT systems. Because their software would be dangerous in the wrong hands, ISS will only sell you a version to scan the IP addresses you own or that the company you work for has given you permission to scan.

Stealth Port Scanning

You may have already heard that there are port scanners that are impossible to detect. If true, that would solve the problem of getting kicked off your ISP for running scans. One that I have tried out is Nmap, available for free from http://dhp.com.
It runs on Unix type operating systems, and has options to do both normal port scanning and "stealth" port scanning. Warning -- like What's Up, Nmap is not always accurate. While What's Up misses open ports, Nmap often erroneously says closed ports are open.

****************************
Wizard tip: Here's why Nmap is inaccurate in fin scan (stealth or half-open) mode. It sends to each port on the victim computer a single packet with the fin flag (end of transmission) set. If it gets back a packet with the rst (reset) flag set, it reports the port as closed. If it doesn't get rst back, it reports it as open. Of course a dropped packet can also account for the missing rst. As a result, on a noisy connection Nmap shows many ports as open that aren't. Try fin scanning a nonexistent host with Nmap and you will see all ports reported open. On a theoretical basis, any scanner that sends only a single packet to probe each port is vulnerable to false results.
***************************

There is another problem that afflicts all stealth scanners. They actually can be detected, and the sender identified, if the target network is running the right sniffer software. EtherPeek (discussed in detail below) is one we have tested against Nmap on the Happy Hacker Wargame (see http://www.happyhacker.org for details on how to play our Wargame). We discovered that EtherPeek definitely detects and identifies the user of stealth port scanners.

How to Tell What Ports are Open on your own Computer

It's a good idea to regularly check what ports are open on your own computer. If you discover a new port -- time to investigate. For example, an open port 31337 is an almost sure sign that your computer has been taken over by the Windows Back Orifice Trojan. (See the "How to Break into Windows 95/98 Computers" chapter for removal instructions.) It is possible to check all your ports with just the tools that are already part of your Windows or Unix operating system.
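The two points of the wizard tip above (a single silent probe cannot distinguish "open" from "reply lost", and a sniffer on the target's wire still sees who sent the probes) as an added example that is not from the Guide or from Nmap. The packet records, hosts and ports are constructed for the example; the sniffer-side rule is that a legitimate FIN always carries ACK, so a FIN with no ACK is an unsolicited probe.

```python
from collections import defaultdict
from typing import NamedTuple

# Constructed packet record standing in for what a sniffer captures on the
# wire.  All hosts, ports and flag strings here are made up for the example.
class Packet(NamedTuple):
    src: str     # source IP
    dst: str     # destination IP
    sport: int   # source TCP port
    dport: int   # destination TCP port
    flags: str   # TCP flags as letters: S=SYN A=ACK F=FIN R=RST

SCANNER, TARGET = "10.0.0.7", "10.0.0.20"   # constructed addresses

def simulate_fin_scan(open_ports, ports, drop_every=0):
    """Model the fin-scan exchange and return
    (packets_on_wire, ports_the_scanner_reports_open).

    Closed ports answer a bare FIN with RST; open ports stay silent.  The
    scanner reports 'open' for every port it hears nothing from, so a lost
    RST (modelled here as every drop_every-th one being dropped) becomes a
    false open.  drop_every=1 drops every reply, i.e. a dead host, and then
    every port is reported open, as the tip says.
    """
    wire, reported_open, rst_count = [], [], 0
    for port in ports:
        wire.append(Packet(SCANNER, TARGET, 40000, port, "F"))   # the probe
        if port in open_ports:
            reported_open.append(port)       # silence -> 'open' (correct)
            continue
        rst_count += 1
        if drop_every and rst_count % drop_every == 0:
            reported_open.append(port)       # RST lost -> 'open' (wrong)
            continue
        wire.append(Packet(TARGET, SCANNER, port, 40000, "R"))  # the reply
    return wire, reported_open

def bare_fin_sources(packets, port_threshold=5):
    """Sniffer-side rule: closing a handshaked connection always ACKs, so a
    FIN with no ACK never occurs in a real session.  A host sending them to
    many ports of one target is fin scanning it.  Returns
    {source_ip: sorted probed ports} for sources over the threshold."""
    probes = defaultdict(set)
    for p in packets:
        if "F" in p.flags and "A" not in p.flags:
            probes[(p.src, p.dst)].add(p.dport)
    return {src: sorted(ports) for (src, _), ports in probes.items()
            if len(ports) >= port_threshold}

if __name__ == "__main__":
    ports = list(range(20, 30))
    wire, reported = simulate_fin_scan({22, 25}, ports, drop_every=3)
    print("truly open:", [22, 25], "scanner reports:", reported)
    print("scan sources seen by sniffer:", bare_fin_sources(wire))
```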
The "netstat -a" command will show all the ports open on your computer. Here's what I get on a home Linux box:

~ > netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    134 fu.ml.org:telnet        pma03.foo66.com:1030    ESTABLISHED
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 fu.ml.org:22            *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:2049                  *:*                     LISTEN
tcp        0      0 *:660                   *:*                     LISTEN
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:finger                *:*                     LISTEN
tcp        0      0 *:imap2                 *:*                     LISTEN
tcp        0      0 *:pop3                  *:*                     LISTEN
tcp        0      0 *:login                 *:*                     LISTEN
tcp        0      0 *:shell                 *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:time                  *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
udp        0      0 *:2049                  *:*
udp        0      0 *:657                   *:*
udp        0      0 *:ntalk                 *:*
udp        0      0 *:biff                  *:*
udp        0      0 *:time                  *:*
udp        0      0 *:syslog                *:*
udp        0      0 *:sunrpc                *:*
raw        0      0 *:1                     *:*
Active UNIX domain sockets (including servers)
Proto RefCnt Flags      Type       State       I-Node Path
unix  2      [ ]        STREAM                 3870   /dev/log
unix  2      [ ]        STREAM     CONNECTED   3869
unix  2      [ ]        STREAM                 475    /dev/log
unix  2      [ ]        STREAM     CONNECTED   474
unix  2      [ ]        STREAM                 434    /dev/log
unix  2      [ ]        STREAM     CONNECTED   433
unix  2      [ ]        STREAM                 281    /dev/log
unix  2      [ ]        STREAM     CONNECTED   280
unix  2      [ ]        STREAM                 257    /dev/log
unix  2      [ ]        STREAM     CONNECTED   252
unix  1      [ ACC ]    STREAM     LISTENING   247    /dev/printer
unix  2      [ ]        STREAM                 246    /dev/log
unix  1      [ ACC ]    STREAM     LISTENING   207    /dev/log
unix  2      [ ]        STREAM     CONNECTED   198

How about seeing what ports are open on your Windows computer? If you are not on a LAN, chances are there won't be much to see.
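Checking the "netstat -a" listing by eye works once; what catches a new port is comparing today's listening set against a baseline you recorded on a day you trusted the box. The following is an added example, not code from the Guide: it parses Unix "netstat -a" output in the format shown above, diffs it against a baseline, and flags ports whose mere presence is a warning sign (31337, the Back Orifice default mentioned above). The sample listing and the baseline are constructed; the service-name table stands in for /etc/services.

```python
# Stand-in for /etc/services covering the names in the listing above; the
# numbers are the standard assignments.
SERVICES = {
    "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "time": 37, "finger": 79,
    "www": 80, "pop3": 110, "sunrpc": 111, "auth": 113, "imap2": 143,
    "login": 513, "shell": 514, "syslog": 514, "printer": 515,
}

# Ports that should never be listening on a machine you own.
KNOWN_BAD = {31337: "Back Orifice default port"}

def port_number(local_address):
    """'fu.ml.org:22' -> 22, '*:www' -> 80; None for an unknown name."""
    name = local_address.rsplit(":", 1)[-1]
    return int(name) if name.isdigit() else SERVICES.get(name)

def listening_ports(netstat_text):
    """Parse Unix 'netstat -a' output into a set of (proto, port).
    TCP sockets count only in LISTEN state; UDP has no state column, so
    every bound UDP socket counts.  Raw and unix sockets are ignored."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue
        port = port_number(local)
        if port is not None:
            found.add((proto, port))
    return found

def audit(netstat_text, baseline):
    """Return (new_ports, known_bad, vanished_ports) relative to baseline."""
    current = listening_ports(netstat_text)
    known_bad = {pp: KNOWN_BAD[pp[1]] for pp in current if pp[1] in KNOWN_BAD}
    return sorted(current - baseline), known_bad, sorted(baseline - current)

# Constructed sample in the format shown above, with one extra LISTEN line
# planted to show what a Back Orifice infection would look like.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    134 fu.ml.org:telnet        pma03.foo66.com:1030    ESTABLISHED
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 fu.ml.org:22            *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:31337                 *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
udp        0      0 *:syslog                *:*
udp        0      0 *:2049                  *:*
raw        0      0 *:1                     *:*
"""

# Baseline as recorded on an earlier, trusted day (constructed): ftp was
# listening then; 31337 and UDP 2049 were not.
BASELINE = {("tcp", 21), ("tcp", 22), ("tcp", 23), ("tcp", 25),
            ("tcp", 80), ("udp", 514)}

if __name__ == "__main__":
    new, bad, gone = audit(SAMPLE, BASELINE)
    print("new listeners:", new)         # [('tcp', 31337), ('udp', 2049)]
    print("known bad:", bad)             # {('tcp', 31337): 'Back Orifice default port'}
    print("no longer listening:", gone)  # [('tcp', 21)]
```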
Here's what my stand alone Win98 computer (her name is Lovely_Lady) says when I am on America Online:

C:\WINDOWS>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    lovely-lady:137        LOVELY_LADY:0          LISTENING
  TCP    lovely-lady:138        LOVELY_LADY:0          LISTENING
  TCP    lovely-lady:nbsession  LOVELY_LADY:0          LISTENING
  UDP    lovely-lady:nbname     *:*
  UDP    lovely-lady:nbdatagram *:*

How to Give Computer Criminals a Hard Time

Now -- are you ready for war? First, you need to know whether an intruder is on your system. How to do that is worth at least another entire chapter that I haven't written yet. However, there are some hints for sysadmins I can give you on the basis of first hand experience from our Happy Hacker Wargame. Don't expect this to be more than a tiny bit of all you should be doing to detect intruders, however.

· Look for unusual traffic patterns -- for example, many ftp sessions, or a user who hasn't logged into a shell account for months suddenly spending hours at a time logged in.
· A new user name and account that no one remembers creating
· Watch the processes. A skilled hacker may replace the "ps" command with a Trojan that hides his or her activities. However, you might see a high CPU utilization when the processes running couldn't account for it. Time to go red alert!
· Check whether system configurations have changed, for example new ports open. Or if your policy is to automatically kill all processes when a user logs off (most ISPs do this), perhaps you will discover processes left running after logoff.
· Look for an Ethernet card on your local area network that is in promiscuous mode (meaning it is accepting all packets broadcast on the network). That probably means an intruder is sniffing your network with a program hidden on the computer with the promiscuous mode card.
· Look for suspiciously large files turning up. They may be secret sniffer logs.
· Do you notice a hacked Web page or obscene Message of the Day -- OK, this suggestion is lame, you knew those signs of hacker attack already!

Of course it's far better to detect your attacker before he gets inside. Signs that someone is trying to break in are basically activities that we all like to do such as port scans and telnet connections to unusual ports.

Coming up in Part II: both free and commercial programs that help you fight intruders!

# # #

Guess what? "The Happy Hacker Book" has almost sold out its First Edition, published March 31, 1998. So American Eagle Publications is putting out a Second Edition, due to come off the presses Sept. 31, 1998. It has several all-new chapters as well as updates to cover Windows 98 and the major changes that are happening in email forging and spam fighting.

How's that -- only six months between editions? This is partly because people were so quick to buy out the First Edition -- and partly because the hacking scene is changing so fast. So instead of going to a second printing, the publisher agreed to spend the extra money to create a Second Edition so we could keep you as up to date as possible.

If you want to buy one of the few remaining copies of the First Edition of "The Happy Hacker" (soon to be a collector's item), you can order it from me ($34.95 for Priority mail shipping in the US; $35.95 airmail in Canada and Mexico; email me for quotes outside the US) by sending a check or money order to PO Box 1520, Cedar Crest NM 87008. Since I only have 18 copies left today, if your order comes in too late, be sure to tell me whether I should just return your money or if you want me to hold on to it and be among the first to get a Second Edition. Oh, yes, I autograph all books bought directly from me.

_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. So don't email us about any crimes you have committed! And don't expect us to come to your rescue if you crash 100 million computers with some new Java virus you just unleashed.

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1998 Carolyn Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_______________________________________________________________________

____________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 9, Part 2
War Tools! Scan, Sniff, Spoof and Hijack
____________________________________________________________

Note: This Guide is excerpted from the upcoming Second Edition of "The Happy Hacker" book, available Sept. 31, 1998.

So now that we know it's time to fight intruders, let's start with free anti-crime tools that are great not only for sysadmins, but also for casual users who just want to have fun.

Twinsen (hacker handle) has written Port Dumper, which is a good program for Unix type computers which will deal with snoopers like me. He says "I use this to play with my friends. This program is used to listen to a port (any port), after it is connected with others, you can type something and Port Dumper will send it. It is quite useful when you want to fake a service, such as http, smtp, etc... or even telnet (Evil Genius Tips: You know it!) It is in my homepage, Channel X Security Information (http://home.netvigator.com/~jcatchan/). I may write a guide on using it to do a specified mission (such as faking as an http server...) later. Hope you'll enjoy using it! Use at your own risk..
I'm not responsible for the use of this stupid shell script...."

Richard Thomas (Humble) has written RotoRouter, "a program for logging and faking the standard Unix udp-based traceroute... . When someone is about to do a DOS (denial of service attack), it is commonplace for them to traceroute to the target, launch the attack, and traceroute again to see the effect..., secure in the belief that their traceroute will never be noticed. They commonly trace from their home machines (99% of packet warriors have 28.8k modems and bandwidth envy, right :P), or ... from the hacked machine they are attacking with."

RotoRouter is a great way to fake out those losers who think attacking other people's networks is fun. It sends fake Time Exceeded and Destination Unreachable messages. In Humble's words, other ways his program can fake out people include:

· Lead those stupid smurf kiddies away from your vulnerable routers
· Lie to customers about your bandwidth...
· Scare your ... friends with odd routes, watch their heads explode
· Make the final hop reverse to "this.traceroute.has.been.logged.com"

However, to run RotoRouter, you must install it on a Unix type computer -- as root. This is another reason to run Linux on your home computer. If you have what it takes to run RotoRouter and want to fake out people and fool attackers, you can get it at http://www.bitchx.com/~humble/.

If you really want to have fun, and if you suspect someone has broken into your system, there is a free program for Unix computers called TTY-Watcher. It is available from http://www.engarde.com. TTY-Watcher lets you see exactly what anyone is typing on their keyboard while they are logged on to your computer. You can even record their keystrokes and play them back at the same speed the intruder typed them -- or play them back faster, if that d00d is a slow typist. You can also download a free trial of the more advanced Windows version of this program, T-sight, from the En Garde Systems web site.
I've seen some playbacks. They make fabulous party entertainment. On one, someone had broken into a computer at Los Alamos Laboratories that actually was a "bait" computer used to practice fighting computer criminals -- using real unsuspecting computer criminals. This particular criminal was trying to send email from this computer bragging of his (hah, hah) feat and demanding that Kevin Mitnick be released from prison. What was fascinating was that Mr. Computer Criminal kept on entering MS-DOS commands on the hacked computer, which didn't work because it was running Unix. After about 20 tries he finally managed to send out his email boast. Then he tried to destroy the evidence of his crime by erasing the entire hard disk. However, he found this hard to do. He kept on giving various erase commands, then listing the directories, and the stuff didn't seem to be disappearing. You could almost feel his rising panic.

TTY-Watcher is ideal for when you and your friends are playing hacker wargames where the attacker starts from a shell account on the victim computer. By seeing exactly what other people are doing to leverage unprivileged shell access into root access, you can learn a lot about how to detect and fight attacks. You can also better understand why it is so hard nowadays to get a shell account on an ISP.

TTY-Watcher is outstandingly good at one thing: it allows you to control your victim intruder. I watched this happen once on a friendly hacker wargame. The guy running TTY-Watcher felt sorry for the other player, took over the poor guy's session and fixed his commands. If your intruder is hostile, and you wanted to mess up his commands instead, you could make his day profoundly bad.

The only weakness of TTY-Watcher is that it only runs on one machine. It isn't set up to defend an entire network. If you just need a free program to watch what is flowing on your local Ethernet, try Sniffit, available for free from http://www.rootshell.com.
It's boring compared to some of the above programs, but valuable for more sophisticated users who need to understand the technical details of how an intruder got in. Its description, "A very flexible network sniffer that has many interesting features (like curses)" suggests that it may be used by your intruders to sniff your network. Computer criminals love Sniffit. If you can become intimately familiar with its features, it will be easier for you to find a hidden Sniffit in operation.

Another program for watching criminals at work on Windows computers is TCPview. It is available for free from http://www.sysinternals.com/. It is a GUI (graphical user interface) utility that tells you at any time what connections are open to your box, and what is going on with each connection.

If you are brave, or perhaps foolhardy, you could always try running Back Orifice on your Windows computer. The promotional material for this free program makes it sound useful for being able to keep your computer out of trouble when you are away from it by logging into it from the Internet. However, it is quite difficult to uninstall Back Orifice. Also, it was written by a member of the Cult of the Dead Cow, a gang notorious for an excessive sense of humor. Many computer security experts warn that Back Orifice is a Trojan that will make it easy for strangers to get into your computer. I don't recommend ever installing Back Orifice. If you have installed it and want to get rid of it, removal instructions are in the chapter "How to Break into Windows 95/98 Computers."

Suppose you want to see whether someone is port scanning you or trying to break into a port. One useful utility is Nukenabber, available from http://www.winfiles.com, in the Winsock area. It watches up to 50 ports simultaneously. Yes, it is a Windows program, and it's free.

Industrial Strength War Programs

Now -- let's say you are responsible for a large LAN or an entire ISP.
Especially if you are responsible for a commercial Web site, this is a job that calls for much more than the programs above can do. According to an International Computer Security Association report of April, 1997, about half of US Web sites are attacked or probed each month. True, most of these are probes from the clueless, but even the clueless get lucky sometimes. You may well need security products that can handle a broad spectrum of computer crime problems, that work across a network, and that can spot the most sophisticated attacks. Most important, you need the power to fight back.

Since I don't like to take a company's word for the quality of their security products, I will only discuss the two that I have tested: EtherPeek 3.5 for MacOS, from AG Group at http://www.aggroup.com; and IP-Watcher for Unix from En Garde Systems, http://www.engarde.com. I picked those two because they promised exceptional powers to detect attack, and in the case of IP-Watcher, to fight back when under attack. EtherPeek in particular also gets high recommendations from sysadmins I know at the AGIS Internet backbone, and Rt66 Internet, the largest ISP in New Mexico. Both AGIS and Rt66 have had more than their share of attacks by computer criminals, so they have had real life experience with EtherPeek.

Another plus for EtherPeek and IP-Watcher is that they are both ideal for testing other security products such as firewalls, router packet filters, and wrappers, and to track down and gather the evidence needed to put computer criminals behind bars.

Let's begin with EtherPeek. Besides the Mac version, there is a version that runs on Windows NT, and even Windows 95/98. However, I recommend the Mac version because not many hackers know how to compromise, disable or crash Macs. Windows, by contrast, is vulnerable to the many denial of service attacks that kode kiddies think are 31337 (elite).
While you can protect your Windows boxes from attacks from the Internet with a well-configured router and firewall, what if the intruder is inside your LAN?

**********************************************
Wizard tip: If you have a cable modem, try EtherPeek on it. You will probably discover your cable modem is a node on an Ethernet -- and you can see what everyone else on your cable system is doing! That means, of course, that the other guys can see you. Even without EtherPeek, it could be a great playground to test your ability to figure out the details of all the hardware on your cable modem network.
**********************************************

**********************************************
You can get punched in the nose warning: It probably won't be a good idea to exploit what EtherPeek tells you to tease your next door neighbor about his visit last night to bianca's Smut Shack.
**********************************************

EtherPeek is good for evaluating your security setup. For example, EtherPeek can be used to check the way people login to computers on your network to find out whether these boxes are correctly configured to only send encrypted passwords over your Ethernet. This is necessary because, amazingly enough, many network file servers, mail systems, and databases automatically install in such a way that they send clear text passwords over the network. Once an attacker breaks into one box on a network like that, he or she can install a program such as Sniffit and soon capture every password.

Here's an important note. If your network uses Microsoft Point-to-Point Tunneling Protocol (PPTP) to encrypt passwords, and if you have a Solaris box on your LAN, you are nevertheless heading for trouble. There is a free sniffer at http://www.l0pht.com/l0phtcrack which runs on Solaris and captures encrypted PPTP passwords. Another free program at this site cracks them.
By the time you read this, there may be versions of this sniffer that run on other operating systems, too. For a cryptographic analysis of why it is easy to crack PPTP, see http://www.counterpane.com/pptp.html

However, back to EtherPeek. It has a "Tools" menu that allows you to test firewalls and routers. For example, you can check to make sure the firewall is blocking the computers on your LAN from replying with valuable information to a port scan from someone on the outside.

The creator of EtherPeek and president of AG Group, Mahboud Zabetian, also explains that his software can collect "messages looking for passwords." In his words, the "File Transfer Protocol (ftp) application in the TCP/IP suite has a PASSWORD embedded command in the command stream channel that is ideal for filter writing. By setting up EtherPeek with a filter for PASSWORD commands embedded in FTP, the security person can quickly examine why systems are failing password connections or where high connection count password attempts are coming from when trying to find the source of random login hacking."

OK, I agree with you, the kind of cracker who repeatedly attempts to get into an ftp server by guessing at passwords is seriously lame. However, even lame hackers sometimes get lucky. You would be surprised at how many users choose a password that is the same as their user name, or even choose to have no password at all (just hit "enter"). The best way to deal with this problem is to run a program that forces users to choose secure passwords. Alec Muffett's cracklib will do this. It's available for free at http://www.nmrc.org/files/sunix/index.html.

Zabetian also has advice for how to spot the sophisticated break-in artist at work. "By looking for what 'does not belong' on the network connections as well as what does..." one may spot "potential security issues before they become problems.
For instance, if there are a lot of connection attempts from a specific address external to the authorized group, it's time to pay a visit to the offender and find out what's going on before it gets serious."

Yes, that's right, a hacker really can get punched in the nose, er, paid a "visit," if he or she does too much port scanning and poking around someone's network.

For best results, EtherPeek (or any good computer crime fighting software) should be set up on one computer outside the firewall (you do have a firewall, right?) and another inside to deal with the intruders who manage to get inside anyhow. Besides, almost half of all computer crime is committed by people who are already users on the local area networks they attack.

EtherPeek is shipped with a companion program, AGNetTools, which can port scan your network while EtherPeek records the results. As mentioned above, one of the warning signs that you have an unexpected visitor is an open port showing up that nobody authorized. Also, sometimes someone gets careless and accidentally opens a Web or ftp port that has little or no security -- and opens the door to invaders.

EtherPeek is a great hacker research tool, too. It can detect the malformed packets of exploits such as Land and Teardrop that disable vulnerable computers. It can save these packets for you to resend against a test computer so you can learn how they do their dirty work. Besides, sometimes a hardware glitch accidentally manufactures destructively corrupt packets. One time when Rt66 Internet was suffering from corrupt packets, EtherPeek helped a sysadmin find the offending hardware within minutes.

Occasionally you may be attacked by a truly sophisticated opponent. For example, one trick is to run a denial of service attack such as a SYN flood in which each packet carries a different, forged source IP address. Because no single address ever sends enough packets to look suspicious, this tricks many router and firewall defenses into not realizing they are under an attack that will soon shut them down.
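Zabetian's FTP password filter described above, as an added example that is not part of this Guide and is not EtherPeek's code: the FTP control channel is plain text, the command token is actually spelled PASS, and a sniffer on the wire can tie each PASS to the USER that came before it on the same connection and count the server's 530 (login failed) replies per client, so that a password guesser stands out by its failure count. It also flags the two weak choices mentioned above (password equal to the user name, or no password at all) as they go by. The packet records are constructed sample data, and the example assumes every command line arrives whole in one packet; a real tool reassembles the TCP stream first.

```python
"""Sniffer-side filter for FTP USER/PASS commands and failed logins.

Added example, not code from the Guide or from EtherPeek.  Assumes each FTP
command line arrives whole in one packet payload (a real tool reassembles
the TCP stream first).  The sample packets below are constructed, not captured.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str       # source IP address
    sport: int     # source TCP port
    dst: str       # destination IP address
    dport: int     # destination TCP port
    payload: str   # TCP payload; the FTP control channel is plain text


FTP_PORT = 21
# USER and PASS are the real FTP command tokens; the argument is optional
# (a bare PASS line is how a user with no password logs in).
CMD_RE = re.compile(r"^(USER|PASS)(?:\s+(.*))?$", re.IGNORECASE)
# FTP replies start with a three-digit code; 530 means "not logged in".
REPLY_RE = re.compile(r"^(\d{3})[ -]")


def is_weak(user, password):
    """The two weak choices the text mentions: no password, or user == password."""
    return password == "" or password.lower() == user.lower()


def analyse_ftp(packets):
    """Return (credentials, failures).

    credentials: one dict per PASS command seen, joined to the USER that
                 preceded it on the same client->server connection
    failures:    {client_ip: number of 530 replies that client received}
    """
    pending_user = {}              # (client, server) -> last USER argument seen
    credentials = []
    failures = defaultdict(int)
    for p in packets:
        for raw in p.payload.splitlines():
            line = raw.strip()
            if p.dport == FTP_PORT:                  # client -> server: a command
                m = CMD_RE.match(line)
                if not m:
                    continue
                cmd, arg = m.group(1).upper(), m.group(2) or ""
                key = (p.src, p.dst)
                if cmd == "USER":
                    pending_user[key] = arg
                else:                                # PASS: pair it with the USER
                    user = pending_user.get(key, "")
                    credentials.append({
                        "client": p.src, "server": p.dst,
                        "user": user, "password": arg,
                        "weak": is_weak(user, arg),
                    })
            elif p.sport == FTP_PORT:                # server -> client: a reply
                m = REPLY_RE.match(line)
                if m and m.group(1) == "530":
                    failures[p.dst] += 1
    return credentials, dict(failures)


def guessing_sources(failures, threshold=3):
    """Clients with at least `threshold` failed logins: probable password guessing."""
    return sorted(ip for ip, n in failures.items() if n >= threshold)


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("10.0.0.5", 40001, "10.0.0.2", 21, "USER alice\r\n"),
    Packet("10.0.0.5", 40001, "10.0.0.2", 21, "PASS alice\r\n"),        # user == password
    Packet("10.0.0.2", 21, "10.0.0.5", 40001, "230 Login successful.\r\n"),
    Packet("10.0.0.9", 40002, "10.0.0.2", 21, "USER bob\r\nPASS\r\n"),  # no password at all
    Packet("10.0.0.2", 21, "10.0.0.9", 40002, "230 Login successful.\r\n"),
]
# an outside host guessing root's password, one connection per guess
for i, guess in enumerate(["root", "toor", "password", "123456"]):
    SAMPLE.append(Packet("192.0.2.77", 50000 + i, "10.0.0.2", 21,
                         f"USER root\r\nPASS {guess}\r\n"))
    SAMPLE.append(Packet("10.0.0.2", 21, "192.0.2.77", 50000 + i,
                         "530 Login incorrect.\r\n"))

if __name__ == "__main__":
    creds, fails = analyse_ftp(SAMPLE)
    for c in creds:
        print(("WEAK " if c["weak"] else "     ") +
              f"{c['client']} -> {c['server']} user={c['user']!r} pass={c['password']!r}")
    print("failed logins per client:", fails)
    print("probable password guessers:", guessing_sources(fails))
```

On the sample traffic the filter reports three weak credentials (alice/alice, bob with an empty password, and the guesser's first try root/root) and four 530 replies to 192.0.2.77, which is the "high connection count" source Zabetian talks about.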
EtherPeek, however, can analyze (but not deflect) such a spoofed-source SYN flood. As mentioned above, EtherPeek easily identifies the sender of so-called stealth port scans. It also detects the true IP address of someone setting up a spoofed IP connection. (Beware that this only works when the attacker's traffic crosses a segment EtherPeek is listening on: the IP header can say anything, but the Ethernet frame that carries it bears the real hardware address of the sending card, and that address can be matched against the machine's ordinary traffic.) The attacker is sitting there sending messages to the victim computer thinking that the identity of his computer is hidden. Yet on the other end a sysadmin is looking on the screen of his Mac G3 at the IP address, laughing as he unleashes a Teardrop attack to crash the attacker's computer. Sorry, EtherPeek doesn't strike back. You have to go to a site such as http://www.rootshell.com to get denial of service software such as Teardrop to strike back at the bad guys.

*******************************
You can go to jail warning: What if the attacker is on a hacked account of an innocent victim? You might get into trouble if you retaliate with a denial of service attack.
*******************************

*******************************
Wizard tip: If you can determine that your attacker is on a dynamically assigned IP address, you might be able to fight back with impunity. A good way to see whether an IP address is dynamically assigned is the command "nslookup hostname" where you substitute the attacking IP address for "hostname". If you get back an answer "Non-existent host/domain," it may be time to fight back! Keep in mind, though, that this answer only means nobody registered a reverse (PTR) name for that address; plenty of static addresses lack one, and many dynamic pools have names, so treat it as a hint rather than proof. However, if this gets you in trouble anyhow -- remember I warned you.
*******************************

So what do you do when the bad guys attack? EtherPeek can set off a pager when it detects suspicious activity. When the day comes that you are under serious attack, you need to be physically at the network, even if it means being rousted out of bed. Sometimes the only thing you can do to halt your attacker is to physically disconnect your network from the Internet. If you have modem access to your network, you also have to make certain you know where all the modems are, and disable dial-ins.
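The two attacks discussed above, a SYN flood whose packets each carry a different forged source address and a stealth port scan, as an added example that is not part of this Guide and is not EtherPeek's code. It runs two detectors over the same list of TCP header records. The flood detector counts, per victim port, how many SYNs arrived and how many of those handshakes the client ever completed, so it works no matter how the source addresses are spread around; the scan detector counts the distinct ports each source touched and records the probe style it used (SYN, FIN, NULL or Xmas). Like EtherPeek it only analyzes and reports; it does not block anything. The records are constructed sample data, and the thresholds are this example's own starting values.

```python
"""Detect a spoofed-source SYN flood and a (stealth) port scan from TCP headers.

Added example, not code from the Guide or from EtherPeek.  The records are
constructed, not captured; the thresholds are arbitrary starting points.
"""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as they appear in the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class Tcp:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def syn_flood_victims(records, min_syns=50, max_completion=0.2):
    """Ports that received at least min_syns bare SYNs of which no more than
    max_completion (a fraction) turned into a completed handshake.

    Counting is per victim port, not per source, so a flood that forges a
    fresh source address for every packet still shows up as one flood.
    Returns {(victim_ip, port): (syns_seen, handshakes_completed)}.
    """
    syns = defaultdict(int)
    completed = defaultdict(int)
    pending = set()                      # client 4-tuples that sent a bare SYN
    for r in records:
        flow = (r.src, r.sport, r.dst, r.dport)
        if r.flags & SYN and not r.flags & ACK:
            syns[(r.dst, r.dport)] += 1
            pending.add(flow)
        elif r.flags & ACK and flow in pending:
            # the client's ACK of the server's SYN/ACK: handshake complete
            pending.discard(flow)
            completed[(r.dst, r.dport)] += 1
    return {k: (n, completed[k]) for k, n in syns.items()
            if n >= min_syns and completed[k] / n <= max_completion}


def scan_kind(flags):
    """Name the probe style from one packet's flags."""
    if flags == SYN:
        return "syn"
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == FIN | PSH | URG:
        return "xmas"
    return "other"


def port_scanners(records, min_ports=20):
    """Sources that touched at least min_ports distinct (host, port) pairs.
    Returns {source_ip: (distinct_ports, sorted list of probe styles seen)}."""
    ports = defaultdict(set)
    kinds = defaultdict(set)
    for r in records:
        ports[r.src].add((r.dst, r.dport))
        kinds[r.src].add(scan_kind(r.flags))
    return {src: (len(p), sorted(kinds[src]))
            for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample traffic.
SAMPLE = []
# three ordinary web clients: SYN, SYN/ACK back from the server, ACK
for i, client in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.7"]):
    SAMPLE += [Tcp(client, 40000 + i, "10.0.0.2", 80, SYN),
               Tcp("10.0.0.2", 80, client, 40000 + i, SYN | ACK),
               Tcp(client, 40000 + i, "10.0.0.2", 80, ACK)]
# a flood: 200 bare SYNs at port 80, every one from a different forged source
for i in range(200):
    SAMPLE.append(Tcp(f"198.51.100.{i % 254 + 1}", 1024 + i, "10.0.0.2", 80, SYN))
# a FIN ("stealth") scan of ports 1-60 on another host, all from one source
for port in range(1, 61):
    SAMPLE.append(Tcp("192.0.2.9", 61000, "10.0.0.3", port, FIN))

if __name__ == "__main__":
    print("SYN flood victims:", syn_flood_victims(SAMPLE))
    print("port scanners:", port_scanners(SAMPLE))
```

On the sample, port 80 of 10.0.0.2 is reported with 203 SYNs and only 3 completed handshakes, even though the flood used 200 different source addresses, and 192.0.2.9 is reported as having probed 60 ports with FIN-only packets, the kind of scan that never opens a connection and so leaves no trace in the target's own logs.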
Use a wardialer to check for secret modem connections to your LAN. EtherPeek is also useful for logging the evidence you need to put your attackers behind bars.

IP-Watcher, written by Mike Neuman, president of En Garde Systems (http://www.engarde.com), is in some ways an even more powerful tool for putting computer criminals behind bars. Neuman has worked closely with several customers to get arrests and convictions of destructive intruders. This gives him the real-world experience needed to design a tool that gathers evidence that will stand up in court.

While gathering evidence, IP-Watcher has the power to protect your network by letting you hijack the attacker's IP session. You can secretly divert the attacker into a "jail" computer where he or she will think they are still at the IP address of the computer they originally broke into. If it turns out this is a malicious intruder, you can record his or her activities in order to prove criminal intent, while not risking anything outside the jail computer.

This software was written, according to Neuman, with "our philosophy of manual intrusion detection ... based on the fact that an intruder must establish connections with other computers to accomplish his or her goal. These connections are an intruder's footprints, and the best way to catch the intruder is to have an advanced visualization of those footprints."

The Windows version of IP-Watcher, T-sight, is, according to Neuman, even more advanced than IP-Watcher. Like EtherPeek, Neuman's products have an option to page you when they detect that someone has broken in.

IP-Watcher would be a deadly tool in the hands of criminals. To prevent its abuse, En Garde Systems will only sell you a copy of the software compiled for the particular network on which you plan to run it, able to sniff and control IP sessions on that LAN alone.
Neuman points out a number of ways IP-Watcher can be abused:

· IP-Watcher can create network traffic with spoofed source and destination addresses. This makes it possible to kill any user's connection. While this is essential for stopping attackers, it could also be used to deny access to a legitimate user.

· When IP-Watcher terminates a user's connection while he or she is trying to log in, it looks to the user as though the network merely had a fault. Normally the user will try to log in again, at which point IP-Watcher can divert the connection so that it steals the user's password.

· If a sysadmin uses the "su" command to enter the root account over an unencrypted session such as telnet or rlogin, IP-Watcher will sniff the cleartext password through its ability to log keystrokes.

· This software can also be set to log what it sniffs in many small files. This is useful because it makes it hard for an intruder to edit the log files. However, if IP-Watcher is in the hands of an attacker, this feature prevents the sysadmin from discovering a hidden sniffer by the technique of looking for unexplained large files.

· Even one-time password systems are vulnerable to IP-Watcher. It can be used to hijack a connection by a trusted user after that user has already authenticated. While the user is going about his or her business, the intruder can secretly use the same connection to install back doors.

**********************************
You can go to jail warning: Computer criminals may be tempted to attempt to break into the En Garde Systems' LAN in hopes of stealing the source code for T-sight and IP-Watcher. This is probably the best place to go if one sincerely wants to get convicted of a computer crime.
**********************************

Conclusion

Self defense against computer criminals is a topic that has long been neglected. This is because you have to think like an attacker and be intimately familiar with his or her tools and tactics. However, many systems administrators rely solely on commercial computer security products to keep the bad guys out.
The problem is: no firewall is perfect! By contrast, if you use some of the software and techniques of this chapter to watch for and battle intruders, you have a fighting chance even if your firewall fails to stop the bad guys. Also, it can be fun to detect and fight your attackers. Be sure to save those TTY-Watcher logs so you can play back your latest hacker battle at parties!

_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.

We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. So don't email us about any crimes you have committed! And don't expect us to come to your rescue if you crash 100 million computers with some new Java virus you just unleashed.

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1998 Carolyn Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_________________________________________________________