Password Grabbers and Key Loggers
Password grabbers are a form of "Trojan horse" which normally intercepts and stores away keystrokes, including passwords, into a file. Writing a simple Trojan is easy, a cracker just mimics the normal login sequence and captures the login id and password into a file. Then the cracker either calls the original login sequence with the correct parameters, or outputs an error message such as "password incorrect" or "login failed", relying on the user to think that they have mistyped their password. More sophisticated password grabbers are DOS Terminate-and-Stay-Resident (TSR) programs or Windows DLLs.
Some of the password grabbers floating around are KEYCOPY, which copies all keystrokes to a file with a timestamp; KEYTRAP, which copies all keyboard scan codes for later conversion to ASCII; PLAYBACK, which is designed to create key macro files for various software packages; and PHANTOM, which logs keys and writes them to a file every 32 keystrokes. More "hackerly" orientated tools include DEPL (Delam's Elite Password Leecher) and VegHead's KeyCopy program, which have both had the distinction of being featured in 2600 magazine.
Password grabbers and key loggers have a large number of uses including the generation of key macros, grabbing passwords to check that they adhere to password policies, and creating complete records of all key transactions for security auditing purposes. A systems administrator will soon find a use for some of the key logging tools available on the Internet.
Blue Boxing Programs
In order to understand what blue boxing programs do, the reader needs to understand a little bit about phone phreaking, so this might be a good time to skip ahead and read some of Chapter 9: Phone Phreaking in the US and UK and get a grasp of what these tools are useful for. Most of these tools have very similar features, so personal preference is the only criterion for choosing one against the other. Please remember that any use of these tools to make calls without paying for them is a criminal act, and that TelCo security will prosecute anyone who uses these tools to commit toll fraud.
One of the phreaker's favourite blue boxing programs was written by "Onkel Dittmeyer" and is called BlueBeep. It comes pre-configured with CCITT-5, DTMF, R2-Forward and R2-Backward, but it allows the phreaker to fully configure any set of trunk dialling codes and save it as a "dial set". Once they are in Action Mode the phreaker can choose their trunk and then dial out. Extra tones such as ST, KP1, KP2 and BREAK are available at the press of a key, so even the most avid phreak will be able to find something in this package to suit. Another useful feature of BlueBeep is that it supports a PBX/VMB scanning mode, which autoincrements the guessed PIN of the mailbox or VMB dialout the phreaker is attempting to gain access to.
Another good boxing program is The Little Operator, providing similar features to BlueBeep, but also providing war dialling facilities as well. BlueDial has support for external sound generation from the parallel port, so it is ideal for use with an older laptop with no onboard sound card. All of these boxing programs are much of a likeness, so as I said before, a phreaker's personal preference is what counts.
A systems administrator can use these tools in many useful ways, as BlueBeep or TLO can be used to retrieve a forgotten password from a corporate VMB or PBX. I have successfully used these tools for this purpose on a CRANE VMB that would not allow the password to a box to be reset without deleting the mailbox. Any use of these tools for the perpetration of toll fraud or theft of service is a criminal act, and unless you have a legitimate purpose for these tools, then possession or use of a "bluebox" program is not recommended.
War Diallers (eg ToneLoc)
The act of "war dialling" or scanning, is the dialling of an entire block of numbers searching for modem carrier tones, sometimes by hand, but preferably using a tool that automates the process and logs the results automatically. In some parts of the US, war diallers are illegal to use, constituting nuisance calls, but in the UK the use of war diallers is a grey area.
There are two main reasons a phreak could have problems using war diallers. The first is that there have been some reports of TelCo security chasing persistent offenders who scan freephone exchanges, and the second problem is that, unless phreaking from the US, using a war dialler to make local scans will cost money. For these reasons, the use of war diallers from a home phone number is not a wise move. Unless you are performing a security audit on your own exchanges, and how many of us do that, then possession or use of a war dialler is not recommended.
The best war dialler of all time, in many phreakers' opinion, is ToneLoc, which is a fast, highly configurable war dialler that supports a lot of nifty features. ToneLoc is more sophisticated than the average war dialler and can be used for finding and cracking PBXs, as well as the more traditional scanning for loops, tones and carriers. One of ToneLoc's nicer features is the support for "tonemaps", diagrams of scanned exchanges that allow the phreak to visualize blocks of numbers in an exchange group more easily than by staring at a list of numbers.
The list of other war diallers is almost endless. Any phreak who wants a different war dialler can hunt for some of these: Demon Dialer, Modem Hunter, Ultra Dial and X-Dialer - or they could have a look at Professor Falken's Phreaking tools. Hunting around the hack/phreak websites locates dozens more, so phreaks have a wide choice of diallers at their disposal whatever platform they are on.
As with all tools, war diallers have their uses and limitations. If a phreak needs some feature that is not available in any of the available war diallers, then they could investigate a terminal emulator program with a script or macro language such as TELIX. Scripts written in the TELIX script language, SALT, can be more powerful than many packaged war diallers for specific applications, which I leave to your imagination.
However they choose to use these tools, a computer enthusiast should learn what they are doing and how they really work. They shouldn't just download them and start using them without some thought. This is especially true with war diallers, because of the problems with TelCo security, who take exception to having their freephone exchanges scanned by phreakers and hackers, and there is a chance that someone using these tools could end up in court. Unless a person has a legitimate, legal purpose in owning or using a war dialler, then possession or use of a war dialler by that person is not recommended.
Encryption Software (eg PGP)
Encryption software is a necessity for anyone serious about system insecurity as they need to prevent privileged information from falling into the wrong hands. Don't rely on the standard UNIX system crypt command; it is very insecure and easy to break. Instead have a look at the packages around and try them out, but don't forget to ask some fundamental questions about the strength of the encryption. Read the crypto FAQ on the Internet, find out if it is a weak algorithm, or if the package has been weakened in any way to comply with US laws on exported encryption packages.
Make sure that you understand exactly how the packages work and how secure they are. An insecure crypto package is worse than no crypto package because it gives a false sense of security. You think your data and email are safely encrypted, but anyone with enough time, energy and patience can break the encryption. Time and time again, commercial software vendors have foisted ill-designed and easily broken encryption packages onto the public, and only the efforts of the hacking community have exposed most of this so-called security for the sham it often is.
In my opinion, if you want the best crypto package around, get a copy of Phil Zimmermann's Pretty Good Privacy (PGP), which can be found and downloaded from the net very easily. PGP works using a pair of keys, a public key and a private key. These keys are actually very large prime numbers which when combined together form the encryption key for the document you are encrypting. You begin by generating a PUBLIC and PRIVATE key pair using a pass phrase, something long and memorable, which is used with the private key to unlock encrypted messages.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.3a
mQCNAi5KlakAAAEEAL0YPIu8/e07+QA9RFR8vaVPUA40z5njToP9
S/tJbpgLNC5apmS2lZzo5sdWwDs60GFxKiNWMCBUCzZwey9opCgA
EuW3hZkr38eD+laH6le2eOV8h2QVmu1Obdl96Cqbhcxv8VPhAAUR
tCJQYXVsIERheSA8cGF1bEBrYW90guGVtb24uY29udWs+
=KmEg
-----END PGP PUBLIC KEY BLOCK-----
Table 4.1: PGP public key
The public key is widely distributed so that when someone wants to send a document to you in privacy, they encrypt the document with PGP and your public key and then send you the document in email. Systems administrators should use PGP or similar to secure any sensitive information on their systems, for example, tripwire or MD5 checksums, to prevent a cracker from tampering with the data.
When you receive the encrypted document you will need your pass phrase, which needs to be as long as you can make it and still remember it, and your private key to decode the encrypted message into plain text. Note that strong encryption is illegal in many countries, so find out what the local laws have to say before jumping in the deep end and downloading PGP or any similar package.
Program Password Recovery
There are a number of programs that allow the "locking" of files to form security protection, but in most cases the encryption is so weak as to be useless. ZIP and ARJ archive passwords can be recovered using brute force attacks. Passwords for Microsoft Access 95/97, Excel 95/97 and Word 95/97 all have their own recovery software, again using brute force attacks, but this time combined with dictionary attacks. This is just a sample of password recovery programs currently available on the Internet, and I have seen whole web sites devoted to nothing but password crackers.
So, for example, if you are a systems administrator who thinks that the TRIPWIRE file is safe when zipped and locked with a password, think again. The availability of this software on the Internet means that you cannot rely on any form of file-based password locking to protect valuable and sensitive information. It would be better to rely on one of the encryption programs mentioned above to conceal any sensitive data from prying eyes. Password recovery tools are an essential tool to the busy systems administrator who works on a large site where people leave or change passwords on mission critical documents and the information needs to be recovered.
BIOS Password Crackers
BIOS password crackers are useful utilities that retrieve the BIOS lock password and enable access to the machine. Useful if you have forgotten the password, or if you have scrounged up an old motherboard and it turns out to be locked. There are several around, for both the AMI and AWARD BIOS, as well as several programs designed to remove the password from the battery-backed RAM completely. Nobody who works with PC motherboards on a regular basis can be without a selection of these tools, because sooner or later a BIOS password will need recovering, either because a user has forgotten their password, or due to battery failure and BIOS data corruption.
Credit Card and Calling Card Number Generators
If anyone uses any form of credit card or calling card number, either belonging to someone else, or generated through one of these bits of software, then they aren't a hacker of any description, they are a criminal involved in fraud. Period. Don't do it. If anyone uses one of these tools, then they should make sure that they brag on IRC about how much stuff they have "carded" and then they will get the attention and the reward they so justly deserve. Because of the legal issues surrounding the use of tools such as this, the reader is recommended neither to acquire nor use such tools, as to do so would render the user liable to prosecution.
Network Security Scanning Tools
Network security scanners are programs capable of scanning systems for a number of common security holes, which are written to automate the large amount of security checking that a systems administrator has to perform. There are a large number of such programs floating around these days, and the choice of program is entirely up to the systems administrator, depending on whether there is any budget for computer security or not. If not, then the admin had better start learning about writing a security scanner, because the crackers have them and the white hats need them as well.
However, if a systems administrator requires a greater understanding of system insecurities, it is much better for them to run many of the hard-coded attacks by hand, download pre-coded "exploits", or better still, code up exploits themselves. The latter option is the best, as new exploits are discovered and published all the time, and even a good commercial security scanner such as ISS will inevitably lag behind, while other security scanners such as SATAN will never be able to scan for the newest vulnerabilities.
SATAN
- NFS file systems exported to arbitrary hosts
- NFS file systems exported to unprivileged programs
- NFS file systems exported via the portmapper
- NIS password file access from arbitrary hosts
- Old sendmail versions
- X-Server access control disabled
- Writable anonymous ftp directory
- Enabled tftp allowing arbitrary files to be read
Table 4.2: SATAN - a security vulnerabilities scanner
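The NFS items in Table 4.2 can be checked locally before a scanner ever sees them. The following is an added example, not part of the chapter or of SATAN: it audits a Linux-style /etc/exports for directories exported to arbitrary hosts (no client list or a "*" wildcard), for the "insecure" option (requests accepted from unprivileged ports, i.e. from any unprivileged program on a client) and for "no_root_squash". The exports text is constructed inline so the script runs offline.

```python
"""Audit an NFS /etc/exports file for the SATAN-style findings in Table 4.2.

Added example; the sample exports file below is constructed and does not
describe any real host.
"""
import re

SAMPLE_EXPORTS = """\
# /etc/exports (constructed sample)
/home           *(rw,no_root_squash)
/srv/pub        192.168.1.0/24(ro,sync)
/srv/scratch
/var/spool/mail 10.0.0.5(rw,insecure) 10.0.0.6(rw)
/srv/www        *.example.com(ro)
"""

# Either "client(opt,opt)" or a bare client name with no option list.
CLIENT_RE = re.compile(r"(\S+?)\(([^)]*)\)|(\S+)")

def parse_exports(text):
    """Return [(path, [(client, [options]), ...]), ...] for non-comment lines."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")   # paths containing spaces are not handled
        clients = []
        for m in CLIENT_RE.finditer(rest.strip()):
            if m.group(3):                      # bare client, default options
                clients.append((m.group(3), []))
            else:
                opts = [o.strip() for o in m.group(2).split(",") if o.strip()]
                clients.append((m.group(1), opts))
        exports.append((path, clients))
    return exports

def audit_exports(text):
    """Return (path, client, finding) tuples for every risky export."""
    findings = []
    for path, clients in parse_exports(text):
        if not clients:
            # No client list at all: any host may mount it.
            findings.append((path, "<none>", "exported to arbitrary hosts (no client list)"))
            continue
        for client, opts in clients:
            if client == "*":
                findings.append((path, client, "exported to arbitrary hosts (wildcard)"))
            if "insecure" in opts:
                findings.append((path, client, "accepts requests from unprivileged ports"))
            if "no_root_squash" in opts:
                findings.append((path, client, "remote root is not squashed"))
    return findings

if __name__ == "__main__":
    for path, client, why in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:<16} {client:<18} {why}")
```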
Internet Security Scanner (ISS)
Internet Security Scanner is a fully featured commercial security package from ISS, capable of scanning for around 600 potential vulnerabilities in heterogeneous networks of UNIX and NT boxes. Here are some of the many security holes that ISS can scan for.
- Port Scanner will scan all TCP ports up to 65535.
- Brute force attacks on services such as FTP, POP3, telnet, rexec and rsh.
- Many daemon processes including fingerd, httpd and rlogind are checked.
- Machines are checked for Trojans such as "BackOrifice" and "NetBus".
- Capable of running Denial of Service (DoS) attacks including "ping of death" and "teardrop".
- Checks NFS exports and known NFS security holes.
- Scans Remote Procedure Call (RPC) services for known problems.
- Scans sendmail mail transport agent for possible compromises in setup.
- Checks many known ftp bugs which can allow system intruders access.
- Looks at X-Windows and NetBIOS.
- Attempts to login as root using IP spoofing via rlogin or rsh.
- Gathers information using SNMP and checks for known router vulnerabilities.
Table 4.3: ISS - another security vulnerabilities scanner
Once again, the use of ISS is only as good as the systems administrator using it. When improperly configured, the use of a heavyweight tool like ISS can lead to a false sense of security. If this sounds like a useful tool, then ISS is available to download in an evaluation form capable of only scanning the local host, but there is no substitute for a good knowledge of your own system insecurities gained by exploring and attempting to exploit them yourself.
There are a number of other similar packages kicking around. SAINT is the successor to SATAN, and provides an interesting hyperlinked interface enabling a systems administrator to explore the complex web of trust relationships between hosts on a LAN. The Computer Oracle and Password System (COPS) is an older security scanner that checks for about a dozen UNIX security holes, including SUID scripts and poor passwords. A systems administrator should search the Internet and see what is available, or better still, write a package themselves that they understand and can update if necessary. Either way a network security scanner is an essential tool for the systems administrator responsible for site security, and they should always attempt to use the very best scanners available, even if they are written by "black hat" hackers for the cracking community.
Packet Sniffers
There was a time when a commercial packet sniffer such as LANALYSER would set anyone back a hefty amount of cash, but recent developments on the Internet, such as the availability of LINUX as an operating system, has meant that packet sniffers are now easy to come by and install.
To understand how sniffers work, a systems administrator needs to understand a little about how Ethernet works. Ethernet works by sending "packets" of information to all the hosts on a network, with the source address and the destination address encapsulated in the header of the packet. Normally any machine that is not the destination machine will ignore all packets that pass by because it can see that its address and the destination address are different. However, it is possible to place an Ethernet interface in what is called "promiscuous" mode, and when that happens the machine will accept every packet, no matter what the destination address in the header says.
Obviously this is very useful for a network or systems administrator, who can use a machine set in promiscuous mode to monitor network traffic, look for excessively fragmented or malformed packets, and generally keep an eye on the network in this way. For the hacker or cracker, though, packet sniffers are a useful tool to examine network packets on the fly and look for login and password information. Once a machine on an Ethernet segment has been compromised in this way, all the machines on the network will eventually be compromised, and possibly machines on other segments if users are telnetting in and out from that network into the Internet.
Obtaining a packet sniffer is very simple, just go to a search engine and initiate a WWW search for packet sniffers. A systems administrator can get a list of available sniffers and then download one that fits the machine they are working with. Here is a quick example of what kinds of things a systems administrator can find out using a standard packet sniffer such as tcpdump.
The tcpdump program runs on a variety of UNIX boxes and LINUX and will print out packet headers according to expressions on the command line. Here is an example of tcpdump running on a network with three hosts, win95.homeworx.org, slack.homeworx.org and redhat6.homeworx.org, which is the monitoring workstation hosting tcpdump. Let's have a look at the kind of information that tcpdump produces when we start monitoring Ethernet packets flying across the LAN. Here is an example where a simple "ping" ICMP echo request is received by the host redhat6 from the host win95.
Table 4.4: Example use of tcpdump to trace ping from redhat6 to win95.
04:11:15 arp who-has redhat6.homeworx.org tell win95
04:11:15 arp reply redhat6.homeworx.org is-at 0:80:c8:1a:47:4c
04:11:15 win95 > redhat6.homeworx.org: icmp: echo request
04:11:15 redhat6.homeworx.org > win95: icmp: echo reply
This is an example of tcpdump when the NIC has been set to promiscuous mode and a ping ICMP echo request is sent from win95.homeworx.org to slack.homeworx.org. It shows network monitoring of two hosts, neither of which is the network monitoring host.
Table 4.5: Example use of tcpdump used for remote monitoring purposes.
04:11:23 arp who-has slack.homeworx.org tell win95
04:11:23 arp reply slack.homeworx.org is-at 0:80:c8:2c:34:6c
04:11:23 win95 > slack.homeworx.org: icmp: echo request
04:11:23 slack.homeworx.org > win95: icmp: echo reply
Of all the packet sniffing tools, tcpdump is the most available on many sites and, although it doesn't support ASCII output, so a cracker can't see those passwords whizzing by in real time, it will dump everything in hex to a file which they can then parse and turn into an ASCII dump. This ASCII dump will contain passwords if tcpdump has captured a login sequence that doesn't use any encryption. The version of tcpdump used here is installed by default with the current distribution of RedHat LINUX, but has been placed into promiscuous mode to demonstrate the potential tcpdump has for simple network hacking. I leave the problem of how to turn promiscuous mode to "on" without official root access as an exercise for the reader.
There are a variety of packet sniffers for DOS; here are a few to look out for when cruising the Internet. Note that configuring packet sniffers for DOS can involve a degree of skill in loading device drivers (ODI or NDIS) and getting the whole thing to work so, unless the budding hacker either has or wants to learn about configuring networking protocols and device drivers, it's probably best if they go back to trading warez or harassing newbies on IRC.
Probably my favourite packet sniffer for DOS is the hard-to-find TELNET TAP (TNT) written by VegHead. This places a replica of the telnet terminal session onto the screen of the workstation running TNT. Other alternatives are GOBBLER, ETHDUMP, FERGIE for DOS, the BUTTSniff plugin for BackOrifice, or for various UNIX platforms choose NETWATCH, SNIFFIT, SNOOP and SPY and compile it for the correct system.
Anyone running LINUX is not restricted to tcpdump once they understand LINUX; they can install exdump or sniffit. If the LINUX user needs a GUI front end to sniffit, KSNIFF, which runs under the KDE desktop, is often used, or the GNU project's GNUSNIFF. Finally I recommend anyone to check out the TRINUX network monitoring kit, which boots off floppy and can turn any networked PC into a standalone network monitoring station within minutes.
If anyone is interested in writing their own packet sniffing software for whatever reason, a good place to start is by looking at PHRACK's esniff.c, the source for tcpdump, and at any source from the UNIX-based packet sniffers above. Note: writing a packet sniffer is a non-trivial task, requiring knowledge of PERL or C as well as network protocols, but is a very good way to learn more about the subject for anyone who is serious about becoming fully conversant with network protocols.
If you are a systems administrator trying to protect against this kind of thing, there are various tools available to check whether your Ethernet interface has been placed into promiscuous mode surreptitiously, but currently there is no way of preventing someone on the same LAN segment as you from installing one of the many DOS-based sniffers on their PC unless you remove the floppy drive and lock down the installation so tight most legitimate users will kick up a fuss. Of course, if you are administering a corporate LAN, then fuss or no fuss, you will take steps to prevent booting from floppy and installation of software onto your corporate machines anyhow. If high security is a necessity, then look at packages like Secure Shell (SSH), and Secure Socket Layer (SSL) to add security to your LAN transactions.
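The promiscuous-mode check mentioned above, for the Ethernet behaviour described earlier in this section, as an added example that is not part of the chapter or of any of the tools it names. On Linux the kernel exposes each interface's flags as a hex number in /sys/class/net/<ifname>/flags, and the IFF_PROMISC bit (0x100) is set while the NIC accepts every frame, which is what a sniffer such as tcpdump switches on. The constructed flag values in the block stand in for a live reading; the check only sees the machine it runs on, not another PC on the same segment.

```python
"""Report Linux interfaces whose IFF_PROMISC flag is set.

Added example. The SAMPLE_FLAGS dictionary is constructed to show the check
offline; read_iface_flags() reads the real values when run on a Linux host.
"""
import os

IFF_PROMISC = 0x100              # IFF_PROMISC from <linux/if.h>
SYSFS_NET = "/sys/class/net"

# Constructed sample readings of /sys/class/net/<if>/flags.
SAMPLE_FLAGS = {
    "lo":   "0x9\n",             # UP | LOOPBACK
    "eth0": "0x1103\n",          # UP | BROADCAST | PROMISC | MULTICAST
    "eth1": "0x1003\n",          # UP | BROADCAST | MULTICAST
}

def is_promisc(flags_text):
    """True if the hex flags string (e.g. '0x1103') has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)

def read_iface_flags(base=SYSFS_NET):
    """Return {ifname: flags_text} for every interface under base (empty if
    the directory does not exist, e.g. on a non-Linux system)."""
    result = {}
    if not os.path.isdir(base):
        return result
    for name in sorted(os.listdir(base)):
        try:
            with open(os.path.join(base, name, "flags")) as fh:
                result[name] = fh.read()
        except OSError:
            continue                 # interface vanished or is unreadable
    return result

def promisc_interfaces(flags_by_iface):
    """Sorted names of the interfaces currently in promiscuous mode."""
    return sorted(n for n, f in flags_by_iface.items() if is_promisc(f))

if __name__ == "__main__":
    live = read_iface_flags() or SAMPLE_FLAGS
    for name, flags in live.items():
        state = "PROMISCUOUS" if is_promisc(flags) else "normal"
        print(f"{name:<8} flags={flags.strip():<8} {state}")
    hits = promisc_interfaces(live)
    print("promiscuous interfaces:", ", ".join(hits) if hits else "none")
```

Run it from cron and alert on any non-empty result; an interface that flips into promiscuous mode outside a scheduled monitoring window deserves a look.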
Password Crackers
The UNIX password cracking tool that I have used most, and would recommend to hackers, crackers and security-minded systems administrators like myself, is Alec Muffett's CRACK. CRACK comes as a tar file containing C code that needs to be compiled and configured, and a default dictionary. CRACK is fast, and its nifty pattern-matching system generates hybrid passwords based on patterns entered by the user, which means that Crack's guesses are as good as a cracker can make them. I've watched CRACK chew through a 10,000-entry password file and spit out nearly 1,000 valid logins in less than an hour. Other DOS-based UNIX password cracking tools are CRACKERJACK, JOHN THE RIPPER, HELLFIRE KRACKER, KILLER KRACKER and so on, but for brute force attacks there is nothing like the power of a large UNIX box anyway, so if it's a UNIX system being tested then the systems administrator might as well use CRACK anyhow.
For NT systems, L0phtcrack has to be the password cracker of choice. A highly sophisticated program, l0phtcrack can recover passwords from the registry, the file system and backup tapes, repair disks and, best of all, by "recovering" the passwords as they cross the LAN. Currently L0phtcrack uses three types of attack - dictionary attacks, where the possible passwords are picked out of a file, and hybrid attacks, where L0phtcrack uses dictionary words prepended or appended with numbers or symbols (for example BEAST666). Finally, L0phtcrack can also run a brute force attack on passwords and, although a brute force attack will take a long time, it takes less time than the average interval set up in most sites to force password changes (eg 40 days). So even if it takes three weeks to leverage a password using a brute force attack, this still leaves a large and gaping window for the cracker to take advantage of your system.
Password crackers are a very powerful tool for ensuring that password policies are secure, or for ensuring that the system is wide open to anyone. As with so many tools of this nature, it can be used for white-hat or black-hat hacker activities, so it is up to the systems administrator to ensure that their system is secure. Before starting to use any password cracker then you will need to add as much as you can into the dictionary from anything and everything you can think of - rock bands, role-playing games, Star Trek, newly evolving slang and fashion words, and foreign language dictionaries, etc. One good way of doing this is to trawl through your NNTP spool directories and make a word list out of what you find there, or download large numbers of e-texts from the Internet and create custom dictionaries based on these.
To ensure system security, run a password cracker against your system at regular intervals and then email your users with their passwords and a polite reminder of the password policy. For more persistent offenders use a "name and shame" policy by writing an automatic script that places the login ids and passwords into a message file (after disabling their accounts of course), and then printing it out as the main banner login. The legitimate uses of password crackers are endless, and there are hours of amusement to be had for free, as even the highest paid CEO will often choose the stupidest of passwords.
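The dictionary and hybrid attacks described for L0phtcrack and CRACK, and the custom word lists built from e-texts, can be turned round into a proactive check that rejects a weak password at the moment a user chooses it. The following is an added example, not code from the chapter or from either tool: it builds a word list from a constructed sample corpus and then tests a candidate against the plain, affixed (BEAST666-style), reversed and letter-substituted forms of every word.

```python
"""Proactive password check using a custom word list and the hybrid rules
described above. Added example; the corpus text is constructed and stands in
for the much larger e-texts a real site would feed in.
"""
import re

SAMPLE_CORPUS = """
The beast of Exmoor was never found. Captain Picard ordered the Enterprise
to engage; the Klingon dragon class ship fell back. Wizards and warriors
gathered for the tournament while the orchestra played Metallica covers.
"""

# Common digit/symbol-for-letter swaps, undone before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oieastasi")

def build_wordlist(text, min_len=4):
    """Lower-cased, de-duplicated words of at least min_len letters."""
    words = {w.lower() for w in re.findall(r"[A-Za-z]+", text)}
    return {w for w in words if len(w) >= min_len}

def strip_affixes(pw):
    """Remove leading and trailing runs of digits/symbols, mirroring the
    hybrid attack of word + number (e.g. 'beast666' -> 'beast')."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()

def check_password(pw, words, min_len=8):
    """Return None if pw passes, otherwise a short reason it would fall to
    one of the attacks described above."""
    if len(pw) < min_len:
        return "too short"
    low = pw.lower()
    if low in words:
        return "dictionary word"
    core = strip_affixes(low)
    if core in words:
        return "dictionary word with digits/symbols added"
    if core[::-1] in words:
        return "reversed dictionary word"
    if core.translate(LEET) in words:
        return "dictionary word with letter substitutions"
    if not (re.search(r"[a-z]", low) and re.search(r"[^a-z]", low)):
        return "needs both letters and non-letters"
    return None

if __name__ == "__main__":
    words = build_wordlist(SAMPLE_CORPUS)
    for candidate in ["metallica", "BEAST666", "p1c4rd!!!", "Tr0ub4dor&3"]:
        verdict = check_password(candidate, words)
        print(f"{candidate:<14} {verdict or 'OK'}")
```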