Net App Opens Doors for Hackers

Downloadable scripting utility simultaneously promotes security, break-ins

By Al Berg
When thinking of computer hackers, most people picture teenage techno-wizards who know the ins and outs of the computer hardware and software that they explore or attack. But that could change rapidly, as new automated hacking tools make their way to Microsoft Windows NT and open the world of Internet hacking to a much broader base.

The first of these tools, called netcat, was introduced last month at the annual Def Con hacker conference in Las Vegas.

Netcat is a downloadable, shareware utility that "reads and writes data across network connections using TCP or UDP [User Datagram Protocol]," according to its creator, who is known only by the alias "hobbit."

In the hands of a network administrator, netcat can be used to test firewalls, perform file transfers, test network performance, and even write World Wide Web browsers and proxy gateways.

But by reducing the technical expertise needed for entry, netcat could open networks to attack by computer criminals intent on causing damage or stealing information.

Frighteningly, the documentation for the package provides detailed descriptions of "dark side" uses for the tool. According to hobbit, "You can clearly use something like netcat to attack or defend. I don't try to govern anyone's social outlook, I just build tools."

In the software's documentation, hobbit concedes that "taking out mailers and Web servers is sociopathic," but he also provides instructions on how to conceal what netcat is doing from the administrator of the machine it is being run against. Netcat comes with a number of prewritten scripts, one of which advises users to launch a massive volume of packets "at yon victim in no particular order," which will "set off every intrusion alarm in existence on a paranoid machine!"

"These tools make it easier for everyone" to gain unauthorized access, admitted "Mudge," one of the core members of The LOPHT, a Boston-based hacker think tank where netcat was ported to NT. "This is much like saying, 'Do you think tools like hammers make it easier for vandals to break windows?' Well, yes, but the answer is not [to outlaw the production of] hammers," argued Mudge in an interview that took place over E-mail.

To be fair, there are many legitimate uses of netcat, including probing your own network for vulnerabilities. Yet many of netcat's features can serve a dual purpose.

Port scanning is the first such feature. Services on IP hosts--such as ftp (File Transfer Protocol), Web servers, sendmail, and telnet--"listen" for connections on specific ports, and netcat lets the user quickly determine which ports a host is listening on. This lets network administrators test their firewall setup and check for any unauthorized services on their machines. For the hacker, a port scan can be the first "knock on the door" in deciding how an attack can be mounted.

Port spoofing is the second. Some firewalls decide whether to let packets into the protected network solely on the basis of their type or port number. Netcat allows the user to send packets from what appear to be legitimate source ports, such as those used by the Domain Name System (DNS) or incoming ftp transfers, to try to reach services to which they have not been granted permission.
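The defender's side of the two features just described, as an added example that is not from the article or from netcat itself: the script parses constructed firewall log lines and flags both a port scan (one source touching many distinct destination ports) and source-port spoofing (an accepted packet claiming to come from DNS or ftp-data but aimed at a privileged port that service would never talk to). The log format, the addresses, the threshold and the "trusted port" heuristic are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the article or netcat).
# Fields: time src_ip:src_port -> dst_ip:dst_port action
SAMPLE_LOG = """\
10:00:01 10.9.8.7:40001 -> 192.0.2.10:21 deny
10:00:01 10.9.8.7:40002 -> 192.0.2.10:23 deny
10:00:02 10.9.8.7:40003 -> 192.0.2.10:25 accept
10:00:02 10.9.8.7:40004 -> 192.0.2.10:80 accept
10:00:03 10.9.8.7:40005 -> 192.0.2.10:110 deny
10:00:03 10.9.8.7:40006 -> 192.0.2.10:143 deny
10:00:09 10.9.8.7:53 -> 192.0.2.10:23 accept
10:00:12 198.51.100.5:51234 -> 192.0.2.10:80 accept
10:00:15 198.51.100.5:51235 -> 192.0.2.10:80 accept
"""

LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (accept|deny)$")

# Source ports a purely port-based firewall rule often lets through
# unconditionally: 53 (DNS) and 20 (ftp-data). Assumed for the example.
TRUSTED_SRC_PORTS = {20, 53}
SCAN_THRESHOLD = 5  # distinct destination ports from one source (assumed)


def parse(log_text):
    """Turn log lines into (time, src, sport, dst, dport, action) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, src, sport, dst, dport, action = m.groups()
            events.append((t, src, int(sport), dst, int(dport), action))
    return events


def detect_scans(events, threshold=SCAN_THRESHOLD):
    """Sources that touched at least `threshold` distinct destination ports."""
    ports_by_src = defaultdict(set)
    for _, src, _, _, dport, _ in events:
        ports_by_src[src].add(dport)
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= threshold}


def detect_port_spoofing(events):
    """Accepted packets from a 'trusted' source port aimed at an unrelated
    privileged service (e.g. src 53 -> dst 23): the port-spoofing pattern."""
    return [(t, src, sport, dport)
            for t, src, sport, _, dport, action in events
            if action == "accept" and sport in TRUSTED_SRC_PORTS
            and dport < 1024 and dport != sport]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("possible scans:", detect_scans(ev))
    print("port spoofing:", detect_port_spoofing(ev))
```

A stateful firewall makes the second check unnecessary, since it admits a packet from port 53 or 20 only as part of a session the inside host initiated.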

Session hijacking and sniffing are the third. Netcat's documentation describes how to use the tool to mount a "man in the middle" attack, in which the attacker's machine receives data meant for another and sends back its own responses.

For example, an attacker could take over a company's Web server and send back his or her own false pages to the legitimate user, with the goal of collecting information such as credit-card numbers or simply creating a negative experience for the customer. It is also possible for the attacker to "lie low" and capture all of the traffic between a legitimate user and a server and then sift the session for valuable information such as usernames and passwords for a later attack.

Denial of service is the fourth. Using a technique called "SYN bombing," a script can be written to flood a TCP server with connection requests, rendering it incapable of processing legitimate requests. This type of attack can be directed against a public service such as a Web server or used to disable security-related processes on a targeted machine.

Even if you're not paranoid, the prospect of a program such as netcat becoming widely available is unsettling at best. However, there are ways to prevent an intrusion. For starters, running netcat against your own systems before a hacker does may save a lot of time and trouble. It may also help you recognize the signs of an attack. At the very least, managers will be familiar with the product and glean a little insight into the hacker mentality.

To investigate, a Unix version of netcat can be obtained at ftp://ftp.avian.org/src/hacks. The NT version is still in beta.

Al Berg is a LAN Times contributing editor.