June 18, 1999
_______________________________________________________________________
See the Happy Hacker web site at http://www.happyhacker.org
URL of the day: http://docs.sun.com/ab2
- Sun's documentation
_______________________________________________________________________
URLs
Nuggets of Info
Reader Questions
Reader Submissions
IP Spoofing, Part 2
Setting up your own Wargame
Future Issues
***********************************************************************
*** URLs
***********************************************************************
NSA Glossary of Security/Intrusion Detection Terms
http://www.sans.org/NSA/glossary.htm
If you haven't read this yet, get a laugh:
http://www.seattleweekly.com/features/9913/features-barcott.shtml
$20 for SCO UNIX, noncommercial use
http://www.sco.com/offers/
ZipSlack Linux
http://www.slackware.com/zipslack/
The Guides to (mostly) Harmless Hacking, reorganized
http://www.dvs.net.nz/gtmhh/index.html
***********************************************************************
*** Nuggets of Info
***********************************************************************
1) Still wanna get online with Linux? Gareth Clay can help. Go to
http://home.freeuk.net/i4/computing/linuxarticles/ppp.html

2) Want to have a program listening at a certain port? Learn some
C/C++ and socket programming. Stevens' "UNIX Network Programming"
would be a good place to start after you know some C.

3) Don't go out installing the 2.3.* kernels unless you know what
you're doing. 2.3 series kernels are development releases, and tend
to have bugs that normal users can't easily fix. Stick with the 2.2.*
line for now. (Or get 2.4.* when they come out)

4) OpenBSD 2.5 just started shipping on May 19th. It is a really nice
OS for those of us who like an ultra-secure environment. It's not
exactly as easy as most popular Linux distributions to install, but
it is, in my mind, definitely worth it. Download free or order a set
of CDs at http://www.openbsd.org -- You won't be sorry!

5) This digest is put out on no set schedule. Basically, release date
is determined by three things: number of decent submissions I
receive, the amount of free time I have, and the lag time between
when Carolyn gets the digest from me and when she sends it out to all
of you.

6) When you connect to the echo port of a UNIX computer, it will
respond to the originating port. Unless you could synchronize the
sequence numbers somehow, it's unlikely you can create an 'echo
loop'.
***********************************************************************
*** Reader Questions
***********************************************************************
Magnus Kristiansen <makris@online.no> wrote:

Hey there,
If you could answer this I would really appreciate it!
In the /etc/passwd file, you may sometimes find this:
kandubot5:!!:10715:0:99999:7:::
or in the shadow file:
kandubot5:x:513:513::/home/kandubot5:/bin/bash
What is the "!!", is it a password? Or does it mean something else?
Just something I have been wondering about, not important! =)
Sincerely yours,
//Marius

[Ed- It's definitely in the password field. What it is exactly, I'm
not sure. My guess would be that this account has been disabled for
some reason or another. I don't know what type of UNIX you're using,
but '*' in the shadow file in Linux means that account logins are
disabled for that username. Anybody care to elaborate/clarify?]
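The two lines quoted above are in two different layouts: the nine-field
`name:!!:10715:0:99999:7:::` form is the /etc/shadow layout (name,
password, last change, min, max, warn, inactive, expire, reserved), and
the `name:x:513:513::home:shell` form is the /etc/passwd layout, where
`x` means the hash lives in /etc/shadow. On Red Hat-style Linux, `!!`
in the shadow password field is what useradd writes for an account that
has never had a password set, which keeps it locked; a `!` in front of
a hash is a password locked with passwd -l, and `*` means no password
login at all. The one value an admin should actually worry about is an
empty field, which lets anyone in. Here is an added audit script (mine,
not the digest's) that classifies those values; the sample entries,
salts and hashes are constructed.

```python
"""Added example: classify the password field of /etc/shadow entries."""
import re

# Constructed sample in /etc/shadow layout:
# name:password:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
kandubot5:!!:10715:0:99999:7:::
root:$1$saltsalt$abcdefghijklmnopqrstuv:10715:0:99999:7:::
guest::10715:0:99999:7:::
daemon:*:10715:0:99999:7:::
olduser:!$1$saltsalt$abcdefghijklmnopqrstuv:10715:0:99999:7:::
"""

# MD5-crypt ($1$salt$hash) or a traditional 13-character DES-crypt hash
HASH_RE = re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$|^[./0-9A-Za-z]{13}$")


def classify_password_field(field):
    """Label the second field of a shadow entry."""
    if field == "":
        return "EMPTY: no password needed to log in"
    if field == "!!":
        return "never set: useradd left the account locked"
    if field == "*":
        return "no password login (typical for system accounts)"
    if field[0] in "!*":
        return "locked: hash present but disabled (passwd -l)"
    if HASH_RE.match(field):
        return "hashed password present"
    return "unrecognised value"


def audit_shadow(text):
    """Return ({user: label}, [findings worth a sysadmin's attention])."""
    labels = {}
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            findings.append(f"malformed entry: {line}")
            continue
        user, pw = fields[0], fields[1]
        labels[user] = classify_password_field(pw)
        if pw == "":
            findings.append(f"{user}: empty password field, anyone can log in")
        elif user == "root" and not HASH_RE.match(pw):
            findings.append(f"root: no usable password hash ({labels[user]})")
    return labels, findings


if __name__ == "__main__":
    labels, findings = audit_shadow(SAMPLE_SHADOW)
    for user, label in labels.items():
        print(f"{user:12s} {label}")
    for f in findings:
        print("FINDING:", f)
```

Run it as root against the real file with `audit_shadow(open("/etc/shadow").read())`; the regular expression only knows DES-crypt and MD5-crypt, the two formats in use on the systems the digest talks about, so newer hash types will show up as "unrecognised value" until you extend it.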
-----------------------------------------------------------------------
Wittayakorn Chamgan wrote:

Dear Sir,
I am a new staff member at the Center of computer services at XXX
University, XXX. May I ask you for a good UNIX security document for
SunOS and LINUX. It's a very big problem for me to maintain many
servers (web, ftp, telnet, DNS, MAIL, etc.) because I have less
knowledge with UNIX security.
Thank you very much.
Looking forward to your reply
Mr. Wittayakorn Chamgan

[Ed- Yep, I censored his email address and university name, since I
wasn't really interested in some of you *ahem* more adventurous types
checking to see what kind of a job he was doing. Anyways, if any of
you could suggest good 'overall' Linux or Solaris documents, I'd (and
so would Mr. Chamgan) appreciate it. Perhaps even a URL that has a
good list of links to appropriate pages. For a quick solution, Mr.
Chamgan, I would suggest looking back to older issues of the UNIX
digest for some helpful links. Also, check the Linux-Security HOWTO.]
-----------------------------------------------------------------------
Anonymous wrote:

Help Help. I've just bought myself a copy of SuSE Linux 6.0. And the
problem is that I can't get my teleS BRI/16.3 to dial out. Maybe I'm
completely stupid but if anyone is able to help me PLEASE HELP
ME!!!!!!!!

[Ed- I cannot really answer this question, since I have no clue at
what point you are having problems with (I'm assuming a modem)
whatever the hell a teleS BRI/16.3 is. I will not answer this
question, since this is a security digest. Maybe if Carolyn creates a
"Linux-newbies-looking-for-quick-answers" digest, you'll get your
question answered ;) But seriously, there are many many sources of
info out there for setting up Linux. Try howto.linuxberg.com for a
list of HOWTOs and tutorials.]
-----------------------------------------------------------------------
Albert Huang <relbs@geocities.com> wrote:

Hi!
I was just wondering if you would be able to answer a question for
me. I run a small RedHat 5.2 box that acts as a server for some
friends. I've been trying to find a program that will let me
watch/intervene their tty connections so that I can help them out if
they're not sure what they're doing. I know they're out there
somewhere, but I can't seem to find where.
Any ideas? Thanks!
-albert

[Ed- Yep. Debian comes packaged with a program called ttysnoop, that
I'm sure is in other distributions. You need to do a little
configuration with this, but it shouldn't be a big deal. There's also
a commercial package out there called IP-Watcher that will allow you
to monitor and control any login session. Hope this puts you on the
right track.]
***********************************************************************
*** Reader Submissions
***********************************************************************
Remco B. Brink <remco@pbnec.nl> wrote:

to linux editor of happyhacker mailinglist,
just read your comment to Ristridin (ristridin@earthling.net) in the
digest at http://w1.340.telia.com/~u34002171/hhd/1999/hhdmay899.html
about the ipfwadmin problems he had with SuSE 6.1. You made a couple
of minor errors in your reply to him.

- the "firewalling software that might be causing problems" is
  included in the standard 6.1 release, no incompatibilities there.

[Ed- He's trying to use ipfwadm, which is not supported by the 2.2.5
kernel you claim is default for SuSE 6.1. ipchains is, however. I
think it boils down to using the wrong software for the job.]

- SuSE 6.1 uses a 2.2.5 kernel, not a 2.0.X kernel as you claim.

[Ed- I made no such claim. I guessed that, if he had upgraded from a
2.0.* kernel to a 2.2, he would have problems. I don't make it my job
to keep track of what distribution has what kernel in what version.
My apologies.]

I'd go for checking my kernel for incompatibilities (e.g. some
features needed for firewalling are not enabled).
If all else fails:
- RTFM
- call SuSE (he has free 60 day support)
- install kernel version 2.2.9

[Ed- Good advice. Also, replace 2.2.9 with whatever version is
current at the time that you're reading this.]

regards,
Remco
***********************************************************************
*** IP Spoofing, Part 2
***********************************************************************
I'd like to note quickly that this explanation is by no means
complete. I'd prefer to just give you a good overview of what it's
all about, then let you dig more if you're so inclined.

Ok, in the previous digest, I made the analogy that IP spoofing is
like trying to pretend you're someone else on the phone - if that
person is able to communicate with your target, your trick won't
work. So, depending on what we're hoping to do with our IP spoofing,
we have two choices. (Well, the only two that come to mind at the
moment.) So, what are we trying to do?
1) Pretend we're another specific computer to exploit a trust
   relationship between the target and the computer you're pretending
   to be. (rlogin and rsh are good examples)
2) Disguise our own IP so we can do something without the target
   knowing where we are coming from.
Note that a big problem with IP spoofing is that you (the spoofer)
don't receive any feedback on your progress with the target. You're
essentially flying blind. So this is probably not something you're
going to be trying from the command prompt - try telnetting
someplace, then turning off the monitor. It's going to be hard for
you to know what to do. This does not render the technique useless,
however. (If it was useless, I wouldn't be writing this, now would
I?)
The second goal I mentioned - obscuring our own IP to hide our
actions - is something that a popular network scanner called nmap
already does - sorta. (www.insecure.org/nmap) With the -D flag, you
can specify a list of 'decoy' hosts to confuse the target. When the
admin of the target looks at his logs, he will see connections from
both your machine and the decoy machines you have listed on the
command line. This is not _exactly_ IP spoofing, as we're really only
sending one packet, and not trying to establish a complete connection
using sequence number prediction. I'll get to that in just a second.
The idea I was getting at with #2 was the possibility of running an
exploit against a target with a fake IP. If the exploit requires a
lot of feedback from the target, then it will be much more difficult
(but not impossible), since the program doesn't know when to send the
appropriate data.
Sequence numbers, which I mentioned in the previous digest, are two
numbers included in every TCP packet to keep all data organized. They
ensure that no data will be passed to the application out of order
and that there is no missing data. The first (the sequence number)
tells the receiving computer where the data in the packet belongs in
the stream, and the second (the acknowledgment number) tells the
other side how much of its data the sending computer has received so
far. If this is a little unclear, my apologies...to understand this
fully, you need to know how TCP works. I don't have the inclination
to explain that here. So, suffice it to say, these two numbers are
very important to a TCP network connection. In order for the target
to believe the sender is who he says he is, when they exchange
packets, the sequence numbers must be correct.
Here's where the potential for trouble lies. Some operating systems'
networking software makes it very easy to guess what the next
sequence number will be. *cough*Windows*cough* Others
*cough*OpenBSD*cough* randomize the sequence numbers sufficiently so
that predicting them is almost impossible. If you can predict these
numbers reliably, you can almost certainly convince the computer that
you're someone you're not.

I mentioned above in #1 that you can use IP spoofing to use trust
relationships to your advantage. It turns out that some programs will
allow you to access a computer remotely without a password if you
simply come from a computer it has in a list. This was originally
designed for people moving between multiple UNIX computers using the
same login name. They could simply type the command (assuming they
had everything properly set up)

rlogin othercpu

(where othercpu is another computer they have an account on) and they
would get a shell with the same login name, no password, but on a
different computer. I hear your minds churning. "No password?" Yep.
So, basically, if you can determine a user that has this all set up,
you could use IP spoofing to convince the other computer that you
really ARE that user coming from the correct location when in fact,
you're not. However, as I mentioned before, you have to enter your
commands blindly. I'll leave it up to you to figure out what to do
from this point.
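The list the rlogin/rsh family consults is /etc/hosts.equiv plus each
user's ~/.rhosts: one host per line, optionally followed by a remote
user name, with `+` as a wildcard and a leading `-` as an explicit
deny. As an added example (mine, not the digest's), here is a small
audit script that parses such a file and grades each entry, so the
owner of a box can find the wildcard entries that are dangerous even
without any spoofing and the plain host entries whose only protection
is the source address. The sample file contents are constructed.

```python
"""Added example: audit the trust lists that rlogin/rsh consult."""

# Constructed ~/.rhosts contents for a user we will call 'alice'
SAMPLE_RHOSTS = """\
# host            [remote user]
othercpu
othercpu.example.org  alice
+ alice
+ +
-badhost.example.org
"""


def parse_trust_file(text):
    """Return (host, user) pairs; user is None when the line names only a
    host, which the rlogin family reads as 'the same user name'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def grade_entry(host, user, owner):
    """Severity and explanation for one entry, from the account owner's view."""
    if host.startswith("-"):
        return None  # explicit deny: nothing to flag
    if host == "+" and user == "+":
        return ("CRITICAL", f"any user on any host may log in as {owner} "
                            f"with no password")
    if host == "+":
        who = owner if user is None else user
        return ("HIGH", f"user {who} on any host may log in as {owner} "
                        f"with no password")
    if user == "+":
        return ("HIGH", f"any user on {host} may log in as {owner} "
                        f"with no password")
    who = owner if user is None else user
    return ("INFO", f"{who}@{host} trusted as {owner}; the only check is the "
                    f"source address/name of the connection")


def audit_trust_file(text, owner):
    """List (severity, message) findings, worst first."""
    order = {"CRITICAL": 0, "HIGH": 1, "INFO": 2}
    findings = []
    for host, user in parse_trust_file(text):
        graded = grade_entry(host, user, owner)
        if graded:
            findings.append(graded)
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for sev, msg in audit_trust_file(SAMPLE_RHOSTS, "alice"):
        print(f"{sev:8s} {msg}")
```

Even the INFO entries deserve attention: they are exactly the trust
relationship the article describes, and the fix that removes the
dependence on the source address is to retire rlogin/rsh in favour of
ssh with key authentication rather than to tidy the list.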
Please, please send me corrections of errors, clarifications of
things I made too difficult. (I tend to ramble and make sense only to
myself sometimes) If any of you found this useful, send me an email
at unixeditor@cmeinel.com

Here is a page with some more thorough articles on the subject:
http://www.cell2000.net/~users/salexand/spoof_in.htm
(If anybody has a better list of links on IP spoofing, I'd be
grateful to hear about it)
***********************************************************************
*** Setting up your own Wargame
***********************************************************************
I suspect this section could easily take up 2 or 3 Guides to (mostly)
Harmless Hacking, but I'll try to keep it short and sweet here. You
can be assured, however, that I plan on going into MUCH more detail
in a Guide or on a web page. I will certainly provide a URL when I
get it up and running. Anyways, onto the meat.
Setting up a wargame is a great way to learn about computer security.
Several companies have even run their own 'hacker wargames' in order
to check their security or show off their 'hackerproof' software. The
companies that do this generally have ulterior motives, such as
getting a free (minus the cost of the prize, if any) security audit
by recognition-seeking 'hackers'. Go read HNN's article about these
ulterior motives at http://www.hackernews.com/orig/chall.html and
decide for yourself. (Yes, I know Carolyn doesn't like HNN, but I do,
and there are some very good points in this article) Antionline, now
'partner' of Happy Hacker, even suggests some of these ulterior
motives. Read JP's "How to Become a Hacker Profiler" to see what I
mean. Hacker wargames are a good way to get new attack signatures and
find out who the 'baddies' really are. Ok, enough of my rambling. I'm
assuming from this point on, that you don't have ulterior motives
(flawed assumption?) and are into the idea of a hacker wargame simply
to learn a bit.
So, you want to allow all sorts of strange people to peck away at
your computer(s) hooked up to the internet? Good for you! You're
giving lots of legal hackers some practice and newbies a way to dive
in headfirst without having to worry about unmarked vans sitting
outside their house.

Obviously, the first thing you'll need is a computer of some sort to
put up for this hacker 'target practice'. You could even put up
multiple computers, like happyhacker.org has. It's not really that
important what you are going to run on your wargame computer, so long
as it has networking capability of some sort. You could even use just
your home computer and make it available to people who want to play.
There are a few things you need to get out of the way before you
start advertising too much:
1) Decide what kind of game it will be.

Are you going to just install some operating system, set up the
basics of networking, then let people loose on it? What will happen
in this case (I would think) is someone who has an exploit handy for
that OS will get in first, then fortify himself/herself by patching
holes so nobody else can get in. This is probably your best option if
you have little experience with patching holes, as you can probably
keep an eye on what's happening and figure out what a smart sysadmin
would do to secure his box. You can install, advertise, then sit back
and wait. One problem with this, however, is that a malicious
intruder could use your computer as a staging ground for further
attacks on non-wargame computers. This could lead to some legal
issues for you, and since IANAL (I Am Not A Lawyer) I can really only
say that This Is Bad.
A variant on this is to give people a shell account with an easily
guessable password, like koan.happyhacker.org does with its guest
account. Another possibility is to give many shell accounts to people
who want them, then let them do their thing in their own private
space. Granted, this will probably take up a bit of space, and the
evil genius shell owners might try to block the rest of the shell
owners from getting into their accounts so he can monopolize it. As
you can see, there are pros and cons for any approach you take with
this.
A second possible scenario would be you, the relatively-sophisticated
computer owner, trying to secure your box against the oncoming
hordes. You'd install the OS, then patch the problems you can find.
Once the box is hardened to your liking, you can expose it on the
net, keeping a backup of your patched OS handy. When someone breaks
in, ideally you'll have logs of it (I'll probably dive into this in a
later article) and you'll be able to fix the problem that was
exposed. Repeat. So, after attackers find holes in your system, you
can close each of those holes and try it again. (again assuming that
you know how they got in - if you ask nicely, they might even tell
you)
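For the "keep logs, find the hole, fix it, repeat" loop, here is an
added example (mine, not the digest's) of the kind of summary the
owner of a wargame box wants from its syslog: logins per source host,
any root login, any su to root, and any login after the announced end
of the game (the time-limit rule further down). The log lines are
constructed in the style of the messages login(1) and su(1) write to
syslog; the exact wording differs between systems, so the regular
expressions are assumptions to adjust to your own logs, as is the
game-end date.

```python
"""Added example: summarise login activity on a wargame box from syslog."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, in the style of login(1)/su(1) syslog messages.
SAMPLE_LOG = """\
Jun 18 02:14:07 target login[412]: LOGIN ON ttyp1 BY guest FROM attacker1.example.net
Jun 18 02:20:31 target login[455]: ROOT LOGIN ON ttyp2 FROM attacker1.example.net
Jun 18 02:45:09 target su: (to root) guest on /dev/ttyp1
Jun 18 03:02:40 target login[480]: LOGIN ON ttyp3 BY guest FROM 10.0.0.5
Jun 20 23:59:58 target login[612]: LOGIN ON ttyp1 BY guest FROM late.example.org
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
LOGIN_RE = re.compile(TS + r" \S+ login\[\d+\]: (?:(?P<root>ROOT LOGIN)|LOGIN)"
                      r" ON (?P<tty>\S+)(?: BY (?P<user>\S+))? FROM (?P<host>\S+)$")
SU_RE = re.compile(TS + r" \S+ su: \(to (?P<target>\S+)\) (?P<user>\S+) on (?P<tty>\S+)$")


def parse_ts(ts, year):
    """syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def summarise(log_text, game_end, year=1999):
    """Return (logins per source host, list of alert strings).

    game_end is given in syslog style, e.g. "Jun 19 00:00:00"."""
    end = parse_ts(game_end, year)
    logins_by_host = Counter()
    alerts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            user = "root" if m.group("root") else m.group("user")
            host = m.group("host")
            when = parse_ts(m.group("ts"), year)
            logins_by_host[host] += 1
            if user == "root":
                alerts.append(f"root login from {host} at {when:%b %d %H:%M}")
            if when > end:
                alerts.append(f"login by {user} from {host} after the game "
                              f"ended ({when:%b %d %H:%M})")
            continue
        m = SU_RE.match(line)
        if m and m.group("target") == "root":
            alerts.append(f"{m.group('user')} became root via su on {m.group('tty')}")
    return logins_by_host, alerts


if __name__ == "__main__":
    hosts, alerts = summarise(SAMPLE_LOG, "Jun 19 00:00:00")
    for host, n in hosts.most_common():
        print(f"{n:3d} login(s) from {host}")
    for a in alerts:
        print("ALERT:", a)
```

Feed it the real file with `summarise(open("/var/log/messages").read(),
"Jun 19 00:00:00")`. Remember that an intruder who gets root on the
box can edit that file, which is why the digest's advice to keep
a known-good backup applies to the logs too: send them to another
machine, or at least copy them off before you start.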
A variation of this second type would be to secure the box as much as
you see fit, then add some non-standard holes of your own. This will
weed out the script kiddies from the people that might actually know
what they're doing and encourage exploration instead of brute force
exploit attempts. For this option, you'll obviously need a pretty
decent understanding of your computer system to set up any good
challenges.
Another thing you may consider is setting little traps or fake holes
to make people think they have more access than they really do. You
could do this by creating a 'jail' environment, where the intruder
seems to have root, yet is prevented from doing any real damage.
(I'll explore more on this in my more detailed writeup - definitely
not the easiest thing to do)
You might even get a bunch of friends together to set up their own
computers and try to budget your time securing your own box and
attacking others'. (Yes, Carolyn mentioned this oh-so-long-ago) You
could even gang up on one person and form alliances. Yes, this sounds
a little childish, but hey, it might be fun. Computers really don't
have to be as serious as everyone makes them.
2) Make sure that it's ok for you to start a wargame.

If you're on a local network, it is ESSENTIAL that you let the
administrator of the network know what you have in mind, not only so
he can see what's coming ahead of time, but perhaps so he'll learn a
bit too. Computer bad guys will try to attack the other hosts on the
same network as the wargame box, which is definitely illegal. If
you're using an ISP, be sure to let them know ahead of time, too.
Take Carolyn's advice and take the tech support guys out for pizza,
or Thai, or whatever they prefer. Also, if this is a computer used by
more than just you, I would definitely let everyone using the system
know what's going on. (A banner upon login might be appropriate)
A side note here: If you are about to start participating in a new
wargame you just found out about, make sure it's legitimate. Someone
might try to advertise a box that's not his for a wargame, unbeknownst
to the owner of that computer. Be careful, and check your sources.
3) Establish rules.

This is very important. Explain clearly that all boxes except those
you explicitly say are ok are off-limits. You really don't need bad
guys trying to get to you through your ISP or your roommate's
computer. You may also want to say that, once a vulnerability is
found, you must be contacted. Now, a lot of people won't do this, but
you can always try. :) Definitely say that your computer cannot be
used for further hacking attempts. (As I mentioned above) It also
might not be a bad idea to set a time limit on when the attacks can
go on. This way, someone won't dig up an old newsgroup posting saying
your box is ok to be attacked 2 years after you stopped.
Ok, unless I've missed something obvious (which I'm sure you will all
let me know, right?) it's now time to advertise your wargame.
You'll probably want to have a web site up somewhere that outlines
the rules, as well as the target computers. This way, you can direct
people to one place for them to get their information. You could even
set up a web server on one of the target computers, and then let the
intruders post an ego page when they get in. Otherwise, if your info
site is outside of your attackable boxes, you will be more likely to
keep control of what is said there.
A decent place to advertise your wargame is right here. Send the info
URLs to me, and I'll compile a list in a future digest. I'd prefer to
release the list in a big block, so the first person I mention
doesn't get hammered by a couple thousand digest subscribers :) (Ever
hear of the Slashdot Effect? ;) Other possible places to advertise
would be on your own website if you just want a small crowd. IRC or
BBSs might not be bad choices either. Newsgroup postings will pretty
much last forever, so if you post there, expect people to be finding
your posting years later and to take advantage of it. (See the time
limit rule above)
If something bad happens and you want to say "Ok, enough.", post it
to your information page, and change your host/domain name if
necessary. You may even need to change IPs. Hopefully by then, the
gamers will get the hint.
Now I'm going to buffer myself against the onslaught of questions on
how to set up these computers: Please check HOWTOs, READMEs, and
anything else you can find for setting up your computers. I don't
want to be rude, but I'm not your personal setup tutor. In other
words, RTFM. If you don't know what that means, I'd reconsider
starting a wargame. Also, please don't take my word as gospel (unless
you are creating a new religion based around me, in which case, let
me know) because I do make mistakes, and I don't want somebody to get
in trouble because I missed something. If you're looking for advice
on setting up a wargame, by all means email me. If you have a UNIX
security issue coming up that you can't figure out, ask me. If you
can't figure out how to set up Tripwire, RTFM. On that note, have
fun. Please give me feedback on this article...I put it together
rather quickly and only roughly organized it. Thanks!
***********************************************************************
*** Future Issues
***********************************************************************
How Private is It?
Onion Routing
How Far is Too Far?
***********************************************************************
_______________________________________________________________________
This is a list devoted to *legal* hacking! If you plan to use any
information in this Digest or at our Web site to commit crime, go
away! Foo on you! Don't email us bragging about any crimes you may
have committed. We mean it.
For Unix questions, contact unixeditor@cmeinel.com.
Happy Hacker staff: Unix editor, <unixeditor@cmeinel.com>;
Windows editor, <editor@cmeinel.com>;
Hacker Wargame Director, Vincent Larsen <vincent@sage-inc.com>;
Clown Princess: Carolyn Meinel <>
Happy Hacker is a 501 (c) (3) tax deductible organization
in the United States operating under Shepherd's Fold Ministries.